Weekly Wrap-Up
Week of September 6, 2021
Zero Trust Updates
Biden Administration Releases Draft Zero-Trust Guidance
(Nextgov) The federal government is pushing hard for agencies to adopt zero-trust cybersecurity architectures, with new guidance released Tuesday from the administration’s policy arm—the Office of Management and Budget—and lead cybersecurity agency—the Cybersecurity and Infrastructure Security Agency.

The administration released several documents Tuesday for public comment, seeking feedback on the overarching federal policy from OMB and draft technical reference architecture and maturity model from CISA. The guidance follows a May executive order on bolstering cybersecurity across the federal government, which cited specific security methods and tools such as multifactor authentication, encryption and zero trust.
What's in the New Zero-Trust Strategy?
(Politico) The White House this morning is releasing for public comment a draft version of its strategy for implementing “zero trust” principles across federal networks. The Biden administration sees zero-trust networking — in which a computer system is designed with the assumption that hackers have already gained access and must be constantly challenged and impeded — as key to its security overhaul of decades-old networks, and its new strategy will require a raft of actions to lock down software applications, limit users’ access to data and protect network traffic from prying eyes.

Every agency will have to use one “single sign-on” service to let employees access all of its applications; ditch multi-factor authentication systems — such as codes delivered by text message — that are susceptible to phishing attacks; and eliminate archaic password policies requiring special characters and regular password changes. They’ll also have to encrypt all internal traffic and develop plans to segment their networks so that hackers can’t easily slip from one application to another. And they’ll have to make one internal system securely accessible from the internet to reduce the use of VPNs.
OMB Publishes Zero Trust Draft Strategy
(FedScoop) The Office of Management and Budget published a draft strategy Tuesday that will clarify key zero-trust priorities for civilian agencies as they roll out the cybersecurity architecture over the next few years.

Alongside the proposals issued, the Cyber and Infrastructure Security Agency also released a new cloud security technical reference architecture (TRA) and zero-trust maturity model to guide implementation.

Both agencies are seeking public feedback on the draft documents, which they hope will further strengthen the plans.

Top priorities identified in OMB’s new strategy include consolidating agency identity systems, combatting phishing through strong multifactor authentication and treating internal networks as untrusted. It also spells out the need to encrypt traffic and strengthen application security.
Zero Trust: There is More than One Attack Surface
(TechRadar) The security of your home will improve significantly when you complement the lock on your front door with an alarm and video surveillance system that tracks everyone knocking at your door, passing through it, and moving around your house. But this will not stop criminals from breaking your windows and quickly grabbing everything within reach, trying to manipulate and deactivate your alarm system remotely, or watching your every move to gather sensitive information. Similarly, a zero-trust network architecture (ZTNA) is an important first step to enhance business security, but a comprehensive zero-trust strategy requires taking additional steps.
Zero Trust Architecture - Modern Work Anywhere Architecture Without VPN
(Security Magazine) In the 12th Century, Mongols successfully raided walled cities, one after the other, leading to the demise of walled-city architecture for protection. In our modern 21st century, the classic “moat and castle” network design is going through a similar phase, as the high-trust flat network with high-cost and less-scalable tunnel “VPN” no longer provides a trusted expansion of the network in today’s remote world.

Today’s attackers see this vulnerability with the traditional VPN model, as VPN alone does not have limiting controls if compromised. This risk is increased with attackers shifting towards identity attacks using credential stuffing versus brute force attacks. This is all due to how easy and cheap it is to purchase compromised credentials on the dark web. This attack vector exploitation has been further accelerated due to:
· An increase in cloud adoption and usage of SaaS across organizations.
· Enterprise applications (e.g., O365, ERP, and other systems) are transitioning to the cloud, which does not allow the usual approach of having a Demilitarized Zone (DMZ) to protect internal networks from untrusted traffic.
Member News
OMB Mandates Agency Log Standardization to Improve Security
(Splunk Blog) The Office of Management and Budget’s memo mandates a maturity model for event log management, sets agency implementation requirements, and establishes government-wide responsibilities. Fortunately, Splunk solutions can help agencies comply with the new mandates.

As I wrote in a recent blog post, Biden Administration Executive Order Reinforces Log Standardization is Key to Security, in May 2021, the Biden Administration issued its much-anticipated Executive Order aimed at improving the cyber posture of the country. The Fact Sheet accompanying its release appropriately noted that “[r]ecent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.” Since the Order’s release in May, we have not seen any slowing down in terms of the sophistication and frequency of incidents. 
Executive Spotlight With Palo Alto Networks SVP Dana Barnes Discusses Zero Trust, Cloud Capabilities; AI's Impact on Federal Workforce & Training; Necessary Changes to National Security Efforts
(GovConWire) “To help enable innovation and support companies of all sizes achieve the required authorizations, it may be time for the government to take a look at [Federal Risk and Authorization Management Program] in order to determine the areas where they can implement innovative cloud solutions more quickly. Low risk implementation areas may provide faster initial on-ramp for technologies and help get things moving more quickly.”