Cues from OMB Zero Trust Architecture memo

Towards the end of January 2022, the Office of Management and Budget (OMB) released its memorandum on moving government agencies to a zero-trust model. Enterprises that align themselves to industries regulated by the federal agencies can take a cue from it to improve their security posture. The memo considers the recent ransomware attacks on various enterprises in the U.S. 

According to the memo that alludes to the Department of Defense Zero Trust Reference Architecture, “The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”

It stresses some of the zero trust architecture (ZTA) fundamentals that some U.S. agencies have asked for some time. They include multi-factor authentication (MFA), network segmentation based on the criticality of data, and encryption of data-at-rest and data-in-transit.

The memo acknowledges that the “castle wall and moat” model for the network is not enough and that the security control model should be structured around data and access to it. It wants the agencies to consider every application to be treated as internet-accessible from a security perspective.

Any regulated enterprise would always want to be a notch up in its controls not just from a regulatory perspective but also to protect its customer’s data.

Here are some of the controls to be considered based on the memo:

1. Identity: Enterprise should manage their identities that include employees, contractors, systems, and customers helping the firm sustain sophisticated online phishing attacks.

  • Enterprise-wide identity systems: Improve identity system and access controls that are centrally managed and have:
    • (1) a holistic view of its users with a strong understanding of their roles, responsibilities, and authorities, and 
    • (2) an ability to verify user identities when they try to access a resource or system. 
  • MFA: Implement strong authentication with multiple factors to elevate trust before accessing a critical resource. Avoid using Privileged Access Management (PAM) solutions that provide temporary single-factor credentials for human access to a system as a general-purpose substitute for MFA or for routine single-sign-on (SSO) access to legacy systems.
  • User Authorization: No identity should have a perpetual trust level to access a resource. Trust must be evaluated, verified, and elevated, if needed, at each request.

2. Devices: The enterprise should have a complete inventory of every device it operates and authorizes for its business use. It should be able to prevent, detect, and respond to incidents on those devices.

  • Inventorying Assets: Implement a centrally managed asset management system that can create and maintain inventory over time with features such as dynamic discovery and cataloging of assets.
  • Enterprise wise endpoint detection and response: Have an endpoint detection and response (EDR) system to detect cybersecurity incidents proactively. Some legacy systems such as mainframes and connected devices may not have compatible EDR tools available, and the enterprise may need to consider alternative means to enforce zero trust. 

3. Networks: Enterprise needs to encrypt all DNS requests and HTTP traffic within their environment. It needs to break down its perimeters into isolated environments based on the criticality of the data it contains.

  • Network visibility and attack surface: Have deep traffic inspection capabilities while implementing encryption algorithms that slow down quick decryption of network traffic. Implement heavy internal use of recent versions of standard encryption protocols, such as TLS 1.3, that are designed to resist bulk decryption.
  • Encrypting DNS traffic: Resolve DNS queries using encrypted DNS wherever technically supported. Implement DNS resolvers that support standard encrypted DNS protocols (DNS-over-HTTPS or DNS-over-TLS). Use them to communicate with upstream DNS resolvers.
  • Encrypting HTTP traffic: Implement data-in-transit encryption beyond user-visible websites. Such websites include interfaces with HTTP commonly used for APIs between servers, mobile applications, and other endpoints. All enterprise-owned websites must “preload” with HTTPS.
  • Encrypting email traffic: While enterprises continue to use email as a critical method of communication and authentication, they should try to find acceptable ways to encrypt email in transit.
  • Enterprise-wide architecture and isolation strategy: The traditional mindset of the “castle wall and moat” model has kept many enterprise networks flat. Such a network is one of the significant factors in propagating ransomware. Isolate the network in such a way that an adversary that compromises one application or component cannot quickly move laterally within the enterprise and compromise other distinct environments.

4. Applications and Workloads: The enterprise must go above and beyond implementing and documenting security controls. It should have a comprehensive and rigorous approach to verify each application is built according to an approved design. Its application should have rigorous empirical testing and welcome external vulnerability reports.

  • Application security testing: While implementing non-disruptive analysis that uncovers systemic security issues using Security Architecture Reviews (SAR) in the enterprise, it should incorporate reports from manual and automated vulnerability scans and code analysis. Some applications may have interfaces that may not be covered by automated tools and require custom tests to ensure the application is built according to an approved design. The disposition of a SAR for an application must specify such tests.
  • Easily available third-party testing: In addition to their own testing programs, the enterprise must increase its reliance on external perspectives to identify vulnerabilities that internal staff may not recognize.
  • Welcoming application vulnerability reports: The system owners should have direct, real-time access to incoming vulnerability reports to incorporate an external perspective. Implement a program to validate and resolve externally reported vulnerabilities responsively. It will help improve internal security and avoid public disclosure of unpatched vulnerabilities.
  • Safely making applications internet-accessible: Gone are the days when the enterprise could rely on a VPN to give access to a remote user. An agile approach with minimum viable monitoring infrastructure, denial of service protections, and an enforced access-control policy managed through an enterprise-managed identity system would help move towards a more internet-ready system. 
  • Discovering internet-accessible applications: Having a complete understanding of its internet-accessible assets would help the enterprise apply a consistent set of security policies and fully define and accommodate user workflows. 
  • Immutable workloads: Avoid manual deployment in a cloud environment. Implement technical interfaces that are well optimized for fully automated deployment strategies. They should support deployment and roll-back practices, known as DevSecOps, that confer fundamentally improved security properties. It helps the enterprise deploy code or infrastructure to a cloud environment that technically restricts manual modification. Any changes, such as patches to the operating system or software libraries, and any changes to application code, should be accomplished by redeploying the code, service, or infrastructure. Each infrastructure instance should be built in the same way, enabling a consistent, homogenous environment. Adopt modern software development lifecycle practices, including Continuous Integration/Continuous Deployment (CI/CD) and Infrastructure as Code (IaC) to facilitate the creation of reliable, predictable, and scalable applications based on immutable workloads.

5. Data: Deploy protections that make use of thorough data categorization. Take advantage of cloud security services to monitor access to sensitive data in the cloud and implement enterprise-wide logging and information sharing.

  • Enterprise data security strategy: Data is the core of a zero-trust architecture. The Chief Data Officer (CDO) and the Chief Information Security Officer (CISO) of the enterprise should work together to develop a data strategy that addresses how existing information categorization schemes can support effective data categorization in a security context. 
  • Automating security responses: Implement Security Orchestration, Automation, and Response (SOAR) system to automate security monitoring and enforcement. With careful tuning, iteration, and sensitivity to business needs, SOAR helps improve security and efficiency without causing unacceptable disruption to the daily work of the enterprise. Employ heuristics rooted in machine learning to categorize the data they gather. Deploy processes that offer early warning or detection of abnormal behavior in as close to real-time as possible throughout the enterprise. When considering any automated actions, the enterprise must deploy them in a “report only” mode. It would help security teams monitor the performance of their heuristics and the accuracy of their categorizations before enabling any security actions that might impact staff workflow.
  • Auditing access to sensitive data in the cloud: Any data movement to a cloud environment should consider encryption, managing the keys, and monitoring access to data in the cloud. The enterprise can achieve this by using key management tools operated by the cloud provider or key management tools that are on-premise or otherwise external to the enterprise-controlled cloud environment. The tool helps create a trustworthy audit log that documents attempt to access the data. Keys can be customer-managed or provider-managed. The critical requirement for key management is that, even if an application is compromised and an adversary can decrypt data managed by that application, any decryption attempts will still be reliably logged by a separate system.
  • Timely access to logs: Ensure centralized access and visibility for the enterprise’s highest-level security operations center (SOC) and increase information-sharing between its line of business or subsidiaries to accelerate incident response and investigative efforts.

Leave a comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.