Six Key Takeaways from the OMB Memo
In May 2021, following a number of high-profile security incidents, U.S. President Biden issued an executive order that set out a high-level agenda to modernize and improve the government’s cyber resilience. This January, the U.S. Office of Management and Budget (OMB) issued a memo to the heads of executive departments and agencies that gave much more detail on how the U.S. government will move toward Zero Trust security principles.
Read on to learn about six of the key takeaways from this 29-page memo.
1. Legacy perimeter-based security is no longer an option
The executive summary begins with “In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data.” This immediately acknowledges that the old way of building a strong security perimeter and trusting anyone who gains access is no longer fit for purpose.
Instead, a Zero Trust approach should be adopted in which nothing and no one requesting access is trusted unless every user, device, application, and transaction is continuously verified.
2. Eliminate network-level access
One key aspect of moving to Zero Trust is the replacement of network-level access over a virtual private network (VPN) with Zero Trust Network Access (ZTNA). In simple terms, instead of giving users access to the entire network, ZTNA provides access only to the specific applications that a user needs. Moreover, ZTNA opens the capability to continuously monitor and validate the security health of the device and the user who is being granted access.
For example, you might restrict access to high-risk applications if the user’s device does not have the latest security patches applied, or if the user is making that access request from an odd location or at an unusual time of the day.
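A per-application ZTNA decision of the kind described above, as an added Python example that is not from the memo or from any Akamai product: each request is scored against device patch age, location and time of day, and high-risk applications deny on any failed signal while lower-risk ones fall back to a fresh MFA step-up. The policy thresholds, countries and working hours are assumed values.

```python
from dataclasses import dataclass
from datetime import date, time

# Hypothetical per-application policy; thresholds are constructed for the example.
@dataclass(frozen=True)
class AppPolicy:
    name: str
    high_risk: bool
    max_patch_age_days: int
    allowed_countries: frozenset
    work_hours: tuple  # (start, end) as datetime.time

# Signals the ZTNA broker has about this particular request.
@dataclass(frozen=True)
class AccessContext:
    user: str
    device_last_patched: date
    country: str
    request_time: time
    mfa_verified: bool  # fresh phishing-resistant MFA completed for this session

def evaluate(policy, ctx, today):
    """Return (decision, reasons) where decision is 'allow', 'step_up' or 'deny'.
    Every request is evaluated on its own; no network-wide trust is granted."""
    reasons = []
    patch_age = (today - ctx.device_last_patched).days
    if patch_age > policy.max_patch_age_days:
        reasons.append(f"device unpatched for {patch_age} days")
    if ctx.country not in policy.allowed_countries:
        reasons.append(f"unexpected location {ctx.country}")
    start, end = policy.work_hours
    if not (start <= ctx.request_time <= end):
        reasons.append(f"off-hours request at {ctx.request_time}")
    if not reasons:
        return "allow", reasons
    # High-risk apps block on any failed signal; others require fresh MFA.
    if policy.high_risk:
        return "deny", reasons
    return ("allow" if ctx.mfa_verified else "step_up"), reasons

if __name__ == "__main__":
    payroll = AppPolicy("payroll", True, 14, frozenset({"US"}), (time(7), time(19)))
    stale = AccessContext("alice", date(2022, 1, 1), "US", time(10), False)
    print(evaluate(payroll, stale, date(2022, 3, 1)))
```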
3. Isolate systems with microsegmentation or network-based segmentation
This highlights the need to adopt the age-old adage of preparing for the worst. In other words, despite the best security efforts, the attackers may gain access. Segmentation is the security principle of isolating the internal east–west traffic so that attackers who gain a foothold can’t easily move laterally to other networks and systems.
Network-based segmentation is a legacy approach that uses physical firewalls to limit what traffic and users can pass through. The big challenge with this approach is that it's a very complex environment to manage and maintain, and it's easy for a firewall to have misconfigured rules that allow access to users or traffic that should be blocked.
A more modern approach is to use microsegmentation that continuously monitors east–west traffic in real time and looks for anomalous traffic behaviors that might indicate there’s a potential malware or ransomware incident. You can learn more about microsegmentation here.
4. If you use MFA, it must be phish-proof
The memo covered a lot of ground regarding modernizing and improving user authentication, but the section on multi-factor authentication (MFA) was explicit. If an agency opts to use MFA instead of or alongside personal identity verification (PIV), then the MFA service should not use SMS or other telephony methods to deliver the second factor.
This is a direct response to the fact that those MFA methods, one-time codes delivered by SMS, voice call or similar channels, can now easily be bypassed using social engineering or man-in-the-middle techniques. Instead, agencies should use a phish-proof MFA service based on the FIDO2 standard, which ties the second factor to the legitimate site so that it cannot be captured and replayed by a phishing page. To find out more about why phish-proof MFA is needed, read this blog.
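Why a FIDO2 assertion resists phishing, as an added Python example that is not the memo's or Akamai's code: the relying party's checks on the client data that accompanies an assertion. The browser, not the user, fills in the origin, and the authenticator's signature covers that data, so an assertion produced on a look-alike site fails the origin check even if relayed in real time. RP_ID and RP_ORIGIN are assumed values, the sample inputs are constructed, and signature verification against the registered public key is not included.

```python
import base64
import hashlib
import json

# Assumed relying-party identity for the example; an agency would use its own.
RP_ID = "agency.example.gov"
RP_ORIGIN = "https://agency.example.gov"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def verify_assertion_context(client_data_json, authenticator_data, expected_challenge):
    """RP-side checks that give a FIDO2/WebAuthn assertion its phishing resistance.
    The signed message is authenticator_data || SHA-256(client_data_json), so the
    origin and challenge below are bound into the signature. Verifying that
    signature with the registered public key follows these checks (not shown)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not the RP origin"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

# Constructed sample inputs; no real authenticator is involved.
def make_client_data(origin, challenge):
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_authenticator_data(rp_id, flags=0x01, sign_count=0):
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))

if __name__ == "__main__":
    challenge = b"\x01" * 32
    print(verify_assertion_context(make_client_data(RP_ORIGIN, challenge),
                                   make_authenticator_data(RP_ID), challenge))
    # Same challenge, but the client data was produced on a look-alike origin.
    print(verify_assertion_context(make_client_data("https://agency-example.gov", challenge),
                                   make_authenticator_data(RP_ID), challenge))
```

In practice the browser already refuses to mint an assertion when the page origin does not match the requested RP ID; the RP-side check is the second layer that a compromised or non-standard client cannot bypass.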
5. Moving to passwordless authentication is good
The memo states that eliminating passwords is not mandatory but agencies are “encouraged” to consider doing so. And for good reason: the use of weak passwords that can be easily guessed, or the re-use of the same passwords for personal and business logins, means that it’s easy for attackers to purchase leaked passwords and use them in attacks. Removing a weak factor (after all, that’s what a password is) and replacing it with a FIDO2-based factor closes that loophole. To find out more about passwordless authentication, read this blog.
6. Encrypt DNS traffic
DNS underpins everything on the internet. But because DNS requests are sent in the clear, they could be captured or manipulated by attackers as a means of modifying users’ resource requests. For example, an attacker could intercept a DNS request and send a spoofed reply that connects the user to a harmful website that could phish user credentials or deliver malware or ransomware.
So, protecting this traffic by encrypting it makes good security sense. The memo is not specific about which encryption is used; there are currently two approaches: DNS over TLS (DoT) and DNS over HTTPS (DoH). Whichever route is taken, it will be important that agencies still retain visibility into their DNS traffic, as it is often used as a security control point.
When does it all have to be done?
There’s a whole lot more in this memo; this was just a snapshot of some of the items that stood out to me. In terms of implementation, OMB has laid out a pretty aggressive timeline.
For example, before March 27, 2022, agencies need to turn in a detailed 2022–2024 plan that shows how they will meet all the aspects of security addressed in the memo. Agencies must also select one Federal Information Security Management Act moderate-rated system that is not currently internet accessible and deliver that system securely over the internet before next January. All the security measures need to be in place and working by the end of September 2024.
Time will tell if these timelines are realistic and can be met, but there’s a huge amount of work needed to transform agencies to a full Zero Trust approach.
Akamai provides a suite of Zero Trust solutions encompassing microsegmentation, ZTNA, MFA, and secure internet access. To find out more about Akamai’s journey to Zero Trust, watch this on-demand webinar. For information about Akamai’s Zero Trust solutions, visit https://www.akamai.com/solutions/security/remote-work-security.