LINEARSTACK
March 23, 2023

Zero Trust Architecture Strategy - Memorandum

US Government memorandum on moving Federal agencies and departments towards zero trust cyber security principles

Federal agencies to implement zero trust by 2024

The US Office of Management and Budget (OMB) this week released a strategy memorandum directing Federal agencies to move closer to zero trust architecture. The memorandum follows up on US President Joe Biden’s Executive Order on cyber security (EO 14028) released in May 2021, which included an important section on implementing zero trust architecture.  

“The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”

Steps to move closer to zero trust

  • Enterprise accounts for Federal employees that allow them to access the information they need to do their jobs while remaining protected from advanced, targeted threats and attacks.
  • Tracking and monitoring of endpoint devices and considering their security posture prior to granting them access to sensitive information.
  • Isolating agency systems and encrypting network traffic flowing between different devices.
  • Testing enterprise applications both internally and externally and making them securely available to Federal employees online.
  • Collaborative development of data categories and security rules to detect and block unauthorized access to sensitive information .

The memorandum highlights the need for stronger identity and access controls and directs agencies to "consolidate identity systems so that protections and monitoring can be consistently applied". It also calls on Federal agencies to welcome external partners and independent perspectives to evaluate the security of agency applications, and to develop initiatives and guidance on classifying data based on sensitivity, criticality and protection requirements.  

Federal agencies are required to meet the goals laid out in the memorandum by the end of FY 2024. The goals are based on the Cybersecurity and Infrastructure Security Agency's (CISA's) five zero trust pillars - Identity, Devices, Networks, Application & Workloads, and Data.

Action areas under each zero trust pillar

Identity  
  • Enterprise-wide identity systems
  • Multi-factor authentication
  • User Authorization  
Devices
  • Inventorying assets
  • Government-wide endpoint detection and response
Networks  
  • Network visibility and attack surface
  • Encrypting DNS traffic
  • Encrypting HTTP traffic
  • Encrypting email traffic
  • Enterprise-wide architecture and isolation strategy
Applications and Workloads  
  • Application security testing
  • Easily available third-party testing
  • Welcoming application vulnerability reports
  • Safely making applications internet-accessible
  • Discovering internet-accessible applications
  • Immutable workloads  
Data
  • Federal data security strategy
  • Automating security responses
  • Auditing access to sensitive data in the cloud
  • Timely access to logs

Federal agencies have 60 days to build upon their existing zero trust implementation plans by incorporating the additional requirements included in the memorandum.

Global significance

While the memorandum is addressed to US Federal agencies and departments, it is significant in the global cyber security context and will encourage and increase the pace of zero trust adoption by both government and private entities worldwide.  

With cyberattacks on the rise in New Zealand, Australia, and the wider JAPAC region, businesses in the region will benefit immensely by adopting a zero trust approach to security. The model is especially effective at detecting and blocking threats that bypass traditional security controls and make it past the network perimeter.

How LinearStack can help

With its team of skilled security engineers and analysts, and best-in-class endpoint and network protection technology, LinearStack is uniquely qualified to help organisations implement zero trust security principles across their environments. We are headquartered in Auckland, New Zealand, and manage the security infrastructure and operations of some of the largest organisations in the APAC region. Our team can assess your existing security architecture, identify the gaps and vulnerabilities in your environment, and design your security infrastructure based on zero trust security principles.  

Call us at 0800 008 795 or email us at info@linearstack.co.nz to book a free two-hour consult with one of our experts.

To know more about zero trust principles and the steps needed to implement the model, read this blog post.

Blogs

Start Reading

Our latest blogs and news are here for you

Hackers Increasing Salami Slicing Attacks

Salami attack techniques align with many hackers' threat models.
Read More

Importance of Threat Modeling in CyberOps

A collaboration of previous siloed components = a better utilisation of resources, expedited results & reduced overall risk.
Read More

Enabling Imperva WAF Firewall for Data Protection

Protecting data requires more than one security adaptive control, WAF is an essential component of defense-in-depth.
Read More
Are you experiencing a security issue? Call us now.