惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Hacker News: Ask HN
Hacker News: Ask HN
N
News and Events Feed by Topic
Forbes - Security
Forbes - Security
The Last Watchdog
The Last Watchdog
TaoSecurity Blog
TaoSecurity Blog
Schneier on Security
Schneier on Security
SecWiki News
SecWiki News
V
Vulnerabilities – Threatpost
Project Zero
Project Zero
O
OpenAI News
W
WeLiveSecurity
Security Archives - TechRepublic
Security Archives - TechRepublic
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
H
Hacker News: Front Page
Cisco Talos Blog
Cisco Talos Blog
Spread Privacy
Spread Privacy
Help Net Security
Help Net Security
P
Privacy & Cybersecurity Law Blog
K
Kaspersky official blog
S
Security @ Cisco Blogs
Latest news
Latest news
AWS News Blog
AWS News Blog
U
Unit 42
Martin Fowler
Martin Fowler
阮一峰的网络日志
阮一峰的网络日志
S
Secure Thoughts
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Know Your Adversary
Know Your Adversary
Scott Helme
Scott Helme
博客园 - 司徒正美
B
Blog RSS Feed
C
Check Point Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
D
Docker
Google Online Security Blog
Google Online Security Blog
Jina AI
Jina AI
aimingoo的专栏
aimingoo的专栏
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Last Week in AI
Last Week in AI
月光博客
月光博客
C
CXSECURITY Database RSS Feed - CXSecurity.com
S
SegmentFault 最新的问题
NISL@THU
NISL@THU
T
The Blog of Author Tim Ferriss
C
Cisco Blogs
Attack and Defense Labs
Attack and Defense Labs
小众软件
小众软件

MeriTalk

Eliminating Silos in IT/OT Cybersecurity Is a Funding Challenge, Not a Technical One The FedRAMP High Supply Crisis Is a Federal Security Problem – Not a Procurement Footnote How More Tightly Focused Software Development Initiatives Will Unlock Innovation Across Government Transforming Federal Cybersecurity Through Private Sector Innovation Evolving Zero Trust and Embedded AI – Federal Government Cybersecurity Predictions for 2026 Unlocking AI’s Potential in High-Assurance Environments Accelerate Agentic AI in the Federal Government: Top Takeaways Why Congress Must Reauthorize the Technology Modernization Fund Make Cybersecurity a Key Ingredient of Modernization How Spectro Cloud’s PaletteAI Secure helps agencies scale AI securely, compliantly, and confidently Fix the Foundation: How Hybrid Cloud and Trusted Data Enable Government AI New Google Workspace Cost-Saving Offer Available for U.S. Federal Government Reinventing FedRAMP in the Age of AI Balancing Security and Efficiency: The Federal IT Dilemma in the AI Era Meeting Evolving State and Local Cyber Threats AI Is the Solution to Stop AI Data Theft Enhancing U.S. Government Operations with AI and Human-Centered Design How FinOps Can Help Agencies Slash Cloud Costs in 5 Steps Will Quantum Computing Weaken or Strengthen Cybersecurity of Federal Systems? Improving Citizen and Federal Employee Experience with Virtual AI Assistants Strategies for Securing the Federal Supply Chain Reframing the U.S. Government’s Approach to Cybersecurity Oversight Three Steps Agencies Can Take to Meet Government’s AI Requirements The Impact of NIST’s PQC Standardization on the Federal Cybersecurity Ecosystem Generative AI is Revolutionizing Federal Government Operations NIST’s new PQC Algorithms and What They Mean for Federal Agencies Addressing the U.S. Quantum Labor Shortage Before It’s Too Late How a Community Vigil Approach and Secure by Design are Critical to Software Cybersecurity Addressing the Talent Shortage: How Digital Government Improves Satisfaction, Retention Here’s What We Can Learn (and Do) About Cybercrime from FBI’s Latest Internet Crime Report Implementing AI Assurance Safeguards Before OMB’s December Deadline The Next AI Wave: Quantum AI CDM’s Evolution to Non-Traditional Technology: Why Now and How Will it Succeed? Customer Expectations Require Agencies to Raise the Bar on Customer Experience, Report Shows Applying for Government Benefits Shouldn’t Be Difficult When It Comes to Identity Verification Four Federal Software Supply Chain Security Trends to Watch FedRAMP Baseline Transition Points to OSCAL-Native Tools What Zero Trust Means for Modern Government: Best Practices for Key Tenets Four Ways to Handle the IT Funding Crunch Agencies Need to Get Creative to Fill the Cyber Workforce Gap Customer Identity trends report shows control trumps convenience Federal Agencies Making Strides Toward Sustainability and Climate Action Executive Order 14028 | Improving the Nation’s Cybersecurity Depends on Data | All Data is Security Data Applying Geospatial Intelligence, AI/ML to Climate Change Challenge My Cup of IT: Angry at Arthritis, Hunting for Cures How the Federal Government Can Help Combat a Fragmented Internet Accelerating Cybersecurity for US Critical Infrastructure Getting in on the Ground Floor of the ‘New Observability’ Comply-to-Connect is Key to Zero Trust for DoD How Will Upcoming Cryptocurrency Regulations Affect Industry? My Cup of IT: Cup Cake for Kushner? Launching a New Era of Government Cloud Security Managing IT Complexity in Federal Agencies Agencies Must Modernize Zero Trust Approaches to Achieve Optimal Protection Five Essential Metrics for Measuring Federal Government CX Unlocking the Benefits of 5G and Beyond The Federal Factory of the Future: How AI is Transforming Manufacturing The Quantum Impact on Cyber How Next-Gen Computers Will Transform What’s Possible for Federal Government Agencies Must Take an Authentic Approach to Synthetic Data Biometrics and Privacy: Finding the Perfect Middle Ground Two-Way Street: Why Officials and Constituents Are Equally Responsible for Securing the Midterms The “Programmable World” Will Bring the Best of the Virtual World Into the Physical One Cyberattacks are a Common Occurrence and the Costs are Higher Than Ever Increasing Equity Through Data and Customer Experience The AI Edge: Why Edge Computing and AI Strategies Must Be Complementary How Metaverses and Web3 can Reshape Government Four Emerging Technology Trends set to Impact Government Most 5G Enables AI at the Edge Plugging Cyber Holes in Federal Acquisition Resilient Critical Infrastructure Starts with Zero Trust The Evolution of Government Tech Procurement Under CMMC 2.0 Zero Trust Requires Continuous, Tested Security for Federal Agencies How Multi-INT Fusion Accelerates Mission Intelligence for Real-Time Decision Advantage Three Things to Consider for Responsible AI in Government Legislation, White House Orders Show Agencies Opportunity for Hybrid Cloud Creating an Effective Framework for DoD’s Software Factories Realizing Upsides for Digital Security in the Hybrid Workplace A Future With AI and ML: The Power of Workforce Education Five Tips to Begin MFA Integration and Embrace Zero Trust The Vital Intersection Between Equity and Digital Transformation Equity as a Platform: Applying a New Mindset to Scale Innovation Harnessing the Right Data for Evidence-Based Equity From EO to Action: Human Factors of Enabling a Cyber Safety Review Board For Equity in Government Services, It’s Time to Change the Paradigm Critical Questions to Ask When Considering Explainable AI (XAI) for Your Federal Agency The Telework Model for Government: COVID Lessons for Building an Effective Workforce DevSecOps: 4 Steps for Mitigating the Next Cyber Attack in Your Federal IT Environment Better Cyber Hygiene Helps, but Federal Security Needs SASE Lift DoD, Feds Plot Top Cyber, Cloud Priorities for 2022 Cloud-Native Government: How to Transform With Intention DoD and VA Health Networks Face Growing Threat From Medical-Device Vulnerabilities Protecting Our Nation Through Big Data Analytics Three Ways COVID-19 Altered Federal, State IT Budget Allocations Ransomware is More Than a Cybersecurity Issue From Me to We: Take the Mission Further With Multiparty Systems Anywhere, Everywhere: Integrating Your Virtual Workplace ‘I, Technologist’: Empowering Innovators in the Federal Workforce Mirrored World: Digital Twins Report for Duty Across Government Stack Strategically: Rearchitecting Government for What’s Next
New Federal Cybersecurity Requirements: How Agencies Should Implement a Zero Trust Architecture
Miguel Sian · 2021-11-01 · via MeriTalk

With this year’s release of a major strategy policy on cybersecurity, the White House is sending a clear message to agencies: We must move toward the implementation of a zero trust architecture (ZTA) government-wide – and swiftly.

The draft version of the Federal Zero Trust Strategy supports the Executive Order on Improving the Nation’s Cybersecurity by clarifying ZTA priorities, identifying needed outcomes and setting baseline policies/technical requirements for agencies.

As defined by the Zero Trust Reference Architecture published by the Department of Defense (DoD) earlier this year, agencies with an effective ZTA enforce rules and controls so “no actor, system, network or service operating outside or within the security perimeter is trusted. Instead, (agencies) must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks and data, from verify once at the perimeter to continual verification of each user, device, application and transaction.”

Fortunately, this transition is well underway: Four of five federal IT decision-makers and other government tech leaders and executives say they are including or defining zero trust within their cybersecurity strategy. But only 55 percent are “very” confident in their agency’s ability to deliver on a zero trust framework.

To hopefully boost this confidence, the White House strategy directs agencies to achieve five goals by the end of Fiscal Year 2024. All five are closely aligned to five pillars of the Zero Trust Maturity Model published by the Cybersecurity and Infrastructure Security Agency (CISA) in June. Here are the goals, along with our recommended best practices as to how to implement them:

1) The establishment of a single sign-on service (SSO) for users that is integrated into applications and common platforms, along with multi-factor authentication (MFA) at the application level with enterprise SSO whenever feasible.

Best practices for implementation: The government has widely adopted MFA, such as the DoD’s Common Access Card (CAC) and Personal Identity Verification (PIV), but not all systems can accommodate these controls,. It is essential to have a variety of authentication techniques that can be applied across the wide range of applications in government. This suggests that agencies must prioritize systems according to mission-criticality, sensitivity and likelihood of breach, and seek to prioritize MFA for systems deemed most critical and then work down from there.

In addition, agencies cannot overlook privileged access management (PAM) as part of this. While PAM isn’t addressed in depth in the strategy, 74 percent of IT decision-makers whose organizations have been breached indicate that the incident was linked to the accessing of a privileged account. Therefore, agencies need to establish effective, proven PAM controls.

2) The completion of an inventory of every device operated and authorized for government use, with the capability to detect and respond to incidents on these devices.

Best practices for implementation: Security teams should make sure that every device is covered, including Internet of Things (IoT), operational technology (OT) and cyber physical system (CPS) devices. A comprehensive ZTA plan will incorporate all of these into a monitoring, detection and protection program.

To increase effectiveness of threat hunting with government-wide endpoint detection and response, the data collected on endpoints need to be correlated, enriched, analyzed, and acted upon in a timely manner. Security orchestration, automation and analytics are essential to accomplish these goals.

3) The encryption of all DNS requests and HTTP traffic, and the segmentation of networks around their applications.

Best practices for implementation: Continued use of shared services such as CISA’s Protective DNS allows agencies to focus their efforts on other – and more challenging – aspects of zero trust strategy, particularly application segmentation. The strategy indicates that agencies must run every distinct application in its own separate network environment. “Multiple applications may rely on specific shared services for security or other purposes,” it states, “but should not rely on being co-located within a network with those services and should be prepared to create secure connections between them across untrusted networks.”

Using software-defined networks and security to create these micro-perimeters provides the speed, flexibility, and scalability needed to create these zero trust network segments. Segmentation can be enforced using various techniques applied at the network, application, user, or data layer. Therefore, is it essential to first understand the use cases and requirements prior to implementation.

4) The treatment of all applications as internet-connected while routinely subjecting these tools to rigorous testing and external vulnerability reports.

Best practices for implementation: This represents a major shift for the government – the acceptance and even embracement of a perimeter-less architecture in which all applications (including Federal Information Security Modernization Act-regulated ones) are connected to the internet. While the strategy states that agencies must “create minimum viable monitoring infrastructure and policy enforcement to safely allow internet access,” it doesn’t offer many specifics on how to accomplish this. Security teams will have to determine what level of monitoring and controls (firewalls, packet capture, network detection response, etc.) will effectively enforce the security standards required for these applications. Recent breaches stemming from SolarWinds and Microsoft Exchange highlight the need to improve software supply chain and application security capabilities, particularly with performing continuous analysis and continuous monitoring.

5) The deployment of protections that make use of thorough data categorization and access monitoring, and the implementation of enterprise-wide logging and information-sharing.

Best practices for implementation: This goal describes the automation of security monitoring and enforcement – or security orchestration, automation and response (SOAR) – as a “practical necessity.” But agencies will do themselves a disservice if they deploy SOAR solely to address the data goals. They must deploy SOAR throughout their entire IT environment as part of their ZTA program, and ensure that SOAR plays a lead role in achieving the five goals summarized here. In the process, agencies will benefit from a wealth of actionable intelligence to enrich their cybersecurity posture throughout the enterprise.

It is very encouraging to see the administration call for a comprehensive strategy. Security leaders and their teams are increasingly recognizing that zero trust brings a vigilant level of oversight and controls which modern times require. However, agencies should carefully consider what is needed in terms of resources and execution to sufficiently satisfy each goal – and even surpass what is “on paper” in the strategy to include SOAR, PAM and additional measures – to best protect themselves for now and the indefinite future.