Executing the White House’s Federal Zero Trust Strategy
In mid-2021, President Biden issued an Executive Order (EO) focused on improving cybersecurity within the Federal Government. The EO instructs Federal agencies to migrate to a zero trust architecture (ZTA), which assumes that threats exist everywhere, both within and outside the entity’s traditional perimeters.
As described in the Department of Defense Zero Trust Reference Architecture, “The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access.”
Access Control is Essential in a Zero Trust Architecture
Recently, the Office of Management and Budget (OMB) released a strategy guiding the US Government towards a ZTA. With access control being an essential component of an effective ZTA, the OMB’s memorandum emphasizes the need for complete device visibility, something that entities – both federal and private – struggle to achieve.
The memorandum specifically states that “tightening access controls will require agencies to leverage data from different sources to make intelligent decisions, such as analyzing device and user information to assess the security posture of all activity on agency systems”.
Improving the federal zero trust strategy with Sepio’s HAC-1
Below is a table mapping the requirements of the strategy to the ways in which Sepio’s Hardware Access Control (HAC-1) solution can assist Federal agencies in achieving a comprehensive ZTA through complete device visibility and focused analysis of device behavior.
Office of Management and Budget’s Federal Zero Trust Strategy

Strategy: Agencies maintain a complete inventory of every device authorized and operated for official business…
HAC-1: HAC-1 provides agencies with ultimate device visibility through Physical Layer fingerprinting. HAC-1 sees all assets operating within the enterprise’s infrastructure, whether they are managed, unmanaged or hidden. More importantly, HAC-1 reveals the device’s true identity through Physical Layer fingerprinting technology and a unique Machine Learning algorithm. This deep visibility allows HAC-1 to calculate a digital fingerprint for every device, ensuring a complete and accurate asset inventory.

Strategy: …and can prevent, detect, and respond to incidents on those devices.
HAC-1: HAC-1 compares a device’s digital fingerprint with its extensive built-in threat intelligence database of known-to-be-vulnerable devices to instantly detect when a vulnerable or malicious device is present. In the case of vulnerable devices, HAC-1 notifies the system administrator to allow for further action; when a malicious device appears in the infrastructure, HAC-1 automatically initiates a rogue device mitigation process that blocks the unapproved hardware. Further, HAC-1 integrates with existing security solutions to provide a speedy response and an accelerated mitigation process.

Strategy: The devices that Federal staff use to do their jobs are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to internal resources.
HAC-1: Every device is continuously verified to ensure it is trustworthy. Through Physical Layer fingerprinting, HAC-1 can accurately determine a device’s risk posture to ensure access is granted only to the devices which are permitted.

Strategy: Agencies must ensure their Endpoint Detection and Response (EDR) tools meet CISA’s technical requirements and are deployed widely.
HAC-1: HAC-1 supports agentless deployment for its host and network device identification and risk scoring, requiring no traffic monitoring, which allows for widespread implementation within just 24 hours.

Strategy: Some specialized systems, such as mainframes and connected devices, may not have compatible EDR tools available. These systems are still at risk of compromise or misuse and may require defenses from other zero trust mechanisms to mitigate risk.
HAC-1: HAC-1 gathers Physical Layer information on all hardware assets and integrates with existing security solutions to easily automate policy enforcement and mitigation processes for devices without compatible EDR tools.

Strategy: Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.
HAC-1: Federal agencies can enhance the protection of sensitive information by enforcing access controls based on a device’s attributes. HAC-1’s policy enforcement mechanism allows the system administrator to define a set of rules for the system to enforce based on device characteristics. Any device that breaches the pre-defined rules is automatically blocked from accessing the protected data.

Strategy: User authorization through ABAC and RBAC can be used to allow or deny access by enforcing checks based on the user’s identity, the attributes of the resource being accessed, and the environment at access-time. For example, information about the device the user is using provides the basis for a common environment-based check.
HAC-1: HAC-1 gathers the Physical Layer information of all devices to provide a more holistic overview of the user and ensure that access controls are properly enforced. Further, HAC-1’s rogue device mitigation capability prevents the exploitation of privileged user access through vulnerable or rogue devices.

Strategy: The risks of weak or compromised network inspection devices can be higher for networks that service a diverse and dynamic set of users, devices, and network destinations, such as those used by agency staff for day-to-day work.
HAC-1: HAC-1 detects and reports rogue, suspect, or insecure devices operating on the network interface that could easily be exploited.
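The table above makes three separate points that a practitioner would normally want to see combined in one policy decision: a device fingerprint is checked against an inventory and a threat-intelligence list (with "notify" for vulnerable hardware and "block" for malicious hardware), RBAC decides whether the role may perform the action, and an ABAC check on the resource classification uses the device's posture as the environment attribute. The following is an added illustration written for this article, not Sepio's code and not how HAC-1 is implemented. The fingerprints are opaque placeholder strings (nothing here performs Physical Layer fingerprinting), and the device inventory, threat lists, role table, and the rule that a sensitive resource needs a managed device with either EDR or a compensating control are all constructed assumptions. It goes slightly beyond the text by returning a mitigation hint alongside the allow/deny decision so a caller can act on the notify/block distinction.

```python
"""Added example: a minimal policy decision point combining RBAC, ABAC and a
device-posture (environment) check.  All data below is constructed sample
data for illustration; it is not output of any real product."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


# Constructed asset inventory keyed by an opaque device fingerprint.
# "compensating_control" stands in for the "other zero trust mechanisms"
# the strategy mentions for systems that cannot run EDR (e.g. mainframes).
DEVICE_INVENTORY = {
    "fp-laptop-0001":  {"managed": True,  "edr": True,  "compensating_control": False},
    "fp-laptop-0002":  {"managed": True,  "edr": True,  "compensating_control": False},
    "fp-mainframe-01": {"managed": True,  "edr": False, "compensating_control": True},
    "fp-usb-hub-77":   {"managed": False, "edr": False, "compensating_control": False},
}

# Constructed stand-ins for a threat-intelligence feed of device fingerprints.
KNOWN_VULNERABLE = {"fp-laptop-0002"}
KNOWN_MALICIOUS = {"fp-usb-hub-77"}

# RBAC part of the policy: role -> permitted actions (constructed).
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "data-steward": {"read", "write"},
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    action: str
    resource_classification: str   # "public" or "sensitive"
    device_fingerprint: str


@dataclass
class Result:
    decision: Decision
    denials: list = field(default_factory=list)
    # "block_device" (malicious hardware), "notify_admin" (vulnerable
    # hardware) or None; mirrors the notify/block distinction in the text.
    mitigation: Optional[str] = None


def evaluate(req: Request) -> Result:
    """Allow only if the device-posture, RBAC and ABAC rules all pass."""
    denials = []
    mitigation = None

    # Environment check 1: an unknown fingerprint is never trusted.
    attrs = DEVICE_INVENTORY.get(req.device_fingerprint)
    if attrs is None:
        return Result(Decision.DENY, ["device fingerprint not in inventory"], None)

    # Environment check 2: known-malicious hardware is denied outright and
    # the caller is told to block the device, whatever the user or resource.
    if req.device_fingerprint in KNOWN_MALICIOUS:
        return Result(Decision.DENY, ["device on known-malicious list"], "block_device")

    # Environment check 3: known-vulnerable hardware raises a notification;
    # whether access is still allowed depends on the resource (below).
    vulnerable = req.device_fingerprint in KNOWN_VULNERABLE
    if vulnerable:
        mitigation = "notify_admin"

    # RBAC check: may this role perform the requested action at all?
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        denials.append(f"role {req.role} may not {req.action}")

    # ABAC check: sensitive resources require a managed device that has EDR
    # or a compensating control, and no known vulnerability (assumed rules).
    if req.resource_classification == "sensitive":
        if not attrs["managed"]:
            denials.append("sensitive resource requires a managed device")
        if not (attrs["edr"] or attrs["compensating_control"]):
            denials.append("sensitive resource requires EDR or a compensating control")
        if vulnerable:
            denials.append("sensitive resource not reachable from a known-vulnerable device")

    decision = Decision.ALLOW if not denials else Decision.DENY
    return Result(decision, denials, mitigation)


if __name__ == "__main__":
    samples = [
        Request("alice", "analyst", "read", "public", "fp-laptop-0001"),
        Request("alice", "analyst", "write", "sensitive", "fp-laptop-0001"),
        Request("bob", "data-steward", "write", "sensitive", "fp-mainframe-01"),
        Request("bob", "data-steward", "read", "sensitive", "fp-laptop-0002"),
        Request("bob", "data-steward", "read", "public", "fp-usb-hub-77"),
        Request("carol", "analyst", "read", "public", "fp-unknown-99"),
    ]
    for r in samples:
        res = evaluate(r)
        print(f"{r.user:6} {r.action:5} {r.resource_classification:9} "
              f"{r.device_fingerprint:16} -> {res.decision.value:5} "
              f"mitigation={res.mitigation} {res.denials}")
```

The point of keeping the device checks ahead of the RBAC and ABAC checks is that a malicious or unknown device is denied before any user or resource attribute is consulted, which is the "verify the device first" behaviour the strategy asks for; the vulnerable-device case deliberately does not short-circuit, so a low-risk request can still succeed while the administrator is notified.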