2020's Nobelium attack sent shock waves through both government and private sectors. 2021 has already seen large-scale nation-state assaults such as Hafnium [1] alongside major ransomware attacks [2] on critical infrastructure. The breadth and boldness of these attacks demonstrate that, far from being deterred, bad actors are becoming more brazen and sophisticated. To help protect US national security, the White House on May 12, 2021, issued Presidential Executive Order (EO) 14028 on Improving the Nation's Cybersecurity [3]. This EO mandates “significant investments” to help protect against malicious cyber threats:
“The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid… security must include systems that process data (use of information technologies (IT)) and those that run the vital machinery that guaranteed our safety (operational technology (OT)).”
Executive Order 14028 also states the “private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and be associated with the Federal Government to foster a more secure cyberspace.”
Section 3 of the EO required federal agencies to develop a plan to adopt a Zero Trust Architecture. This blog post will discuss how Microsoft is continuing to help with the implementation of Zero Trust to fulfill these directives.
The National Institute of Standards and Technology (NIST) is one of the agencies chartered with creating the cybersecurity standards and requirements outlined in Executive Order 14028. Microsoft is working with NIST's National Cybersecurity Center of Excellence (NCCoE) on the Implementing a Zero Trust Architecture Project to develop practical, interoperable approaches to designing and building Zero Trust architectures that are consistent with the tenets and principles documented in NIST SP 800-207, Zero Trust Architecture. The NCCoE public-private partnership uses standards and best practices to develop modular, easily adaptable examples of cybersecurity solutions built on commercially available technology.
Much of the technology required to execute the roadmap is already in place at many agencies: they simply need to activate and fine-tune existing capabilities. To this end, Microsoft has identified five of the most impactful scenarios agencies should build toward under EO 14028. These reference architectures are mapped against key NIST requirements concerning Zero Trust while including other EO priorities, such as endpoint detection and response (EDR), multifactor authentication, and continuous monitoring.
Scenario 1: Cloud-ready authentication apps: Many agencies are already on their way toward secure baselines for software as a service (SaaS), using best-practice approaches around ID configuration for Office 365, implementing strong multifactor authentication, and enforcing requirements with Conditional Access policies. This work can be easily extended to other SaaS applications and traditional claims-based applications.
Scenario 2: Web apps with legacy authentication: For applications that can't be easily rewritten for modern authentication, agencies can use the Azure Active Directory (Azure AD) Application Proxy. This architecture builds on the Azure AD foundation to extend Zero Trust to legacy systems. Application Proxy also provides outbound-only connectivity and much more restrictive access than a VPN solution.
Scenario 3: Remote server administration: Simplify secure remote administration by layering it with a strongly authenticated administrator account and a privileged-access workstation. This reduces the attack surface area, preventing unsanctioned server-to-server management by requiring multifactor authentication and allow-listed admin devices for server administration via Azure AD Conditional Access. The result is a high level of assurance for multi-cloud and hybrid server administration.
Scenario 4: Segment cloud administration: This design pattern allows agencies to administer Microsoft and non-Microsoft workloads from isolated, dedicated, and segmented administrator accounts. Once this pattern is implemented, auditing controls should also be introduced to ensure that privilege segmentation remains in effect.
Scenario 5: Network micro-segmentation: Organizations must establish multiple levels of segmentation to achieve both secure control and data planes. Azure native capabilities allow agencies to apply a consistent micro-segmentation strategy to protect against threats, implement defense in depth, and achieve policy-enforced continuous monitoring at a granular level.
What is Zero Trust's role in EO 14028?
Vasu Jakkal, Microsoft's Corporate Vice President of Security, Compliance, and Identity, recently outlined the critical role of Zero Trust in securing our world. In her blog post, she mentions Section 3 of EO 14028 calling for “decisive steps” for the federal government “to modernize its approach to cybersecurity” by accelerating the move to secure cloud services and Zero Trust implementation, including a mandate of multifactor authentication and end-to-end encryption of data.
Section 3(b)(ii) of EO 14028 outlines that agencies should “develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them.”
Microsoft praises this recognition of the Zero Trust strategy as a cybersecurity best practice, as well as the White House encouragement of the private sector to take “ambitious measures” in the same direction as the EO guidelines.
What can we expect from NCCoE?
“The telework tidal wave and increasing cybersecurity violations and ransomware attacks have made implementing a Zero Trust architecture a federal mandate and a business imperative. We look forward to working with our project collaborators, such as Microsoft, to deliver timely, informed technical ‘how-to’ guidance and example implementations of Zero Trust architectures to assist federal agencies and other relevant sectors with their Zero Trust journeys.” - Kevin Stine, Chief of the Applied Cybersecurity Division in the National Institute of Standards and Technology's Information Technology Laboratory (ITL)
The proposed example solutions will integrate commercial and open-source products to showcase the robust security features of Zero Trust architecture when applied to common enterprise IT use cases. The goal of this NCCoE project is to build several examples of a Zero Trust architecture, applied to a conventional, general-purpose enterprise IT infrastructure, that are designed and deployed using commercially available technology and that are aligned with the concepts and tenets documented in NIST SP 800-207, Zero Trust Architecture.
The example solutions will be shared publicly in a NIST Special Publication (SP) 1800 series document. Each SP 1800 series publication generally serves as a “how-to” guide to implement and apply standards-based cybersecurity technologies in the real world. The guides are designed to help organizations gain efficiencies in implementing cybersecurity technologies while saving them research and proof-of-concept costs.
This SP 1800 series of publications will provide:
Detailed example solutions and capabilities.
Demonstrated how-to approaches employing multiple products to achieve the same end result.
Modular guidance on the implementation of capabilities for organizations of all sizes.
All required components, along with installation, configuration, and integration information, so organizations can easily replicate solutions.
As part of our continuing support for federal agencies, Microsoft's Chief Technology Officer, Jason Payne, has outlined recommended next steps for federal agencies. We also provide a downloadable PDF of key Zero Trust Scenario Architectures mapped to NIST standards, as well as a downloadable PDF Zero Trust Rapid Modernization Plan. These resources provide concrete steps to help agencies meet aggressive EO timelines, as well as improve their baseline cybersecurity posture. For a quick overview of the NCCoE Zero Trust architecture project, organizations can download the Implementing a Zero Trust Architecture Project Factsheet.
Other Microsoft resources include:
Downloadable Zero Trust Maturity Model: details how Microsoft defines Zero Trust and breaks down solutions across identities, endpoints, applications, networks, infrastructure, and data.
Zero Trust Assessment tool: helps assess your organization's progress in the Zero Trust journey and offers suggestions for next steps.
Zero Trust Guidance Center: gives step-by-step guidance for implementing Zero Trust principles, as well as technical guidance on deployment, integration, and development.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
[2] Turning Up The Heat: A Ransomware Attack on Critical Infrastructure Is a Nightmare Scenario, Richard Tracy, Forbes Technology Council, Forbes, 20 July 2021.
The post Microsoft and NIST collaborate on EO to drive Zero Trust adoption appeared first on Microsoft Security Blog.