On January 26th, the US Office of Management and Budget issued a memorandum (M-22-09) on the adoption of zero trust security practices across federal agencies. The memo can be viewed here. What are the main points, and how do they shine a light on the role of identity and access management?
Page 2 of the document immediately sets the scene with a “significant emphasis on stronger enterprise identity and access controls, including multi-factor authentication (MFA).” A seemingly good start if you are an IAM aficionado. The main threat behind this opening statement of intent is “phishing” – a word that appears 23 times throughout the document.
Section III of the memorandum (subtly titled “Actions”) sets the end of fiscal year 2024 as the deadline for completing the main aims. The first milestone is a 30-day target to designate at least a zero trust “lead” and an accountable executive. The strategic goals are broken down into five buckets: Identity, Devices, Networks, Applications and Data. Nothing too complicated there. Let us take a look specifically at the Identity aspects.
The Role of Identity
The memorandum’s vision for “identity” is described as: “Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks”.
Strong MFA takes centre stage and must be enforced at the application layer instead of the network layer. I guess this is about moving enforcement closer to the protected asset. Passwords get a mention too. Remember those? Password policies “must not require use of special characters or regular rotation”. I imagine the assumption here is basically to pick a good long password that can be remembered without being written down. The lack of a special-character requirement probably negates the use of password managers, vaults or generators, instead expecting the end user to generate and store their own password.
Resource access “must consider at least one device level signal alongside identity information about the authenticated user”. This is a little confusing, blurring authentication with authorization, but I’m assuming this really just refers to the use of out-of-band material.
The document is a bit critical of existing identity implementations, stating that the new approach requires a holistic view of users and an ability to verify identities at the point of resource access. Not exactly radical, but also very important. The underlying theme seems to be a move towards a foundation of “risk-based access”.
Metadata and the Policy Enforcement Point
Page 6 onward discusses the need for “metadata” at access-evaluation time, consumed via the PEP (policy enforcement point). The metadata in this case comes from “human resources, contract management, or personnel security, to gain time relevant information about the user.” I would also have expected to see data such as threat intelligence, breached credentials and previous transaction information listed too.
There is also an emphasis on centralisation of identity data, perhaps because that data has previously been siloed, held separately and unable to be synchronised.
The use of multi-factor authentication is treated as critical. MFA “should be integrated at the application layer, such as through an enterprise identity service as described above, rather than through network authentication (e.g., a virtual private network). Approaching an application from a particular network must not be considered any less risky than approaching it from the public internet. Accomplishing this goal in an enterprise means progressively de-emphasizing network-level authentication by its users, and eventually removing it entirely. In mature zero trust deployments, users strongly authenticate into applications, not into the underlying networks.”
The two phishing-resistant approaches listed are PIV (personal identity verification) and W3C WebAuthn; SMS one-time codes and push notifications are actively discouraged because they cannot prevent phishing. The difference is not the strength of the second factor but what it is bound to: a one-time code is a bare secret the user can be tricked into typing anywhere, whereas a WebAuthn assertion is a signature over the origin the browser actually visited and a challenge issued by the real relying party, so a relayed assertion fails verification.
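To make the phishing-resistance point concrete, here is an added example (not code from the memorandum, the post or any FIDO library) of the relying-party checks a WebAuthn server performs on an assertion, run once for a genuine login and once for an adversary-in-the-middle relay, with a relayed OTP shown for contrast. The authenticator’s private-key signature is simulated with HMAC so the block runs on the Python standard library alone; a real relying party verifies an ECDSA or RSA signature with the registered credential public key. The RP ID, origins and credential are assumed values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Added example (not from the memorandum or the post): why a WebAuthn assertion
# resists phishing while a relayed one-time code does not.
# The authenticator's private-key signature is SIMULATED with HMAC so this runs
# on the standard library alone; a real relying party verifies an ECDSA/RSA
# signature with the registered credential public key. The signed bytes follow
# the real layout: authenticatorData || SHA-256(clientDataJSON).

RP_ID = "agency.example.gov"                               # assumed relying-party identifier
RP_ORIGIN = "https://agency.example.gov"                   # assumed legitimate origin
PHISH_ORIGIN = "https://agency-example-gov.login.example"  # assumed lookalike domain

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class Authenticator:
    """Stand-in for a FIDO2 security key: signs exactly what a real one signs."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # simulated credential private key

    def get_assertion(self, browser_origin: str, challenge: str) -> dict:
        # The *browser* writes origin into clientDataJSON and derives the RP ID
        # from the domain it is really on; page script cannot override either.
        rp_id = browser_origin.split("://", 1)[1]
        client_data = json.dumps({
            "type": "webauthn.get",
            "challenge": challenge,
            "origin": browser_origin,
            "crossOrigin": False,
        }).encode()
        flags = b"\x05"  # UP (bit 0) and UV (bit 2) set
        auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + b"\x00\x00\x00\x01"
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {
            "clientDataJSON": client_data,
            "authenticatorData": auth_data,
            "signature": hmac.new(self.key, signed, hashlib.sha256).digest(),
        }

def verify_assertion(assertion: dict, issued_challenge: str, cred_key: bytes):
    """Relying-party checks in WebAuthn spec order. Returns (ok, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), issued_challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user presence not asserted"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def legitimate_login(key: Authenticator):
    challenge = b64url(secrets.token_bytes(32))
    return verify_assertion(key.get_assertion(RP_ORIGIN, challenge), challenge, key.key)

def phished_login(key: Authenticator):
    # Adversary-in-the-middle: the proxy fetches a genuine challenge from the RP,
    # the victim's browser answers it on the lookalike domain, and the proxy
    # forwards the assertion unchanged. The signed origin gives it away.
    challenge = b64url(secrets.token_bytes(32))
    return verify_assertion(key.get_assertion(PHISH_ORIGIN, challenge), challenge, key.key)

def relayed_otp_login(otp_issued_to_user: str, otp_typed_into_phish_page: str) -> bool:
    # Contrast: an SMS or app OTP is just a number. The RP cannot tell whether
    # the user typed it on the real site or on the proxy, so relaying succeeds.
    return hmac.compare_digest(otp_issued_to_user, otp_typed_into_phish_page)

if __name__ == "__main__":
    k = Authenticator()
    print("legitimate:", legitimate_login(k))
    print("phished   :", phished_login(k))
    print("relayed OTP accepted:", relayed_otp_login("482913", "482913"))
```

Note the order of the checks: origin and rpIdHash are validated before the signature is even looked at, so a relayed assertion is rejected regardless of the fact that the signature itself is genuine. The OTP function has no equivalent check available to it, because the code carries nothing that says where it was entered.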
PAM (privileged access management) gets a mention too, with MFA promoted there as well rather than relying solely on ephemeral credentials.
Passwordless is mentioned, but it reads more as a “stretch” goal, with the expectation that passwords will remain one factor within an MFA approach for now.
Thankfully RBAC gets only a short mention – and a critical one, in the sense that it relies on “static pre-defined roles that are assigned to users and determine their permissions within an organization. A zero trust architecture should incorporate more granularly and dynamically defined permissions, as attribute-based access control (ABAC) is designed to do.” So ABAC seems to be the direction of travel.
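The device-signal requirement, the HR metadata at the PEP and the RBAC-versus-ABAC point above all describe the same access-time decision, so one added example covers them (this is illustrative code, not anything the memorandum or the post supplies). It shows a policy decision point behind a PEP that combines the IdP’s identity assertion, a device-level posture signal and an HR status lookup, set beside a static role check. The attribute names, the HR records, the device records and the policy rules are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example (not from the memorandum or the post): a policy decision point
# behind a PEP that evaluates identity, at least one device-level signal, and
# HR metadata together, set beside a static RBAC check. The attribute names,
# records and policy rules are assumptions for illustration only.

NOW = datetime(2022, 2, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo

@dataclass(frozen=True)
class Subject:                  # from the enterprise IdP's assertion
    user_id: str
    roles: frozenset
    phishing_resistant_mfa: bool

@dataclass(frozen=True)
class Device:                   # from MDM/EDR: the device-level signal
    device_id: str
    enterprise_managed: bool
    posture_compliant: bool
    last_posture_check: datetime

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str            # "low" or "high"

# Constructed HR directory; in practice this is a live HRIS lookup at access time.
HR_STATUS = {"alice": "active", "bob": "terminated"}

def rbac_decision(subject: Subject, resource: Resource) -> bool:
    """Static RBAC: the role assignment is the only input."""
    if resource.sensitivity == "high":
        return "finance-analysts" in subject.roles
    return True

def abac_decision(subject: Subject, device: Device, resource: Resource, now: datetime = NOW):
    """ABAC evaluated at access time. Returns (allow, list_of_denial_reasons)."""
    reasons = []
    if HR_STATUS.get(subject.user_id) != "active":
        reasons.append("HR status is not active")           # time-relevant HR metadata
    if not device.enterprise_managed:
        reasons.append("device is not enterprise-managed")  # device-level signal
    if not device.posture_compliant:
        reasons.append("device posture non-compliant")
    if now - device.last_posture_check > timedelta(hours=24):
        reasons.append("device posture signal is stale")
    if resource.sensitivity == "high":
        if not subject.phishing_resistant_mfa:
            reasons.append("phishing-resistant MFA required")
        if "finance-analysts" not in subject.roles:
            reasons.append("role attribute not permitted")  # role is one attribute, not the decision
    return (not reasons), reasons

LEDGER = Resource("payroll-ledger", "high")

def scenario_terminated_user_with_stale_role():
    # Bob was terminated in HR, but nobody revoked his role in the application.
    bob = Subject("bob", frozenset({"finance-analysts"}), True)
    laptop = Device("L-0200", True, True, NOW - timedelta(hours=1))
    return rbac_decision(bob, LEDGER), abac_decision(bob, laptop, LEDGER)

def scenario_active_user_on_unmanaged_phone():
    alice = Subject("alice", frozenset({"finance-analysts"}), True)
    byod = Device("P-0009", False, False, NOW - timedelta(days=3))
    return rbac_decision(alice, LEDGER), abac_decision(alice, byod, LEDGER)

def scenario_active_user_on_healthy_laptop():
    alice = Subject("alice", frozenset({"finance-analysts"}), True)
    laptop = Device("L-0100", True, True, NOW - timedelta(minutes=10))
    return rbac_decision(alice, LEDGER), abac_decision(alice, laptop, LEDGER)

if __name__ == "__main__":
    for fn in (scenario_terminated_user_with_stale_role,
               scenario_active_user_on_unmanaged_phone,
               scenario_active_user_on_healthy_laptop):
        rbac, (abac, why) = fn()
        print(f"{fn.__name__}: RBAC={rbac} ABAC={abac} {why}")
```

The first two scenarios are the ones the memorandum is worried about: the static role says yes while the time-relevant HR record or the device posture says no. Returning the reasons alongside the decision is deliberate, since a PEP that only sees allow/deny cannot tell the user which signal to fix.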
In summary, there are not many hugely far-reaching goals as far as IAM is concerned. MFA, ABAC and contextual access are all table stakes for the modern enterprise. However, as with most governmental systems – in the US, EMEA and beyond – modern, scalable and agile deployments can be difficult to achieve. Legacy systems, isolated data and a lack of investment cause long-term issues. These foundations can go a long way to improving agility and security responsiveness.
About The Author
Simon Moffatt is Founder & Analyst at The Cyber Hut. He is a published author with over 20 years’ experience in the cyber security and identity and access management sectors. His most recent book, “Consumer Identity & Access Management: Design Fundamentals”, is available on Amazon. He is a CISSP, CCSP, CEH and CISA. His 2022 research diary focuses upon “Next Generation Authorization Technology” and “Identity for The Hybrid Cloud”.