2020’s Nobelium attack sent shock waves through both government and private sectors. 2021 has already seen large-scale nation-state attacks such as Hafnium1 alongside major ransomware attacks2 on critical infrastructure. The breadth and boldness of these attacks show that, far from being deterred, bad actors are becoming more brazen and sophisticated. To help protect US national security, the White House on May 12, 2021, issued Presidential Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity3. This EO mandates “significant investments” to help protect against malicious cyber threats:
“The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid…security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).”
Executive Order 14028 also states the “private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”
Section 3 of the EO required federal agencies to develop a plan to adopt a Zero Trust Architecture. This blog post will discuss how Microsoft is continuing to help with the implementation of Zero Trust to fulfill these directives.
How is Microsoft helping to implement EO 14028?
The National Institute of Standards and Technology (NIST) is one of the agencies chartered with creating the cybersecurity standards and requirements outlined in Executive Order 14028. Microsoft is working with NIST’s National Cybersecurity Center of Excellence (NCCoE) on the Implementing a Zero Trust Architecture Project to develop practical, interoperable approaches to designing and building Zero Trust architectures that align with the tenets and principles documented in NIST SP 800-207, Zero Trust Architecture. The NCCoE public-private partnership applies standards and best practices to develop modular, easily adaptable examples of cybersecurity solutions by using commercially available technology.
Much of the technology required to execute the roadmap is already in place at many agencies—
- Scenario 1: Cloud-ready authentication apps: Many agencies are already on their way toward secure baselines for software as a service (SaaS) using best-practice approaches around ID configuration for Office 365, implementing strong multifactor authentication, and enforcing requirements with Conditional Access policies. This work can be easily extended to other SaaS applications and custom claims-based applications.
- Scenario 2: Web apps with legacy authentication: For applications that can’t be easily rewritten for modern authentication, agencies can use the Azure Active Directory (Azure AD) Application Proxy. This architecture builds on the Azure AD foundation to extend Zero Trust to legacy systems. Application Proxy also provides outbound-only connectivity and much more restrictive access than a VPN solution.
- Scenario 3: Remote server administration: Simplify secure remote administration by layering with a strongly authenticated administrator account and privileged-access workstation. This reduces the attack surface area, preventing unsanctioned server-to-server management by requiring multifactor authentication and allow-listed admin devices for server administration via Azure AD Conditional Access. The result is a high level of assurance for multi-cloud and hybrid server administration.
- Scenario 4: Segment cloud administration: This design pattern allows agencies to administer Microsoft and non-Microsoft workloads from isolated, dedicated, and segmented administrator accounts. Once this pattern is implemented, auditing controls should also be introduced to ensure that privilege segmentation remains in effect.
- Scenario 5: Network micro-segmentation: Agencies must establish multiple levels of segmentation to achieve both secure control and data planes. Azure native capabilities allow agencies to apply a consistent micro-segmentation strategy to protect against threats, implement defense in-depth, and achieve policy-enforced continuous monitoring at a granular level.
What is Zero Trust’s role in EO 10428?
Vasu Jakkal, Microsoft’s Corporate Vice President of Security, Compliance, and Identity, recently outlined The critical role of Zero Trust in securing our world. In her blog post, she mentions Section 3 of EO 14028 calling for “decisive steps” for the federal government “to modernize its approach to cybersecurity” by accelerating the move to secure cloud services and Zero Trust implementation—
Section 3(b)(ii) of EO 14028 outlines that agencies should “develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them.”
Microsoft applauds this recognition of the Zero Trust strategy as a cybersecurity best practice, as well as the White House encouragement of the private sector to take “ambitious measures” in the same direction as the EO guidelines.
What can we expect from NCCoE?
“The telework tidal wave and increasing cybersecurity breaches and ransomware attacks have made implementing a Zero Trust architecture a federal mandate and a business imperative. We look forward to working with our project collaborators, such as Microsoft, to deliver timely, informed technical ‘how-to’ guidance and example implementations of Zero Trust architectures to assist federal agencies and other industry sectors with their Zero Trust journeys.”—
Kevin Stine, Chief of the Applied Cybersecurity Division in the National Institute of Standards and Technology’s Information Technology Laboratory (ITL)
The proposed example solutions will integrate commercial and open-source products to showcase the robust security features of Zero Trust architecture when applied to common enterprise IT use cases.* The goal of this NCCoE project is to build several examples of a Zero Trust architecture—
The example solutions will be shared publicly in a NIST Special Publication (SP) 1800 series document. Each SP 1800 series publication generally serves as a “how-to” guide to implement and apply standards-based cybersecurity technologies in the real world. The guides are designed to help organizations gain efficiencies in implementing cybersecurity technologies while saving them research and proof-of-concept costs.
This SP 1800 series of publications will provide:
- Detailed example solutions and capabilities.
- Demonstrated how-to approaches using multiple products to achieve the same end result.
- Modular guidance on the implementation of capabilities to organizations of all sizes
- All necessary components, along with installation, configuration, and integration information, so organizations can easily replicate solutions.
As part of our continuing support for federal agencies, Microsoft’s Chief Technology Officer, Jason Payne, has outlined recommended next steps for federal agencies. We also provide a downloadable PDF of key Zero Trust Scenario Architectures mapped to NIST standards, as well as a downloadable PDF Zero Trust Rapid Modernization Plan. These resources provide concrete steps to help agencies meet aggressive EO timelines, as well as improve their baseline cybersecurity posture. For a quick overview of the NCCoE Zero Trust architecture project, organizations can download the Implementing a Zero Trust Architecture Project Factsheet.