Okta’s Identity Cloud is Giving Federal Agencies the Building Blocks of a Zero Trust Journey
It’s been a long, long road…
Journeys are interesting things. You sometimes fail to realize you’re on a journey until the journey is over and you look back and say “Wow, I’ve come a long way”. Sometimes you know you’re on a journey but it’s hard to see where it might take you.
The journey to a higher level of security (sometimes referred to as “Zero Trust”) has been a long one mostly because it seems like we have been talking about it for so long, but we’re finally starting to see light at the end of the dark, dark security tunnel. The path forward is being illuminated through concentrated efforts across the industry, providing clarity and focusing on HOW to achieve the outcomes desired not just WHY we need to evolve our approach to security practices.
Reviewing the M-22-09 framework
This month, the White House’s Office of Management and Budget (OMB) released M-22-09, which builds on the framework outlined in M-19-17 (released in May of 2019). These documents provide the clearest guidance yet for government agencies on their journey towards improved security. This OMB memo builds on the great work of those who came before it: the CISA Zero Trust Maturity Model, the DOD Zero Trust Reference Architecture, the NSA “mindset shift” document and NIST’s SP 800-207 guidance. It’s worth noting that while many of these documents focused on the what, the more recent guidelines focus on clarifying the how.
So, how do government agencies bring a Zero Trust philosophy, a “lifestyle change” if you will, into their own agencies and make it a successful endeavor? A real beacon here is the work of the National Cybersecurity Center of Excellence (NCCoE) that grew out of NIST SP 800-207. Their Zero Trust Building Block is a prime example of how mature our understanding has become, and of the guidance that now exists to help agencies (and non-federal organizations) reach a successful “nominal, secure state”. I almost said “outcome” here, but it’s important to understand that this journey is never-ending and must become part of your organization’s security DNA.
Many people have put great effort into this over the last 5 years and this memo reflects that maturity. We are finally at the doorstep of a better way to protect our people and data. A better way toward a true “anyone, from anywhere, to anything” world. As someone who has focused on better security outcomes for most of my career, I know good guidance when I see it. This latest memo provides clarity in many critical areas.
The five pillars of CISA
First, the strategic goals set forth in this memorandum align with CISA’s five pillars:
- Identity
- Devices
- Networks
- Applications and Workloads
- Data
The memo also aligns closely with the guidance from other agencies (e.g., NIST, NSA), creating clarity and removing confusion around what areas should be focused on. This is the benefit of time, the advancement of technology and the evolution of understanding. As more agencies achieve success by following guidance like this in their own Zero Trust journeys, we will continue to learn and obtain data points for success. With each of these successes, we’ll be able to share even more, and eventually, these practices will become “muscle memory”.
Defining strong auth
Second, it provides clarity by defining what strong authentication means and which capabilities can be used to counter advanced and persistent credential-based threats. The focus on “phishing-resistant” authentication factors is key here: a factor the user can be tricked into handing over to a look-alike site (a password, an SMS or app-generated one-time code, a push approval) does not qualify, while one that is cryptographically bound to the site it was registered with does. The guidance keeps the legacy of smartcards (PIV/CAC) in play, but it opens the door wider to more modern authentication frameworks like WebAuthn.
This gives agencies the ability to leverage what they already have, where they can. More importantly, it gives them permission to seek out better, more modern (i.e., future-proof) authentication. Agencies with citizen-facing (i.e., bring-your-own-authenticator) use cases can’t crack the “better security + better user experience” nut with PIV/CAC alone; WebAuthn-class authenticators that the public can bring themselves are what make that reachable. The memo also marks the shift from a network-centric approach to an identity-centric one, moving MFA enforcement from the network perimeter to the application layer.
A collaboration of IT and security
Third and last, the memo emphasizes that this adoption can’t happen in a silo, encouraging a new collaboration between IT and security leadership to deploy and sustain Zero Trust capabilities. It highlights how critical it is that agency leadership, and the entire “C-suite”, have a shared commitment to overhauling an agency’s legacy security architecture and operations. This journey of adoption requires a team effort, with all the players aligned to ensure smooth and successful execution.
Transitioning to a Zero Trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the Federal Government. The strategy set forth in this memorandum is designed to reduce uncertainty and outline a common path.
Like every piece of documented guidance, this one does not live in a vacuum and is certainly not the end of the road in terms of work to be done. We are in the early phase of this journey. And, as a good friend of mine used to say, we’re in the 3rd inning of this ballgame. Plenty of game left.
Interested in how Okta can help federal agencies with the following?
- Improved identity systems and access control
- Strong, adaptive MFA throughout the enterprise
- Making applications Internet-accessible in a safe manner
- Automated workflows for user lifecycle management