Microsoft’s Federal Security CTO on the Impact of OMB’s Zero Trust Strategy

Last January, the Office of Management and Budget (OMB) released M-22-09, a memorandum setting out the federal government’s strategy for zero trust adoption, in an effort to strengthen the security of government agencies’ critical systems, networks, and IT infrastructures.

“A transition to a ‘zero trust’ approach to security provides a defensible architecture for this new environment,” read the memo. “Transitioning to a zero trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the Federal Government….Agencies that are further along in their zero trust process should partner with those still beginning by exchanging information, playbooks, and even staff.”

In a recent interview at CyberScoop’s Zero Trust Summit 2022, Microsoft’s Federal Security CTO, Steve Faehl, discussed the impact OMB’s directives are having not only on government agencies but also on how Microsoft supports its government customers with their zero trust implementation.

Here are three key takeaways from his interview:

Authentication is a zero trust on-ramp
When asked how OMB’s strategy on enterprise-wide identity and access management tool adoption is affecting Microsoft’s cybersecurity work, Faehl explained that the pushes for centralized authentication and stronger authentication options have given agencies better visibility into their zero trust posture.

According to Faehl, the authentication requirements have given agencies a better and easier “on-ramp” to zero trust, starting with identity. If authentication is centralized, it becomes much easier to begin enforcing zero trust controls within government agency networks.

"The zero trust journey requires much more than just identity," said Faehl. "But it’s a great, easy first starting point due to central authentication. What we’re also seeing is that as agencies have centralized authentication, they’re also able to onboard new capabilities faster."

He went on to say that because of the new capabilities authentication enables, resource access requests that previously took days to get approved now take only a few minutes. "It's about that centralized visibility," said Faehl. "But also about being able to move at the speed of mission."

Identify, Isolate, Segment
When asked how well equipped today’s federal agencies are to identify and isolate compromised segments of their IT environments, compared with a couple of years ago, Faehl explained that agencies are learning, “You can’t wait until post-compromise to try and segment your environment.”

According to Faehl, proactive segmentation of compromised environments is a great way to keep adversaries at bay and to give agencies more time to respond, as only portions of infrastructure are affected at a time.

"That was one of the takeaways from the SolarWinds attack as well," said Faehl. "On-premises resources can be used to compromise cloud. And the cloud is generally a great source of recovery during cyber response. But if you don’t have the right segmentation for administrative roles between on-prem and cloud, that path can be compromised as well and prevent – what would otherwise be – a manageable recovery."

Faehl also believes that agencies have made a lot of progress on isolating particular assets, especially when automated endpoint detection and response (EDR) or other response tools are employed within their networks. "Where we see the most success is not where humans are making the decision to segment, but where that segmentation is automatically done based on risk."

Future of Microsoft’s government investment
As for how OMB zero trust policies are affecting Microsoft’s investment strategy for supporting the government, Faehl explained that the company is working with the federal government to ensure that the strategies it provides to agencies are aligned with the direction of OMB.

“As we invest in our zero trust strategies, we’re ensuring that we have good coverage and achievable results across all of the pillars of zero trust so that we’re not just focused in one area, but we can quickly align to whatever it is that an agency needs to provide them a path to success.”

Faehl explained that implementing the framework is an iterative journey and that Microsoft wants not only to provide stellar threat intelligence but also to help agencies understand which areas are worth investing in first so that they get predictable outcomes.

“In this stage of the game, we’re really in a ‘prove it out phase’ with zero trust,” said Faehl. “As we’re going forward, showing evidence and showing the results of strategy will help agencies make more informed decisions. So that’s somewhere that Microsoft is investing heavily.”
