Phishing-resistant government systems are no longer a “nice-to-have”; they are now a federal mandate. Government agency information technology (IT) leaders are compelled to meet Zero Trust Architecture (ZTA) mandates.
As the sections quoted below show, the Federal Government’s emphasis falls on:
Zero Trust Architecture, which supersedes the prior notion that the “internal” portions of a network can be trusted. Threats can come from anywhere.
Securing cloud implementations, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
Least-privilege access, in which each user (at the time, users were assumed to be human) has only the privileges they require.
Section 3, Modernizing Federal Government Cybersecurity
(a) To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.
(b) Within 60 days of the date of this order, the head of each agency shall…
(ii) develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them…
(c) As agencies continue to use cloud technology, they shall do so in a coordinated, deliberate way that allows the Federal Government to prevent, detect, assess, and remediate cyber incidents. To facilitate this approach, the migration to cloud technology shall adopt Zero Trust Architecture, as practicable. The CISA shall modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with Zero Trust Architecture….
(i) Within 90 days of the date of this order, the Director of OMB, in consultation with the Secretary of Homeland Security acting through the Director of CISA, and the Administrator of General Services acting through FedRAMP, shall develop a Federal cloud-security strategy and provide guidance to agencies accordingly. Such guidance shall seek to ensure that risks to the FCEB from using cloud-based services are broadly understood and effectively addressed, and that FCEB Agencies move closer to Zero Trust Architecture.
Section 10, Definitions
(k) the term “Zero Trust Architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever.
The Bredemarket sales pitch
Can Bredemarket help you describe your zero trust architecture solution? If so, set up a free meeting with me to discuss your needs.
“SPIFFE and SPIRE provide strongly attested, cryptographic identities to workloads across a wide variety of platforms”
That wide variety of platforms is distributed.
“SPIFFE and SPIRE provide a uniform identity control plane across modern and heterogeneous infrastructure. Since software and application architectures have grown substantially, they are spread across virtual machines in public clouds and private data centers.”
Distinguishing between the two, the SPIFFE Project “defines a framework and set of standards for identifying and securing communications between application services,” while the runtime environment SPIRE “is a toolchain of APIs for establishing trust between software systems across a wide variety of hosting platforms.”
Benefits
Forget all that. Let’s get to the benefits.
Enable defense in depth: Provide strongly attested identities to reduce the likelihood of breach through credential compromise
Reduce operational complexity: Consistent, automated management of identity reduces the burden of devops teams
Interoperability: Simplifies the technical aspects of full interoperability across multiple stacks
Compliance and auditability: Enables mutually authenticated TLS and multiple roots of trust to meet regulatory requirements
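As an added illustration of the defense-in-depth and least-privilege benefits above (this is not code from the SPIFFE or SPIRE projects), the Go block below makes the kind of access decision a workload would make at the far end of a mutually authenticated TLS connection: the peer’s X509-SVID must first chain to the trust bundle, must carry exactly one spiffe:// URI SAN (the SPIFFE ID, as the X509-SVID specification requires), and must then be on a per-service allow-list, so an attested identity still gets only the access it needs. NewDemoSVID, the allowedCallers policy and the example.org trust domain are constructed stand-ins for what SPIRE would actually issue and manage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// Hypothetical least-privilege policy for one service: the caller SPIFFE IDs allowed to connect.
var allowedCallers = map[string]bool{"spiffe://example.org/ns/prod/sa/checkout": true}

// Authorize is the server-side access decision: the peer's X509-SVID must chain to the trust
// bundle (attested identity), carry exactly one spiffe:// URI SAN, and be on the allow-list.
func Authorize(peer *x509.Certificate, bundle *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Verify(opts); err != nil {
		return "", err // not issued under this trust bundle: no identity at all
	}
	if len(peer.URIs) != 1 || peer.URIs[0].Scheme != "spiffe" || peer.URIs[0].Host == "" {
		return "", errors.New("X509-SVID must carry exactly one spiffe:// URI SAN")
	}
	id := peer.URIs[0].String()
	if !allowedCallers[id] {
		return id, errors.New("denied: " + id) // valid identity, but no privilege on this service
	}
	return id, nil
}

// NewDemoSVID is a toy issuer standing in for SPIRE (constructed sample, not SPIRE's own code):
// it mints a demo CA as the trust bundle and a leaf X509-SVID whose URI SAN is the SPIFFE ID.
func NewDemoSVID(id string) (*x509.Certificate, *x509.CertPool) {
	mint := func(t, parent *x509.Certificate, pub, priv interface{}) *x509.Certificate {
		der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, priv)
		c, _ := x509.ParseCertificate(der) // demo only: errors are ignored
		return c
	}
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	ca := mint(caTmpl, caTmpl, caPub, caKey) // self-signed root: this trust domain's bundle
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	u, _ := url.Parse(id)
	leaf := mint(&x509.Certificate{SerialNumber: big.NewInt(2), URIs: []*url.URL{u},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}, ca, leafPub, caKey)
	bundle := x509.NewCertPool()
	bundle.AddCert(ca)
	return leaf, bundle
}
```

Note the two distinct failure modes: a certificate from another trust bundle fails before any identity is read, while a correctly attested identity that is not on the allow-list is still refused.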
Use at Uber
But does anyone use it? Yes. Take Uber:
“We use SPIRE at Uber to provide identity to workloads running in multiple clouds (GCP, OCI, AWS, on-premise) for a variety of jobs, including stateless services, stateful storage, batch and streaming jobs, CI jobs, workflow executions, infrastructure services, and more. We have worked with the open source community since the early stages of the project in mid-2018 to address production readiness and scalability concerns.”
Now this is admittedly a whole new world for me, far afield from the usual 12345 and gummy arguments where I usually reside. But since bots will soon outnumber people (if they don’t already), we had all better learn it.
There is a difference between a writer and a content creator. It becomes obvious when you read WordPress’ recent post, “How to Slop Your Content in Five Steps.”
With one glaring exception: the Bredebot project, a highlighted experiment to see how far a well-prompted bot will go.
So my specific response to these steps is to consider the gap analysis in step 2. Bots are good at such analysis, but they have to be watched in case they don’t get their facts straight.
But I won’t give Claude the permission to write and post articles, or even any permissions on WordPress. This is a security issue, after all; how do YOU control site access for non-human identities?
In fact, I may not even use Claude for step 2, even if, last I checked, it’s the cool kid this week. I may use Gemini…or a thousand Bangladesh techies…or a million Pentiums…or Mika.
How you work with outside content creators
But what about you?
Before answering, take the five steps above and change the name “Claude” to Barney…or Bredemarket.
Would you give Barney or Bredemarket that power over your website?
Maybe…or maybe not.
How Bredemarket works with you
In the case of Bredemarket, I usually do NOT have direct access to my clients’ websites, sending them Word documents instead. And in the one instance where I did have website access, I left every one of my drafts in draft mode.
And when I perform a gap analysis, I present my client with choices and ask the client to choose the topic, or at least approve my suggested topic.
Because your website is not mine, or Mika’s…or Claude’s.
If you were involved in computing in the 1990s, you knew all about firewalls and their ability to block outside threats. The firewall protected a safe enclosed area.
The first line of defense against external threats to computer systems and networks is a firewall. Whether a computer is in a corporation, government agency, university, small business, or home, if it is connected by a network to other computers, its resources, plans, and data are at risk–and so is the reputation of its owners. A firewall can help reduce that risk to an acceptable level.
Firewall technology is a set of mechanisms that collectively enforce a security policy on communication traffic entering or leaving a guarded network domain. The security policy is the overall plan for protecting the domain. Embodied in hardware, software, or both, a firewall guards and isolates the domain…
And yes, we really believed this.
Now we don’t, because our remote servers have expanded into something we now call the “cloud,” our computing devices now include souped-up telephones, and everything is provided “as a service.” There is no longer an inside and an outside, and threats can come from anywhere.
On Monday I will share a post on Zero Trust Architecture, which repudiates the firewall model.
You know that the video I shared earlier begged to be expanded into a television show. And that for the proper setting, the show itself would market products in a way that is illegal today; yes, the show would be sponsored by Marlboro.
Google Gemini.
So without further ado…
“Product Marketer For Hire,” Sunday at 9pm: “The Stranger”
The introduction to the television show “Product Marketer For Hire.”
(Sharp-eyed Inland Empire residents will notice that this depiction is entirely fictional, since the real “Main Street,” officially known as Euclid Avenue, is much wider and less dusty than the street depicted here. Allow me artistic license.)
As the Ontario townsfolk were gathered on the street in late afternoon, a mysterious stranger rode into town. He was a most unusual man. For one, he was smiling, unlike the other strangers who had come before him. For another, his brown/tan/black official western wear issue (Montgomery Ward catalog, pages 333-334) was rudely interrupted by a blue patch with a “B” on it. There was something else odd about him, but no one spoke of it.
The mysterious stranger rode up to the saloon, dismounted his horse, and walked in.
Scene 2: The Saloon, Ontario
The mysterious stranger slowly walked to the bar and took a seat as the bartender eyed him warily.
(Hey, Inland Empire residents, I got that one right.)
As he sipped his drink, the stranger couldn’t help but notice the older man in a gray jacket staring at him. As everyone in the saloon quietly watched, the older man slowly walked toward the stranger.
“Sir,” said the older man.
“Yes?” asked the stranger.
The older man gestured toward the stranger’s belt. “Those aren’t guns you have in those holsters.”
The stranger paused. “No, they’re not.”
“In fact,” the older man scoffed, “they look like pencils.”
The stranger nodded. “Yes, they are.”
The older man’s face betrayed the slightest smirk. “Why” – he paused – “would a man carry PENCILS in his holster?”
As the older man and the others in the saloon broke out into grins, the stranger eyed them all with a serious expression. He paused before responding.
In a loud voice, the stranger replied: “Business.”
Everyone looked puzzled at that unexpected response.
After a long pause, the older man turned back to the stranger. “Sir,” he asked, “exactly what kind of BUSINESS are you in?”