In a previous post I looked at the Biden Administration Executive Order 14028 – Improving the Nation’s Cybersecurity, including its championing of Zero Trust Architecture (ZTA) and least-privilege access.
During the Biden Administration, the Office of Management and Budget issued a related memorandum, M-22-09 (PDF), that dictated a particular approach. Again, ZTA was emphasized.
And the OMB proposed an action plan:
This memorandum requires agencies to achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024. These goals are organized using the zero trust maturity model developed by CISA. CISA’s zero trust model describes five complementary areas of effort (pillars) (Identity, Devices, Networks, Applications and Workloads, and Data), with three themes that cut across these areas (Visibility and Analytics, Automation and Orchestration, and Governance).
Naturally I’m interested in the identity part.
Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms.
Agencies must use strong MFA throughout their enterprise.
MFA must be enforced at the application layer, instead of the network layer.
For agency staff, contractors, and partners, phishing-resistant MFA is required.
For public users, phishing-resistant MFA must be an option.
Password policies must not require use of special characters or regular rotation.
When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user.
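To make the identity requirements above concrete (and the device-signal point made later in this post about blocking access when malware is detected), here is an added example, not from the post or from OMB: a toy application-layer access check modelled on those rules. The MFA method names, device signal fields and password-policy keys are assumptions for illustration.

```python
"""Added example (not from the post or from OMB): a toy application-layer
access check modelled on the M-22-09 identity requirements quoted above.
The method names, signal fields and policy keys are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed classification: WebAuthn/FIDO2 and PIV/CAC authenticators are
# phishing-resistant; SMS codes, TOTP and push approvals are not.
PHISHING_RESISTANT = {"webauthn", "piv"}
WEAK_MFA = {"sms", "totp", "push"}


@dataclass
class Session:
    user: str
    population: str            # "staff" (incl. contractors/partners) or "public"
    mfa_method: Optional[str]  # None means only a single factor was presented
    device: dict = field(default_factory=dict)  # device-level signals (assumed)
    on_internal_network: bool = False  # kept only to show it is never consulted


def evaluate_access(s: Session):
    """Return (allowed, reasons). The check lives in the application, so
    network location is ignored: MFA is enforced at the application layer."""
    reasons = []
    if s.mfa_method is None:
        reasons.append("no MFA presented")
    elif s.mfa_method not in PHISHING_RESISTANT | WEAK_MFA:
        reasons.append(f"unrecognised MFA method '{s.mfa_method}'")
    elif s.population == "staff" and s.mfa_method not in PHISHING_RESISTANT:
        # Staff, contractors and partners must use phishing-resistant MFA;
        # public users may keep weaker MFA (phishing-resistant is offered, not forced).
        reasons.append(f"staff MFA '{s.mfa_method}' is not phishing-resistant")
    # Authorization must weigh at least one device-level signal with the identity.
    if not s.device:
        reasons.append("no device-level signal alongside identity")
    elif s.device.get("malware_detected"):
        reasons.append("device reports active malware")  # the real-time block
    return (not reasons, reasons)


def password_policy_findings(policy: dict):
    """Flag settings M-22-09 says a password policy must NOT have (assumed keys)."""
    findings = []
    if policy.get("require_special_chars"):
        findings.append("requires special characters")
    if policy.get("max_age_days") is not None:
        findings.append("forces regular rotation")
    return findings


if __name__ == "__main__":
    # Being on the internal network does not rescue a weak staff MFA method.
    ok, why = evaluate_access(Session("alice", "staff", "totp", {"edr_healthy": True}, True))
    print(ok, why)  # False ["staff MFA 'totp' is not phishing-resistant"]
```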
Did the Federal Government accomplish the OMB M-22-09 identity objectives?
Sort of.
While some agencies mostly moved to centralized systems, some legacy systems didn’t transition.
Authentication moved away from weak MFA (such as sending an SMS to a device as the second factor).
Device signals aren’t fully implemented. To take one example, dynamically blocking access in real time if a virus is detected is NOT fully operational. But this is challenging when you consider all the computers, smartphones, and other devices (including Internet of Things devices) that must be managed.
But the government said (in a 2024 Impact Report) that the government performed well.
In effect, OMB M-22-09 is now a legacy document since the 2024 deadline has passed. But it’s still referenced, somewhat, in government cybersecurity efforts.
Are you meeting your prospects’ zero trust needs?
If Bredemarket can help you with strategic and tactical analysis, content, and proposals that address the zero trust architecture, set up a free meeting with me to discuss your goals.
Phishing-resistant government systems are no longer a “nice-to-have,” but are now a federal mandate. Government agency information technology (IT) leaders are compelled to meet Zero Trust Architecture (ZTA) mandates.
As you can see from the sections quoted below, the Federal Government agency emphasis focuses on:
Zero Trust Architecture, which supersedes the prior notion that the “internal” portions of a network can be trusted. Threats can come from anywhere.
Securing cloud implementations, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
Least-privilege access, in which each user (this was when users were assumed to be human) only has the privileges they require.
Section 3, Modernizing Federal Government Cybersecurity
(a) To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.
(b) Within 60 days of the date of this order, the head of each agency shall…
(ii) develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them…
(c) As agencies continue to use cloud technology, they shall do so in a coordinated, deliberate way that allows the Federal Government to prevent, detect, assess, and remediate cyber incidents. To facilitate this approach, the migration to cloud technology shall adopt Zero Trust Architecture, as practicable. The CISA shall modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with Zero Trust Architecture….
(i) Within 90 days of the date of this order, the Director of OMB, in consultation with the Secretary of Homeland Security acting through the Director of CISA, and the Administrator of General Services acting through FedRAMP, shall develop a Federal cloud-security strategy and provide guidance to agencies accordingly. Such guidance shall seek to ensure that risks to the FCEB from using cloud-based services are broadly understood and effectively addressed, and that FCEB Agencies move closer to Zero Trust Architecture.
Section 10, Definitions
(k) the term “Zero Trust Architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever.
The Bredemarket sales pitch
Can Bredemarket help you describe your zero trust architecture solution? If so, set up a free meeting with me to discuss your needs.
There is a difference between a writer and a content creator. It becomes obvious when you read WordPress’ recent post, “How to Slop Your Content in Five Steps.”
With one glaring exception: the Bredebot project. This is a highlighted experiment to see how far a well-prompted bot will go.
So my specific response to these steps is to consider the gap analysis in step 2. Bots are good at such analysis, but they have to be watched in case they don’t get their facts straight.
But I won’t give Claude the permission to write and post articles, or even any permissions on WordPress. This is a security issue, after all; how do YOU control site access for non-human identities?
In fact, I may not even use Claude for step 2, even if it’s the cool kid this week (last I checked). I may use Gemini…or a thousand Bangladesh techies…or a million Pentiums…or Mika.
How you work with outside content creators
But what about you?
Before answering, take the five steps above and change the name “Claude” to Barney…or Bredemarket.
Would you give Barney or Bredemarket that power over your website?
Maybe…or maybe not.
How Bredemarket works with you
In the case of Bredemarket, I usually do NOT have direct access to my clients’ websites, sending them Word documents instead. And in the one instance where I did have website access, I left every one of my drafts in draft mode.
And when I perform a gap analysis, I present my client with choices and ask the client to choose the topic, or at least approve my suggested topic.
Because your website is not mine, or Mika’s…or Claude’s.
If you were involved in computing in the 1990s, you knew all about firewalls and their ability to block outside threats. The firewall protected a safe enclosed area.
The first line of defense against external threats to computer systems and networks is a firewall. Whether a computer is in a corporation, government agency, university, small business, or home, if it is connected by a network to other computers, its resources, plans, and data are at risk–and so is the reputation of its owners. A firewall can help reduce that risk to an acceptable level.
Firewall technology is a set of mechanisms that collectively enforce a security policy on communication traffic entering or leaving a guarded network domain. The security policy is the overall plan for protecting the domain. Embodied in hardware, software, or both, a firewall guards and isolates the domain…
And yes, we really believed this.
Now we don’t, because our remote servers have expanded into something we now call the “cloud,” our computing devices now include souped-up telephones, and everything is provided “as a service.” There is no longer an inside and an outside, and threats can come from anywhere.
On Monday I will share a post on Zero Trust Architecture, which repudiates the firewall model.
“I think too much knowledge is actually bad in tech: you’re biased.”
Why does this quote affect me so deeply? Because with my 30-plus years of identity/biometric experience, I obviously have too much knowledge of the industry, which is obviously bad. After all, all a biometric company needs is a salesperson, an engineer, an African data labeler, and someone to run the generative AI for everything else. The company doesn’t need someone who knows that Printrak isn’t spelled with a C.
In this post I will share three of the “biases” I have developed in my 30-plus years in identity and biometrics, and how to correct these biases by stripping away that 20th century experience and applying novel thinking.
And if that last paragraph made you throw up in your mouth…read to the end of the post.
But first, let’s briefly explore these three biases that I shamefully hold due to my status as a biometric product marketing expert:
Independent algorithmic confirmation is valuable.
Process is valuable.
Artificial intelligence is merely a tool.
Biometric product marketing expert.
Bias 1: Independent Algorithmic Confirmation is Valuable
But how do prospects know that these algorithms work? How accurate are they? How fast are they? How secure are they?
My bias
My brain, embedded with over 30 years of bias, gravitates to the idea that vendors should submit their algorithms for independent testing and confirmation.
From a NIST facial recognition demographic bias text.
This could be an accuracy test such as the ones NIST and DHS administer, or confirmation of presentation attack detection capabilities (as BixeLab, iBeta, and other organizations perform), or confirmation of injection attack detection capabilities.
Novel thinking
But you’re smarter than that and refuse to support the testing-industrial complex. They have their explicit or implicit agendas and want to force the biometric vendors to do well on the tests. For example, the U.S. Federal Bureau of Investigation’s “Appendix F” fingerprint capture quality standard specifically EXCLUDES contactless solutions, forcing everyone down the same contact path.
But you and your novel thinking reject these unnecessary impediments. You’re not going to constrain yourself by the assertions of others. You are going to assert your own benefits. Develop and administer your own tests. Share with your prospects how wonderful you are without going through an intermediary. That will prove your superiority…right?
Bias 2: Process is Valuable
A biometric company has to perform a variety of tasks. Raise funding. Hire people. Develop, market, propose, sell, and implement products. Throw parties.
How will the company do all these things?
My bias
My brain, encumbered by my experience (including a decade at Motorola), persists in a belief that process is the answer. The process can be as simple as scribblings on a cocktail napkin, but you need some process if you want to cash out in a glorious exit—I mean, deliver superior products to your customers.
Perhaps you need a development process that defines, among other things, how long a sprint should be. A capture and proposal process (Shipley or simpler) that defines, among other things, who has the authority to approve a $10 million proposal. A go-to-market process that defines the deliverables for different tiers, and who is responsible, accountable, consulted, and informed. Or maybe just an onboarding process when starting a new project, dictating the questions you need to ask at the beginning.
Bredemarket’s seven questions. I ask, then I act.
Novel thinking
Sure, all that process is fine…if you don’t want to do anything. Do you really want to force your people to wait two weeks for the latest product iteration? Impose a multinational bureaucracy on your sales process? Go through an onerous checklist before marketing a product?
Just code it.
Just sell it.
Just write it.
Bias 3: Artificial Intelligence is Merely a Tool
The problem with experienced people is that they think that there is nothing new under the sun.
You talk about cloud computing, and they yawn, “Sounds like time sharing.” You talk about quantum computing, and they yawn, “Sounds like the Pentium.” You talk about blockchain, and they yawn, “Sounds like a notary public.”
My bias
As I sip my Pepperidge Farm, I can barely conceal my revulsion at those who think “we use AI” is a world-dominating marketing message. Artificial intelligence is not a way of life. It is a tool. A tool that in and of itself does not merit much of a mention.
How many automobile manufacturers proclaim “we use tires” as part of their marketing messaging? Tires are essential to an automobile’s performance, but since everyone has them, they’re not a differentiator and not worthy of mention.
In the same way, everyone has AI…so why talk about its mere presence? Talk about the benefits your implementation provides and how these benefits differentiate you from your competitors.
Novel thinking
Yep, the grandpas that declare “AI is only a tool” are missing the significance entirely. AI is not like a Pentium chip. It is a transformational technology that is already changing the way we create, sell, and market.
Therefore it is critically important to highlight your product’s AI use. AI isn’t a “so what” feature, but an indication of revolutionary transformative technology. You suppress mention of AI at your own peril.
How do I overcome my biases of experience?
OK, so I’ve identified the outmoded thinking that results from too much experience. But how do I overcome it?
I don’t.
Because if you haven’t already detected it, I believe that experience IS valuable, and that all three items above are essential and shouldn’t be jettisoned for the new, novel, and kewl.
Are you an identity/biometric marketing leader who needs to tell your prospects that your algorithms are validated by reputable independent bodies?
Or that you have a process (simple or not) that governs how your customers receive your products?
Or that your AI actually does unique things that your competitors don’t, providing true benefits to your customers?
Bredemarket can help with strategy, analysis, content, and/or proposals for your identity/biometric firm. Talk to me (for free).
By the way, here’s MY process (and my services and pricing).
Only one of Bredemarket’s clients has given me nearly-unfettered privileges in its WordPress and LinkedIn accounts.
Yes, this seemingly violates the principle of least privilege, but it turns out I needed the enhanced WordPress access.
I initially had the ability to write drafts, but this did not allow me to fully incorporate graphics into my draft posts. So I obtained the higher privilege, but never used it to post anything.
I could, and did, post on my client’s LinkedIn account, but even that was coordinated.
The company eventually paused its activities, and my access to its WordPress and LinkedIn accounts (and other accounts) was no longer necessary, and those privileges eventually were rescinded.
But this was unusual. For most of my clients, I throw my work over a wall, and the client takes it from there.
Which is as it should be. After all, I shouldn’t be self-approving my client blog posts. What’s next, approving my payments?
When I posted (two times) the fact that International Mobile Equipment Identity (IMEI) numbers are NOT a reliable way to ascertain the identity of a user, I was pooh-poohed.
I was working with these sectors back when I was at MorphoTrak.
“There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience advances a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure. This directive supersedes Homeland Security Presidential Directive 7.”