After another year of ransomware and supply chain attacks, Microsoft is talking up its role in helping to put US President Joe Biden’s May Executive Order on cybersecurity into practice.
Microsoft is one of 18 cybersecurity companies that was selected to work with the National Institute of Standards and Technology (NIST) to develop Zero Trust designs that federal agencies can implement under Executive Order 14028.
Instead of focusing on hardening the network perimeter, Zero Trust assumes that an organisation has already been breached and includes a design that acknowledges data needs to be protected both within and outside the network, across managed and unmanaged devices.
Other vendors in the Zero Trust consortium include Amazon Web Services, Appgate, Cisco, F5, FireEye, IBM, McAfee, MobileIron, Okta, Palo Alto Networks, PC Matic, Radiant Logic, SailPoint Technologies, Symantec, Tenable, and Zscaler. Google and its BeyondCorp zero trust initiative is notably absent.
Biden’s order demanded CISA and NIST to create benchmarks for organisations managing critical infrastructure. It followed the SolarWinds hack targeting primarily federal agencies and US tech companies, the Exchange email server attacks, and the Colonial Pipeline ransomware attack. The SolarWinds attack, in particular, highlighted the need for zero trust, with the attacks occurring amid the mass shift towards remote work during the pandemic.
The vendors in the project will be working with NIST’s National Cybersecurity Center of Excellence (NCCoE) to “develop practical, interoperable approaches to designing and building Zero Trust architectures” that are commercially available from US cybersecurity firms.
Microsoft has previously identified five scenarios where zero trust can help agencies meet Biden’s order, including endpoint detection and response, multi-factor authentication, and continuous monitoring.
Azure Active Directory is central to Microsoft’s plans for most of the five scenarios, which includes SaaS applications, legacy applications, protecting remote sever administration tools, and cloud segmentation. Azure also plays a key role in ‘micro-segmentation’ of the network.
While Biden’s order only applies to federal agencies, the White House did encourage the private sector to take “ambitious measures” in the same direction.
Microsoft notes its proposed example solutions will include commercial and open-source products.
Separately, the Linux Foundation has thrown its support behind Biden’s order to develop a Software Bill of Materials (SBOM), or a “formal record containing the details and supply chain relationships of various components used in building software.”
The Zero Trust proposals from vendors are meant to align with NIST SP 800-207, Zero Trust Architecture, which was developed through meetings with Federal Chief Information Officer (CIO) Council, federal agencies, and industry.