The Office of Management and Budget (OMB) recently released a Federal Zero Trust Strategy in support of the Executive Order on Improving the Nation’s Cybersecurity to push the adoption of zero trust principles across civilian agencies’ enterprise security architecture.
The content of the executive order and the OMB memorandum is worth examination in its entirety however here we highlight some sections that has direct impact in how our Identity and Access Management (IAM) is implemented, deploy, and managed.
In the OMB memorandum, under the section “”Identity””, the vision is that agency staffs should use enterprise-managed identities to access applications they use. In particular, they should use phishing-resistant MFA to protect personnel from sophisticated online attacks.
As part of the actions to fulfill this vision, agencies must use strong multi-factor authentication (MFA) throughout their enterprise, which must be enforced at the application layer instead of the network layer. Additionally, when authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user.
As for phishing-resistant authenticators and approaches to MFA, the federal strategy points to the World Wide Web Consortium (W3C)’s open “Web Authentication” standard along side with FIDO2 as effective approaches to meet the requirements of the Federal Zero Trust Strategy.
One of the implications of the Federal Zero Trust Strategy is that it creates options for agencies to use FIDO instead of authentication based on Personal Identity Verification (PIV) or public-key infrastructure (PKI).
Spectra is Algemetric’s IAM solution for machine-to-machine communication (M2M), much needed in a wide variety of IoT scenarios. Spectra implements FIDO2’s standards: WebAuthn and CTAP for establishing the role of trusted administrators for creating and managing IAM for IoT applications. Spectra provides extensive IAM controls for M2M following zero trust principles. Additionally, Spectra is designed based on approved public-key cryptography in a data-centric fashion, which does not required PKI and does not depend on the security of the network.
Spectra was designed to contemplate zero trust principles for the get-go. Spectra the result of a powerful combination of data organization, advanced cryptographic protocols, and features satisfying modern IAM requirements.