"GAO Highlights Interoperability Challenges With Zero Trust"

According to a Government Accountability Office (GAO) briefing document aimed at lawmakers, many federal agencies will find it difficult to design zero trust systems because the various products required to fully realize the strategy do not always function well together. Under guidance issued by the Office of Management and Budget (OMB) to comply with a May 2021 cybersecurity executive order, federal agencies are required to implement Zero Trust Architectures (ZTA) by the end of fiscal year 2024. President Joe Biden issued the order in response to the SolarWinds hack, which also involved Microsoft's Active Directory Federation System and the use of legitimate credentials to move laterally within victim networks.

In a ZTA, individuals or devices attempting to access specific resources in a network must obtain authorization from a central point, also known as a trust algorithm. According to GAO's spotlight document, implementing a zero trust system to make such authorization decisions may involve technology to manage credentials, analyze threat intelligence and activity logs for unusual activity, monitor endpoints for malware, and encrypt data. Since there is no single ZTA solution, ZTA implementation calls for the integration of existing technologies as well as newer technologies. These technologies may not be designed to work together, especially in organizations with significant investments in traditional technologies.

To emphasize the challenge, the GAO document cited work from the National Institute of Standards and Technology (NIST). GAO reported that organizations attempting to implement ZTA have encountered difficulties. A NIST project aimed at building and showing examples of ZTA using products and technologies from various vendors found that many Identity, Credential, and Access Management (ICAM) and endpoint protection technologies could not be integrated into a functional ZTA.
This article continues to discuss the interoperability challenges with zero trust highlighted by a new GAO spotlight document. 

NextGov reports "GAO Highlights Interoperability Challenges With Zero Trust"

Submitted by Anonymous on