Zero Trust: From Buzzword to Boardroom to Your Device
The Coming Clusterf**k Is Here
Bowman: Open the pod door, Hal.
Bowman: Open the pod bay doors please, Hal.
Open the pod bay doors please, Hal.
Hello, Hal, do you read me?
Hello, Hal, do you read me? Do you read me, Hal?
Do you read me, Hal? Hello, Hal, do you read me?
Hello, Hal, do you read me? Do you read me, Hal?
Hal: Affirmative, Dave. I read you.
Bowman: Open the pod bay doors, Hal.
Hal: I'm sorry, Dave. I'm afraid I can't do that.
Excerpted from the transcript of the film 2001: A Space Odyssey
*
How many times have we sat in front of a dark, blank screen, or a locked
screen, or struggled with a CAPTCHA puzzle, and felt just like astronaut
Dave Bowman outside the ship while the computer that runs the whole show
won't let him back in? To me, this scene has always represented the
quintessential computing experience. And the universal adoption of
Zero Trust will, I am afraid, only continue the trend.
Zero Trust is, first and foremost, a Conceptual Framework for securing the
resources on a network that serves many different classes of users, each
requesting permission to reach the network and the resources on it. The
website of the IRS is exactly such a network. And, in an early foray into
Zero Trust, the IRS announced in November 2021 that to log on to an IRS
account the taxpayer would need a selfie to prove the taxpayer's identity:
When accessing the tools listed above, taxpayers will be asked
to sign in with an ID.me account. People who already have IRS usernames
may continue to use their credentials from the old system to sign in
until summer 2022, but are prompted to create an ID.me account as soon
as possible.
Anyone with an existing ID.me account from the Child Tax Credit Update
Portal, or from another government agency, can sign in with their
existing credentials. To verify their identity with ID.me, taxpayers
need to provide a photo of an identity document such as a driver's
license, state ID or passport. They'll also need to take a selfie
with a smartphone or a computer with a webcam. Once their identity has
been verified, they can securely access IRS online services.
My first reaction to reading this news was pretty much "Ah, Jeez..."
I hate selfies of me self. At 66 years old, I don't want to be
reminded that I am nowhere near as attractive a human being as I was at 26.
That was not, however,
why the plan was dropped as abruptly as it was instituted.
The ID.me portal didn't work. Indeed, if you read some of the
complaints made against ID.me at the Better Business Bureau
website, you can see that the ID.me portal has a plethora of
problems and was a bad choice to begin with. Furthermore,
ID.me systems are implicated in the California EDD fraud cases.
Kudos to the Biden Administration for immediately pulling the plug on
technology that doesn't work, instead of letting the disaster fester for
days as both of the previous two administrations often did. An in-depth
Bloomberg report on ID.me is available here.
What prompted all this was the announced beginning of the implementation
of NIST Special Publication 800-63-3, Digital Identity Guidelines,
first published in June 2017 and updated in March 2020.
It is in the March 2020 update of these guidelines that we hear
the winds of Zero Trust blow:
Digital identity is the unique representation of a subject
engaged in an online transaction. A digital identity is always unique in
the context of a digital service, but does not necessarily need to
uniquely identify the subject in all contexts. In other words, accessing
a digital service may not mean that the subject’s real-life identity is
known. Identity proofing establishes that a subject is who they claim to
be. Digital authentication is the process of determining the validity of
one or more authenticators used to claim a digital identity.
Authentication establishes that a subject attempting to access a digital
service is in control of the technologies used to authenticate.
Successful authentication provides reasonable risk-based assurances that
the subject accessing the service today is the same as that which
previously accessed the service. Digital identity presents a technical
challenge because this process often involves proofing individuals over
an open network, and typically involves the authentication of individual
subjects over an open network to access digital government services.
There are multiple opportunities for impersonation and other attacks
that fraudulently claim another subject’s digital identity.
So what the heck is all this ZERO TRUST noise all about, anyway?
Microsoft published a white paper on its implementation of Zero Trust
in November 2021. A PDF is available here. It is a good
overview of the core principles of Zero Trust. Then, on February 8,
2022, Microsoft released its Zero Trust Guidance Center, where it
succinctly states the basic underlying precepts of Zero Trust:
Today, organizations need a new security model that effectively
adapts to the complexity of the modern environment, embraces the mobile
workforce, and protects people, devices, applications, and data wherever
they are located.
This is the core of Zero Trust. Instead of believing everything behind
the corporate firewall is safe, the Zero
Trust model assumes breach and verifies each request as though it
originated from an uncontrolled network. Regardless of where the request
originates or what resource it accesses, the Zero Trust model teaches us
to "never trust, always verify."
The interesting part of that statement is that Zero Trust assumes the
network a request arrives on, and possibly the client computer itself,
has already been compromised, so every request has to be verified on its
own merits rather than on where it came from. This all might start to
sound familiar to faithful readers of The Dispatches from the Front.
CrowdStrike makes the point that, under Zero Trust, there is effectively
ONLY ONE NETWORK, with no trusted inside:
Zero Trust is a security framework requiring all users, whether in
or outside the organization’s network, to be authenticated, authorized,
and continuously validated for security configuration and posture before
being granted or keeping access to applications and data.
Zero Trust assumes that there is no traditional network edge; networks
can be local, in the cloud, or a combination or hybrid with resources
anywhere as well as workers in any location.
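The two quotes above describe an architecture rather than a product: Microsoft's "verify each request as though it originated from an uncontrolled network" and CrowdStrike's "continuously validated for security configuration and posture before being granted or keeping access." The following is an added example written for this post, not code from Microsoft, CrowdStrike or any vendor: a toy policy decision point in Python that judges every request on who is asking, how they authenticated and the state of their device, and never on the source network. The legacy perimeter check is shown beside it for contrast. The address ranges, resource labels, entitlements and thresholds are assumed values chosen for illustration.

```python
# Added example for this post (not Microsoft's or CrowdStrike's code): a toy
# policy decision point that judges every request on who is asking, how they
# authenticated and the state of their device, never on which network it came
# from. The perimeter check is shown alongside for contrast. Resource labels,
# entitlements and thresholds are assumed values for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORP_NET = ip_network("10.0.0.0/8")      # assumed "inside the firewall" range
REVERIFY_SECONDS = 15 * 60               # assumed: posture must be re-checked every 15 min
MAX_PATCH_AGE_DAYS = 30                  # assumed device-health threshold
NOW = 1_644_969_600                      # fixed "current time" so results are stable

# Assumed data: who may reach which resource, and how sensitive each one is.
ENTITLEMENTS = {"alice": {"cafeteria-menu", "payroll"}, "bob": {"cafeteria-menu"}}
SENSITIVITY = {"cafeteria-menu": "low", "payroll": "high"}


@dataclass
class Request:
    user: str
    src_ip: str
    resource: str
    mfa_verified: bool          # the session's MFA claim has been checked
    device_managed: bool        # device is enrolled in management
    disk_encrypted: bool
    patch_age_days: int
    posture_checked_at: int     # epoch seconds of the last posture attestation


def perimeter_decision(req: Request) -> str:
    """Legacy model: anything inside the corporate network is trusted."""
    return "allow" if ip_address(req.src_ip) in CORP_NET else "deny"


def zero_trust_decision(req: Request, now: int = NOW) -> tuple:
    """Verify each request on its own merits; src_ip is deliberately not consulted."""
    reasons = []
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        reasons.append("user not entitled to resource")
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    # Unknown resources are treated as high sensitivity: fail closed.
    if SENSITIVITY.get(req.resource, "high") == "high":
        if not req.device_managed:
            reasons.append("unmanaged device")
        if not req.disk_encrypted:
            reasons.append("disk not encrypted")
        if req.patch_age_days > MAX_PATCH_AGE_DAYS:
            reasons.append("device patches older than %d days" % MAX_PATCH_AGE_DAYS)
    # "Continuously validated": an old posture check does not keep access alive.
    if now - req.posture_checked_at > REVERIFY_SECONDS:
        reasons.append("posture check stale, re-verify")
    return ("allow", []) if not reasons else ("deny", reasons)


# Constructed sample requests (203.0.113.0/24 is a documentation range).
SAMPLES = {
    # On the corporate LAN, but password-only and on an unmanaged, unpatched laptop.
    "insider_no_mfa": Request("alice", "10.1.2.3", "payroll", False, False, False, 200, NOW),
    # Working from a coffee shop with MFA and a healthy managed device.
    "remote_ok": Request("alice", "203.0.113.7", "payroll", True, True, True, 3, NOW - 60),
    # Same healthy remote device, but its posture report is an hour old.
    "remote_stale": Request("alice", "203.0.113.7", "payroll", True, True, True, 3, NOW - 3600),
    # Entitled only to low-sensitivity data; device health is not demanded for it.
    "bob_menu": Request("bob", "203.0.113.9", "cafeteria-menu", True, False, False, 90, NOW),
    # Bob tries payroll from inside: MFA and posture are fine, but he is not entitled.
    "bob_payroll": Request("bob", "10.9.9.9", "payroll", True, True, True, 3, NOW),
}


def compare_all() -> dict:
    """Return {name: (perimeter verdict, zero-trust verdict)} for every sample."""
    return {name: (perimeter_decision(r), zero_trust_decision(r)[0])
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        verdict, why = zero_trust_decision(req)
        print(f"{name:15s} perimeter={perimeter_decision(req):5s} "
              f"zero_trust={verdict:5s} {'; '.join(why)}")
```

Running it shows the two models disagreeing in both directions: the password-only insider on the LAN is allowed by the perimeter and denied by Zero Trust, while the remote worker with MFA and a healthy device is denied by the perimeter and allowed by Zero Trust. The stale-posture case is the "keeping access" half of CrowdStrike's definition: a session that was fine fifteen minutes ago is not fine forever. Two design choices worth copying in a real policy engine are that unknown resources fail closed and that every denial carries its reasons, which is what makes the decisions auditable.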
What moved Zero Trust from a buzzword for security snake-oil salespeople
to pitch, then to an issue that mainly affected large enterprises, public
and private, and finally to the IRS demanding selfies from citizens
logging on to their own accounts, if only temporarily, is the January 26,
2022 publication of MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND
AGENCIES, from Shalanda D. Young, Acting Director, OFFICE OF MANAGEMENT
AND BUDGET, SUBJECT: Moving the U.S. Government Toward Zero Trust
Cybersecurity Principles (M-22-09). A PDF is available here.
There has been a positive response to this directive across the
business community. The belief is that only the Federal Government has
the reach and clout to use market forces to make implementation of Zero
Trust a reality throughout what we might now call our Digital Political
Economy.
Every day, the Federal Government executes unique and deeply
challenging missions: agencies safeguard our nation’s critical
infrastructure, conduct scientific research, engage in diplomacy, and
provide benefits and services for the American people, among many other
public functions. To deliver on these missions effectively, our nation
must make intelligent and vigorous use of modern technology and security
practices, while avoiding disruption by malicious cyber campaigns.
Successfully modernizing the Federal Government’s approach to security
requires a Government-wide endeavor. In May of 2021, the President
issued Executive Order (EO) 14028, Improving the Nation’s
Cybersecurity, initiating a sweeping Government-wide effort to ensure
that baseline security practices are in place, to migrate the Federal
Government to a zero trust architecture, and to realize the security
benefits of cloud-based infrastructure while mitigating associated
risks.
What this directive means, as I view it, is that if BIG GIANT CORP or Cute
Little Mom & Pop wants to be a vendor, a supplier, a managed services
provider, or just fix the HVAC for Uncle Sam, then that entity will now
adhere to the principles of Zero Trust. And everybody wants to do business
with the government. [ed. I have managed a GSA sales contract. Some of the
best business I ever did.] Therefore, as 2022 progresses, the commercial
websites we sign on to are going to be forced to require more stringent
means of identification and verification. Zero Trust assumes that just
because you know the username and password to Taylor Swift's IRS account
does not mean that you are Taylor Swift. So, more hoops to jump through at
any number of login screens. Right off the bat, more use of two-factor
authentication (2FA) is in our future. Also, more time wasted feeling lost
in CAPTCHA hell.
Back to us citizens trying to simply log on to a US government website.
There is a bipartisan move in the Senate to ban the use of facial
recognition of any kind in government. The Facial Recognition and
Biometric Technology Moratorium Act of 2021 [pdf] declares with no
ambiguity that the purpose of the proposed legislation is:
To prohibit biometric surveillance by the Federal Government without
explicit statutory authorization and to withhold certain Federal public
safety grants from State and local governments that engage in biometric
surveillance.
That's pretty clear. Should it pass: no facial recognition in American
government, no way, nowhere, no how.
What makes the whole ID.me affair rather suspicious is that (1) it's a
commercial entity that would profit greatly from such a GSA contract, and
(2) the Federal Government already has its own secure logon website for
US government use. The problem is that it is not in use across the board,
NOT YET. login.gov, the product of GSA Technology Transformation Services,
"has provided federal government websites with strong authentication and
identity proofing since 2017. With one account, the public can easily
access participating online government services securely and seamlessly."
Thus the entire ID.me affair was pointless and reeks of corruption. I am
sure the truth is that some inspector general saw it and had one of those
WTF moments that seem like an epiphany, and then deep-sixed the whole
ID.me fiasco before it got out of control. Just my guess.
Here's the GSA's pitch for login.gov:
- Flexible multi-factor authentication. Login.gov has a wide range of support for various authenticator types for securing accounts.
- Human-centered design. Created out of user needs, rather than government complexity. Our service is in alignment with the 21st Century Integrated Digital Experience Act (21st Century IDEA).
- Enabling wonderful user experiences. With one login.gov account, users are no longer required to remember different passwords for each government service they access.
- Privacy protecting security. Login.gov adheres to the latest security standards established by top security organizations such as the National Institute of Standards and Technology. Our service is in alignment with the Cybersecurity National Action Plan.
The website login.gov is very much the brainchild of this guy: Bill Hunt.
If there is one person I have never met whom I would love to sit down and
have a couple of beers with, it's Bill Hunt. He sells stickers emblazoned
with his motto, "Move carefully and fix things," and donates any profits
to charity. As he put it well on his Twitter page:

"Move fast and break things" failed. As a result, we inherited a
lot of fast-moving broken things. Sustainability is the most important
principle in government tech today.
I could not express any better my own current methodology when trying to
solve computer problems. I think there should be a corollary to Hunt's
maxim: "When you Move Carefully and Fix Things, Don't Break Anything Else
in the Process."
So Zero Trust will continue to be a Hot Topic for the Digerati
throughout 2022. It will be an evolving process; but, at least now,
there are standards agreed upon by the major stakeholders who will be
charged with implementing Zero Trust across public and private networks.
As Forrester Research wrote on ZDNet, February 2, 2022:
At the beginning of 2022, Zero Trust faces a bizarre dichotomy:
It's on the verge of becoming the de facto cybersecurity approach while
simultaneously having many security practitioners decry it as "just a
marketing ploy."
So clearly, with the imprimatur of the federal government on the
principles of Zero Trust, with Uncle Sam mandating its adoption in
M-22-09, and with its agreed-upon standards, Zero Trust will, over the
course of the coming years, impact us all. And, in the immortal words of
Pete Townshend:
"Don't say I didn't warn you."
Addendum, February 15, 2022. For those who may pooh-pooh all this, I
invite you to read the document Recommended Criteria for Cybersecurity
Labeling of Consumer Software, from the National Institute of Standards
and Technology, February 4, 2022. This goes even beyond my parochial
imagination.
¯\_(ツ)_/¯
She's changed the lock on our front door
My door key, don't fit no more
So get it on over (move it on over)
Scoot it on over (move it on over)
Move over, skinny dog 'cause a fat dog's moving in
Hank Williams, Move It on Over
What Happened to HAL.
My memory is that it was not shown as clearly in the movie as it was
explicitly detailed in the book 2010 that what had happened to poor HAL
was that HAL had a computer virus. The virus made HAL into a paranoid
schizophrenic, and that is why HAL killed the astronauts. God rest his
soul.
Why this is sheer brilliance is best stated on the Wikipedia page about
2010: "2010: Odyssey Two is a 1982 science fiction novel by British writer
Arthur C. Clarke. It is the sequel to the 1968 novel 2001: A Space
Odyssey." Arthur C. Clarke wrote about computer viruses in 1982. Just goes
to show that no matter how far ahead of the curve one may think one is,
there is always someone who has been around the bend three times already.
Gerald Reiff