Zero Trust – the best security outcome for enterprises and government agencies of all sizes.
October marks National Cybersecurity Month. But let’s be clear. Cybersecurity is a 24/7/365 thing. And NIST 800-53, as well as the White House’s cybersecurity executive order (EO), demand that Zero Trust Architecture (ZTA) form the foundation of secure systems moving forward, whether in the cloud or not. So, the heat is on for both government and private organizations to get in line. Now.
The Senate Homeland Security Committee approved a FISMA reform bill that would strengthen CISA’s role in collecting agency reports on cyber incidents impacting federal systems. The bill is intended to “mitigate” the effects of recent cyber-attacks, such as the Microsoft Exchange intrusions that significantly affected federal agencies, with the goal of helping “federal agencies take more effective, measurable, and successful actions to address evolving cyber-threats,” according to committee leadership.
Zero Trust (ZT) is the term for a set of cybersecurity paradigms that focuses on users, assets, and resources rather than network-based perimeters. With ZT, trust is not automatically granted to assets or users based solely on their physical or network location or asset ownership. Instead, it provides least-privilege-per-request access to assets, embedding security in zones throughout the architecture rather than just at the perimeter. Essentially, no actor, network, or service operating outside or within the security perimeter is trusted. Instead, they must be verified to gain access.
ZT is not a new approach; rather, it has been evolving to address the gaps created by years of building infrastructure along organizational, operational, and doctrinal boundaries. Developing capabilities in silos creates disconnects in the command structure and processes, precluding the creation of a comprehensive, dynamic, and near-real-time common operating picture (COP). That COP lies at the core of the situational awareness organizations need for effective decision making, rapid staff actions, and appropriate mission execution.
Here are your agency’s ZT goals. You have until 2024 to meet them.
The White House EO goes beyond Zero Trust to mandate that the federal government modernize IT infrastructure and security concepts and practices. It also puts significant new requirements on Federal agencies to deploy endpoint detection and response technologies on their networks and share cyber information with other agencies to comply with new cybersecurity event log-keeping requirements. For the private sector, the order uses the power of the federal purse to put in place “baseline” security standards in software sold to the government.
Brandon Wales, the acting director of the Cybersecurity & Infrastructure Security Agency (CISA), called the EO “an important step forward in bolstering our nation’s cybersecurity. Ransomware attacks against companies like the Colonial Pipeline and recent intrusions impacting federal agencies demonstrate our nation faces constant cyber threats from nation-states and criminal groups alike.”
By now, Federal agencies should have a plan to implement Zero Trust Architecture, according to the 60-day deadline in the EO issued in May 2021. Those plans should incorporate migration steps recommended by the National Institute of Standards and Technology (NIST). By the end of FY2024, federal agencies must also hit five major Zero Trust transition goals:
- Identity: Agency staff must use an enterprise-wide identity to access the applications they use in their work. Phishing-resistant multi-factor authentication protects personnel from sophisticated online attacks.
- Devices: The Federal government needs a complete inventory of every device it operates and authorizes for government use so it can detect and respond to incidents on those devices.
- Networks: Agencies must encrypt all DNS requests and HTTP traffic within their environment, begin segmenting networks around their applications, and create a workable path to encrypting email in transit.
- Applications: Agencies must treat all applications as internet-connected, routinely subject their applications to rigorous testing, and welcome external vulnerability reports.
- Data: Agencies must establish a clear, shared path to deploy protections that use thorough data categorization. Agencies can take advantage of cloud security services to monitor access to their sensitive data, and must implement enterprise-wide logging and information sharing.
Zero Trust and CDM form the foundation of this new guidance. Automate what you can.
Zero trust and continuous diagnostics and mitigation (CDM) form the foundations of CISA’s recommendations, reflecting the agency’s consistent, interconnected approach to cybersecurity for federal agencies. They also recommend ongoing monitoring of devices connected to the network, adding new layers of defense to protect the exterior, and constantly verifying compliance with security standards and procedures, which is a central tenet of CISA’s CDM program.
Automation can dramatically cut the amount of time and effort that goes into CDM and reporting, as well as shorten the time it takes to execute multiple requirements, including:
- Comply-to-Connect (C2C): Ensuring patches and hardening are applied to devices before they connect to the internal network, and continually updating their compliance status.
- DevSecOps Application Development: With DevSecOps, software features, patches, and fixes ship more frequently and with automation. Security is applied at all phases of the software lifecycle.
- Analysis & Confidence Scoring: These technologies continuously assess entities, attributes, and configurations to adapt and risk-optimize security policy for deployments. Confidence scores are leveraged in authorization activities.
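The per-request, least-privilege decision described above, combined with a comply-to-connect device check and a confidence score used in authorization, as an added illustration (example code, not SteelCloud's or ConfigOS's). The device inventory, entitlements, score weights and thresholds are constructed sample values; the point is that the source network is logged but never grants access.

```python
from dataclasses import dataclass

@dataclass
class Request:
    user: str
    mfa: str            # "piv", "fido2", "totp", "sms" or "none"
    device_id: str
    resource: str
    action: str
    network: str        # recorded for audit only; never a basis for granting access

@dataclass
class Device:
    inventoried: bool   # present in the enterprise device inventory
    patched: bool       # current patch level (comply-to-connect check)
    stig_compliant: bool

# Constructed sample data: device inventory, least-privilege entitlements,
# and the confidence each resource demands before access is granted.
DEVICES = {
    "lap-001": Device(True, True, True),
    "lap-002": Device(True, False, False),  # inventoried, but unpatched and unhardened
}
ENTITLEMENTS = {("alice", "hr-db"): {"read"}, ("alice", "wiki"): {"read", "write"}}
PHISHING_RESISTANT = {"piv", "fido2"}
THRESHOLDS = {"hr-db": 80, "wiki": 40}

def confidence_score(req: Request, dev: Device) -> int:
    """Combine identity strength and device posture into a 0-100 score."""
    score = 40 if req.mfa in PHISHING_RESISTANT else 15 if req.mfa == "totp" else 0
    score += 20 * int(dev.inventoried) + 20 * int(dev.patched) + 20 * int(dev.stig_compliant)
    return score

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate a single request; every outcome carries an auditable reason."""
    dev = DEVICES.get(req.device_id)
    if dev is None or not dev.inventoried:
        return False, "device not in inventory"
    if req.action not in ENTITLEMENTS.get((req.user, req.resource), set()):
        return False, "no entitlement for this action"
    score = confidence_score(req, dev)
    needed = THRESHOLDS.get(req.resource, 100)   # unknown resource: deny by default
    if score < needed:
        return False, f"confidence {score} below required {needed}"
    return True, f"confidence {score} meets required {needed}"

if __name__ == "__main__":
    print(decide(Request("alice", "piv", "lap-001", "hr-db", "read", "corp-lan")))
```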
Hardening can be, well, hard. Here are some tips.
If you have already done the work to meet NIST 800-53 guidelines, you are ahead of the game. The foundation has been laid; you can build or utilize other technologies.
If you are not there yet, here are some things to know:
- STIGs. Zero Trust means building a resilient environment, including meeting DISA’s Security Technical Implementation Guides (STIGs).
- CIS. The two fundamental principles of system hardening are to remove unnecessary functions and apply secure configuration settings. Unlike most security frameworks, the Center for Internet Security (CIS) provides prescriptive guidance for configuration settings and, in the CIS Benchmark guides, even provides the required remediation commands.
- Cloud. Moving to ZT security principles does not necessarily mean moving to the cloud. ZT can also be accomplished with on-prem systems.
- Auditing. Audit everything so you have artifacts that can stand up to scrutiny and allow you to go back to provide remediation and protection.
Hardening is foundational with Zero Trust. Automation helps.
Establishing Zero Trust goes beyond protecting your perimeter. You also need to put a metal detector at the entrance, secure the locker room, and provide continual surveillance.
And ZT is not a one-size-fits-all approach. Instead, the result will be a continuum of solutions and outcomes tailored to the agency, systems, and users. But one thread, in particular, is common to all solutions. As Aaron Faulkner, cybersecurity lead at Accenture Federal Services, states, “As federal information technology architecture is modernized, a holistic endpoint detection and response approach, executed correctly, will be critical for CISA to rapidly understand the government’s overall risk posture and mitigate vulnerabilities.”
Endpoint vulnerability detection, rapid response, and CDM are all big things to ask of humans, requiring countless person-hours (and headaches) to achieve. Automation can help. ConfigOS is SteelCloud’s patented STIG, CIS, and CDM automation tool. It has been proven in the most significant government agencies and every environment. Better yet, it removes human error from the equation and is recommended in the cybersecurity EO.
As you learn more about Zero Trust and other hardening approaches, you will want to know more about ConfigOS. It can save weeks of hardening time, not to mention the mental health of your technical team. Agencies need all the help they can get between now and their 2024 deadline, and SteelCloud is happy to deliver.