January 26, 2022–The White House is expected to release a new strategy related to cybersecurity to address modern threats and vulnerabilities. Stemming from Executive Order 14028 on Improving National Cybersecurity, this strategy is expected to implement new standards and requirements for federal agencies built around the concept of zero-trust security.
What is zero trust, and how does it shape cyber defense? It will be the new paradigm around which IT, cloud systems, and information governance will revolve for government agencies.
EO 14028 and Cybersecurity in 2022
In response to the increasing number of infrastructure-threatening attacks experienced in the U.S, the President signed Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity” to standardize how government and defense agencies and their private sector partners constitute the national digital supply chain.
After the SolarWinds and Colonial Pipeline attacks, which impacted critical national infrastructure and government agencies, the writing was on the wall that things needed to change. The SolarWinds hack resulted in a widespread fallout and dozens of compromised cloud systems, including those utilized by the Department of Homeland Security and the Energy Department. The Colonial Pipelines ransomware attack locked down a major energy producer for days and cost the company up to $4.4 million in ransom.
The significant vulnerabilities that attacks like these illustrate are that cloud computing and Software-as-a-Service (SaaS) products, while integral for modern operations, interact in complex and challenging ways that can open up vulnerabilities in critical systems.
Additionally, these systems, even those not directly related to U.S. agencies, are under attack by sophisticated, state-sponsored threat actors bent on disrupting not only government activity but national infrastructures, including energy, food and commerce.
To address these challenges, the executive order dictates that government and contractor systems will be expected to meet strict data management requirements falling under the general definition of “zero trust.”
What is Zero Trust?
The National Institute for Standards and Technology (NIST) Special Publication 800-207, “Zero Trust Architecture,” defines the concept for federal IT systems.
In this document, zero trust architecture (ZTA) is organized around several core tenets, including the following:
- All Data and Services are Resources: Networks are complex and diverse, with different hardware, software and data types. Under ZTA, all these components are considered resources that can serve as targets for attacks. Accordingly, all of these resources must fall under the protection of cybersecurity measures and zero trust principles.
- All Communications on a Network Are Secured: No matter where data travels or how it is transmitted, it must be considered a resource to secure. Under ZTA, no network resource is regarded as 100% secure, and as such, the maximum level of data security must be maintained at all times to guarantee confidentiality.
- Access is Granted on a Per-Session Basis: All users must authenticate each session to access resources, and authorization to access one resource never automatically grants access to other resources. Furthermore, all authorization is given according to the least privileges required by the user to perform their tasks.
- Access and Authorization are Dynamic and Environmental: A system should assess access capabilities and risk based on dynamic variables like user behavior, system state and other environmental attributes (location, risk assessments, etc.).
- No Resources Are Inherently Trusted: Even after a system is secured, continued monitoring and audits determine that these resources remain secure. A breach can happen at any time, so no resource is considered safe until proven so.
- Authentication and Authorization are Enforced at All Resources: Thorough IAM security will include regular and strictly enforced authentication and authorization for all resources. This includes re-authorization for specific resources and situations.
- Continuous Monitoring: The organization continually monitors IT security to detect threats, improve security and audit all systems.
Furthermore, ZTA views networks to the literal letter of its title:
- An enterprise network is not considered a trust zone
- An enterprise will not have complete control over devices on the network
- No resource on the network is trusted as-is
- The enterprise owns not all resources on the network, but rather third-parties
- Remote users should never implicitly trust networks
- Specialized security policies should be in place for resources moving between internal and external systems
Why Is Zero Trust Important in 2022?
While these requirements sound restrictive, it’s become necessary for IT admins and security experts to think of their resources from the perspective of an outside attacker. That is, they must see any potential vector for an attack as a place where authentication, authorization and auditing must take place.
Previous security approaches didn’t necessarily emphasize security in the way we needed them to. Under older paradigms, once a user accessed a system it was generally accepted that they were trusted. Likewise, security perimeters were often seen as something “out there,” keeping the horde of hackers out of a system but only superficially ensuring internal security.
This, of course, is the problem that the government found itself in with the SolarWinds hack. Because the SolarWinds Orion network monitoring tool was a trusted SaaS program, it wasn’t generally seen as necessary to maintain some security that wasn’t already put into place by SolarWinds themselves. So, there was no alarm when an infected patch update was released to all Orion systems.
Modern threat actors are utilizing sophisticated attacks, and these attacks aren’t focused on entering the system but staying in that system undetected. When the primary form of attack in 2021 (and seemingly for decades) are blunt, simple phishing attacks, it’s only a matter of time before a hacker gains access through legitimate credentials with no system of security measure any wiser.
But with the rise of Advanced Persistent Threats (APTs), where malicious software burrows into system resources, propagates, infects other systems and feeds data to external servers, internal security–zero trust–becomes a necessity.
Also note that APTs aren’t just an enterprise problem. In many ways, Cloud infrastructure and SaaS solutions have flattened the curve in terms of security vulnerabilities. If those systems are compromised, small and mid-sized businesses using tools like Microsoft 365 or AWS can suffer the same fate as Colonial Pipelines. And, with the glut of state-sponsored attacks occurring all over the globe, even regional companies are susceptible to attacks.
Are You Ready for the Next Year in Cybersecurity?
Times, and mindsets, are changing. Attacks are more sophisticated, which means you need more resilient systems and faster, more accurate ways to ensure compliance with equally-sophisticated compliance standards. The truth is that compliance and security frameworks, even those built around regular risk assessment, national security standards and zero trust architecture, are going to become just another cost of doing business. However, with Continuum GRC, they can become streamlined, cost-effective, and resilient ways to ensure you meet requirements and maintain secure systems.
Call Continuum GRC at 1-888-896-6207 or complete the form below.