Recent cyberattacks on critical infrastructure have elevated cybersecurity in the national discourse. For everyday citizens all the way to Congress and the White House, cybersecurity is top of mind.
To maintain the public’s trust – and protect our nation – a paradigm shift is needed in cybersecurity, experts say. Government agencies and critical infrastructure providers need to adopt a model in which nothing – no device, person, or action – is inherently trusted. The Biden administration’s recent cyber executive order (EO) reinforces this notion, calling on Federal agencies to move to zero trust security architectures.
With a zero trust model, security is woven throughout the network – with users, endpoints, applications, and files on the network and in the cloud monitored and authenticated at every access point. In contrast, traditional network security fortifies the perimeter, which aims to keep threats outside of the network from getting in. But once users – or bad actors – clear the perimeter, they are free to move about the network, and take whatever they can find when they leave.
Shift the Security Paradigm
With Federal agencies undergoing large operational shifts, including the migration to cloud technology based on Cloud Smart mandates and the sudden shift to remote working due to the pandemic, users and their endpoints, data, and applications have moved outside of the physical walls of an agency. This broadens potential attack surfaces and exposes vulnerabilities across disparate perimeters. Traditional perimeter security simply isn’t enough to protect multiple environments against today’s cybercriminals.
But implementing a zero trust architecture isn’t about buying a product; it’s about changing a mindset throughout an agency.
“There’s a huge misconception that zero trust is a ‘thing’ that can be purchased and implemented as a one-time exercise to create a secure environment,” notes Glen Pendley, deputy chief technology officer at Tenable. “Zero trust is a philosophy. It’s a journey that doesn’t have an end.”
Never Trust, Always Verify
To understand the breadth of a zero trust architecture, CIOs need to start thinking about trust as a vulnerability – and cyber attackers are really good at exploiting vulnerabilities. Just like software that needs to be patched, trust needs to be authenticated – and fortified.
When viewed in this light, technology teams can begin to identify where trust is built into their systems and networks – from access points, to firewalls, to applications, to internal file structures. Teams can then build additional security around those vulnerabilities with tools like multi-factor authentication, identity and access management, and encryption software.
Gain Visibility Across the Threat Landscape
To start addressing the trust vulnerability, agencies first need to gain visibility into everything – and everyone – that touches every aspect of the network. After all, you can’t protect what you don’t know is there.
“For agencies just starting out, the first step is to identify the systems and data that comprise their environment, the roles and responsibilities of the people touching those systems, and where cybersecurity vulnerabilities may arise,” Pendley says. “Based on that, they can develop a clear security plan by quantifying what their mission critical systems are, then developing and implementing privileged access to those systems. It’s truly a step-by-step process, just like learning how to walk before you learn how to run.”
Close a Prominent Weak Link
With visibility comes understanding of who needs access to what, which is where Active Directory comes into play. Active Directory verifies credentials and defines user access rights, and is often configured based on trust.
“Active Directory is so critical to the environment that in almost every major breach over the last several months, including the SolarWinds hack, it was the first thing attackers targeted in order to move laterally within the system,” Pendley observes.
Agencies must do some basic cyber hygiene by cleaning up Active Directory and mitigating misconfigurations. This goes a long way toward removing the inherent trust that exists in Active Directory.
“Ninety-nine percent of cybersecurity is taking care of the basics,” Pendley says.
It’s then critical for agencies to audit and maintain Active Directory, and enable the evaluation of users’ rights. By viewing trust as a vulnerability, agencies can establish user rights and enforce privileges based on individual identities. Users can only go where they are credentialed to go based on their role, and can’t go where they don’t have permission.
Security tools can also be implemented on Active Directory, allowing technology teams to detect lateral movement and privilege escalation carried out through abuse of user rights. Tools such as Tenable.ad can continuously monitor for risky user activity that could indicate a compromise.
Cybercriminals will always try to find a way past vulnerabilities, which is why zero trust should be viewed as an ongoing journey, not a destination. Once visibility is achieved and the trust vulnerabilities addressed, technology teams must remain vigilant, which can be achieved with real-time monitoring.
Real-time monitoring builds on continuous monitoring, adding the ability to gather, analyze, and alert teams to events as they happen. Agencies need to monitor and validate assets, their interdependencies, their level of access, and how they interact with the network. With that visibility and understanding, anomalies and suspicious behavior become easier to see – and stop.
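The two detections the article calls for, privilege escalation through rights abuse and lateral movement, can be expressed as simple rules run over Active Directory security events. The following is an added illustration written for this page, not code from Tenable or Tenable.ad. It runs over constructed sample records modelled loosely on Windows Security log fields (group-membership-change event IDs 4728/4732/4756 and logon event 4624); the hostnames, accounts, the privileged-group list and the alert thresholds are all assumptions chosen for the example and would be tuned to an agency's own environment.

```python
"""Toy detection logic for privileged-group changes and lateral movement.

The events, hosts, accounts and thresholds below are constructed for this
example; they are not real telemetry and not a vendor's detection content.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Groups whose membership changes warrant an alert (assumption: tune per agency).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Windows Security event IDs for "member added to a security group".
GROUP_CHANGE_EVENTS = {4728, 4732, 4756}
NETWORK_LOGON = 3  # 4624 logon type 3 = network logon (SMB, RPC, WinRM, ...)

# Constructed sample telemetry, ordered by timestamp.
SAMPLE_EVENTS = [
    {"ts": "2021-06-01T09:00:00", "id": 4624, "user": "jdoe", "host": "FS01", "logon_type": 3},
    {"ts": "2021-06-01T09:00:40", "id": 4624, "user": "jdoe", "host": "FS02", "logon_type": 3},
    {"ts": "2021-06-01T09:01:10", "id": 4624, "user": "jdoe", "host": "WS17", "logon_type": 3},
    {"ts": "2021-06-01T09:01:30", "id": 4624, "user": "jdoe", "host": "WS22", "logon_type": 3},
    {"ts": "2021-06-01T09:01:55", "id": 4624, "user": "jdoe", "host": "DC01", "logon_type": 3},
    {"ts": "2021-06-01T09:02:00", "id": 4728, "user": "jdoe", "host": "DC01",
     "group": "Domain Admins", "member": "svc-backup", "actor": "jdoe"},
    {"ts": "2021-06-01T10:15:00", "id": 4728, "user": "admin-ann", "host": "DC01",
     "group": "Helpdesk", "member": "newhire", "actor": "admin-ann"},
    {"ts": "2021-06-01T11:00:00", "id": 4624, "user": "asmith", "host": "WS05", "logon_type": 2},
]


def parse_ts(value):
    """Timestamps in the sample are ISO 8601 strings."""
    return datetime.fromisoformat(value)


def detect_privileged_group_changes(events):
    """Alert on any member added to a privileged group (rights-abuse indicator)."""
    alerts = []
    for e in events:
        if e["id"] in GROUP_CHANGE_EVENTS and e.get("group") in PRIVILEGED_GROUPS:
            alerts.append({
                "rule": "privileged-group-add",
                "ts": e["ts"],
                "actor": e["actor"],
                "member": e["member"],
                "group": e["group"],
            })
    return alerts


def detect_lateral_movement(events, window=timedelta(minutes=5), min_hosts=4):
    """Alert when one account has network logons to >= min_hosts distinct
    hosts inside a sliding time window. Thresholds are assumptions."""
    logons = defaultdict(list)  # user -> [(timestamp, host)]
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == NETWORK_LOGON:
            logons[e["user"]].append((parse_ts(e["ts"]), e["host"]))

    alerts = []
    for user, entries in logons.items():
        entries.sort()
        start = 0
        for end in range(len(entries)):
            # Advance the window start until entries[start..end] fit in `window`.
            while entries[end][0] - entries[start][0] > window:
                start += 1
            hosts = {host for _, host in entries[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "rule": "lateral-movement",
                    "user": user,
                    "first_ts": entries[start][0].isoformat(),
                    "last_ts": entries[end][0].isoformat(),
                    "hosts": sorted(hosts),
                })
                break  # one alert per account per run is enough for triage
    return alerts


def run_detections(events):
    """Run both rules and return the combined alert list."""
    return detect_privileged_group_changes(events) + detect_lateral_movement(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the first rule fires once (the addition to Domain Admins, while the Helpdesk change is ignored) and the second fires once for the account that reached four hosts over the network inside the window; the interactive logon by the other account is not counted. In practice both rules would read from a SIEM or the domain controllers' forwarded logs rather than an inline list, and the privileged-group set would be derived from the agency's own tiering model.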
While these tasks may seem daunting, zero trust is truly a journey worth taking. “Be persistent,” Pendley advises. “If agencies continue to do what has historically always been done – they’ll be the one in the news.”