The Office of Management and Budget recently released final guidance updating the federal government’s goal of moving toward a zero-trust security posture. The update illustrates an intentional shift in how the federal government wants organizations to conduct data transactions and contextualize user activity and network access.
Achieving a secure zero trust environment is not a single item or action; it requires a fundamental shift in how government agencies and commercial enterprises view and execute network security, starting with contextualizing network activity.
To accurately add context to user behavior on the network, access must be rooted in a master concept of identity. The days of standalone perimeter-based security are gone. Today’s service edge is much further away from the network and could be a cell phone used on someone’s personal couch or a laptop used in a hotel room in the Caribbean. With the shift in how we’re working across the board, identity security must stay top of mind for all organizations. OMB’s guidance appropriately focuses on this element in its attempt to bring systemic modernization to cybersecurity.
A pivotal component to the zero-trust executive order was improving information-sharing on cyber issues between the U.S. government and the private sector to standardize responses to cyber-attacks.
No one vendor can provide a complete zero trust security architecture. Agencies and organizations must work with multiple interoperating solutions or vendors to meet these mandates and provide comprehensive network security. As organizations leverage identity in the security process, they should seek comprehensive security solutions that provide least privilege, elevate privilege at the application layer, and that integrate with existing multifactor authentication tools.
Zero Trust and Identity
The new OMB requirements call for an agreement on identity as the foundation of zero trust. With the dissolution of the traditional network perimeter, identity has become the primary critical line of defense engulfing all users and devices.
For this reason, the executive order mandated all federal agencies use, among other tactics, multi-factor authentication and encryption strategies. However, MFA alone is not enough to keep pace with adversaries. A comprehensive zero trust architecture requires an organization to fully understand the master identities of users accessing the network – one user identity that can access data in multiple roles or locations.
A person can work in 14 different places, and the network needs to carry that user’s master identity with them while shedding the data-access identities they no longer need. Limiting access to what is needed, for a finite duration and no longer, lets organizations maintain operational security while still allowing cross-organization communication. Implementing a master identity concept requires an intelligent identity and access security platform that can hold all elements of each user’s master identity.
Privileged access management (PAM) is a cornerstone of a zero-trust architecture and a key starting point for gaining visibility into a user’s master identity, removing assumed certainty once granted to users. PAM solutions like privileged password management, endpoint privilege management, and secure remote access bolster the verification elements in zero trust’s verify, trust, then verify again model.
Capabilities such as least privilege and just-in-time (JIT) access are called out specifically by the National Institute of Standards and Technology on its list of executive order-critical software, which helps agencies identify software for the initial phase of zero trust implementation. NIST recommends that the initial executive order implementation phase focus on standalone, on-premises software that has security-critical functions or poses similar, significant potential for harm if compromised. Identity, credential and access management (ICAM) sits at the top of the list.
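The master identity and just-in-time access ideas above, as an added example that is not part of the article or any vendor product: one identity carries several time-boxed role grants, every grant is capped at a maximum duration, and expired grants are shed automatically on the next access check. All user, role and resource names are constructed.

```python
"""Added example (not from the article): time-boxed, just-in-time privilege
grants tied to one master identity. All names and data here are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy cap: no single JIT grant may live longer than this (illustrative value).
MAX_GRANT = timedelta(hours=8)


@dataclass(frozen=True)
class Grant:
    role: str            # e.g. "db-admin" (constructed)
    resource: str        # e.g. "payroll-db" (constructed)
    expires_at: datetime


@dataclass
class MasterIdentity:
    """One identity that can hold access in multiple roles or locations."""
    user_id: str
    grants: list = field(default_factory=list)

    def request_access(self, role, resource, duration, now):
        """Issue a JIT grant that lives only for `duration`, never past MAX_GRANT."""
        if duration > MAX_GRANT:
            raise ValueError(f"requested {duration} exceeds policy cap {MAX_GRANT}")
        grant = Grant(role, resource, now + duration)
        self.grants.append(grant)
        return grant

    def shed_expired(self, now):
        """Drop grants the user no longer needs; returns how many were removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.expires_at > now]
        return before - len(self.grants)

    def is_authorized(self, role, resource, now):
        """Least privilege for a finite duration: only unexpired grants count."""
        self.shed_expired(now)
        return any(g.role == role and g.resource == resource for g in self.grants)


def demo():
    """Walk one identity through a 2h admin grant and an 8h reader grant."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    ident = MasterIdentity("jsmith")
    ident.request_access("db-admin", "payroll-db", timedelta(hours=2), now)
    ident.request_access("reader", "hr-portal", timedelta(hours=8), now)
    during = ident.is_authorized("db-admin", "payroll-db", now + timedelta(hours=1))
    later = now + timedelta(hours=3)        # admin grant has lapsed by now
    after = ident.is_authorized("db-admin", "payroll-db", later)
    still_reader = ident.is_authorized("reader", "hr-portal", later)
    return during, after, still_reader, len(ident.grants)


if __name__ == "__main__":
    print(demo())
```

The shedding happens inside the authorization check rather than in a background job, so a stale grant can never be used after its window even if cleanup is late; in a real PAM deployment the grant store would also be audited and the cap enforced server-side.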
Controlling identity starts with privileged access management
Agencies have been quick to incorporate and implement ICAM and MFA strategies, viewing PAM as an additional layer of security. However, PAM should be incorporated at the initial phase alongside MFA and identity management solutions as a core piece of a zero-trust architecture.
Organizations today have multiple clouds to serve various purposes, increasing the attack surface. Utilizing PAM solutions to enforce least privilege, combined with a proper inventory of cloud assets, reduces the attack surface. If organizations aren’t aware of what data exists in each cloud with consistent accuracy, they can’t prioritize how they apply least privilege and the path they take to right-sizing entitlements.
IT personnel can use PAM tools to bridge security gaps as well. Some helpdesks have become overwhelmed with the submission of tickets during the surge of remote employees. In some cases, this added pressure allowed users to obtain more rights than they required to get their job done. PAM tools can restore least privilege access, keeping users and the helpdesk on track by ensuring resources are being accessed only by those users that truly need them.
Threats waged against data networks are too varied for one-dimensional thinking, and they are only increasing. If security planning targets just one specific threat – for example, ransomware – it limits the scope of protection against other threats like phishing, malware, insider threats and more.
Security planning must evolve for the future as well; the future of zero trust will involve learning more about user behavior patterns. Systems will need to understand those patterns and implement security based on anomalies with each identity. For example, if a user accesses parts of the network they normally access from a trusted location at a normal time, then there isn’t a need for as many resources to verify that user as often during network engagement. However, a user attempting to access network data they don’t normally access from an unfamiliar location should become a red flag because there’s no proper context for what the user is doing. This access is high-risk and warrants additional methods of verification.
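The behavior-based verification described above, as an added example that is not part of the article: a per-identity baseline (usual locations, resources and hours) is learned from past access events, each new event is scored on how far it departs from that baseline, and the score selects the verification action. The events, weights and thresholds are all constructed for illustration.

```python
"""Added example (not part of the article): context-based step-up decisions.
A per-identity baseline is learned from past access events, and each new event
is scored on how far it departs from that baseline. All events are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    user: str
    resource: str
    location: str   # e.g. office site or region of the source address
    hour: int       # local hour of day, 0-23


# Constructed history of normal activity for one user.
HISTORY = [
    AccessEvent("jsmith", "hr-portal", "HQ-Arlington", 9),
    AccessEvent("jsmith", "hr-portal", "HQ-Arlington", 10),
    AccessEvent("jsmith", "email", "HQ-Arlington", 11),
    AccessEvent("jsmith", "email", "home-VA", 14),
    AccessEvent("jsmith", "hr-portal", "home-VA", 16),
]

# Illustrative weights; a real deployment would tune these from its own data.
LOCATION_WEIGHT = 2
RESOURCE_WEIGHT = 2
HOUR_WEIGHT = 1
HOUR_TOLERANCE = 2      # hours either side of a seen hour still count as normal


def build_baseline(history):
    """Profile each identity: where, what and when they normally access."""
    baseline = defaultdict(lambda: {"locations": set(), "resources": set(), "hours": set()})
    for ev in history:
        b = baseline[ev.user]
        b["locations"].add(ev.location)
        b["resources"].add(ev.resource)
        b["hours"].add(ev.hour)
    return baseline


def risk_score(baseline, ev):
    """Sum the contextual anomalies; an unknown identity has no context at all."""
    b = baseline.get(ev.user)
    if b is None:
        return LOCATION_WEIGHT + RESOURCE_WEIGHT + HOUR_WEIGHT
    score = 0
    if ev.location not in b["locations"]:
        score += LOCATION_WEIGHT
    if ev.resource not in b["resources"]:
        score += RESOURCE_WEIGHT
    if not any(abs(ev.hour - h) <= HOUR_TOLERANCE for h in b["hours"]):
        score += HOUR_WEIGHT
    return score


def decide(baseline, ev):
    """Map the score to a verification action: familiar context, less friction."""
    score = risk_score(baseline, ev)
    if score == 0:
        return "allow"            # trusted place, usual data, normal time
    if score < 4:
        return "step_up"          # ask for an additional verification factor
    return "step_up_and_alert"    # verify again and raise a flag for review


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for ev in [
        AccessEvent("jsmith", "hr-portal", "HQ-Arlington", 10),
        AccessEvent("jsmith", "email", "home-VA", 22),
        AccessEvent("jsmith", "finance-db", "hotel-Caribbean", 3),
    ]:
        print(ev, "->", risk_score(base, ev), decide(base, ev))
```

The point of the scoring is the asymmetry the article describes: a routine request from a known place costs the user nothing extra, while an unfamiliar resource from an unfamiliar location at an odd hour accumulates enough anomaly to require more verification and a look from the security team.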
The traditional ways of protecting data networks are no longer adequate for today’s threat environment. Security reach can no longer be limited to the agency’s front door but must extend to wherever the user accesses the network. A true zero trust architecture will be a continuous state we work towards.
Agencies must place a heavy focus on identity, MFA and PAM within the confines of zero trust to always verify, never trust, and again, verify explicitly.
Josh Brodbent is regional vice president for public sector solutions engineering at BeyondTrust.