Isolation and zero trust in the federal government: Avoiding technical debt


This federal administration has been one of the most active in history in its approach to federal cybersecurity. From the White House’s May 2021 Executive Order on Improving the Nation’s Cybersecurity through to its National Cybersecurity Strategy announcement this March, it has kept up pressure on federal officials to impose stricter security measures. It has also provided more detail on some of the measures in the executive order, especially around its zero trust architecture (ZTA) strategy. In January 2022 the Office of Management and Budget published its M-22-09 memorandum on zero trust that mandated compliance with specific goals by the end of fiscal 2024.

Those goals span five main pillars: identity and access management, device protection, network security, and the protection of both applications and data. In short, federal agencies must blanket their whole technology stack in ZTA protection.

The browser: An attacker’s doorway into agency systems

This is a watershed moment for the federal government, which is moving quickly to reduce threat vectors from as many areas as possible. ZTA involves a fundamental rethink of security architecture. When many federal government systems were created, cybersecurity thinking still imagined data, infrastructure and users on one network in which everything was trusted. A “ring of iron” approach used firewalls and internet gateways to shield everything inside it.

The evolution of the browser, along with hybrid working practices and cloud computing, requires a new cybersecurity mindset. The network has exploded into a diverse array of hybrid cloud systems accessed from myriad locations, often via a web browser.

The browser is now a key ingress point for attackers who constantly mount more sophisticated attacks. Threats no longer come only from obscure, suspicious sites with Russian or Chinese domain names. They might come from legitimate sites like Microsoft’s Office 365 application, or via GitHub. Attackers use well-known domains that allow user-uploaded content, making it difficult for traditional firewalls or internet gateways to detect them. Cyber criminals and nation-state actors have also become more nimble, morphing their techniques with new attacks such as HTML smuggling (used in the SolarWinds attack) that are more difficult to spot. Our researchers have found that over half of all organizations encounter advanced web threats at least once each month.

AI is exacerbating online threats by empowering malicious actors. Forrester highlighted generative AI as a key risk in its Top Cybersecurity Threats In 2023 report. With the technology, attackers are now able to generate phishing emails at scale using ChatGPT, for example.

The threat extends beyond generative AI into more traditional machine learning models. A review of scientific literature on offensive AI uncovered its potential usage in six attack phases: target reconnaissance, access and penetration, attack concealment, exploitation and action on objectives. For example, AI could create target profiles at speed and scale far beyond existing capabilities, and could crack security CAPTCHAs. AI-powered malware could ‘learn’ how to evade detection and spread itself through an organization by analyzing existing network behavior.

Trust nothing

ZTA flips the ‘trust everything inside the network’ model, instead trusting nothing and no one. Every user and device must prove its security, even when logged onto systems inside the core network, and all traffic from external systems is treated as potentially malicious, even when those systems appear legitimate. This strategy prevents attackers — including those using AI-powered malware — from gaining a foothold on federal agency systems via browser sessions.

Implementing these protections will be a challenge for federal agencies that are already grappling with daunting modernization challenges. The Government Accountability Office’s recent update on system modernization found that while agencies recognized the importance of bringing some of their systems into the modern era, work is ongoing.

Federal IT systems are often decades old and serve vast numbers of people. Upgrading them is a major undertaking, and federal agencies operate on strict budgets. They represent a sunk investment and a rip-and-replace approach often isn’t possible. Agencies have tried to front them with next-generation firewalls but they can’t stop the current wave of evasive and adaptive threats.

How isolation technology helps

Now agencies are turning to isolation technology that they can layer atop existing systems to provide an entirely new level of protection. Isolation applies an air gap between the government IT system and the internet, meaning that browsers are never directly connected to the outside world. Instead, all content is scanned and tested before it reaches the federal agency. Links are checked for malicious intent, and attachments are run in a sandbox environment to analyse their behaviour.

This is how government agencies can implement zero trust principles at the user level, by treating all traffic as potentially malicious. It’s also relatively easy to implement. Rather than expensive refactoring projects on monolithic legacy applications, they can simply use redirects to divert all external traffic via the service provider’s FedRAMP-certified environment.
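The redirect-based approach described above comes down to a routing decision made for every request: traffic to the agency's own systems goes direct, and everything else is treated as untrusted and diverted through the isolation provider. The following Python model of that decision is an added example and is not code from Menlo Security or from any real isolation service; the internal domain suffixes, the isolation entry point URL and the file extensions sent to the sandbox are constructed placeholders. It also shows why the "is this internal?" check must be made on a parsed hostname rather than on a raw string prefix, since an attacker-controlled URL such as `https://intranet.example.gov@evil.com/` would otherwise pass as internal.

```python
"""Model of an isolation routing decision: direct, isolate, sandbox or block.

Added example (not the article's or any vendor's code). All domain names,
the isolation entry point and the extension list are constructed placeholders.
"""
import ipaddress
from urllib.parse import urlencode, urlsplit

# Assumed agency-internal origins that may be reached without isolation.
INTERNAL_SUFFIXES = ("intranet.example.gov", "apps.example.gov")

# Assumed entry point of the remote isolation service (placeholder URL).
ISOLATION_ENTRY = "https://isolation.example-provider.gov/open"

# Downloads with these extensions are routed to sandbox analysis rather than
# to a plain isolated browsing session.
SANDBOX_EXTENSIONS = {".exe", ".msi", ".zip", ".docm", ".xlsm", ".js", ".html", ".htm"}


def _host_of(url: str):
    """Return the lowercased hostname of an http(s) URL, or None if unusable.

    urlsplit().hostname discards userinfo ("user@") and the port, so the
    'intranet.example.gov@evil.com' trick yields 'evil.com' here.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname


def is_internal(url: str) -> bool:
    """True only for hostnames equal to, or a subdomain of, an internal suffix."""
    host = _host_of(url)
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literals bypass name-based policy, so never treat as internal
    except ValueError:
        pass
    # Require a dot boundary so 'evilintranet.example.gov' does not match.
    return any(host == s or host.endswith("." + s) for s in INTERNAL_SUFFIXES)


def classify(url: str) -> str:
    """Return one of 'direct', 'isolate', 'sandbox' or 'block'."""
    if _host_of(url) is None:
        return "block"  # non-web schemes (javascript:, file:, ...) are refused outright
    if is_internal(url):
        return "direct"
    path = urlsplit(url).path.lower()
    if any(path.endswith(ext) for ext in SANDBOX_EXTENSIONS):
        return "sandbox"
    return "isolate"


def route(url: str):
    """Return (decision, url_to_fetch); the fetch URL is None when blocked."""
    decision = classify(url)
    if decision == "direct":
        return decision, url
    if decision == "block":
        return decision, None
    # Everything external is rewritten to the isolation service, which fetches
    # and renders the content on the agency's behalf.
    return decision, ISOLATION_ENTRY + "?" + urlencode({"url": url, "mode": decision})


if __name__ == "__main__":
    samples = [  # constructed sample requests
        "https://INTRANET.example.gov/payroll",
        "https://intranet.example.gov@evil.com/",
        "https://evilintranet.example.gov/",
        "https://github.com/org/repo/releases/setup.exe",
        "https://10.0.0.5/admin",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s:55} -> {route(s)[0]}")
```

The decision function is the part worth testing in a real deployment: the redirect rule itself is simple, but a loose host match turns the isolation layer into an allowlist bypass.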

Isolation technology removes internet-borne attacks, including AI-powered malware, as threat vectors. In doing so, it also makes hybrid work safer. With the pandemic forcing many agencies to adopt remote working practices, isolation technology provides a secure environment for online browsing from external locations. It also allows employees to access the internet without revealing their identity or location. This is particularly useful for those that deal with sensitive information or need to keep their activities confidential.

Finally, isolation technology doesn’t just alleviate the cost of expensive application upgrades; it also saves federal agencies money in other ways. Isolating web traffic to the service provider’s secure cloud environment saves network bandwidth. It also reduces the number of false positives compared to legacy cybersecurity approaches, saving staff hours and allowing employees to focus on other important tasks. The DoD estimates that it will save $300 million by protecting users through browser isolation.

Isolation technology is now an official part of the federal government’s recommended approach to ZTA. CISA has specifically mentioned browser isolation technology in its 2021 Capacity Enhancement Guide, and also recommends isolation in its Zero Trust Maturity Model.

Funding ZTA approaches

Even though the investment in isolation technology is modest, agencies still struggle to find budgets for ZTA-based improvements. There are useful funding sources. The Technology Modernization Fund, authorized in 2017, funds agencies modernizing their systems. The government has provided $225 million in funding for this program via the annual budget, along with a further $1 billion through the American Rescue Plan. CISA’s Continuous Diagnostics and Mitigation program also provides tools to help participating agencies improve their security posture, while other programs specific to the defense industrial base support ZTA services.

The user is always the weakest link in any security system. Attacks powered by AI make users even more susceptible to attack while also making malware more difficult to detect if it does make it inside a federal agency. Isolation technology helps to harden that link by providing a secure browsing environment. This reduces the risk of employees inadvertently downloading malware or other malicious content that can compromise agency data and systems — and it does so cleanly, quickly, with minimal changes to existing architecture. Simple and effective solutions like this will be invaluable as agencies navigate a new era of online threats.

Darrin Curtis is vice president of public sector at Menlo Security. 

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.