The White House recently released a memo, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” outlining a new strategy to bolster the government’s cybersecurity and instructing federal agencies to adopt zero trust practices by the end of 2024. The White House has been making strides to increase cybersecurity measures over the past year. In May 2021, the administration released an executive order aimed at improving the nation’s cybersecurity.
Adding more fuel to the fire around the topic of cybersecurity are last year’s prominent attacks on Colonial Pipeline, JBS, SolarWinds, and the recent discovery of the Log4j vulnerability that impacted thousands of companies.
This latest memo serves as further proof of the administration’s commitment to ensuring U.S. government agencies are following the best cybersecurity practices. But what is zero trust, and what steps should federal agencies take to successfully implement this cybersecurity model? Let’s take a look.
What is Zero Trust?
An organization implementing a zero trust cybersecurity architecture means that no individual, asset, or software is trusted. Instead, every system and person must be authenticated, authorized, and continuously validated as having the right to be accessing what they are using.
According to the White House memo, “The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”
This aligns with the LookingGlass view – also held by many others across the information security community – that the old “castle and moat” approach to cybersecurity, where an organization focuses all its efforts on strengthening the perimeter, is no longer enough.
Under the memo, the new White House strategy for zero trust will require:
- Federal staff will have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining protected from even targeted, sophisticated phishing attacks.
- The devices that Federal staff use to do their jobs are consistently tracked and monitored. The security posture of those devices is considered when granting access to internal resources.
- Agency systems are isolated from each other, and the network traffic flowing between and within them is reliably encrypted.
- Enterprise applications are tested internally and externally and can be made available to staff securely over the internet.
- Federal security teams and data teams work together to develop data categories and security rules to automatically detect, and ultimately block, unauthorized access to sensitive information.
Zero Trust is not a new concept by any means: John Kindervag, a former Forrester analyst, introduced it in 2009. While the concept has been around for a while, implementing a zero trust architecture will be an enormous shift for many organizations and government agencies, because most organizations have built their entire infrastructure on the castle-and-moat approach. In fact, according to a 2020 survey, 40% of North American organizations have not even begun to work on incorporating a zero trust strategy into their cybersecurity program.
How to Get Started with Zero Trust
Cody Pierce, Chief Product Officer at LookingGlass, recently shared his thoughts about what the White House’s memo means for government agencies and government partners and contractors.
“One of the overriding themes of the White House Zero Trust Memo is to ‘treat all applications as internet connected.’ Internet-connected to me means two things: (1) identifying what you have that is internet connected, and (2) verifying that you don’t have unknown things connected to the internet,” says Cody Pierce.
This isn’t surprising: the first rule of cybersecurity is to know what you have; without knowing what you have, you don’t know what to secure or how. Cody’s second point is critical, though, especially in the age of the Internet of Things. It may be even more important these days to detect something that isn’t supposed to be connected to the internet because this identifies an attack vector you had not expected.
There have been notable breaches across various organizations and critical infrastructure sectors where assets that shouldn’t be connected to the internet end up connected and open to adversaries. Back in 2015, Beth Israel Deaconess Hospital experienced a major data breach and exfiltration of patient records because a technician connected a healthcare machine to the internet to download a patch and went on lunch break. This isn’t that different from today. For many companies, digital transformation or modernization efforts mean that staff can “spin up” resources like a test or development site when needed. But what happens if a developer stands up a dev site and forgets to shut it down or implement security controls before leaving for the weekend? Threat actors are constantly scanning networks to see if they can find internet-connected assets that they can access.
“Zero trust architectures expose the eventuality that everything is hyperconnected. In this world, then, how do we understand those connections and protect them? That’s going to be critical,” says Cody.
10 Next Steps for Government Agencies
Moving to a zero trust architecture involves changes to nearly every aspect of an enterprise’s security posture. That’s why the White House memo outlined next steps that are required of federal agencies:
- Government agencies have 30 days from the publication of the White House memo to designate and identify a zero trust strategy implementation lead.
- They must integrate (and enforce) multi-factor authentication (MFA) across applications involving authenticated access to Federal systems by agency staff, contractors, and partners.
- They should ensure their tools can execute protocols for authorization.
- Agencies must maintain a complete inventory of every device authorized and operated for official business. They need to prevent, detect, and respond to incidents on those devices.
- They must ensure that their endpoint detection and response (EDR) tools meet CISA’s requirements.
- Agencies must encrypt all DNS requests and HTTP traffic within their environment and begin executing a plan to break down their perimeters into isolated environments.
- They must treat all applications as internet connected. They need to routinely subject their applications to rigorous empirical testing and external vulnerability reports.
- They must increase their reliance on external perspectives to identify vulnerabilities that internal staff may not identify.
- Agencies need to make applications internet-accessible in a safe manner – without relying on a virtual private network (VPN) or other network tunnels.
- And lastly, they must develop and implement a data security strategy.
As Cody noted, one of the hardest parts of adopting a zero trust architecture is going to be identifying your assets. Many organizations have relied on firewalls at the perimeter and endpoint protection at the edge to protect them, while allowing devices on the network to operate with a lot of freedom. With zero trust, organizations will need to be able to define not only who can access what but also what assets or devices can access specific applications or systems – and verify the right to access continuously. Foundationally, this means having comprehensive visibility into all your assets.
“This visibility challenge has been and will continue to be the biggest issue for cybersecurity over the next 5, if not 10, years,” noted Cody.
If your organization needs help identifying all the assets in your network, from endpoints and servers to APIs and software, LookingGlass can help you map your attack surface to see what the adversary sees. Contact us today to find out more.