For the federal government, truly securing its IT infrastructures, networks, and systems requires embracing modern cybersecurity frameworks and principles in a big way. One security architecture that government agencies are being strongly encouraged to adopt is zero trust.
Zero trust addresses security at all levels of an agency by refusing network access until anything attempting to use the network—APIs, nodes, people, or devices—is fully authenticated.
But fully protecting networks and embracing this framework requires comprehensive zero trust at every access point. According to Quest Software’s Federal Technology Director, Chris Roberts, “You can’t effectively secure something if you don’t know where or what it is.” In other words, a full inventory of assets and users is a critical first step. Without that, full security will remain elusive.
Here are four ways that federal government agencies can begin assessing and preparing their networks for zero trust adoption:
1. Know what data is in your network and who has permission to access it.
More than anything else, hackers want data they can use for purposes of extortion or to aid in launching even more lucrative cyberattacks on agencies. Cyberthieves will go after any type of data they consider potentially valuable, from classified military data to health and financial information of government employees and private citizens.
The first step in protecting that data is knowing what type of data you have, where it is located, and who has access to it. Doing this effectively requires good data governance—understanding exactly who has specific rights to view, access or manipulate the data based on their role, and whether the person is in a secure place to access the data. This involves cataloging the data and applying metadata to it. With this structure, it’s much easier to classify data properly and determine where it is at all times, who controls it, and who is authorized to access it.
That’s where role-based access comes in; only users with the right roles should be able to access the data. “There should be no assumptions about who I am or what my role is,” Roberts explained. “If I’m not a fuel tech on the runways, I have no business grabbing a gas tank and attaching it to an F-15. It’s the same with any type of data.”
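The catalog-plus-role check described above, as an added illustration that is not from the article or from Quest Software: assets carry classification metadata, owner and location, each role is granted specific actions, and data at or above an assumed sensitivity threshold may only be handled from an approved location. The catalog records and role names are constructed samples.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """Classification labels applied as metadata; higher is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CUI = 2          # controlled unclassified information
    SECRET = 3

@dataclass(frozen=True)
class Asset:
    """One catalog entry: what the data is, where it lives, who controls it,
    and which roles may do what with it."""
    name: str
    location: str
    level: Level
    owner: str
    role_actions: dict  # role -> set of permitted actions (view/edit/...)

# Constructed sample catalog (illustrative records, not real agency data).
CATALOG = {
    "employee_health": Asset("employee_health", "s3://hr-vault/health",
                             Level.CUI, "hr-records",
                             {"benefits_clerk": {"view"},
                              "hr_admin": {"view", "edit"}}),
    "flight_schedules": Asset("flight_schedules", "db://ops/flights",
                              Level.INTERNAL, "ops",
                              {"scheduler": {"view", "edit"}, "pilot": {"view"}}),
}

# Assumed policy: data at this level or above may only be handled from an
# approved (secure) location.
SECURE_LOCATION_REQUIRED_FROM = Level.CUI

def authorize(roles, asset_name, action, in_secure_location):
    """Return (allowed, reason). Deny by default: unknown asset, no role that
    grants the action, or sensitive data touched from an unapproved location."""
    asset = CATALOG.get(asset_name)
    if asset is None:
        return False, "asset not in catalog"
    granting = sorted(r for r in roles if action in asset.role_actions.get(r, ()))
    if not granting:
        return False, f"no role grants '{action}' on {asset.name}"
    if asset.level >= SECURE_LOCATION_REQUIRED_FROM and not in_secure_location:
        return False, f"{asset.level.name} data requires a secure location"
    return True, f"'{action}' on {asset.name} granted via role {granting[0]}"
```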
2. Know your nodes.
Unlike the past, when nodes were basically endpoints, nodes today can be just about anything with an IP address on a network. That means not only PCs, tablets, and smartphones, but IoT devices like smart thermostats, security systems, and even intelligent heating, ventilation, and air conditioning (HVAC) systems. Smart hackers know how to infiltrate these devices. That means agencies must be able to scan them, patch them, and block ports on the devices.
Protecting all nodes requires knowing every IP address and node, and whether anything at that address is listening on specific ports. With that information, network administrators can proactively shut down certain ports. It’s virtually impossible to account for all nodes manually, but some tools help automate the process.
3. Know your APIs.
Older systems typically operated in closed network environments with defined perimeters, making security relatively straightforward. In these environments, ports generally covered all connectivity options. Modern architectures are different. Most are integrated with services built on open standards, running on the Internet in some type of cloud environment. Agencies also use more cloud-based services than ever before, from software-as-a-service (SaaS) to platform and infrastructure as a service. These use APIs to provide interconnectivity. In most cases, APIs are baked into the applications and services agencies are using.
All of this means that it’s as important to apply zero trust to APIs as it is to apply zero trust to other parts of network security. It can get complicated, especially when agencies use external services or SaaS-based applications but aren’t aware of the APIs. Yet APIs are critical entry points today. To make sure you have a full inventory of APIs, Roberts suggests communicating with all vendors supplying technology to your environment. To really make sure, however, he also recommends using technology to deeply inspect every application.
4. Know your users.
Identity itself is a critical attack vector, prized by adversaries, who steal credentials to impersonate users and infiltrate networks or launch full-scale social engineering attacks. Most important, Roberts said, is knowing the authenticity of a user before authenticating the user. That means understanding what they do, whether they are coming from an accepted IP range or block of addresses, where they are geographically located, and how they are connecting.
That’s why so many organizations today have turned to tactics like multi-factor authentication (MFA) to verify identity, and behavioral analytics to get down to the details, such as how specific users use their mouse and keyboard. This information can form a baseline for how specific users behave over time. With this information, it’s easier to spot unusual behavior and when spotted, agencies can lock the user out, restrict their access or require an additional layer of authentication.
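The contextual checks listed above (accepted IP range, geography, connection type, and a behavioral baseline) combined into one access decision, as an added example that is not from the article or from Quest Software. The allowlisted ranges, accepted countries, the per-user typing-cadence baseline and the score thresholds are all assumed placeholders; the decision tiers mirror the outcomes the text names: allow, require an extra factor, restrict, or lock out.

```python
import ipaddress
from statistics import mean, pstdev

# Assumed policy values (placeholders, not an agency's real allowlists).
ACCEPTED_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
ACCEPTED_COUNTRIES = {"US"}

# Constructed per-user baseline: mean keystroke interval (ms) from past sessions.
BASELINES = {"jdoe": [180, 175, 190, 185, 170, 182, 178]}

def behavior_deviation(user, observed_ms):
    """How many standard deviations the observed typing cadence sits from the
    user's baseline; None when no baseline has been collected yet."""
    sample = BASELINES.get(user)
    if not sample or len(sample) < 2:
        return None
    return abs(observed_ms - mean(sample)) / (pstdev(sample) or 1.0)

def assess(user, src_ip, country, connection, observed_ms):
    """Weigh the login context (source range, geography, connection type,
    behavioral baseline) and return (decision, findings)."""
    findings = []  # (weight, reason) pairs that raised the risk score

    if not any(ipaddress.ip_address(src_ip) in net for net in ACCEPTED_RANGES):
        findings.append((2, "source outside accepted IP ranges"))
    if country not in ACCEPTED_COUNTRIES:
        findings.append((3, f"unexpected country {country}"))
    if connection != "vpn":
        findings.append((1, f"non-VPN connection ({connection})"))
    z = behavior_deviation(user, observed_ms)
    if z is None:
        findings.append((1, "no behavioral baseline to corroborate identity"))
    elif z > 3:
        findings.append((3, f"typing cadence {z:.1f} sd from baseline"))

    # Assumed thresholds mapping the accumulated score to an outcome.
    score = sum(w for w, _ in findings)
    if score >= 6:
        return "lock", findings            # lock the user out
    if score >= 3:
        return "restrict", findings        # limit what the session may reach
    if score >= 1:
        return "step_up_mfa", findings     # demand an additional factor
    return "allow", findings
```

A single strong signal (an unexpected country) is enough to restrict on its own, while weaker signals only add up to a step-up challenge, so the weights rather than the count of findings drive the outcome.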
Yet many organizations make assumptions about secure identities that can lead to big problems. For example, it’s not uncommon for IT operators to assume that if users are listed in Active Directory, there is no need for additional security. While identity in Active Directory is critical, it’s more than a network authentication tool. At its core, it’s a relational database with user principals, machine IDs, and other directory-based information.
For hackers, the real prizes to be won through Active Directory or LDAP are domain controllers, because that’s where the database of user accounts is located. They can often get there by compromising domain administrators themselves. If the wrong people access privileged accounts, they can do real damage. They can reroute application changes or network paths, for example.
Preventing this requires privileged account management, which allows agencies to secure, control, and audit privileged accounts by providing appropriate access. “It ensures that if you have a domain administration account, you know exactly who will be using it, what time they can use it, or what location or machine they can use it on,” Roberts explained.