Why the Federal Government Should Trust in Zero Trust
Digital transformation isn’t just for businesses – organizations everywhere including the federal government are getting on board. Take, for instance, the Pentagon’s $10 billion JEDI Contract, which gives Microsoft the right to provide enterprise level platform as a service (PaaS) and Infrastructure as a Service (IaaS) to the Department of Defense – a key element of the Pentagon’s ongoing work to modernize its infrastructure. While this is just one of many examples of digital transformation efforts happening in the federal sector, the mission is the same – to interconnect and scale operations.
However, while modernization initiatives are great for efficiency and can offer citizens new services, these efforts can also increase the attack surface – potentially opening up new points of vulnerability.
Why the Need for a Zero Trust Framework?
What does Zero Trust have to do with privileged access? If we look back at some of the most successful government agency cyber attacks, a majority of them involved compromising privileged credentials. One of the most widely reported attacks impacted the U.S. Office of Personnel Management (OPM), where an estimated that 21.5 million records containing personal information were stolen by attackers who got into the network with malware and escalated privileges to infiltrate several OPM systems. It was the escalation of privileges that made this attack so impactful and a well-documented lack of “security basics” that jeopardized the OPM’s ability to contain damage. The Committee on Oversight and Government Reform reacted to the OPM breach by recommending that the “OMB [Office of Budget and Management] should provide guidance to agencies to promote a Zero Trust IT model.”
Zero Trust is centered on the belief that organizations should “never trust, always verify.” With Zero Trust, the way to limit the damage of a data breach is continuous validation of each request for access, monitoring the users’ activity, segmenting critical tasks across privileged users and enforcing session termination when a privileged user attempts uncommon and risky tasks.
If we think about the two access pathways into an organization, there’s standard users who generally have low-level access to the systems they need to do their jobs – usually limited to the application layer. Then there’s the privileged user who often has unfettered access to the application layer, sensitive data and the mission critical Tier 0 assets. And when you add modernized infrastructure into the picture, Zero Trust extends from requiring the trust and verification of human users to non-human users as well. This includes applications interacting with operating systems via service accounts and business (and robotic) automation processes where software bots are connecting, storing and accessing sensitive data and applications.
The OPM breach and the many others like it are strong indicators that security has to evolve beyond helping to ensure that only trusted users can access the network to, in the case of a data breach, making it so attackers can’t cause significant damage to the organization.
How to Align to Zero Trust
Across the workforce of the United States, each employee has multiple business accounts. When you multiply those accounts (which can up be upwards of 30 or more) by the number of employees in a federal agency, you can understand the scale makes the level of risk concerning. Then as you couple that with the Digital Transformation efforts occurring in the Federal sector and the increasing number of non-human users that require privileged access, the risk increases exponentially.
Privileged Access Management (PAM) solutions not only help mitigate credential theft by isolating and vaulting passwords from users and systems, but they also align with Zero Trust strategies by integrating with multi-factor authentication solutions for continuous validation. Effective PAM solutions should provide continuous session monitoring and recording and enable the detection of the risky behavior through the use of analytics and session termination when unauthorized tasks occur.
CyberArk is a certified NIAP vendor, and is regularly working with federal agencies to help them better secure their critical infrastructure, reduce risk and protect against attackers and malicious insiders. To align with Zero Trust frameworks, we recommend:
- Implementing a risk-based approach to security
- Implementing continuous multi-step authentication and security to Tier 0 assets
- Securing core privileges on endpoints and endpoint devices
- Securing and monitoring the privileged pathway
- Implementing attribute-based granular access controls