Who can be trusted in a global pandemic? The safe answer is no one.
A dramatic culture change has altered the way nearly everyone on the planet is working, as nations seek to institute social distancing policies and massive organizations look to implement remote-friendly environments. Government employees and contractors are now logging into systems and accessing sensitive data from personal devices. As such, a critical question has arisen: are all endpoints secure to mitigate these new access patterns?
Adversaries around the world are keenly aware of these challenges and are already acting to take advantage of the strain. Further, we have determined with high confidence that phishing campaigns will likely make use of lures aligned with health guidance, containment and infection-rate news.
Government agencies face a surge of threats perpetrated against an unplanned remote workforce. It’s a “new normal” that could last for months or even until 2021 and requires swift action. Previously, many in the public sector might have believed that the idea of implementing “zero trust authority” was simply a new buzz phrase to be implemented sometime in the future, but with a changing cyber landscape, implementation should be an immediate priority.
What is Zero Trust?
Zero Trust Architectures (ZTA) are a holistic approach to a contextual-based security architecture for protecting all customers’ computer assets, applications and data, regardless of who or where the user is, or where assets are located. The fundamental concept is “don’t trust anybody or anything operating inside or outside your network at any time.''
To use Zero Trust successfully, organizations must be able to continuously validate, with confidence, that both the user and the endpoint/mobile/cloud workloads have the right identity, privileges and attributes for access. Zero Trust takes into account continuous, real-time attributes encompassing user identity, organizations’ associations, endpoints, networks and more before allowing or maintaining user access to an organization’s networks, applications and data. In the Zero Trust world, the concept of inside or outside of the customer’s network does not exist. Since threats and security posture attributes are temporal by nature, attribute collection and selection of who gets access to what must be a continuous, near real-time process.
Government and Zero Trust
Adoption of such transformative technology can be intimidating, but crucial initial steps are already being made in government.
Since 2018, the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence have been working closely with the Federal Chief Information Officer Council and other federal agencies to address the need for Zero Trust Architectures. Events, such as the Zero Trust Architecture Technical Exchange Meeting, hosted by these organizations with the purpose of bringing together industry and government to discuss Zero Trust, are imperative to the acceptance and adoption of the model throughout the federal space.
Due in part to these events and actions taken by organizations such as NIST, an increasing number of government agencies have begun to adopt the Zero Trust security model in an effort to better protect their sensitive networks and move away from outdated processes. I expect — and hope — to see increased adoption in this critical time our government’s data are as vulnerable as ever.
The right implementation
All security frameworks trusted by the government - from the U.S. NIST CyberSecurity Framework to the more global in nature U.S. DOD Cybersecurity Maturity Model Certification or the U.S. NIST Zero Trust Architectures Frameworks - start with identifying the computer assets you are protecting (remote, local, or in the cloud) and protecting what they are connected to. Smart agencies will consider these four steps when rapidly implementing an iterative ZTA roll out to support the reality of the New Normal:
1. Leverage cloud native solutions to support the surge and continued remote workload growth and an API-first approach to enable easier integration and for automation to be more cost-effective.
2. Know who or what is remotely or locally connecting to your business assets. These are typically endpoints (mobile, laptops, desktops, cloud) that require continuous understanding of their security posture (prevention, detection), and having the ability to perform remote surgical incident response and support as needed.
3. Use a common multi factor identity management and access solutions integrated into your DevOps and on board / off boarding human resources process.
4. Actively hunt across all your workloads, endpoints and networks as adversaries will continue to evolve.
While the COVID-19 pandemic has presented an immediate need for swift action, government agencies should always be prepared for the unexpected and do everything in their power to protect their critical networks, data and endpoints. As adversaries will continue to evolve and adapt to benefit from any circumstance, the public sector in response must adopt secure and modern practices to stay one step ahead and protect the nation’s most secure information.
Let’s make the “new normal” a more secure environment - and rebuild trust from the ground up.
Curt Aubley leads strategy and solutions for CrowdStrike’s public sector and healthcare strategy group.