On May 12, 2021, President Biden signed Executive Order 14028 on Improving the Nation's Cybersecurity. The purpose of the EO is to improve the nation's cybersecurity posture and address evolving cyber threats to federal networks and critical infrastructure.
The critical infrastructure referenced in the EO covers sixteen sectors that includes commercial enterprises too. Some of the 16 sectors are: financial services, public utility, agriculture, chemical, energy etc..
So at the surface EO 14028 may seem only applicable to the federal infrastructure but, there are vast implications for the commercial side too.
The First Pillar: Identity
The EO makes a reference to the NIST publication SP 800-207: Zero Trust Architecture. Based on this architecture, CISA, the Cybersecurity and Infrastructure Agency, developed a Zero Trust Security Maturity Model.
After the EO was signed, the NIST also created a white paper, CSWP 20: Planning for a Zero Trust Architecture: A Planning Guide for Federal Administrators.
Both the NIST white paper and the CISA maturity model, refer to Identity as the first tenet and first pillar respectively. And there is a reason for that.
Vishal Masih, Chief Cybersecurity Architect at Zephon, who has spent more than two decades in Identity and Access Management, explains:
"Identity is considered the security perimeter because it is the primary factor that determines who is allowed access to an organization's resources and systems. By verifying the identity of users, organizations can determine their level of access to sensitive data and systems and control the actions they can take. With the rise of cloud computing, mobile devices, and remote work, the security perimeter has shifted to identity. Organizations now have to secure access to sensitive data and systems regardless of where users are located or what devices they are using."
Strong identity management also provides organizations with the most bang for their buck when it comes to their cybersecurity investments because user onboarding, offboarding, provisioning, deprovisioning, password management, and all the associated Help Desk calls, are the most time consuming, costly and labor intensive operations in an organization. By centralizing and automating that, organizations not only reduce those costs but their productivity goes up too, as less time and effort are spent on managing these activities, while employees get the access they need quicker. Another big cost saving is when management finally gets the visibility, through identity analytics, into the effective usage of products vs the licensing procured.
"From our experience, most organizations already have an authoritative source of user data and a central user directory. Our clients have been able to accomplish a lot with what they already have in-house, without procuring expensive products", says Vishal.
Implementing Zero Trust Identity Security
In 2022, the team at Zephon was engaged in a Zero Trust Security Assessment for a federal agency. As part of the exercise, the team not only had to identify the current gaps the organization had against a Zero Trust Architecture, but also design and recommend a plan for the agency to gradually mature with respect to the CISA Zero Trust Maturity Model.
Identity, being the first pillar, was of initial focus. The maturity plan had to comply with the directives of the EO 14028 too.
The steps below, were included by Zephon in the plan provided to the agency, and can serve as a model for any organization looking to mature their identity security:
Deploy phishing resistant MFA (examples include hardware tokens, biometric authentication etc.)
Implement SSO tied to the MFA method in step 1
Use risk-based authentication where the risk is contextual instead of just scores
Centralize your identity management system. Automate your user and NPE lifecycle management.
Run periodic access certifications. This however, does not negate the continuous authentication and continuous authorization requirement
Use attribute-based access control (ABAC) instead of role-based access control (RBAC) where the attributes are not only user derived, but also based on the device and the resource being accessed. This maps to context-based risk authentication (NIST 800-207).
Do not enforce a password policy that requires periodic rotation or special characters. Change should be based on evidence of compromise. Common passwords should still be blocked (NIST SP 800-63B).
Deploy a method to collect and utilize User Entity Behavior Analytics (UEBA) when making authentication and authorization decisions, and as indicators of compromise (IoC).
Audit, audit, audit - Audit everything that goes on in your environment. You need this for compliance, tracking, evidence, risk awareness, troubleshooting and decision making.
Provide user self-service secure password recovery and account lock/unlock capability based on the recommendations list above.
Non-Person Entity (NPE) account credentials should be vaulted in a secret manager. The account should be tied to device identities where possible..
Target privileged access first. A Privileged Access Management (PAM) system based on the recommendations above is a good place to start.
Practice the policy of “Least Privilege” everywhere and review it regularly. If a privilege has not been used (thank you auditing), remove it. High risk privileges can be requested, approved and assigned for a specific activity or duration, and revoked when done. Automate this process if possible.
The Zero Trust Security Architecture has other tenets too reflecting differently in different models. These usually fall under Device, Network, Application and Data,
To learn about best practices for these tenets or pillars of Zero Trust Security feel free to reach out to us here https://www.zephon.tech/contact.
To schedule a no-cost consult with Zephon for your specific needs, click here.