Unpacking the U.S. Cybersecurity Executive Order
Amid the 2021 wave of frequent, high-profile ransomware attacks on U.S. organizations, the White House issued its “Executive Order on Improving the Nation’s Cybersecurity.” Section 3 of the order states:
“The federal government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”
There are several important implications in this section that will have lasting impact on the cybersecurity industry as a whole.
Zero Trust Architecture
The Zero Trust cybersecurity model implements the elusive concept of “never trust, always verify.” While the concept has been around for longer than most practitioners realize, the recent uptick in cybercrime and the responding push by various security analysts and vendors has put the idea back in the spotlight.
The executive order directs government agencies to move towards a Zero Trust model, but the effects will be much further reaching. As government agencies rush to implement Zero Trust, enterprises working with these agencies are expected to follow suit to protect both the government and their own infrastructure. This will accelerate the already-in-progress shift to Zero Trust security.
Unfortunately, malicious actors don’t discriminate between federal agencies and the private sector. Whether your organization is a small business trying to get off the ground or an established one with millions of dollars’ worth of federal government contracts, it’s essential for it to follow the best practices and implement Zero Trust Network Access (ZTNA).
A Move Towards the Cloud
I remember when as-a-service cloud solutions were first introduced. Most vendors had two sets of offerings — one in the cloud and another in the form of an appliance for government agencies that were cloud averse. Those days are long gone: Today many cloud providers have their own government-sanctioned, FedRamp-compliant cloud solutions.
This executive order is asking the federal government to embrace and implement cloud XaaS solutions, be it SaaS, IaaS or PaaS. Due to federal regulations, government agencies were the last holdouts to cloud transformation, and this order is removing that hurdle.
Whether your organization is using cloud services like AWS, Azure or Google Cloud, or is running its own private cloud, it is important to plan and implement security guard rails in your architecture from the beginning.
Centralized Management
Note that the order is asking for a centralized and streamlined access to analytics. While this is not directly mandated in the order, this screams cloud delivered management services. After all, what better way to centralize and streamline access to a resource than by putting it on the cloud? However, there are many pitfalls associated with this approach.
IT Supply Chain: A Word of Caution
The recent pandemic has shown how interconnected the global supply chain really is. We are seeing delays and increased costs in everything from electronic chips to bicycle parts. Security admins should also consider the interdependencies of security in their IT supply chain.
Recent high-profile attacks like that on SolarWinds reiterated the old adage that any system is only as strong as its weakest link. Many multinational enterprises were impacted because they were using SolarWinds’ technology. Malicious actors infiltrated the supply chain of SolarWinds and inserted a backdoor into their product. When customers downloaded the Trojan Horse installation packages from SolarWinds, it gave hackers access to the partners’ environment. This was a sophisticated attack: the cybercriminals even randomized their code in order to bypass the traditional scanners looking for known indicators of compromise (IOC).
Unfortunately, one of the downsides of moving to the cloud is the dependency on other vendors’ infrastructure and security practices. This issue becomes even more relevant as the cloud infrastructure becomes more complex and interconnected.
Security admins would be wise to audit their partner infrastructure, especially XaaS ones, to ensure that they are not inadvertently integrating with a vulnerable environment.