The discovery of the SolarWinds hack at the end of 2020 and the recent ransomware attacks on the Colonial Pipeline Company and the meatpacker JBS have brought to light how critically important cybersecurity is and demonstrated the disastrous consequences of a vulnerable IT infrastructure. While cyberattacks have been a potential threat since we first went online, these latest high-profile attacks have brought home the reality and seriousness of cyberattacks on America’s critical infrastructure and assets.
With the SolarWinds hack, it was the realization that a foreign government entity had been roaming undetected in federal agency networks for about nine months that caused the shock. With Colonial and JBS, it was the sharp impact on the price and availability of essential commodities that gave these attacks added weight. In the five months following the public disclosure of the SolarWinds hack, these cyberattacks have effected real change in U.S. cyber policy, such that by May 12, 2021, President Biden issued an Executive Order (EO) on Cybersecurity that charts a new course for national cybersecurity and the protection of federal government agencies.
This cybersecurity EO recognizes not only the increasing sophistication of the nation-state actors initiating the attacks but also the “insufficient cybersecurity defenses” that have made public sector agencies more vulnerable to them. However, it is not just the attackers’ growing sophistication, or the lack of investment in cyber defenses that keep pace with these attacks, that makes federal agencies more vulnerable. The problem is compounded by the fact that federal agencies are creating, storing, and protecting more data than ever, and that data resides in more places than ever.
As federal agencies have become increasingly data-driven, they have built sophisticated data management environments to move this data from the data center to the edge so that it can be used to drive the mission forward, whether that’s protecting the warfighter, supporting America’s farmers, or empowering medical researchers to solve the challenges of COVID-19. Not only is this data of great value to America’s adversaries, but the multi-cloud environments federal agencies rely on to store, move, and process this data create more opportunities for exploitation.
“The Cybersecurity Executive Order couldn’t have come at a better time for federal agencies,” shared Cameron Chehreh, Federal Chief Technology Officer at Dell Technologies. “It’s a perfect opportunity for federal agencies to modernize their cyber postures and build defenses that protect not just the network but the device, data, apps, and clouds that they rely on to deliver on today’s mission.”
Mismatched Cyber Defenses
In many ways, the cyber defenses agencies depend on today are from a completely different era. Back at the dawn of the Internet age, it was perfectly feasible to protect an agency’s valuable assets using an Intrusion Detection System (IDS), an Intrusion Prevention System (IPS), and a strategically placed firewall or two. “Back when agencies developed proprietary software in house and all data resided in a data center, and was only used in-network, that sort of configuration provided adequate security,” explained Chehreh.
But today’s federal agency is very different. “In addition to generating so much more data today than ever before, agencies have become much less centralized,” explained Rob Davies, Chief Operating Officer at ViON. “Not only do they need to run multi-cloud environments in order to manage and move the petabytes of data it takes to deliver on today’s mission, but they’ve also made the move from proprietary tools to Commercial Off the Shelf (COTS) solutions to drive digital transformation, and have enabled access to data from phones, laptops, and tablets to support remote work.” In other words, with data being stored in many locations, moving in many different directions, and with agencies part of other organizations’ supply chains, there’s no longer only one point of entry and exit and one attack surface for cyber attackers to choose from, but thousands.
Despite all these potential vulnerabilities, Chehreh and Davies are confident that it is possible to secure today’s agencies and their multi-cloud environments. First and foremost, the federal government has made security a priority for cloud solutions with the FedRAMP authorization process. “Since 2011 FedRAMP certification has provided trusted cloud services to federal agencies,” explained Davies. “This is a great foundation, but securing a multi-cloud environment requires more than simply validating the security of the cloud.”
Zero Trust, More Security
Zero Trust architecture is quickly becoming the de facto standard in securing multi-cloud environments. Zero Trust – which covers a variety of strategies to protect data at rest and in motion, at the edge, in the core, or in the cloud – works by limiting the “internal lateral movement” of a user. Zero Trust has received widespread acceptance because, as well as supporting today’s work and IT environments, it doesn’t require a wholesale rip and replace of existing security infrastructure. Instead, Zero Trust works with existing security infrastructure and focuses on improving key areas over time. Typically, the first two areas to be addressed are device security and identity management.
“Zero Trust has gained significant acceptance in the private sector as the most effective way to prevent a data breach or cyber attack because it provides a continuous process of authentication and validation,” noted Chehreh. “With a traditional network defense posture, once a user was validated, they were free to move about the network. But with a Zero Trust posture, not only can I decide if I’m going to let you into the network, but I can then decide where you have permission to go and what you can access. Zero Trust provides a much more granular level of control.”
In creating these zones of authentication and validation, Zero Trust architecture creates a defense-in-depth approach to security with a localized kill chain that contains a threat. This is important because the ability to contain a threat prevents widespread data exfiltration or alteration and reduces the likelihood of a long dwell time for an APT within a multi-cloud environment. While Zero Trust might be disruptive, it offers the best path forward for federal agencies to secure data in a multi-cloud environment.
For federal agencies facing a 60-day window to comply with the Cybersecurity Executive Order, this fundamental change in approach might seem unachievable, but ViON’s Davies disagrees. “In the next 60 days agencies aren’t required to identify the technology they’re going to use or stand up a whole new solution,” he explained. “What agencies need to do in the next 60 days is to make a plan that starts with their data and specifically these two questions: Where does my data reside? Where does it travel?” For Chehreh, the other important part of this planning stage is for agency IT teams to understand and rationalize the agency’s app portfolio. “Agencies can minimize risk and maximize reward by understanding what apps they have today, what apps they will be retiring, and what apps they are considering adding to their portfolio,” he added.
The other good news for agencies is that the private sector has led the way in Zero Trust adoption and has a lot of information to share about products, tools, and ways to make seemingly overwhelming tasks much simpler. “The key is to understand that moving to a Zero Trust posture is a marathon, not a sprint because you can make significant improvements in your agency’s security posture with a few small steps and then a few more small steps,” explained Chehreh. “Start with a roadmap that outlines not only what you want to achieve overall but who you need to get onboard to deliver success. It’s important to have business stakeholders involved in the process as well as IT stakeholders so you can not only demonstrate the business and mission value, but also identify interdependencies that may change how you execute on your new security posture. And it’s vital to apply a Zero Trust framework not just to technology – your devices, workload, network, and cloud, but also to your processes, and most of all your people.”
Chehreh also shared that the federal government’s commitment to implementing Zero Trust as the cybersecurity standard across all agencies has already resulted in both NIST and the NSA releasing guidelines on how to build a Zero Trust architecture. Of course, there are still other challenges to overcome. “Agencies might be overwhelmed by the idea of identifying where their data resides and where does it travel,” explained Davies. “However, with the right tools it’s not complicated to know where data is, identify it, and understand how it transits and provide the foundational blueprint for a Zero Trust posture. We have the tools for that at ViON and we’re here to help.”
Federal agencies will always face cybersecurity challenges and the threats will only increase in sophistication. As cyberspace evolves as an escalating the need to secure not only infrastructure, but also data will continue to be of paramount importance. The recent decision to advance Zero Trust as the centerpiece of the federal government’s cybersecurity strategy is a smart one for many reasons. A Zero Trust approach aligns with, and supports, the way the federal government operates today as a data-driven enterprise and the way it will evolve as AI and IoT become even more fundamental to driving American innovation and mission success.
At the heart of any data-driven organization is a multi-cloud environment. This complex web of private and public clouds, needed to support the applications and workloads that are at the heart of mission success, demands a Zero Trust architecture in order to operate at speed and scale. “Securing the mission today has never been more important,” concluded Davies. “It’s definitely a complex problem, but by investing in trusted partnerships we can solve these challenges and ensure the security of federal agencies together.”