President Biden’s Executive Order Stresses the Importance of Identity & Access Controls
On the heels of the potentially devastating Colonial Pipeline ransomware attack, President Biden quickly signed an executive order aimed at “Improving the Nation’s Cybersecurity”. While the Oval Office is limited in its ability to legislate cybersecurity protections, the order did mandate a number of important changes within the Federal Government and its private sector contractors and suppliers. It declared that, as a matter of national and economic security, all Federal Information Systems must do better to prevent, detect and remediate cyber attacks on our digital infrastructure.
A key part of the initiatives outlined in the extensive and wide-reaching executive order is the adoption of a Zero Trust Architecture in the Fed, especially with regard to cloud computing technology. The order defines Zero Trust as:
A security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.
In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.
Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever.
Zero Trust and the Human Attack Surface
Let’s pick this definition apart a bit. First off is the admission that threats exist inside traditional network boundaries. Others have called these insider threats, but not all human actions have malicious intent. In fact, most security incidents result from human error. The simple truth that “to err is human” means that every bad decision contributes to an organization’s human attack surface.
Next is Zero Trust’s reliance on real-time information to determine system responses. Defending the human attack surface requires leveraging security data on every end user’s past actions, access level, and attack frequency to build a unique Human Risk Score for each user.
Central to the Zero Trust model is limiting a user’s access to the bare minimum they need to perform their jobs. This amounts to a tacit acknowledgement that identity is the new perimeter. Firewalls don’t protect an organization anymore. Nor do VPNs, intrusion detection, or any other technology that locks down your data. This is because identity and access are what’s being compromised. The bad guys are tricking your employees.
According to the 2021 Verizon DBIR, 61% of breaches stem from weak or stolen credentials. More than 11B accounts have been stolen… and counting. These become the entry point for most ransomware, account compromise, and IP theft incidents.
The President’s executive order explains that Zero Trust requires granular risk-based access, among other controls, and that the concept of least-privileged access be applied for every access decision. This is an admission that not all employees are created equal when it comes to cybersecurity. Some are riskier than others. Elevate Security’s Human Risk Scores for every user can be shared via API and applied by Identity & Access Management solutions. The scores provide valuable security context that can be used to make intelligent decisions about each user’s authentication and authorization. Security teams, incident response centers, and help desk personnel can take informed action based directly on each user’s level of risk, including:
- Should I require this user to use MFA? Or other authentication controls?
- Should this high risk user be given access to a particular sensitive resource?
- What policy settings should be enabled for my low risk users? My high risk users?
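To make the risk-based access decisions above concrete, here is an added illustration (not Elevate Security’s scoring model, API, or any product code) of how a per-user risk score can be derived from past actions, access level and attack frequency, and then consumed by a policy decision point that allows, requires step-up MFA, or denies. The event weights, score thresholds and sensitivity labels are constructed assumptions for the example; the one property worth copying is that every request that matches no allow rule is denied.

```python
"""Risk-adaptive access decisions driven by a per-user risk score.

Hypothetical illustration (not Elevate Security's scoring or any vendor API):
a score in [0, 100] is derived from a user's recent security events, and an
IAM policy decision point uses it, together with resource sensitivity and the
current authentication strength, to allow, require step-up MFA, or deny.
Default is deny: any request that matches no allow rule is refused.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(str, Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"
    DENY = "deny"


# Weights for the kinds of past actions the text mentions. Constructed for
# this example; a real model would be calibrated against incident data.
EVENT_WEIGHTS = {
    "phishing_click": 25,      # user clicked a simulated or real phish
    "malware_detected": 30,    # endpoint alert on the user's device
    "policy_violation": 10,    # e.g. data-handling or device policy breach
    "attack_targeted": 5,      # user was targeted (attack-frequency signal)
    "reported_phish": -10,     # positive behaviour lowers the score
}

# Higher standing access means a compromise does more damage. Constructed values.
ACCESS_LEVEL_WEIGHT = {"standard": 0, "elevated": 10, "admin": 20}


def human_risk_score(events: list[str], access_level: str) -> int:
    """Aggregate event history and access level into a 0-100 score."""
    raw = sum(EVENT_WEIGHTS.get(e, 0) for e in events)
    raw += ACCESS_LEVEL_WEIGHT.get(access_level, 0)
    return max(0, min(100, raw))


@dataclass(frozen=True)
class AccessRequest:
    user: str
    risk_score: int
    resource_sensitivity: str   # "low", "medium" or "high"
    mfa_satisfied: bool         # did the current session pass MFA?


def decide(req: AccessRequest) -> tuple[Decision, str]:
    """Policy decision point: returns the decision and the rule that fired."""
    high_risk = req.risk_score >= 70
    medium_risk = 40 <= req.risk_score < 70

    # Rule 1: high-risk users never reach high-sensitivity resources,
    # regardless of how they authenticated.
    if high_risk and req.resource_sensitivity == "high":
        return Decision.DENY, "high-risk user blocked from sensitive resource"

    # Rule 2: any access to a high-sensitivity resource requires MFA.
    if req.resource_sensitivity == "high" and not req.mfa_satisfied:
        return Decision.STEP_UP_MFA, "sensitive resource requires MFA"

    # Rule 3: medium- and high-risk users need MFA even for medium sensitivity.
    if (medium_risk or high_risk) and req.resource_sensitivity == "medium" \
            and not req.mfa_satisfied:
        return Decision.STEP_UP_MFA, "elevated risk requires MFA for medium sensitivity"

    # Rule 4: a request that survived the checks above on a known sensitivity
    # label is allowed (low for everyone, medium/high only after MFA where required).
    if req.resource_sensitivity in ("low", "medium", "high"):
        return Decision.ALLOW, "least-privilege allow rule matched"

    # Default deny: an unknown sensitivity label means the request is refused.
    return Decision.DENY, "no allow rule matched (default deny)"


if __name__ == "__main__":
    # Constructed sample users and event histories.
    alice = human_risk_score(["reported_phish"], "standard")                    # 0
    bob = human_risk_score(["phishing_click", "phishing_click",
                            "attack_targeted"], "admin")                        # 75
    for req in [
        AccessRequest("alice", alice, "high", mfa_satisfied=False),
        AccessRequest("bob", bob, "high", mfa_satisfied=True),
        AccessRequest("bob", bob, "low", mfa_satisfied=False),
    ]:
        decision, why = decide(req)
        print(f"{req.user:5} score={req.risk_score:3} {req.resource_sensitivity:6} "
              f"-> {decision.value}: {why}")
```

The decision function returns the rule that fired alongside the verdict so that the reason can be logged for the security team and help desk; when a user is stepped up or denied, the log line explains which risk signal and which resource sensitivity drove it.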
The Colonial Pipeline attack exposed to the entire nation the daunting threat that ransomware poses to both public and private infrastructure. It spurred the Biden Administration to take concrete action. While gas pumps ran dry and fuel prices spiked, many wondered for the first time how something like this could happen. We in cybersecurity understand all too well.
It’s time to harden the “last mile” of our cyber defenses so stubbornly difficult to defend: the human attack surface. Until we do more to address this unprotected front, the threat of ransomware incidents equal or worse than Colonial looms large.