Zero Trust Architecture: What to Know About the Latest Cybersecurity Executive Order and How to Implement It

Without a zero trust architecture in place, your business might suffer a setback of $4 million or more due to cybercrime. That’s how much the Colonial Pipeline recently paid out after hackers shut down their oil delivery infrastructure and held its restoration for ransom (reference at bottom). The reality is, this is just a drop in the bucket when it comes to risks and losses overall, but it’s why cybersecurity and zero trust are again in the national spotlight.

On May 12, the President acknowledged the importance of protecting public and private sectors from incidents like these, by signing an executive order to improve the nation’s cybersecurity. One of the order’s main callings is for organizations to adopt a zero trust architecture.

 In this post, we’ll examine some goals of this executive order and how it seeks to improve cybersecurity for both public and private entities.

But first, let’s recap zero trust and why it’s critical to protecting more than just sensitive data.

What is zero trust architecture?

A zero trust architecture is made up of systems that verify every user, device, application, etc. that tries to access a business’ IT resources. In networking, this involves creating micro-segments or perimeters within each network, and continuously verifying who and what is granted access.

The philosophy behind zero trust architecture is fundamentally this: trust nothing, because threats are everywhere, always.

Here’s a brief rundown of zero trust’s guiding principles:

• Always verify — Treat every user, device, application, etc. as untrusted, and always verify to determine access.
• Deny by default — Assume that your environment is already under attack, and continuously monitor for anomalies and malicious activities.
• Grant least-privilege access — Allow users, devices, applications, etc. access to only the minimum resources needed to perform their jobs.

Zero trust isn’t a turnkey solution, nor does it rely on a single technology. Instead, it involves transforming network security by taking a holistic approach to safeguard every network interaction. This includes implementing hardware, software, and virtual solutions built with security in mind — from Trusted Platform Modules (TPMs), to multi-factor authentication and user access rights — as well as transforming security processes in your organization.

For a closer look at zero trust architecture and its origins, read our previous post.

Does zero trust architecture matter that much?

Zero trust architecture is key to protecting both public and private sector organizations. Though it can be more difficult to measure how attacks impact less tangible things like public safety or brand reputation, the cybersecurity risks are apparent just by looking at monetary losses.

In 2020, cybercrime cost businesses and consumers billions of dollars in the United States alone. In California for example, total financial losses reported as a result of cybercrime totaled more than $621 million, with leading types of crime including phishing, extortion, data breach, identity theft, and misrepresentation, among others. Other states including Colorado, Ohio, and New York ranked with staggeringly high losses as well, which ranged from $100 million to over $400 million.

Aside from causing financial damages, cyberattacks can open the door to allowing very sensitive info to fall into the wrong hands, which can jeopardize public safety and economic stability. Just imagine what malicious actors could do with classified government information or access to public or private infrastructure.

• In early 2020, the major IT firm SolarWinds was attacked by hackers using malicious code. They successfully created a backdoor to access information and systems belonging to 18,000 SolarWinds customers, which include Fortune 500 companies and government agencies. The attackers were able to spy on customers and infect even more with malware.
• In early 2021, hackers attacked on-prem versions of Microsoft Exchange Server using zero day exploits (flaws that haven’t yet been patched by the vendor). They were able to access email accounts and install web shell malware that gave them ongoing admin access to victims’ servers. It’s reported that more than 250,000 organizations have been affected worldwide.
• In May 2021, hackers gained access to the Colonial Pipeline and shut down oil delivery. For six days, the 5,500-mile-long pipeline was offline. Because it carries 45% of the fuel used on the U.S. East Coast, fuel prices skyrocketed before a $4.4 million ransom payment was made to unlock the compromised systems and restore fuel flow.

These attacks and others could have been prevented — or at least dramatically reduced through better containment — with zero trust architecture in place.

For example, if a hacker attempted to embed malicious code into a device, this device would already be trusted in a traditional network security model. This implicit trust would allow the malicious code to go unnoticed, giving the hacker remote access to sensitive information and systems. But with zero trust architecture, implicit trust is eliminated. In this example, the hacker might still be able to remotely access the device, but micro-segmentation would deny access to other devices, and continuous monitoring and analytics would alert company staff to the anomalous activity. In essence, zero trust would contain the threat and help the organization pinpoint the system that requires attention, without having to suffer potentially catastrophic losses.

For all of these reasons, comprehensive cybersecurity is a must-have for organizations. The President’s executive order aims to help catalyze the rapid adoption of better cyber protection methods such as zero trust.

What does the cybersecurity executive order do?

The Executive Order on Improving the Nation’s Cybersecurity seeks to improve protection for federal government networks, and in turn encourage private entities to do the same for their own networks. To achieve these goals, the executive order focuses on three major areas:

• Removing barriers to threat information sharing Until now, contractual barriers often prevented companies from sharing information with the government about cyber threats that compromised their security. The executive order removes these barriers, and also requires companies to share information regarding security breaches that could impact government networks.
• Bringing stronger cybersecurity standards to the federal government
  Systems have historically become compromised due to outdated security models and best practices. The executive order seeks to modernize cybersecurity for the federal government, through the adoption of secure cloud services, zero trust architecture, and multi-factor authentication and encryption. The order attaches a specific time period (see below) by which federal agencies must develop plans for implementing these approaches.
• Improving software supply chain security
  Software is inevitably shipped with vulnerabilities that can pose significant danger of being exploited. The executive order combats this by establishing baseline security standards for software developed and sold to the government. The order calls for the creation of a pilot program for an ‘energy star’ type of label that will allow organizations to easily determine whether software has been created securely. Additionally, the order creates a concurrent public-private process to foster secure software development; incentivizes the market with federal procurement; and requires developers to maintain greater software visibility and make security data publicly available.

Specifically regarding zero trust, the order states that within 60 days, the head of each federal agency must develop a plan to implement zero trust architecture. The order also states that within 90 days, the Cybersecurity and Infrastructure Security Agency (CISA) must assist the Secretary of Homeland Security and the Administrator of General Services to develop a federal cloud-security strategy and issue appropriate guidance to government-wide agencies. In all, these efforts will modernize the federal government’s cybersecurity as agencies move to cloud services and require more comprehensive network protection.

With the federal government leading the charge, the President hopes that private sector organizations will follow by implementing their own zero trust architectures and best practices. The executive order encourages these efforts through additional steps and resources, which include:

• Creating a review board— The order calls for the creation of a cybersecurity safety review board. This board will be responsible for analyzing cyber incidents and making concrete recommendations that will improve security.
• Creating a playbook — The order requires the creation of a standard playbook for responding to cyber incidents. This playbook will ensure government agencies can take uniform steps to identify and mitigate threats, and will also serve as a template for private sector entities to create their own playbooks.
• Enabling better detection — The order calls for enabling government-wide endpoint detection, response systems, and information sharing to improve detection of cybersecurity incidents on government networks.
• Creating log requirements— The order calls for improving investigative and remediation capabilities, through the creation of cybersecurity event log requirements for federal departments and agencies.

How can you implement zero trust?

Remember that implementing a zero trust architecture isn’t as simple as deploying a piece of hardware or software. Because the threat landscape is constantly evolving, you need to take a holistic approach in transforming your security from the inside out. Despite the risks that seem to loom larger with every passing day and make you anxious to fortify your networks, keep in mind that achieving zero trust is a gradual process. Here are some tips to help you overcome common challenges:

• Implement gradually — Zero trust is a reimagining of your network security model, so you need to implement it gradually at the process level. This will help you identify what needs urgent attention while also preventing you from making widespread changes that can create security gaps.
• Perform routine maintenance — From a security standpoint, your requirements are constantly changing (adding customers, adjusting user access rights, etc.). Routine maintenance ensures that you don’t leave vulnerabilities on your network when, say, a new customer requires user group access, or one of your employees moves to a different department.
• Consider employee productivity — If you’re a little too ambitious to implement zero trust, you could end up causing issues that affect your employees’ ability to do their jobs. Again, take time to gradually implement your zero trust architecture, so that you don’t inadvertently lock out an entire department or blacklist the wrong mail server.

• Zero trust equipment and applications — Without the right infrastructure components in place, zero trust is only an idea. Bring it to life by deploying equipment and applications that can enforce multi-factor authentication, verify identities, and allow access only as needed.
• Identity and access management for all equipment — A critical component of zero trust is being able to determine who needs access to your infrastructure. Because you need to limit admission on a need-to-know basis, your design and security teams need the appropriate tools that will allow them to map user access, and also precisely identify users and applications.
• Complete and cloud-enabled security stack — Gone are the days of simply plugging into firewall devices for total security. With cloud models and distributed networks and staff, you need end-to-end security offered by segmentation capabilities, and also solutions such as Secure Access Service Edge (SASE). These give you the ability to provide secure, least-privilege access, whether users try to connect from HQ or using airport Wi-Fi on another continent.
• Infrastructure edge platform to isolate, and connect it all — In order to bring everything together and remain in control of your solutions, you need a robust and secure edge platform. Not only will this help you securely fuse together your zero trust architecture components, but it will provide you with protected out-of-band management of your infrastructure. A truly powerful edge platform will also accommodate additional workloads to help detect, analyze, and automatically respond to threats.

Questions? Contact us with your concerns about zero trust or to see a free demo.

Colonial Pipeline ransom:
https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636