In the aftermath of the cyberattack on Colonial Pipeline that crippled the nation’s supply of oil and gas for almost a week, U.S. President Joe Biden, on May 11, 2021, signed an Executive Order. The order issued a slew of cybersecurity directives to companies on contract with the Federal Government.
Two terms that feature prominently in the order are data encryption and Zero Trust. Data encryption is a fundamental cybersecurity requirement, so it’s quite shocking that the latest order born out of a cyberattack had to call it out explicitly. However, this only goes to show how lightly companies have taken data security in the past and continue to do so.
Almost every data security standard, law, or regulation was enacted to prevent cyberattacks. The PCI DSS standard for the credit card industry, HIPAA for the healthcare industry, the ISO standards for manufacturing, and the NERC Critical Infrastructure Protection (CIP) standards protecting North America’s electrical power grids all exist to thwart cyberattacks and data breaches, or to recover from them relatively unscathed. And all of these laws have data encryption as a core tenet.
But how effective are these laws? The PCI DSS standard came into being in 2004, but since then, countless credit card companies have been hacked (Equifax and Capital One being the notable ones). HIPAA was first signed into law way back in 1996; however, since 2020 alone, healthcare and health insurance data breaches have gone up by 50%. True, some of the companies affected weren’t compliant with the laws, but many of them were and still got attacked. Also true is the fact that after every attack, the law concerned undergoes a revision, only to have its shortcomings exposed in the next attack.
Let’s extend the above argument to Biden’s Executive Order on National Cybersecurity. Say every private company that the Federal Government deals with follows the order and encrypts all of its data, both at rest and in transit. Would that make the companies immune to future cyberattacks?
The simple answer is NO.
In January 2021, the National Security Agency (NSA) released a cybersecurity product recommending that all private and government institutions eliminate obsolete TLS protocol configurations (TLS 1.0 and TLS 1.1) by upgrading them to the latest versions (TLS 1.2 or TLS 1.3). One statement in the product goes as follows:
“Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected, even though it really is not.”
Therein lies the catch. Organizations could be encrypting their data, but using weak or obsolete encryption defeats the purpose. While some IT systems still run on outdated data encryption, most OT systems (Operational Technology such as IoT, SCADA systems, sensors, actuators, and their controllers) use highly outdated encryption technology, making them easy targets for hackers. Hackers can use the vulnerable OT devices as a gateway to the core IT systems and, from there, steal sensitive customer data (though the opposite happened at Colonial: attackers got to the IT systems first).
How do you ensure data encryption actually works?
The only way to make sure data remains truly encrypted is by using the latest encryption protocols. For data in transit, TLS 1.2 or 1.3 is the latest protocol. Upgrading to the latest encryption protocol involves reconfiguring clients and servers to negotiate only that protocol.
A crucial part of the protocol upgrade is TLS certificate upgrade. A sizable enterprise, especially Federal Government service providers, can have over a million TLS certificates, both server and client. And in most enterprises, the management of these certificates is still manual. Manually upgrading a million TLS 1.0/1.1 certificates to TLS 1.2/1.3 is a herculean task and could take an enterprise up to two years with a dedicated team. This is why most enterprises put off upgrading encryption protocols indefinitely – and face the obvious repercussions.
So what’s the solution?
Automating the upgrade process. The process has the following steps:
- Identify services that are using the older TLS versions
- Revoke the existing TLS 1.0/1.1 certificates
- Enroll TLS 1.2/1.3 certificates from a trusted CA onto the devices
- Enforce policies so that a client no longer offers older TLS versions and a server no longer negotiates them
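The first and last steps above both hinge on knowing which TLS versions a client actually offers. The following added example (not code from the original post or from AppViewX) parses the ClientHello a device sends, reads its legacy version field and, when present, the supported_versions extension, and reports any obsolete versions (SSL 3.0, TLS 1.0, TLS 1.1) the client would still accept; the sample hellos are constructed inline so it runs offline, for example over records pulled from a passive capture.

```python
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
OBSOLETE = {0x0300, 0x0301, 0x0302}
SUPPORTED_VERSIONS_EXT = 0x002B

def build_client_hello(legacy_version, supported_versions=()):
    """Build a minimal, well-formed ClientHello record (constructed test input only)."""
    body = struct.pack("!H", legacy_version) + b"\x00" * 32  # client_version + random
    body += b"\x00"                                           # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"                # one cipher suite
    body += b"\x01\x00"                                       # null compression only
    exts = b""
    if supported_versions:
        vlist = b"".join(struct.pack("!H", v) for v in supported_versions)
        data = bytes([len(vlist)]) + vlist
        exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record: handshake content type

def offered_versions(record):
    """Return (legacy_version, explicit set from supported_versions or None)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9                                                     # record header 5 + handshake header 4
    legacy = struct.unpack_from("!H", record, p)[0]; p += 2
    p += 32                                                   # random
    p += 1 + record[p]                                        # session_id
    p += 2 + struct.unpack_from("!H", record, p)[0]           # cipher_suites
    p += 1 + record[p]                                        # compression_methods
    if p + 2 > len(record):                                   # no extensions block at all
        return legacy, None
    end = p + 2 + struct.unpack_from("!H", record, p)[0]; p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, p); p += 4
        if etype == SUPPORTED_VERSIONS_EXT:                   # authoritative in TLS 1.2+/1.3 hellos
            n = record[p]
            return legacy, {struct.unpack_from("!H", record, p + 1 + i)[0] for i in range(0, n, 2)}
        p += elen
    return legacy, None

def obsolete_offered(record):
    """Sorted names of obsolete versions this client would accept."""
    legacy, explicit = offered_versions(record)
    # Without supported_versions, the legacy field is the highest version offered; a legacy
    # value of TLS 1.2 reveals nothing about downgrade tolerance, so only a lower value is flagged.
    accepted = explicit if explicit is not None else {legacy}
    return sorted(VERSION_NAMES.get(v, hex(v)) for v in accepted & OBSOLETE)
```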
There are some certificate lifecycle management tools that automate the above process end-to-end. With these tools, enterprises can accomplish the upgrade in less than a week. AppViewX CERT+ is one such certificate lifecycle automation tool that’s worth looking into.
Zero Trust Security
The Colonial Pipeline breach has brought to the fore the necessity of Zero Trust architecture. Zero Trust works on the premise that threats exist both inside and outside the organization’s network perimeter (it’s also called “Perimeter-Less Security”).
In the present scenario, an “inside threat” is no longer limited to a careless or disgruntled employee; it also includes nodes, devices, and services (collectively called machines). The attack on Colonial Pipeline and many attacks preceding it happened because an outsider exploited a vulnerability in a machine inside the network perimeter. In such cases, the actual threat is not the hacker but the vulnerable device.
One of the best ways to prevent internal machine vulnerabilities is by safeguarding their “identities,” i.e., certificates and keys. With the rise of new-age, ephemeral machines such as IoT devices and chatbots, there is an explosion of machine identities that increases the attack surface.
Machine Identity Management
Machine identity management is the hot new term (even Gartner has recognized it as one of the top security trends in 2021), and for good reason. So far, the spotlight has always been on human identity management; in fact, most Identity and Access Management (IAM) tools consider and manage only human identities. But with machines taking over, it’s high time organizations attached as much, if not more, importance to machine identities as human identities.
Again, machine identity management boils down to the proper management of certificates and keys. Certificates need to be constantly monitored, renewed before their expiration, and revoked immediately in case of a compromise. Organizations should make sure they get certificates for their customer-facing applications only from trusted CAs and store private keys and sensitive certificates in an isolated HSM (Hardware Security Module).
Another tenet of Zero Trust security is minimum access privileges for both humans and machines. Some tools that automate certificate lifecycle management also provide role-based access controls (RBAC) to restrict user access granularly. Similarly, machine-to-machine access can be restricted by imposing granular rules and policies, which certificate management tools also do.
Proactively prevent data breaches and outages with automated machine identity management. Try AppViewX CERT+ or give us a call.