With the release of The National Cybersecurity Strategy, the Biden-Harris Administration is outlining how we must help defend our nation’s infrastructure and economy from ever-increasing and more nefarious cyberattacks. By “we” I mean the strategy’s call for tech firms to take on more cybersecurity responsibility. We must contribute to this initiative to improve software security, become more resilient and strengthen defenses, because every American business and citizen now depends upon digital technologies.
Zero Trust security (never trust, always verify) is an essential piece of the five pillars outlined in this strategy; in fact, the Cybersecurity and Infrastructure Security Agency (CISA) makes identity the first pillar of its Zero Trust Maturity Model. The strategy’s five pillars are:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
Pillar One of The National Cybersecurity Strategy specifically highlights Zero Trust:
“Finally, the Federal Government can better support the defense of critical infrastructure by making its own systems more defensible and resilient. This Administration is committed to improving Federal cybersecurity through long-term efforts to implement a Zero Trust architecture strategy and modernize IT and OT infrastructure. In doing so, Federal cybersecurity can be a model for critical infrastructure across the United States for how to successfully build and operate secure and resilient systems.”
A Zero Trust security architecture begins with an identity-first security approach. Identities expand far beyond humans and extend deep into the infrastructures of organizations. These are machine identities that include devices such as computers, servers, networking, mobile, IoT and more as well as workloads such as cloud services, applications, containers, DevOps and others. When everything has a trusted identity, you can implement multi-factor authentication, data encryption, authorization and access control across hybrid multi-cloud environments. Identity and public key infrastructure (PKI) are foundational to Zero Trust.
Some other areas to highlight in The National Cybersecurity Strategy where identity plays an essential role:
Pillar 3 – Shape Market Forces to Drive Security and Resilience
Strategic Objective 3.2 – Drive the Development of Secure IoT Devices
Every IoT device needs a trusted identity that can be managed to ensure proper attestation, governance, authorization, access control and encryption of data. Weak IoT security presents an easy entry point, as many of these devices sit on the network perimeter.
IoT devices need to be onboarded with Zero Trust inspired capabilities: proper verification, network identification and renewal of device identities or credentials, so that only trusted devices are permitted to be onboarded or connected to networks.
Strategic Objective 3.3 – Shift Liability for Insecure Software Products and Services
Software supply chain security is certainly still top-of-mind after the SolarWinds attack. Software developers must take security more seriously. One area for improvement is implementing code signing best practices built on trusted identity or PKI to ensure and verify the integrity and validity of the software code. Software customers and users must be able to trust the software they are using.
Modern software is interconnected: different open source components, application interfaces and APIs are integrated into every software product, and the software supply chain is only as strong as its weakest link. To prove the integrity and security of the software, a Software Bill of Materials (SBOM) needs to be created for each software package, verified and code signed before the software is delivered. SBOMs also help identify vulnerabilities in the integrated components and open source software components for better mitigation. The previous Cybersecurity Executive Order, as well as this new strategy, requires software vendors to be responsible for implementing these security measures and secure coding principles to prevent exploits.
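As an added example (not from this post or from AppViewX), here is the producer/consumer check the paragraph describes: the vendor records a SHA-256 for each shipped component in a CycloneDX-style SBOM, and the customer re-hashes what was actually delivered and reports mismatched, missing and undeclared components. The SBOM shape and file names are constructed for illustration; signing the SBOM itself (the code-signing step) is assumed to happen separately.

```python
import hashlib
import json

# Minimal CycloneDX-style SBOM: only the fields this integrity check needs.
# Real SBOMs carry much more (licences, package URLs, the dependency graph).

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sbom(artifacts: dict[str, bytes]) -> str:
    """Producer side: record a SHA-256 for every artifact that ships in the package."""
    components = [
        {"name": name, "version": "1.0.0",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}]}
        for name, data in artifacts.items()
    ]
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components})

def verify_sbom(sbom_json: str, artifacts: dict[str, bytes]) -> list[str]:
    """Consumer side: every declared component must be present with a matching hash,
    and the package must contain nothing the SBOM does not declare.
    Returns a list of findings; an empty list means the package matches its SBOM."""
    try:
        sbom = json.loads(sbom_json)
    except json.JSONDecodeError as exc:
        return [f"sbom: unparseable ({exc})"]
    findings, declared = [], set()
    for comp in sbom.get("components", []):
        name = comp["name"]
        declared.add(name)
        if name not in artifacts:
            findings.append(f"{name}: declared in SBOM but missing from package")
            continue
        hashes = {h["alg"]: h["content"] for h in comp.get("hashes", [])}
        if "SHA-256" not in hashes:
            findings.append(f"{name}: SBOM declares no SHA-256, integrity cannot be checked")
        elif hashes["SHA-256"] != sha256_hex(artifacts[name]):
            findings.append(f"{name}: SHA-256 mismatch (modified after the SBOM was produced)")
    for name in artifacts:
        if name not in declared:
            findings.append(f"{name}: present in package but not declared in SBOM")
    return findings

if __name__ == "__main__":
    # Constructed release as built by the vendor, and the SBOM recorded for it.
    release = {"app.bin": b"app v1", "libparse.so": b"parser v1"}
    sbom = build_sbom(release)
    # Constructed delivery: one library altered in transit, one undeclared file added.
    delivered = {"app.bin": b"app v1", "libparse.so": b"parser v1 modified", "extra.so": b"?"}
    for finding in verify_sbom(sbom, delivered):
        print(finding)
```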
Pillar 4 – Invest in a Resilient Future
Strategic Objective 4.1 – Secure the technical foundation of the internet
Develop and drive adoption of solutions that will improve the security of the internet ecosystem
PKI has long played a critical role in internet security by providing public trust and encryption services for internet services that power business and other important online functions.
Core internet services like DNS and TLS are foundational for trust in the internet. However, DNSSEC, DNS over TLS, TLS 1.3, ECC and other security protocols and algorithms are not as widely used as they should be, despite the inherent weaknesses of the legacy protocols and the possibility of snooping and eavesdropping. This strategy document guides organizations to automate and enforce these security protocols and a minimum set of best practices to secure the organization.
Strategic Objective 4.3 – Prepare for our Post-Quantum Future
The quantum threat to today’s cryptography is coming, and NIST has been working on new quantum-resistant crypto algorithms. Organizations can start preparing now by becoming crypto agile, so they can quickly find and update all crypto assets with minimal disruption while maintaining their security posture. Identifying and creating an inventory of all the digital assets, digital identities and endpoints across the organization should be the first step in preparing for the post-quantum world.
Strategic Objective 4.5 – Support Development of Digital Identity Ecosystem
The call to action here is to invest in verifiable digital identity solutions that promote security, accessibility and interoperability, financial and social inclusion, consumer privacy and economic growth. Digital identity technology like PKI will play a role by providing strong identity credentials to trust, verify and strengthen those identities.
While there is a lot more to digest in this strategy, our focus as a provider of identity and access management solutions is on digital identity management and how AppViewX can help organizations implement an identity-first security approach on their path to Zero Trust. We should also look to this strategy as a call to action to start converging human identity and machine identity management into a more comprehensive identity governance and administration program, one that provides organizations with the identity visibility, control and management that is so desperately needed to defend against cyber threats.
As the Biden-Harris Administration called for tech vendors to unite, align and strengthen our cyber defenses, we must all do our part to provide solutions to keep us protected.