The Cybersecurity and Infrastructure Security Agency (CISA) believes having a solid zero trust strategy will make it harder for bad actors to penetrate cloud environments and infiltrate the software supply chain. To help better prepare for cyberattacks, CISA is revamping the Continuous Diagnostics and Mitigation program (CDM) to incorporate zero trust principles.
According to CISA leaders, most breaches happen due to inadequate identity management.
When zero trust is implemented correctly, federal agencies can contain the impact of one compromised user and prevent hackers from moving laterally within the network.
“There is a lot of misinformation about zero trust,” CISA’s Cyber Defense Specialist Daniel Bardenstein said at ATARC’s Disrupting Cyberattacks with Zero Trust event last week. “It won't make all the vulnerabilities go away, it’s not going to stop all of the malicious hackers at the door but it makes it a lot safer if something happened in the first place, very much limiting the scope of the potential damage.”
Applying zero trust principles also helps agencies get a better handle on network visibility, said CISA TIC Senior Technical Advisor John Simms.
During the ATARC event, Simms discussed the importance of the relationship between zero trust and Application Programming Interfaces (APIs).
“Looking at how you can apply practical zero-trust principles to API connections through firewalls and gateways but also authentication is going to play a very pivotal role in reducing the footprint of that being a favorable attack surface,” Simms said.
Bardenstein also discussed the role zero trust is playing in the CDM program, a system originally developed by the Department of Homeland Security that helps government agencies monitor their networks for malicious or suspicious activity.
“CISA is working to revamp the CDM program and evolving it but [we’re] also looking at deploying zero trust capabilities and enriching CISA’s ability to get good visibility to support protecting departments and agencies in such a way that also supports the maturity and implementation of zero trust within the departments and agencies,” Bardenstein said.
Simms, one of the CDM program’s original programmers, said when CDM originally launched it was about ongoing authorization and continuous monitoring.
“As the program evolved and as we started looking at cloud and zero trust there has been a recognition that we have to look at how CDM capabilities can support federal zero trust strategy and the applications of zero trust within the federal environments,” Simms said. “We released the zero trust maturity model not as a deliverable for the executive order but rather to shape what we could convey to agencies in terms of how CDM can support asset management and other areas within the zero trust pillars.”
Bardenstein and Simms have several recommendations for improving federal agencies' overall cyber hygiene. They said asset and vulnerability management are key components.
“If there is a new Exchange vulnerability, how quickly can your organization answer the question, where are all of our Exchange servers and which ones are vulnerable to this particular vulnerability? The speed at which you can answer those questions is incredibly important,” Bardenstein said.
According to Simms, agencies have to look at how prioritization plays a role in how they apply cybersecurity practices in order to maintain proper cyber hygiene.
“If we take it a step further and look at the prospect of what mature zero trust implementations look like I think resiliency has to play a significant role in that so that it’s not necessarily one size fits all but what we can properly secure the systems and data that really matter,” Simms said.