The US Government Moves to Zero Trust – You Should Too

TL;DR; The US Government is ramping up their security standards and is moving towards Zero Trust security. What are the implications for email security, password and encryption key management, data encryption, firewall and VPN use and identity management? Find out here. 

In March last year, US President Joe Biden announced a series of improvements for US Federal cybersecurity. These actions were prompted by serious cyberattacks on US companies, like the far-reaching Solarwinds or the Colonial Pipeline cases, the latter of which was a grim reminder that cyberattacks influence everyday life, as a major US oil pipeline was out of commission for a significant amount of time.

One of the leading principles in the Presidential Executive Order was a shift towards the principle of Zero Trust, which President Biden cited in the document. The principle states ‘Never trust, always verify’, meaning that there are no trusted environments, connections, or people but everything needs to be  verified and treated as having the potential to be compromised.

Now we have received more details about how the shift to Zero Trust will be put into practice in the Memorandum called Moving the U.S. Government Toward Zero Trust Cybersecurity Principles (M-22-09).

We wanted to take this opportunity and offer our views on what this memorandum means for (privileged) access management, secure business communications, encrypting communications, and managing and rotating passwords or cryptographic keys. All these points are mentioned in the memo.

Let’s dive in.

1. Perimeter security falls short of requirements in Zero Trust

This statement is at the core of the Zero Trust principle. Network perimeter security is based on the idea that your organization has trusted zones (the inside of the perimeter) and untrusted zones (the outside of the perimeter). In Zero Trust, there are no longer any implicitly trusted zones.

Even network segmentation is not enough. It makes sense but you should not rely only on segmentation.

A better way is to verify each session and each connection to a target - be it an application, server, network device, industrial control system (ICS) etc. - every time and per target. What’s more, access to targets should be restricted to the minimal level of privilege required to get the job done, aligning the connections with Just Enough Access (JEA) and least privilege principles.

When Zero Trust access is granted just-in-time (JIT) for the session, meaning that there is no permanent, long-standing, or broad authorization to access a target, you get the following three key benefits:

• Each session and identity is verified every time it’s made
• Access is restricted to the minimum level required to get the job done
• No broad access to large network segments

2. All traffic needs to be encrypted when in motion

Enterprises typically recognize the importance of protecting and encrypting external traffic. Since in the Zero Trust model no zone should no longer be implicitly trusted, organizations should apply robust encryption to all traffic.

Let’s look at emails and other data traffic separately.

Encrypting emails

As stated in the memo:

 ”It remains challenging today to easily and reliably encrypt an email all the way between any sender and any recipient.”

This is not a surprise, since although typical corporate emails are thought to be rather secure, they typically cannot fulfil the following requirements.

• The email is encrypted all the way from the sender to the recipient
• The emails are not exposed at the servers, nodes, or at any other point when transmitted – especially when sending them over public cloud
• Using roles that are based on data categorization - since ‘Secret’ information is more restricted than ‘Confidential’, only people with specific roles and authorizations should be allowed to view and edit such information
• Building super secure encrypted email ‘pipelines’ where the data never leaves your data centers
• Designing all this without making secure, encrypted email a pain to use or to deploy

But you’re in luck! We’ve written a Guide to Securing Critical Business Communications and Data Sharing to help businesses overcome exactly these types of challenges.

Encrypting data-in-motion

 Another quote from the memo:

“This includes internal traffic, as made clear in EO 14028, which directs that all data must be encrypted while in transit.”

Critical data flows inside internal networks both between servers and from clients to servers as well. Not encrypting internal traffic is another relic from the time when security perimeters were an acceptable standard.

But once again, in the Zero Trust model, you need to treat your internal network communications as if they were run over an external network.

We’d like to highlight the following points about encrypting internal traffic:

• All machine-to-machine (M2M) or application-to-application (A2A) traffic is encrypted with robust security protocols (like SFTP instead of FTP)
• All interactive sessions are encrypted, traced back to an individual, logged, and audited
• Mainframe file transfers are migrated to the latest security standards and apply robust encryption
• The most critical information that has long-term value (like military secrets, diplomatic correspondence, credit card numbers) is encrypted with Quantum Safe Cryptography (QSC) to protect it against the quantum threat

And these are just some of the points to consider. Fortunately, you are in good hands, since we at SSH have over 25 years of experience in the field of encryption. As the inventors of the Secure Shell protocol that is used to encrypt millions of communications every day, we have a deep understanding of this topic.

3. In Zero Trust, data categorization is a must

“[…] Government-wide guidance on categorizing data based on protection needs, ultimately building a foundation to automate security access rules. This collaborative effort will better allow agencies to regulate access based not only on who or what is accessing data, but also on the sensitivity of the data being requested.”

Every organization should be able to answer the following three questions:

• What is my critical data?
• Where is it?
• Who can access it?

Categorizing data will give organizations better tools to understand what level of protection to apply to which type of information. Let’s take an example from everyday life. You don’t keep your most valuable possessions in a shed nor do you protect them with the same level of security as your house. Inside the house, you might have a safe for your most vital items or documents.

The same goes for accessing data: the more important it is, the better the level of security surrounding it and the more sophisticated the solutions should be.

Vital business communications include:

• Sensitive emails
• Signing documents
• Collaborative workspaces for critical business information
• Collecting data from partners and/or customers with web forms

Critical targets like:

• Credit card data
• Government secrets
• Company intellectual property (IPR)
• Critical machinery or infrastructure in operational technology (OT)
• Network controllers, switches, and routers

It’s ok to send everyday business emails or access Office 365 applications by using built-in security. But when you send sensitive or classified information or access targets that are critical to your business, you need best-of-breed solutions to secure them.

We at SSH specialize in protecting critical data in motion, in use, and at rest. We can help you to, for example:

• Align access privileges, authorizations, and critical information sharing based on your organizations’ data categorization and the hierarchy of data criticality
• Define who has access to what, why, and with what level of privilege
• Audit, track, and also record all critical sessions
• Revoke access after the task has been done automatically - without manual steps

4. Centralize your identity management systems and privileged access management (PAM)

”Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms.”

Separate identity management systems (IAM/IDM) create inconsistencies and duplicate work and management overhead. For these reasons alone the above statement makes sense.

When you centralize the management of identities, you need to define the identities, their groups and authorizations only once and apply the logic organization wide.

The same goes for managing privileged access (superuser or power-user access to critical targets) that is primarily managed through roles. With a modern Privileged Access Management (PAM) solution, you integrate it with your IAM and map the identities to the right roles in PAM for role-based access control (RBAC).

In this setup, identities and their authorizations are managed centrally in IAM and privileged roles and their accessible targets in PAM. The PAM solution then stays in sync with any changes in your identities, keeping you always up-to-date with any changes.

In practice, when someone leaves a project and their authorizations are revoked from IAM, the privileged access disappears within a minute – automatically. In a similar fashion, if a new person joins a project, they get access to your critical targets but always limited by their role. Again, within minutes.

That’s joiners, movers, and leavers process made easy.

5. In Zero Trust, password and cryptographic key rotation is dead?

Ok, not quite. But you should start your journey towards that goal right now. Three quotes from the document.

”Password policies must not require use of special characters or regular rotation. These requirements have long been known to lead to weaker passwords in real-world use and should not be employed by the Federal Government.

Agencies are encouraged to pursue greater use of passwordless multi-factor authentication as they modernize their authentication systems”

For example, agencies should avoid relying on static cryptographic keys with an overly broad ability to decrypt enterprise-wide traffic, as even a brief compromise of such a key would defeat encryption across the agency."

Three key takeaways from this:

• Nobody enjoys rotating passwords. Now their use has been determined to be detrimental to security.
• The US Government recommends going towards passwordless authentication methods, beefed up with multi-factor authentication (MFA).
• The US Government also warns about dependence of static cryptographic keys, since they tend to grant too broad access to critical targets.

We completely agree with the passwordless recommendation and take it even further. As the memo implies, you should not only be worried about passwords but cryptographic keys, like SSH keys, that are widely used in any IT environment. In fact, SSH keys often outnumber passwords 10 to 1, and their numbers are often measured in hundreds of thousands in total.

If centralizing identity management makes sense, the same applies to centralizing the management of passwords and encryption keys in critical IT infrastructures. What’s more, if the recommendation is to adopt passwordless access, it just makes sense to adopt keyless access at the same time.

Passwordless and keyless access guarantees that you don’t leave static and permanent credentials behind as a security risk. It also eliminates the need to rotate or vault passwords and keys, and radically reduces their management overhead.

Learn more about how to centralize password and key management under a single pane of glass here.

6. Overreliance on VPNs and firewalls leaves you vulnerable

”Making applications internet-accessible in a safe manner, without relying on a virtual private network (VPN) or other network tunnel, is a major shift for many agencies that will take significant effort to achieve.”

VPNs have three major shortcomings in modern IT environments:

• They provide broad access to a large network segment once you get in.
• If you try to restrict and limit access – which is technically possible – you often create management nightmare scenarios, since VPNs and Firewalls were not originally designed to provide fine-grained access.
• They might have scalability issues with sudden traffic spikes.

The fact is that pure VPN/Firewall-based security controls were invented when security perimeter was all the rage. They are not built for the age of Zero Trust.

This doesn’t mean that they are useless. The point is that you can still use them as a security measure, as long as you have a solution that supports privileged restrictions in a granular fashion.

Proper workflows for approvals, detailed audit trails, and easy maintainability are some of the key criteria to look for in a Zero Trust-proof access management solution.

7. Immutable workloads

Immutable infrastructure has been around as a concept for a while but it hasn’t gained similar popularity as Zero Trust quite yet. However, when implemented correctly, it’s again one step in the right direction to reduce risks and complexity in IT environments.

This seems to be changing:

“Automated, immutable deployments support agency zero trust goals by allowing substantially improved least privilege architectures.”

This is true. In immutable environments, you deploy the environment but do not grant manual access or allow modifications to the configurations afterwards. Instead, if there is a need to make changes, you roll back the entire environment and deploy a new one to replace it.

Some of the benefits for access management include:

• Access to servers and workloads is reduced considerably
• Limiting such access is easier
• Centralizing access management becomes more straightforward
• Auditing and tracking become more streamlined and consistent

Other benefits:

• No various instances of servers that run different patches or software versions
• Each deployed environment is a coherent entity resulting in consistent and predictable behavior
• Allows adopting highly modern software development lifecycle approaches, like Continuous Integration/Continuous Deployment (CI/CD) and Infrastructure as Code (IaC) with super-short deployment times, massive scalability, and cloud-scale operations.

We at SSH have designed our Privileged Access Management solution PrivX to align with immutable architectures to minimize the complexity. It can be deployed to your environment without requiring any configuration changes to your existing architecture or using modern approaches like Infrastructure as Code (IaC). All in all, PrivX natively leverages existing cloud-native tools available in Amazon Web Services (AWS), Azure, and Google Cloud services.

Conclusion: Choose best-of-breed Zero Trust Access Management solutions

The US Government has set ambitious targets to improve their overall security posture, and such change does not happen overnight. Adopting the Zero Trust security framework is a shift from perimeter security and trusted zones to per-session/per-user/per-application verification and implicitly trusting no one.

Such undertaking has additional benefits. Passwordless, keyless, and highly automated and immutable environment are resilient, dynamic and scalable. Since they remove complexity, security touchpoints, and the overall management burden of critical environments. At the same time, they improve the velocity and consistency of your daily operations. There’s not a single organization in the world that would not benefit from this approach.

No service provider can deliver you the full Zero Trust security architecture. How we at SSH can help you is by offering best-of-breed solutions for encryption, secure information sharing (SIS) for businesses, password and encryption key management, passwordless and keyless authentication, privileged access management, and secure file transfers.

Start with our Zero Trust Solution portfolio or let’s talk.