Tuesday, December 6, 2022

Biden’s Zero Trust order unites Big Tech under national security

Microsoft’s accommodations to President Joe Biden’s executive order to hinder cyberattacks on the U.S. will support public and private sectors in establishing the right infrastructure for a bolstered up Zero Trust network security model.

After a full year of ransomware and supply chain attacks, Microsoft is one of 18 cybersecurity firms selected to work in synchronization with the National Institute of Standards and Technology (NIST) to establish network security model, Zero Trust Network, or Zero Trust Architecture, under Presidential Executive Order 14028. 

“The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based on promises, or hybrid…security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)),” the order stated. 

With the emergence of the remote work wave, the cybersecurity sector is witnessing an influential lack of business investments, leading to a substantial struggle for enterprises to secure their networks while dealing with security challenges.

Last week, Biden conducted a meeting with some of the biggest names in the tech industry over cybersecurity concerns due to the latest attacks led by cybercriminals on the U.S.’ infrastructure, making it delicate and vulnerable to hacks. 

The meeting included Big Tech leads, Apple, Google, and Microsoft, on the current cybersecurity raised issues, in hope that the U.S.’ technology leads will present the Biden Administration with some long-term solutions and means to prevent the occurrence of any future cyber breaches on the country’s infrastructure.

The Zero Trust Network is a security concept structured on the hypothesis that firms should not blindly trust any factor – whether it is inside or outside its perimeters – and instead must assert a connection verifying every element trying to connect to the organization’s system before giving full access.

Zero Trust’s reliability lies in how it presumes that the organization is already exposed to breaches, instead of fixating its goals on strengthening the network’s framework. By doing so, the model implements a design acknowledging data requirements to simultaneously secure the data internally and externally through managed and unmanaged devices. 

Some of the biggest names in the industry assigned to the Zero Trust Network including Amazon Web Services, Appgate, Cisco, F5, FireEye, IBM, McAfee, MobileIron, Okta, Palo Alto Networks, PC Matic, Radiant Logic, SailPoint Technologies, Symantec, Tenable, and Zscaler.

In May, Biden signed the executive order to grow the federal government’s cyber-infrastructure.

The presidential order will oversee the government’s deviation to zero-trust as the main service provider setting the necessary infrastructure for secure networks with obligatory two factor-authentication (2FA) – an additional layer of security used to ensure individuals’ real identity to gain access.

The order came as a direct result of the Solar Winds supply chain breach involving the SolarWinds Orion system, targeting U.S. lead federal agencies, alongside some of the U.S. tech companies, such as Microsoft. 

While the focus was on Solar Winds, Microsoft’s Exchange email server hack and the Colonial Pipeline attack also played a huge role in the order’s execution.

The Zero Trust Network’s scope will be synchronized with the NIST’s National Cybersecurity Center of Excellence (NCCoE) to “develop practical, interoperable approaches to designing and building Zero Trust architectures.” 

It is worth specifying that the project’s approaches will solemnly rely on the commercially available strategies from U.S. cybersecurity firms. 

In the past, Microsoft set the first brick by demonstrating five possible scenarios where zero trust can be adopted to assist agencies in complying with the executive order.

The company’s plan will be built around EO’s 14028, covering five key scenarios cloud-ready authentications apps, web apps with legacy authentication, remote server administration, segment cloud administration, and Network micro-segmentation. 

An essential factor in the Big Tech giant’s schemes heavily relies on Microsoft’s Azure Active Directory, while its suggested proposals will also cover commercial and open-source products. 

This includes endpoint detection and response that detects and investigates suspicious behavior, security measure multi-factor authentication that requires two or more proofs of identity, and threat intelligence approach continuous security monitoring (CSM) that computerizes the monitoring of information security controls.

Even though the White House immensely encourages the private sector taking the lead in promoting “ambitious measures” to secure their networks, Biden’s order will only apply to U.S. federal agencies. 

In parallel, since the executive order acknowledges the vitality of open-source software, the Linux Foundation – alongside open-source communities – rose to the President’s cybersecurity challenge. 

The Foundation revealed a new open-source software signing service, “The Sigstore Project.” It aims to enhance software supply chain security by empowering a flexible adoption of cryptographic software, supported by transparency log technologies. 

Certificate transparency log auditors are software elements that can validate if a certificate is noticeable in a log. This takes place by periodically validating log proofs. 

If the log is not registered or accessible, any connections to sites with such certificates can be declined due to suspicious behavior.

The order’s Zero Trust proposals from various tech vendors align with the NIST SP 800-207. This special publication is a set of cybersecurity measures and guidelines that emphasize the core components of Zero Trust principles.

The NIST SP 800-207, alongside Zero Trust Architecture, was unfolded throughout the meeting with the Federal Chief Information Officer (CIO), serving as a central resource for information on Federal IT, with federal agencies and the tech industry.

To maintain the security of our future, alongside our digital era, the implementation of technology in our day-to-day lives will only grow by the second. If technological elevation lands in the hands of malicious people, the current cyberattacks would just be a teaser as to what could come our way. 

With President Joe Biden going the extra mile to actively enhance and boost digital security by seeking help from Big Tech leads, this could bring the U.S. one step closer to securing the country’s digital security while addressing cybersecurity improvements for a secured future.