United States Government Executive Order for National Cybersecurity
“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”
Yesterday the Biden administration signed an Executive Order (EO) to improve the Nation’s cybersecurity. Initially directed towards protecting federal government networks and functions, the requirements and their impacts will also inevitably lead to an improvement in the Cyber Resilience of private sector organizations, particularly those deemed to be delivering Critical Infrastructure (CI), such as utilities, financial services institutions, healthcare providers, and cloud and communications service providers. According to the White House briefing associated with the EO, “the Colonial Pipeline incident is a reminder that federal action alone is not enough. Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments. We encourage private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”
The EO itself is comprehensive and ambitious, defining milestones for delivery from one month to a year for complete delivery of the program and the required improvements. The EO covers the following areas:
- Accelerated adoption of secure cloud services (SaaS, PaaS, and IaaS)
- Adoption of Zero-Trust Architectures (ZTA)
- Adoption of Multi-Factor Authentication (MFA) and Encryption
- Improvement of Detection of Threats and Incidents, in particular in the establishment of a baseline for Endpoint Detection and Response (EDR) capabilities
- Centralization and streamlining of cybersecurity data
- Improvement of investigative capabilities in order to ensure effective and accurate incident response
- Measures to improve transparency and security of software within the supply chain
- Improvements to information sharing relating to breaches and threats
- Establishment of a Safety Review Board to ensure that lessons are learned and mitigations are clearly documented and adopted
- Establishment of a consistent playbook for incident response
If you are paying close attention, you will notice that the first few areas concern improvements to controls and architecture, while the final few pertain to processes. However, the single factor underpinning every improvement is the need for accurate, reliable, timely and insightful information from increasingly complex, transient and heterogeneous computing environments, especially in the highly dynamic, heterogeneous future state enabled by the secure cloud services-based architecture the EO envisages.
This blog focuses on the importance of taking a data-driven approach to application security: establishing and maintaining an accurate view of application risk and scope, and ensuring controls are applied accurately and effectively (the ‘proper configuration’ referenced within the EO itself).
All the controls in the world are of little value if they are not applied to the correct assets in an effective manner.
The Fundamentals of the NIST Cyber Security Framework (CSF) and Special Publication on Zero Trust (800-207)
The EO clearly articulates the importance of NIST in establishing standards and guidelines for the execution of improvements defined within this EO. In some circumstances, this will involve the establishment of new standards, but in many cases this will involve the reinforcement of existing standards, special publications (in particular 800-207 for ZTA) and best practices.
One of the key areas our customers consistently find critical on the road to cyber resilience and Zero Trust is the set of requirements defined within the Identify (ID) function of the NIST CSF, in particular within the Asset Management category (ID.AM).
This section identifies the following key requirements that underpin almost any requirement to increase Cyber Resilience:
- Systems within the organization are inventoried.
- Software platforms and applications are inventoried.
- Organizational communications and dataflows are mapped.
- External Information systems are catalogued.
- Resources are prioritized based upon their criticality.
The importance of this starting point for any cybersecurity architecture cannot be overstated, and in a world where cloud adoption is accelerating, the requirements defined within ID.AM must be automated and data-driven. Without the ability to inventory, map and prioritize, it is impossible to ensure your controls fully address the security of your critical business functions.
Looking at specific examples of control requirements within the EO’s scope:
- Zero Trust Architecture. It is impossible to establish an effective Zero Trust Architecture without an accurate baseline of application inventories, dataflows, and dependencies. Furthermore, an accurate data-driven inventory allows organizations to recognize dataflows that expose the organization to additional risks (for example, databases accessed directly from public networks) which should not be enshrined within a Zero Trust policy.
- Improvements in the Detection of Threats. The ability to detect threats depends upon the capability to recognize each new system and application entering an environment. Often those systems are not well documented, or are not necessarily running the required EDR software, and therefore a method of monitoring the network environment for unauthorized systems is critical.
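As an added illustration (not code from the original post or from vArmour), the following Python script shows what the ID.AM requirements and the two checks just described look like when driven by data rather than documentation: it parses a few flow records, builds a dataflow map, lists internal systems the asset register does not know about, flags database ports reached directly from public addresses, notes inventoried systems without an EDR agent, and ranks assets by criticality and dependants. The inventory, internal address plan, database port list and flow lines are all constructed sample data.

```python
"""Added illustration (not vArmour's code): build an application inventory and
dataflow map from flow records, then check the two conditions discussed above:
databases reached directly from public networks, and systems seen on the wire
that the inventory does not list or that lack an EDR agent."""
import ipaddress
from collections import defaultdict

# Constructed sample asset register (hypothetical hosts and addresses).
# 'edr' records whether the endpoint agent is reported as installed.
INVENTORY = {
    "10.1.0.10": {"name": "web-01",  "app": "billing",  "tier": "web", "criticality": "high", "edr": True},
    "10.1.1.20": {"name": "api-01",  "app": "billing",  "tier": "app", "criticality": "high", "edr": True},
    "10.1.2.30": {"name": "db-01",   "app": "billing",  "tier": "db",  "criticality": "high", "edr": True},
    "10.2.0.40": {"name": "wiki-01", "app": "intranet", "tier": "web", "criticality": "low",  "edr": False},
}
# The organisation's own internal address plan (assumed); anything outside it is treated as public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports treated as database services for the exposure check.
DB_PORTS = {1433, 1521, 3306, 5432, 27017}
CRITICALITY_RANK = {"high": 2, "medium": 1, "low": 0}

# Constructed flow records in a VPC-flow-log-like shape: src dst dst_port proto bytes
FLOWS = """\
10.1.0.10 10.1.1.20 8443 tcp 52000
10.1.1.20 10.1.2.30 5432 tcp 310000
198.51.100.7 10.1.0.10 443 tcp 9000
203.0.113.9 10.1.2.30 5432 tcp 1200
10.3.9.99 10.1.1.20 8443 tcp 800
10.2.0.40 10.1.2.30 5432 tcp 400
this line is malformed and must be skipped
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, port, proto, nbytes = parts
        try:
            flows.append({"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                          "port": int(port), "proto": proto, "bytes": int(nbytes)})
        except ValueError:
            continue
    return flows


def dataflow_map(flows):
    """Aggregate flows into (src, dst, port) edges with byte totals (ID.AM-3: dataflows mapped)."""
    edges = defaultdict(int)
    for f in flows:
        edges[(str(f["src"]), str(f["dst"]), f["port"])] += f["bytes"]
    return dict(edges)


def find_unknown_systems(flows, inventory=INVENTORY):
    """Internal addresses on the wire that the asset register does not list (ID.AM-1 gap)."""
    unknown = {str(ip) for f in flows for ip in (f["src"], f["dst"])
               if is_internal(ip) and str(ip) not in inventory}
    return sorted(unknown)


def find_exposed_databases(flows):
    """Database ports reached directly from public addresses: a flow that a Zero Trust
    policy should never simply enshrine because it was observed."""
    hits = {(str(f["src"]), str(f["dst"]), f["port"])
            for f in flows if f["port"] in DB_PORTS and not is_internal(f["src"])}
    return sorted(hits)


def find_missing_edr(inventory=INVENTORY):
    """Inventoried systems where the EDR baseline is not met."""
    return sorted(ip for ip, asset in inventory.items() if not asset["edr"])


def prioritize(flows, inventory=INVENTORY):
    """Rank assets by criticality, then by how many inventoried systems depend on them
    (ID.AM-5: resources prioritized by criticality and dependencies)."""
    dependants = defaultdict(set)
    for f in flows:
        src, dst = str(f["src"]), str(f["dst"])
        if src in inventory and dst in inventory:
            dependants[dst].add(src)
    ranked = sorted(inventory, key=lambda ip: (CRITICALITY_RANK[inventory[ip]["criticality"]],
                                               len(dependants[ip])), reverse=True)
    return [inventory[ip]["name"] for ip in ranked]


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("dataflow edges:", len(dataflow_map(flows)))
    print("unknown internal systems:", find_unknown_systems(flows))
    print("databases reached from public networks:", find_exposed_databases(flows))
    print("inventoried systems without EDR:", find_missing_edr())
    print("priority order:", prioritize(flows))
```

On the sample data the script reports one internal address the register has never heard of, one database reached straight from a public address, one inventoried host with no EDR agent, and ranks the billing database first because it is both critical and the most depended-upon. In practice the flow source would be cloud flow logs or network telemetry and the register would be the CMDB; the point is that the inventory, the map and the priorities are recomputed from observations rather than maintained by hand.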
Application Relationship Management (ARM) enables organizations to identify the assets within their environments, map dependencies and dataflows, prioritize resources based upon their business function and dependencies, and establish a set of security controls and baselines to ensure they are adequately protected and observed for anomalies and deviations. Application Relationship Management is fundamental to the establishment of Cyber Resilience as defined by NIST CSF.
Control Implementation Versus Efficacy of Control – Realizing the True Zero Trust Architecture
The EO references Zero Trust, Segmentation, and Least Privilege as methods of reducing attack surface. However, the ability to meet any of these requirements depends heavily upon the ability to define effective security policies (or “Proper Configuration” as specified within the EO itself).
Following the Colonial Pipeline incident, there has been some debate within the media about legacy control architectures (for example, appliance-based firewalls between Industrial Control Systems and corporate environments) versus modern distributed control architectures such as Zero Trust (ZTA). While ZTA does provide many benefits in terms of building resilience, protecting critical functions, and restricting lateral movement of threats (which has been common across the SolarWinds trojans, the zero-day Exchange breaches, and the Colonial ransomware breach), to focus purely upon the enforcement architecture is to miss the point entirely. Few organizations associated with Critical Infrastructure delivery omit policy enforcement points between their industrial control environments and corporate networks (from which ransomware attacks generally propagate), and yet ransomware attacks are still penetrating to impact the critical infrastructure. This is because in today’s complex environments, organizations struggle to configure the security policies delivering the Zero Trust enforcement through the lifecycle of the business, so replacing a static legacy firewall ruleset with a static ZTA ruleset is going to expose exactly the same weaknesses in the security architecture. To quote the EO, Zero Trust Architecture “requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.”
Application Relationship Management (ARM) enables organizations to manage Zero Trust, Segmentation, and Least Privilege configurations through the lifecycle of an organization’s applications by continuously re-evaluating each application’s properties and dependencies and allowing organizations to understand when their baseline changes. vArmour’s Conform technology also provides a single security management plane to program Zero Trust enforcement agents adopted across modern heterogeneous environments (which will be based upon a combination of K8s network policies for PaaS, EDR agents, Security Groups within cloud IaaS, and SDNs across private clouds) without increasing complexity or requiring more segmentation-specific endpoint agents.
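To make the lifecycle point concrete, here is an added Python example (not vArmour’s Conform product, and not code from the original post) of the two operations the paragraph describes for one of the enforcement targets it names: deriving least-privilege Kubernetes NetworkPolicy objects from an observed dependency baseline, and reporting drift when a later observation no longer matches that baseline. The workload names, labels, ports and both observation sets are constructed; all workloads are assumed to share one namespace.

```python
"""Added illustration (not vArmour's Conform product): derive least-privilege ingress
rules from an observed dependency baseline, render them as Kubernetes NetworkPolicy
objects, and report drift when a fresh observation no longer matches the baseline."""
import json

# Constructed baseline: for each workload ("app/tier"), the (source workload, port) pairs
# observed during the learning window. Workload names map to pod labels via labels() below,
# and every workload is assumed to live in one namespace (cross-namespace peers would also
# need a namespaceSelector in the policy).
BASELINE = {
    "billing/web": {("edge/proxy", 443)},
    "billing/app": {("billing/web", 8443)},
    "billing/db":  {("billing/app", 5432)},
}

# Constructed later observation: an intranet wiki has started reaching the billing
# database, and a new batch workload has appeared that the baseline never saw.
OBSERVED = {
    "billing/web":   {("edge/proxy", 443)},
    "billing/app":   {("billing/web", 8443)},
    "billing/db":    {("billing/app", 5432), ("intranet/web", 5432)},
    "billing/batch": {("billing/app", 9000)},
}


def labels(workload):
    """'billing/db' -> pod labels {'app': 'billing', 'tier': 'db'} (hypothetical label scheme)."""
    app, tier = workload.split("/", 1)
    return {"app": app, "tier": tier}


def network_policy(workload, allowed):
    """Render an ingress allow-list as a NetworkPolicy. Because 'Ingress' is listed in
    policyTypes, only the peers named in the rules may reach the selected pods; every
    other ingress to them is denied. One rule per (peer, port) keeps the pairing exact."""
    rules = [{"from": [{"podSelector": {"matchLabels": labels(src)}}],
              "ports": [{"protocol": "TCP", "port": port}]}
             for src, port in sorted(allowed)]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "allow-" + workload.replace("/", "-")},
        "spec": {"podSelector": {"matchLabels": labels(workload)},
                 "policyTypes": ["Ingress"],
                 "ingress": rules},
    }


def policies_from_baseline(baseline):
    """One least-privilege policy per workload in the baseline."""
    return [network_policy(wl, allowed) for wl, allowed in sorted(baseline.items())]


def drift(baseline, observed):
    """Edges present in the observation but not the baseline need review before being
    enshrined in policy; edges that have vanished are candidates for tightening."""
    report = {}
    for wl in sorted(set(baseline) | set(observed)):
        new = observed.get(wl, set()) - baseline.get(wl, set())
        gone = baseline.get(wl, set()) - observed.get(wl, set())
        if new or gone:
            report[wl] = {"new": sorted(new), "gone": sorted(gone)}
    return report


if __name__ == "__main__":
    for policy in policies_from_baseline(BASELINE):
        print(json.dumps(policy, indent=2))   # kubectl apply -f accepts JSON as well as YAML
    print("drift since baseline:", drift(BASELINE, OBSERVED))
```

The drift report is deliberately not fed straight back into policy generation: the new wiki-to-database edge is exactly the kind of flow that should be reviewed rather than enshrined, and the design choice of regenerating policies only from an approved baseline is what separates a continuously verified ruleset from a static one that merely happens to be expressed as a NetworkPolicy.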
The Impact of Accelerated Cloud Adoption and the Shared Responsibility Model
A final interesting aspect of the EO is the requirement to modernize and accelerate the transition to secure cloud architectures, an extension of the FedRAMP initiative. This move recognizes the inherent security capabilities provided by modern cloud architectures, and also explicitly cites the need to ‘build in’ ZTA architectures to this initiative. Anyone familiar with the Shared Responsibility model for cloud security will also understand that while modern cloud environments provide a wealth of modern security controls (for example, Security Groups and Network Policy capabilities to enforce segmentation requirements), it remains the responsibility of the tenant to ensure that the configurations and policies required to secure applications within the cloud are correct throughout the application’s lifecycle.
Our approach at vArmour has been to focus on risk, configuration, and policy efficacy in order to enable organizations to accelerate their adoption of secure cloud architectures where policy enforcement capabilities are built-in.
Putting it All Together
The Executive Order “Improving the Nation’s Cybersecurity” is a timely and welcome directive which will have broad impact throughout the US federal government, US private sector institutions and the world. It is an ambitious response to the global threat landscape, providing leadership and defining specific solutions to today’s problems. Front and center within this policy is the need to migrate to secure cloud architectures utilizing a Zero Trust Architecture. At vArmour we wholeheartedly endorse this approach, and believe that the underpinnings of this transformation provided by Application Relationship Management will not only facilitate an accelerated adoption of the new architecture but also assist in the improved intelligence and communication capabilities required across federal and private sectors.