In early May 2021, the president of the United States issued an executive order on cybersecurity. Though it will take some time for executive branch agencies to develop formal rules, the order itself includes a lot of what I consider best practices in cybersecurity, including the use of multi-factor authentication (MFA) and Zero Trust, mentioned by name.
The call for the adoption of cybersecurity best practices makes a lot of sense. Recently, we broadly discussed how MFA could be leveraged to mitigate security risks. In the past six months alone, we’ve seen a substantial increase in headline-grabbing security incidents: SolarWinds in December 2020, Microsoft Exchange vulnerabilities in March 2021 and, most recently, the DarkSide ransomware attacks. Even the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released an alert on the exploitation of Pulse Connect Secure Vulnerabilities drawing attention to the growing problem of increasing security threats.
The movement away from a traditional network access model toward the powerful combination of Zero Trust bolstered by MFA can significantly limit the ability of malware to do harm. Unlike traditional tools like VPNs, a Zero Trust approach ensures that information assets remain dark to all except authorized users.
This means that data can be seen only by users who are strongly authenticated and who have been granted access. Effectively, this approach is a strong form of the principle of least privilege: verify, then trust.
The move toward Zero Trust contrasts with the traditional network access model — like a VPN, for example. Traditionally, once a user is on the network, they can see all assets that are routable on the network.
This is dangerous. Although the user may not be able to get past the login, if they can get an application to present a login screen (or begin any other form of login challenge), they can get that application to execute code, which means vulnerabilities can be exploited. That, right there, is a violation of least privilege.
Seriously, why would you ever grant visibility to non-authorized users? Such visibility could be exploited by malware. So, don’t do it.
The Biden Administration, including the Department of Homeland Security’s CISA, think it’s dangerous too. The executive order urges the Federal government to secure cloud services using a Zero Trust architecture and mandates deployment of multi-factor authentication and encryption within a specific time period. The order continues to outline timelines for this implementation, giving 180 days to adopt an MFA solution.
November 8th is fast approaching, folks.
What Can You Do Right Now?
Start by getting educated on what Zero Trust is, what that means for your agency, and MFA helps mitigate these risks. Alleviating today’s cybersecurity challenges and moving fully toward Zero Trust with one simple tool isn’t an option that exists just yet. But a good first step is an MFA tool. When combined with Zero Trust access, it grants access only to those users who have been strongly authenticated and who actually need access. For all others, the assets remain dark, which means that they cannot be scanned for vulnerabilities or attacked.