Strengthening identity-based security with zero trust

Cyber adversaries continue to target weak access controls to infiltrate agency networks and take control of user accounts. In fact, more than 80% of all attacks involve credential use or misuse in the network, according to cybersecurity experts. As a result, like with other relevant cyber events, visibility is key. To protect against credential-based attacks, agencies must ensure that all access requests are consistently vetted before allowing any connections to enterprise or cloud assets.

Agencies can do this by deploying well-managed identity-based security systems using zero trust. These systems form the foundation for a zero trust architecture and will be crucial as agencies adopt cloud-based infrastructure and applications.

Zero Trust security is one of the most effective ways for agencies to control access to their networks, applications and data. The zero trust model combines a wide range of preventative techniques and technology, including identity verification, behavioral analysis, microsegmentation, endpoint security and least privilege controls to deter would-be attackers and limit their access to critical infrastructure in the event of a breach.

The federal government has moved to accelerate the adoption of zero trust principles, as described in The President's Executive Order 14028, "Improving the Nation's Cybersecurity," and outlined in the Office of Management and Budget's Federal Zero Trust Strategy.

The OMB Strategy is a well-conceived, thoughtful approach to a complex problem. OMB's strategy envisions adopting a zero trust architecture to strengthen identity practices across federal agencies. In fact, identity is one of the five pillars that underpin the Zero Trust Maturity Model released by the Cybersecurity and Infrastructure Security Agency. The other pillars include a focus on devices, networks, applications and data.

The Identity section of the OMB Strategy is critical. However, it can be strengthened by integrating three emerging and related concepts. These include the need to:

● Use risk-based conditional access to trigger multi-factor authentication (MFA) only when required to achieve the true "never trust" principle of zero trust. On the one hand, this strategy can reduce friction for low-risk, permitted use. On the other hand, it can increase barriers against unpermitted use, which includes dynamically providing suspicious users with a new MFA challenge within a permitted session. This is an important capability considering identity-based attacks that abuse legitimate credentials.

● Extend identity requirements to unmanaged systems or legacy systems that cannot typically use MFA. By monitoring and using credentials, including single sign-on (SSO), tied to users and applications of those systems that can directly force an MFA, a risk-based conditional access model can be set up to examine behavioral signals of identities (in real-time) at the identity store and to determine anomalous activity that may require the monitoring system to trigger an MFA.

● Enforce the principle of least privilege at the identity level. Least privilege limits the scope of any system, effectively reducing the impact (or "blast radius") of a breach. Identity-based segmentation monitors a user or application by using its credential and is not based on the physical location or deployment model. This can include where and how the credential is used, behavioral usage analysis and other factors.

The OMB strategy clarifies that certain MFA requirements apply to staff, contractors, partners and public users. However, the strategy should more explicitly mandate such coverage for privileged users and service accounts (i.e., non-human accounts), which frequently fall outside of such controls and are abused by threat actors. This is especially important when factoring in legacy devices that remain in use despite IT modernization initiatives.

Furthermore, OMB's strategy notes that "agencies should aim ultimately to use a single identity system that serves all internal users." Such a system could have certain positive attributes, notably simplicity of administration. However, persistent issues with network architectures used today by some primary identity providers raise questions about whether a more federated, community-driven approach to identity would offer more robust security.

A universal security management of identity is the real priority—not a singular identity platform. The essential requirement for robust identity is visibility across:

● All credentials (e.g., users, privileged users, service accounts, etc.);

● Credential attack path / scope across all infrastructure (e.g., cloud, on-premise, etc.); and

● Credential usage scenarios (e.g., Microsoft Active Directory or SSO providers).

OMB recognizes the need to strengthen identity hygiene. In fact, the OMB strategy directs CISA to "make available to agencies one or more services to privately compare user passwords against known-weak and known-breached data, to help agencies protect against reused stolen credentials." To that end, there is a need for systems that identify not only weak or compromised passwords but also stale accounts, which are inactive accounts that pose security risks to an agency. Privileged accounts require special attention due to their scope and potential impact, as evidenced by several notable breaches over the past year.

As OMB stated, their strategy is a starting point, not a comprehensive guide to a fully mature zero trust architecture. However, as agencies work to protect their critical infrastructure from cyberattacks, following OMB's strategy along with comprehensive maturity models and reference architectures will provide the right guidance for planning and implementing their long-term security architecture migrations.