The U.S. federal government has been moving towards a zero trust architecture, and state and local agencies, as well as the private sector, have been following suit.
There have been several published resources from the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, the U.S. Department of Defense and others outlining key tenets of zero trust, with practical recommendations for how to implement the security architecture.
However, amidst all this published guidance, there are areas of cybersecurity that remain a challenge. Unless organizations account for these blind spots in their strategies, they will not be safe from threats despite their best zero trust efforts.
The Internet of Things and Operational Technologies
Federal agencies need to consider the growing estate of IoT devices and the convergence of IoT/OT networks as part of their network management and zero trust security architectures. As a result of digital transformation and modernization initiatives, there is a convergence of IT and IoT/OT that can introduce a gap in agencies’ zero trust security plans.
IoT/OT networks are traditionally managed separately because of the variety of devices and the disparity in technologies and processes between IT and OT networks. Typically, IoT/OT systems use varying operating systems (e.g. embedded in firmware, vendor-proprietary, etc.), communications protocols, and network management tools to maintain, update and patch these devices.
It’s common to have a limited set of management tools and few skilled staff to operate these IoT/OT networks and manage their lifecycle. As a result, devices may be exposed to vulnerabilities due to inconsistent patching and updates. Improperly configured networks and inadequate authentication controls are also common challenges related to IoT/OT.
Cloud infrastructure security
Another key area that must be addressed in zero trust security is the growing use of public cloud infrastructure. One of the challenges that agencies face is knowing who is ultimately responsible for maintaining and monitoring the security of cloud resources such as workloads, networks, applications, and services.
The Shared Responsibility Model is a security framework that outlines the responsibilities of both the cloud service providers and the consumer (e.g. government agency). However, there may still be potential gaps due to gray areas and lack of clearly defined roles, responsibilities and tasks related to managing cloud security. Furthermore, the dynamic, ephemeral and multi-cloud characteristics of agencies’ cloud environments compound the complexity of managing cloud infrastructure, as workloads may constantly be changing.
Post-Quantum Cryptography
Post-Quantum Cryptography initiatives are critical to address the threats posed by quantum computing. These threats are much closer than many realize.
Federal agencies will need to adopt new encryption standards to protect data and systems from advanced decryption techniques now and in the future. Cyber threat actors are taking the approach of “store now, decrypt later,” posing a real threat to sensitive information even though the data is encrypted and quantum computing is still in its relatively early stages.
System owners must establish a comprehensive plan to inventory cryptographic assets and critical interdependencies and create an implementation plan to protect against the looming threat of cryptographically relevant quantum computers. This inventory must happen as soon as possible — agencies cannot wait until new PQC standards are finalized and published by government entities.
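The inventory step described above is where most programs stall, because a list of algorithms alone does not say which assets are already exposed to "store now, decrypt later" capture. The script below is an added example, not code from the article or from Merlin Cyber. It parses a constructed cryptographic asset inventory (the asset names, algorithms and year figures are illustrative), classifies each primitive by how a cryptographically relevant quantum computer affects it, and ranks confidentiality assets using Mosca's inequality (data must stay secret for x years, migration takes y years, a CRQC is expected in z years; if x + y > z the data is exposed today). The 10-year CRQC horizon is an assumed planning value, not a forecast.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample inventory (illustrative values, not real systems).
INVENTORY_CSV = """\
asset,algorithm,key_bits,purpose,retention_years,migration_years
vpn-gateway,RSA,2048,confidentiality,2,1
records-archive,ECDH,256,confidentiality,25,3
backup-encryption,AES,128,confidentiality,10,1
tls-edge,ML-KEM,768,confidentiality,5,0
legacy-scada-link,DH,1024,confidentiality,15,4
code-signing,ECDSA,256,signature,1,2
file-hashing,SHA-256,256,integrity,1,0
"""

# Public-key primitives broken outright by Shor's algorithm on a CRQC.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}
# Symmetric ciphers and hashes: Grover's algorithm roughly halves the
# effective security level, so key/digest length decides the verdict.
GROVER_AFFECTED = {"AES", "CHACHA20", "SHA-256", "SHA-384", "SHA-512", "SHA3-256"}
# NIST FIPS 203/204/205 algorithm names.
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass
class Asset:
    name: str
    algorithm: str
    key_bits: int
    purpose: str            # confidentiality | signature | integrity
    retention_years: int    # how long the protected data must stay secret (x)
    migration_years: int    # estimated time to move this asset to PQC (y)


def parse_inventory(text: str) -> list[Asset]:
    """Parse the CSV inventory into Asset records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Asset(r["asset"], r["algorithm"], int(r["key_bits"]), r["purpose"],
              int(r["retention_years"]), int(r["migration_years"]))
        for r in rows
    ]


def classify(asset: Asset) -> str:
    """Bucket a primitive by its quantum exposure."""
    alg = asset.algorithm.upper()
    if alg in POST_QUANTUM:
        return "post-quantum"
    if alg in SHOR_VULNERABLE:
        return "shor-vulnerable"
    if alg in GROVER_AFFECTED:
        # 256-bit keys/digests keep ~128-bit post-quantum security; shorter ones do not.
        return "quantum-resistant" if asset.key_bits >= 256 else "grover-reduced-margin"
    return "unknown"


def mosca_exposure(asset: Asset, crqc_years: int) -> int:
    """Mosca's inequality: x + y - z. Positive means the data is already at
    risk today, because it must stay secret beyond the point at which a
    CRQC (expected in z years) could decrypt traffic captured now."""
    return asset.retention_years + asset.migration_years - crqc_years


def triage(assets: list[Asset], crqc_years: int) -> list[dict]:
    """Rank assets by harvest-now-decrypt-later urgency.

    Only confidentiality uses of Shor-vulnerable algorithms are exposed to
    recorded-traffic decryption; signatures and hashes must still migrate
    before a CRQC exists but cannot be attacked retroactively."""
    report = []
    for a in assets:
        category = classify(a)
        exposure = mosca_exposure(a, crqc_years)
        at_risk = (category == "shor-vulnerable"
                   and a.purpose == "confidentiality"
                   and exposure > 0)
        report.append({"asset": a.name, "category": category,
                       "exposure_years": exposure, "harvest_risk_now": at_risk})
    report.sort(key=lambda r: (not r["harvest_risk_now"], -r["exposure_years"], r["asset"]))
    return report


if __name__ == "__main__":
    # CRQC horizon of 10 years is an assumed planning value, not a forecast.
    for row in triage(parse_inventory(INVENTORY_CSV), crqc_years=10):
        print(row)
```

In a real program the CSV would be produced by discovery tooling (certificate scans, TLS configuration exports, HSM and key-management inventories) and the retention and migration figures by data owners; the ranking then tells the agency which assets to move to hybrid or post-quantum key exchange first, which is why the inventory cannot wait for the final standards to land.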
The guidance to implement zero trust across federal government has been transformative in improving agencies’ cybersecurity posture. As agencies continue to mature in their zero trust journey, addressing these blind spots should be part of the roadmap and implementation plans.
By establishing a comprehensive inventory of assets in IoT/OT, cryptography, and cloud resources, agencies can mitigate the threats posed in the environment. Collaboration and strong partnerships with CSPs and the security industry inform and improve cybersecurity as government increases reliance on the cloud and transformative technologies.
Miguel Sian is SVP of Technology at Merlin Cyber, a provider of cybersecurity services for the U.S. public sector.