Cybersecurity advice from a 19th-century undertaker: address vulnerabilities and create trust
Almon Brown Strowger was an undertaker in 1878 in Kansas City, Missouri. In Strowger’s day, telephone calls required speaking to a switchboard operator who connected the calls to the desired persons or businesses.
Strowger discovered he was losing business to a competitor in town when a friend of his died and he was not contacted. It turned out his competitor’s wife was a switchboard operator and diverted all undertaker requests to her husband’s business.
Instead of dealing with the switchboard company, Strowger put switchboard operators out of work. After years of development, Strowger received a patent for a direct-dial automatic switching system.
He saw switchboard operators as a vulnerability to his business and removed a barrier to his customers, creating a trust relationship. Switchboard operators were not inherently bad, but Strowger’s story is an analogy for the proliferation of IT ecosystem vulnerabilities. Industry advancements in firewalls, intrusion detection and prevention, proxy servers, and more served as critical capabilities until they became vulnerabilities.
Cybersecurity evolves from patching vulnerabilities, to countering threats, to establishing trust
As malicious actors began exploiting software vulnerabilities, organizations responded with rapidly deployed software patches. The vulnerability-based approach to cybersecurity emerged, which in addition to patching software, created a strong network boundary to prevent adversaries from accessing vulnerable software. In this approach, the security appliances at the network boundary create a “trust zone.” When a user gains access into the trust zone and is inside the network, all resources are available.
While patching vulnerable operating systems, applications, and network devices is important, it is not sufficient. The adversary still frequently penetrates the trust zone.
In response, organizations have added such capabilities as security operations centers, cyber threat- and intelligence-based warnings, and rapid incident response, focusing cybersecurity efforts on identifying and responding to malicious actors. Of course, these capabilities are in addition to patching vulnerable software. We call this new phase of cybersecurity, where cyber defenders actively respond to threats, the threat-based approach.
Much like Strowger’s situation, cybersecurity is ultimately about establishing a trusted data exchange connection.
Today’s information ecosystem extends far beyond an organization’s network boundary through tools like virtual private networks (VPNs). But they are insufficient to address today’s challenges like the proliferation of Internet of Things (IoT) devices, cloud computing, mobile phones, and an exponentially larger workforce remotely accessing network resources.
Much like Strowger’s situation, cybersecurity is ultimately about establishing a trusted data exchange connection. We are now in the “trust-based” phase. Establishing trust between two resources anywhere within the enterprise is the desired end state. We design and implement Zero Trust Architectures (ZTAs) to meet today’s challenges.
What is trust-based cybersecurity? Breaking down NIST’s Zero Trust Architecture framework.
A trust-based approach requires shrinking the trust zone as close to the resource as possible. For today’s cyber defender, limiting an adversary’s freedom to laterally move throughout the enterprise greatly enhances the protection of an organization’s critical cyber resources.
To help organizations and businesses understand how to implement a ZTA, the National Institute of Standards and Technology (NIST) released a draft publication outlining seven tenets. The tenets help organizations establish a roadmap to achieve Zero Trust. They are:
- Identify all data sources and computing services as resources.
- Implement secure communication between all resources regardless of location.
- Only grant resource access on a per-session basis.
- Ensure all resources are checked dynamically for specific characteristics to determine policy compliance.
- Ensure all devices are monitored to ensure they are in the most secure state possible.
- Establish dynamic resource authentication and authorization through Identity, Credential, and Access Management (ICAM) before granting access.
- Design the enterprise security architecture to collect as much information as possible about network infrastructure and communications to improve security posture.
According to NIST, all data sources, including the identities of users logging into the network, and computing services are resources. This can be challenging if the organization does not have situational awareness and an understanding of all its resources. To have a successful transition to ZTA, organizations must have an effective approach to gaining cyber awareness of their enterprise resources and implement effective tools to protect those assets.
Mapping capabilities to tenets: how SAIC delivers on ZTA
Cybersecurity professionals cannot transition to a trust-based approach and implement a ZTA with a single product.
SAIC offers all the components necessary to migrate our customers toward a ZTA. We are the exclusive reseller of Stealth™ to the federal government, which can implement the first four tenets provided by NIST for ZTA without requiring a hardware investment. Stealth enables our customers, through software-based microsegmentation, to move all resources into a secure Community of Interest (CoI).
This ensures customers only access resources on a per-session basis, and that access adheres to the policies assigned to each resource. Stealth also encrypts all communication between resources based on the FIPS 140-2 encryption standard and approved through the National Information Assurance Partnership (NIAP), the federal government program which validates that a COTS product can protect data at the highest standard.
To achieve the next two tenets, SAIC has integrated additional tools into Stealth to ensure all network devices are at their highest security state. These additional tools integrate with Stealth under SAIC’s Trust ResilienceTM portfolio of ZTA capabilities. Some of these integrated tools include end-user device comply to connect, identity management, and identity governance.