Confirm Identities Before Issuing Credentials
Federal agencies already perform identity proofing for employees, contractors and other people who need access to internal cyber systems and services or to federal facilities.
Identity proofing includes background checks and other means of verifying that each person truly has the identity that they claim. This is done before a person is issued a Personal Identity Verification card.
However, identity proofing is probably not in place for all users. For example, your agency might use cloud-based applications for collaboration with others outside the federal government. If those applications are to fall within the scope of zero trust, then those external users may need to have their identities proofed as well.
Similarly, citizens needing certain high-value digital services in a zero-trust architecture might have to prove their identities first. The sooner your agency decides which identities need to be vetted, the more time you’ll have to make the necessary changes.
Minimize the Likelihood of Anyone Using Another’s Credentials
Agencies already create a separate account for each person who needs access to systems and services. This promotes accountability, but there are some common weaknesses attackers can exploit.
First, there are often shared accounts for certain situations — for example, a single service account used by numerous endpoints, with the same password across endpoints. A compromise of any of those endpoints could expose the password granting access to all of them. Agencies should minimize or eliminate shared accounts for both human and nonhuman users.
Second, strong multifactor authentication (MFA) is becoming a necessity for human user access. At least one of the factors should have a physical component, such as a biometric scan or a cryptographic token.
Short Message Service (SMS) messages should not be used as a factor because attackers can intercept or redirect them with relative ease; see the National Institute of Standards and Technology’s SP 800-63-3, “Digital Identity Guidelines,” for more information on SMS. Strong MFA for people minimizes the possibility of an attacker reusing someone’s credentials.
Finally, in addition to people and services, zero-trust architectures require credentials for devices. Authenticating the identity of user endpoints, servers, network equipment and other computing devices is essential for knowing what is accessing your agency’s digital assets.
An example of a device credential is a unique, secret cryptographic key stored in the device’s Trusted Platform Module.
Constantly Monitor and Log All Activity to Identify Potential Issues
With identity proofing, individual accounts and strong MFA in place, it’s most likely that account compromises will involve attackers using malware to gain remote access and control over user endpoints.
In addition to using typical anti-malware controls, it’s critically important to perform constant monitoring of all account activity to identify anomalies that might indicate someone isn’t who they claim to be.
Agencies should also monitor devices to ensure they stay secure — that means fully patched and properly configured, with all security controls enabled and no malware or other unauthorized software present.
Monitoring should also include logging. It’s particularly important to verify and log user, device and service identities, and to track what’s being accessed and done using each identity.
By logging identity information throughout the enterprise, it’s relatively straightforward to audit activity and determine what any given identity has been used for.
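As an added illustration (not part of the original article) of two points above, the risk of one service account shared across many endpoints and the value of logging which identity is used from where and with which factor, the following Python script runs simple detection logic over a constructed set of authentication records. The key=value record format, the account type field and the MFA factor names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication records (not from any real system).
# Assumed format: timestamp, source endpoint, account, account type
# (human/service/device), MFA factor used, and outcome.
SAMPLE_LOG = """\
2024-03-01T08:00:12Z endpoint=ws-0101 account=jdoe type=human mfa=piv result=success
2024-03-01T08:01:45Z endpoint=ws-0102 account=asmith type=human mfa=none result=success
2024-03-01T08:02:03Z endpoint=srv-app01 account=svc_backup type=service mfa=none result=success
2024-03-01T08:02:09Z endpoint=srv-app02 account=svc_backup type=service mfa=none result=success
2024-03-01T08:02:15Z endpoint=srv-db01 account=svc_backup type=service mfa=none result=success
2024-03-01T08:02:20Z endpoint=ws-0117 account=svc_backup type=service mfa=none result=success
2024-03-01T08:03:30Z endpoint=ws-0101 account=jdoe type=human mfa=sms result=success
"""

LINE_RE = re.compile(r"(?P<ts>\S+) (?P<kv>.*)")

def parse_line(line):
    """Turn one key=value record into a dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        rec[key] = value
    return rec

def parse_log(text):
    """Parse every well-formed line of the log text, skipping the rest."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def shared_accounts(records, max_endpoints=2):
    """Accounts successfully used from more than max_endpoints distinct endpoints."""
    seen = defaultdict(set)
    for r in records:
        if r.get("result") == "success" and "account" in r and "endpoint" in r:
            seen[r["account"]].add(r["endpoint"])
    return {acct: sorted(eps) for acct, eps in seen.items() if len(eps) > max_endpoints}

# Factors the article says are too weak for human access: none at all, or SMS.
WEAK_FACTORS = {"none", "sms"}

def weak_mfa_logins(records):
    """Human logins with no factor or an SMS factor, as (ts, account, endpoint, factor)."""
    return [(r["ts"], r["account"], r["endpoint"], r.get("mfa", "none"))
            for r in records
            if r.get("type") == "human" and r.get("mfa", "none") in WEAK_FACTORS]
```

Running the two checks over the sample flags svc_backup as a shared account spanning four endpoints and lists the two human logins that relied on no factor or on SMS, which is exactly the kind of anomaly the logging described above makes auditable.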