Find Out Who and What Is Accessing Your Digital Assets

Federal agencies need to know who’s inside in order to determine who belongs.


Ready or not, zero trust is coming to your agency soon. The Office of Management and Budget’s Memorandum M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” indicates that all federal agencies must “achieve specific zero trust security goals by the end of Fiscal Year 2024.”

There are two foundational parts of zero trust. The first is knowing what data and other digital assets you have and where they are. The other is knowing who and what (e.g., cloud-based services) can access each of those assets.

Cybersecurity practitioners are already painfully aware of how challenging these are to achieve. That’s especially true as perimeters morph or vanish and resources are increasingly distributed and decentralized.

To meet OMB’s zero-trust deadlines, federal agencies must prepare as soon as possible to maintain control and visibility over who and what is accessing their digital assets at all times.

That who and what includes human users as well as service accounts and other nonhuman users, plus the computing devices themselves. Here are the most important steps you should take now to get started.


Take Inventory of All Digital Assets

First, know what your digital assets are, who and what should access them, and how that access should occur.

For zero trust, the pertinent types of digital assets include systems, services and data. Asset management technologies can compile and maintain inventories of these, including cloud-based services and other externally hosted systems, services and data.

However, data inventories are often limited to structured data, such as databases; inventorying ad hoc data is a challenge at best. Focus on identifying what sensitive data your agency has instead of trying to track it all. For that sensitive data, determine where it is permitted to be at rest, in transit and in use.

Once you’ve identified the digital assets of interest and their permitted locations, you can determine who or what should be able to access each of those assets.

Ideally, your agency will use centralized account management and role-based access control, along with attribute-based access control, to grant access based on defined roles and relevant attributes. These can include endpoint device health, device location, and time of day and day of the week.

Whenever possible, base privileges on roles, and minimize additional access or privileges to individual accounts.
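The role-plus-attribute decision described above, as an added example that is not from the article or any agency system. It assumes a constructed role table, a constructed per-asset constraint table (device health, permitted locations, hours and weekdays), and a deny-by-default rule for any asset missing from the inventory; all names and values are illustrative.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from typing import Tuple

# Constructed RBAC table (assumed example data): role -> asset -> permitted actions.
# Privileges hang off roles, not individual accounts.
ROLE_PERMISSIONS = {
    "analyst": {"case-db": {"read"}},
    "case-admin": {"case-db": {"read", "write"}, "hr-records": {"read"}},
}

# Constructed ABAC constraints per asset (assumed schema): the attributes the
# article lists, i.e. endpoint health, device location, time of day, day of week.
ASSET_CONSTRAINTS = {
    "case-db": {
        "require_healthy_device": True,
        "allowed_locations": {"HQ", "VPN"},
        "hours": (6, 20),          # permitted local hours, [start, end)
        "weekdays_only": True,
    },
    "hr-records": {
        "require_healthy_device": True,
        "allowed_locations": {"HQ"},
        "hours": (8, 18),
        "weekdays_only": True,
    },
}


@dataclass
class AccessRequest:
    user: str
    roles: set
    asset: str
    action: str
    device_healthy: bool
    location: str
    when: datetime


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (granted, reason). Every check is deny-by-default."""
    # RBAC step: does at least one of the caller's roles grant this action?
    role_grants = any(
        req.action in ROLE_PERMISSIONS.get(role, {}).get(req.asset, set())
        for role in req.roles
    )
    if not role_grants:
        return False, "no role grants this action on the asset"

    # ABAC step: an asset absent from the inventory has no constraints and is denied.
    rules = ASSET_CONSTRAINTS.get(req.asset)
    if rules is None:
        return False, "asset not in inventory"
    if rules["require_healthy_device"] and not req.device_healthy:
        return False, "endpoint failed device health check"
    if req.location not in rules["allowed_locations"]:
        return False, "device location not permitted"
    start, end = rules["hours"]
    if not (start <= req.when.hour < end):
        return False, "outside permitted hours"
    if rules["weekdays_only"] and req.when.weekday() >= 5:
        return False, "outside permitted days"
    return True, "granted"


if __name__ == "__main__":
    tuesday = datetime(2024, 3, 12, 10, 0)   # constructed timestamp, a weekday
    print(evaluate(AccessRequest("jdoe", {"analyst"}, "case-db", "read", True, "HQ", tuesday)))
    print(evaluate(AccessRequest("jdoe", {"analyst"}, "case-db", "write", True, "HQ", tuesday)))
```

The reason string is what you would log with the decision, so that a later audit can show not only that access was denied but which role or attribute check denied it.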


Confirm Identities Before Issuing Credentials

Federal agencies already perform identity proofing for employees, contractors and other people who need access to internal cyber systems and services or to federal facilities.

Identity proofing includes background checks and other means of verifying that each person truly has the identity that they claim. This is done before a person is issued a Personal Identity Verification card.

However, identity proofing is probably not in place for all users. For example, your agency might use cloud-based applications for collaboration with others outside the federal government. If those applications should be within the scope of zero trust, then those users may need to have their identities proofed.

Similarly, citizens needing certain high-value digital services in a zero-trust architecture might have to prove their identities first. The sooner your agency decides which identities need to be vetted, the more time you’ll have to make the necessary changes.


Minimize the Likelihood of Anyone Using Another’s Credentials

Agencies already create a separate account for each person who needs access to systems and services. This promotes accountability, but there are some common weaknesses attackers can exploit.

First, there are often shared accounts for certain situations — for example, a single service account used by numerous endpoints, with the same password across endpoints. A compromise of any of those endpoints could expose the password granting access to all of them. Agencies should minimize or eliminate shared accounts for both human and nonhuman users.

Second, strong multifactor authentication (MFA) is becoming a necessity for human user access. At least one of the factors should have a physical component, such as a biometric scan or a cryptographic token.

Short Message Service messages should not be used as a factor because of attackers’ relative ease in obtaining them; see the National Institute of Standards and Technology’s SP 800-63-3, “Digital Identity Guidelines,” for more information on SMS. Having strong MFA for people minimizes the possibility of an attacker reusing someone’s credentials.

Finally, in addition to people and services, zero-trust architectures require credentials for devices. Authenticating the identity of user endpoints, servers, network equipment and other computing devices is essential for knowing what is accessing your agency’s digital assets.

An example of a device credential is a unique, secret cryptographic key stored in the device’s Trusted Platform Module.


Constantly Monitor and Log All Activity to Identify Potential Issues

With identity proofing, individual accounts and strong MFA in place, it’s most likely that account compromises will involve attackers using malware to gain remote access and control over user endpoints.

In addition to using typical anti-malware controls, it’s critically important to perform constant monitoring of all account activity to identify anomalies that might indicate someone isn’t who they claim to be.

Agencies should also monitor devices to ensure they stay secure — that means fully patched and properly configured, with all security controls enabled and no malware or other unauthorized software present.

Monitoring should also include logging. It’s particularly important to verify and log user, device and service identities, and to track what’s being accessed and done using each identity.

By logging identity information throughout the enterprise, it’s relatively straightforward to audit activity and determine what any given identity has been used for.
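An added example, not from the article or any agency tooling, of the kind of audit that identity-centric logging makes possible. It runs two checks over a constructed authentication log (assumed line format `timestamp user= endpoint= geo= result=`): one identity successfully authenticating from many distinct endpoints, the shared-service-account pattern the earlier section warns about, and a first successful logon from a geographic location never seen before for that identity. The log lines, identities and geo codes are all constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log (not real data). One record per authentication event.
SAMPLE_LOG = """\
2024-03-12T08:01:10Z user=svc-backup endpoint=srv-01 geo=US-DC result=success
2024-03-12T08:01:12Z user=svc-backup endpoint=srv-02 geo=US-DC result=success
2024-03-12T08:01:15Z user=svc-backup endpoint=srv-03 geo=US-DC result=success
2024-03-12T08:01:19Z user=svc-backup endpoint=ws-117 geo=US-DC result=success
2024-03-12T09:12:00Z user=jdoe endpoint=ws-042 geo=US-DC result=success
2024-03-12T09:40:31Z user=jdoe endpoint=ws-042 geo=US-DC result=success
2024-03-12T10:05:44Z user=jdoe endpoint=unknown geo=RU-MOW result=success
2024-03-12T10:06:02Z user=asmith endpoint=ws-007 geo=US-VA result=failure
"""

# Assumed line format for this example; a real SIEM would supply parsed fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) endpoint=(?P<endpoint>\S+) "
    r"geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse each well-formed line into a dict; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def shared_account_findings(events, max_endpoints: int = 2) -> List[Tuple[str, int]]:
    """Identities that successfully authenticated from more than max_endpoints
    distinct endpoints. One credential spread across many hosts is the shared
    service-account pattern, where compromising any host exposes all of them."""
    endpoints = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            endpoints[e["user"]].add(e["endpoint"])
    return sorted(
        (user, len(eps)) for user, eps in endpoints.items() if len(eps) > max_endpoints
    )


def unusual_location_findings(events) -> List[Tuple[str, str, str]]:
    """First successful logon from a geo code not seen in that identity's
    earlier successes. The baseline is learned from the log itself, so an
    identity's very first logon is never flagged."""
    seen = defaultdict(set)
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        user, geo = e["user"], e["geo"]
        if seen[user] and geo not in seen[user]:
            findings.append((e["ts"], user, geo))
        seen[user].add(geo)
    return findings


def audit(text: str = SAMPLE_LOG) -> Dict[str, list]:
    events = parse_log(text)
    return {
        "shared_accounts": shared_account_findings(events),
        "unusual_locations": unusual_location_findings(events),
    }


if __name__ == "__main__":
    for kind, items in audit().items():
        print(kind, items)
```

Both checks only work because every record carries a verified identity, the endpoint it came from and the outcome; without those fields logged consistently across the enterprise, neither the shared-account count nor the per-identity location baseline can be built.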


Act Immediately When Something in the Security Posture Changes

With zero trust, just because you’ve already trusted a person, service or device doesn’t automatically mean you should continue to do so. Many zero-trust implementations require all accounts to reauthenticate periodically during sessions, thus confirming again that the claimed identity is legitimate.

If a person, service or device should no longer have access, for whatever reason — from a person leaving the organization to a device being stolen — the associated credentials should be revoked immediately and all existing sessions terminated.

Similarly, it may be prudent to temporarily suspend credentials if anomalous activity is detected, such as a user attempting to log on from an unusual and suspicious geographic location.
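The session rules in this section (periodic reauthentication during a session, immediate revocation that terminates every existing session, and temporary suspension on anomalous activity) as an added example; it is not from the article or any agency product. The registry, its 30-minute reauthentication interval and the identity names are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Set, Tuple


@dataclass
class Session:
    identity: str          # person, service or device the session belongs to
    session_id: str
    last_verified: datetime
    active: bool = True


class SessionRegistry:
    """In-memory stand-in for an agency's session store (assumed design)."""

    def __init__(self, reauth_interval: timedelta = timedelta(minutes=30)):
        self.reauth_interval = reauth_interval
        self.sessions: Dict[str, Session] = {}
        self.revoked: Set[str] = set()      # permanent: left the org, device stolen
        self.suspended: Set[str] = set()    # temporary: anomalous activity under review

    def open(self, identity: str, session_id: str, now: datetime) -> Session:
        # Trust is not automatic: revoked or suspended identities get no new session.
        if identity in self.revoked:
            raise PermissionError(f"{identity}: credentials revoked")
        if identity in self.suspended:
            raise PermissionError(f"{identity}: credentials suspended")
        s = Session(identity, session_id, last_verified=now)
        self.sessions[session_id] = s
        return s

    def authorize(self, session_id: str, now: datetime) -> Tuple[bool, str]:
        """Called on each request; earlier trust expires once the interval lapses."""
        s = self.sessions.get(session_id)
        if s is None or not s.active:
            return False, "no active session"
        if s.identity in self.revoked or s.identity in self.suspended:
            s.active = False
            return False, "identity no longer permitted"
        if now - s.last_verified > self.reauth_interval:
            return False, "reauthentication required"
        return True, "ok"

    def reauthenticate(self, session_id: str, now: datetime, mfa_passed: bool) -> bool:
        s = self.sessions.get(session_id)
        if s is None or not s.active or not mfa_passed:
            return False
        s.last_verified = now
        return True

    def _terminate_all(self, identity: str) -> int:
        count = 0
        for s in self.sessions.values():
            if s.identity == identity and s.active:
                s.active = False
                count += 1
        return count

    def revoke(self, identity: str) -> int:
        """Permanent revocation; returns how many live sessions were terminated."""
        self.revoked.add(identity)
        return self._terminate_all(identity)

    def suspend(self, identity: str) -> int:
        """Temporary suspension, e.g. on a logon from an unusual location."""
        self.suspended.add(identity)
        return self._terminate_all(identity)

    def reinstate(self, identity: str) -> None:
        self.suspended.discard(identity)


if __name__ == "__main__":
    reg = SessionRegistry()
    t0 = datetime(2024, 3, 12, 9, 0)              # constructed timestamp
    reg.open("jdoe", "s1", t0)
    print(reg.authorize("s1", t0 + timedelta(minutes=45)))   # reauth required
    print(reg.revoke("jdoe"), "session(s) terminated")
```

Revocation and suspension both go through the same termination path, so a stolen device or a departing employee loses every open session at once rather than keeping them until they time out.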