How-to Guide for Compliance with the National Security Memo on Cyber

From IC Insider Thales Trusted Cyber Technologies

By Gina Scinta, Deputy CTO, Thales Trusted Cyber Technologies

On January 19, 2022, the White House issued a National Security Memorandum (NSM) to improve the cybersecurity of National Security, Department of Defense, and Intelligence Community Systems. Under the memorandum, National Security Systems (NSS) must employ network cybersecurity measures equal to or greater than those required of federal civilian networks in Executive Order (EO) 14028, which was issued in May 2021.

Compliance with EO 14028 is moving forward in all due haste, and the NSM is just one part of what must be addressed to ensure adherence to overall federal security guidelines. The NSM gives agencies 180 days to implement multifactor authentication and encryption for data-at-rest and data-in-transit in national security systems, per requirements also listed in EO 14028.

EO 14028 and the NSM are both key initiatives in the Biden administration’s effort to protect federal computer systems – cloud-based, on-premises, or hybrid – from the raft of security hacks and ransomware attacks plaguing U.S. infrastructure.

To accomplish this, the NSM piggybacks on several decisive steps outlined in EO 14028 to improve cybersecurity for NSS:

  • Adopt a zero trust architecture
  • Secure cloud services
  • Employ multifactor authentication
  • Encrypt data-at-rest and in transit

Let’s take a closer look at how these items make up the foundation for compliance with the new NSM and EO 14028.

Zero Trust Architecture Planning

Of the steps outlined above, perhaps the best way for agencies to protect their data from attacks is by implementing a zero trust architecture.

Zero trust starts by understanding that networked devices should not be trusted blindly, even if they have been verified and connected to a managed agency network. The safest place to start is to assume that networks either have been or will be compromised. From there, it’s essential to put a zero trust plan into effect.

To begin zero trust planning, it’s important to have a data-centric approach to security. Files containing sensitive information, and anything else requiring protection, must be adequately addressed regardless of where the data resides – on premises, in the cloud, or in a hybrid environment. This should be an automatic operation, with sensitive data identified as soon as it enters an agency’s IT ecosystem. This data should be secured with policy-based protection across the data lifecycle.

The importance of securing cloud services

Of the many areas in which the federal government stores sensitive data, cloud services are the most prevalent. The Thales 2021 Data Threat Report indicated that 55% of federal agencies store more than 40% of their data in public clouds—and that 44% of that cloud-stored data is sensitive. However, the same report indicates that over half of the sensitive data stored in the cloud is not encrypted.

Agencies must apply solutions to simplify the data security landscape. This applies to multiple cloud and legacy environments as well as cloud-oriented digital transformation applications.

Data security solutions should be able to protect data moving between clouds and out of the cloud to on-premises environments, using centralized data security solutions across multiple cloud platforms. Keep in mind that most cloud service providers (CSPs) have a “shared responsibility” view of security. These providers are responsible for securing the infrastructure that runs their cloud services. Data owners are responsible for protecting the confidentiality, integrity, and availability of their data in the cloud.

CSPs generally offer native data security solutions to their users. However, data owners need to determine the sensitivity level of their cloud-stored data and apply the most appropriate security measures to protect that data. For example, in cloud deployments where security is less critical, agencies may choose to rely on a CSP’s native encryption and deploy additional cryptographic key management services (Bring Your Own Key). For deployments where the highest level of security is required, agencies may instead choose to deploy Bring Your Own Encryption tools to their cloud environments.

Multifactor Authentication

As mentioned at the outset, the NSM says specifically that, within 180 days, “agencies shall implement multifactor authentication and encryption for NSS data-at-rest and data-in-transit.” That requires data protection solutions that can integrate with existing IT infrastructures, providing comparable levels of security from the core to the cloud to the edge. In this way, agencies can meet immediate data protection requirements while being able to scale a trusted security framework for future needs.

In essence, multifactor authentication ensures that a user is who they claim to be. The more independent factors used to establish a person’s identity, the greater the confidence in that identity. Because multifactor authentication requires multiple means of identification at login, it is generally considered to be the most secure method for authenticating access to data and applications.

The best solutions for multifactor authentication address numerous use cases, assurance levels, and threat vectors with unified, centrally managed policies, all managed from a central platform delivered in the cloud or on-premises. Methods of authentication should include context-based authentication combined with step-up capabilities, out-of-band authentication, one-time password and X.509 certificate-based solutions. Authentication methods should be available in numerous form factors, including smart card, USB token, software, mobile app, and hardware tokens.

Data-at-rest Encryption

Data-at-rest encryption with privileged user access controls can considerably improve security. It not only protects data-at-rest, but also encrypted workloads in the cloud. Role-based access policies enable a zero trust architecture by controlling who, what, where, when and how data can be accessed. Granular access controls enable administrative users to perform their duties while restricting access to encrypted data.

Optimal data-at-rest encryption solutions should be able to deliver granular encryption and role-based access control for structured and unstructured data, whether that data resides in file servers, databases, applications, or storage containers.

The NSM requires agencies to use NSA-approved Quantum Resistant Algorithms or the Commercial National Security Algorithm (CNSA) Suite. This means that agencies need to verify with their vendors that these future-proof algorithms are in use, or develop a plan to transition to approved encryption solutions.

Data-in-transit Encryption

It is absolutely essential to protect network-transmitted data against cyber-attacks and data breaches. This calls for high-assurance network encryption, with secure, dedicated encryption devices to protect data-in-transit. To truly be called “high assurance,” devices must use embedded, zero-touch encryption key management; provide end-to-end, authenticated encryption; and use standards-based algorithms.

Agencies should look for network encryption solutions that provide a single platform to encrypt everywhere: from network traffic between data centers and headquarters, to backup and disaster recovery sites, whether on premises or in the cloud. High-assurance network data encryption enables an organization to have the confidence that its data will be useless in unauthorized hands.

Logging data access to identify potential threats

Agencies need visibility into who and what is accessing sensitive data, including privileged users who may be assuming the identity of other users. An ideal way of monitoring that type of activity is by maintaining a log of the time, place, and individuals accessing the data, as well as what action took place.

Logs offer deep visibility into data access, which can alert administrators to unauthorized access attempts to protected data. Such logs can also be used to understand typical access patterns when combined with other infrastructure and access information. For example, consider a user that typically accesses information in small quantities inside a local network. If that user suddenly starts accessing large amounts of data remotely, that could constitute a threat, which should generate an alert and prompt an investigation.
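The access-pattern rule described above, as an added example that is not part of the original article: it parses a handful of constructed data-access log lines (the line format, field names, private-network ranges and thresholds are all assumptions), builds a per-user volume baseline from on-network access, and raises an alert only when a remote access also carries a volume far outside that baseline. Remote access at normal volume, or a large on-network transfer, is deliberately not flagged on its own.

```python
"""Baseline-vs-current anomaly check over data-access logs (added example; assumed log format)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample log. Assumed line format:
#   <timestamp> user=<id> src=<ip> action=<verb> object=<path> bytes=<count>
SAMPLE_LOG = """\
2022-03-01T09:02:11Z user=alice src=10.1.4.20 action=read object=/finance/q1.xlsx bytes=48210
2022-03-01T09:15:40Z user=alice src=10.1.4.20 action=read object=/finance/q1-notes.txt bytes=2200
2022-03-02T10:01:03Z user=alice src=10.1.4.20 action=read object=/finance/q2.xlsx bytes=51400
2022-03-03T08:47:59Z user=alice src=10.1.4.20 action=write object=/finance/q2.xlsx bytes=52010
2022-03-04T09:30:12Z user=alice src=10.1.4.20 action=read object=/finance/budget.xlsx bytes=61000
2022-03-04T18:10:00Z user=alice src=203.0.113.77 action=read object=/finance/q2.xlsx bytes=52010
2022-03-05T23:41:05Z user=alice src=203.0.113.77 action=read object=/finance/archive.zip bytes=9800000000
2022-03-05T23:42:30Z user=alice src=203.0.113.77 action=read object=/hr/personnel.db bytes=4200000000
2022-03-01T11:00:00Z user=bob src=10.1.7.9 action=read object=/eng/spec.pdf bytes=1200000
2022-03-02T11:05:00Z user=bob src=10.1.7.9 action=read object=/eng/spec-v2.pdf bytes=1300000
"""

# Assumed: the RFC 1918 ranges count as "inside the local network".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Turn one key=value log line into a dict; the 'bytes' field becomes an int."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, val = pair.split("=", 1)
        rec[key] = int(val) if key == "bytes" else val
    return rec


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(records):
    """Per-user mean and population stddev of bytes per access, from on-network events only."""
    volumes = defaultdict(list)
    for r in records:
        if is_internal(r["src"]):
            volumes[r["user"]].append(r["bytes"])
    return {user: (mean(v), pstdev(v)) for user, v in volumes.items()}


def detect_anomalies(records, baseline, z=3.0, fallback_factor=10.0):
    """Alert when an access is remote AND its volume is far above the user's on-network baseline."""
    alerts = []
    for r in records:
        if r["user"] not in baseline:
            continue  # no baseline yet; a separate new-user review rule would cover this case
        mu, sigma = baseline[r["user"]]
        # With too few samples sigma is 0; fall back to a plain multiple of the mean.
        limit = mu + z * sigma if sigma > 0 else fallback_factor * mu
        if not is_internal(r["src"]) and r["bytes"] > limit:
            alerts.append({"ts": r["ts"], "user": r["user"], "src": r["src"],
                           "object": r["object"], "bytes": r["bytes"], "limit": round(limit)})
    return alerts


def run_detection(log_text=SAMPLE_LOG):
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return detect_anomalies(records, build_baseline(records))


if __name__ == "__main__":
    for a in run_detection():
        print(f"ALERT {a['ts']} user={a['user']} src={a['src']} bytes={a['bytes']} "
              f"(baseline limit {a['limit']}) {a['object']}")
```

On the constructed log, only the two late-night remote transfers of several gigabytes by alice are flagged; her earlier remote read of a normally sized file and bob's on-network reads are not. In a real deployment the baseline would be rebuilt periodically from a trailing window, and the alert would be enriched with the privileged-user and session context the text mentions before an analyst sees it.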

Securing Cryptographic Keys

To successfully secure sensitive data, cryptographic keys used to encrypt and decrypt data must be secured, managed and controlled by your organization – not by a third-party solution or cloud provider. Unfortunately, with the growing number of siloed encryption solutions, agencies might end up with inconsistent policies, and different levels of protection, which in turn could drive up security costs.

Security of the encryption keys is absolutely critical to successfully deploying encryption to defend information. These keys must be secured separately from software, and stored in a tamper-resistant hardware security module.

Enterprise key management solutions let agencies manage encryption keys from a central location, which enables granular access control. Enterprise key management should cover key lifecycle tasks such as key generation, rotation, and destruction, and offer role-based access control to keys and policies, along with robust auditing and reporting.
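The lifecycle, role-based access and audit requirements of the last two paragraphs, as an added example that is not code from the article or from any Thales product: an in-memory key manager (an assumption standing in for an HSM-backed service) whose key versions move through active, deactivated and destroyed states, where rotation keeps the previous version decrypt-only so existing ciphertext stays readable, where an active version cannot be destroyed, and where every operation, allowed or denied, lands in an audit trail. The role names and permission sets are constructed for the example.

```python
"""Key lifecycle with role-based access and audit (added example; in-memory model, not an HSM)."""
import secrets
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional


class KeyState(Enum):
    ACTIVE = "active"            # may encrypt and decrypt
    DEACTIVATED = "deactivated"  # decrypt-only; the state a version enters after rotation
    DESTROYED = "destroyed"      # material wiped; metadata retained for audit


# Assumed role model (constructed for this example).
ROLE_PERMISSIONS = {
    "key-custodian": {"generate", "rotate", "destroy"},
    "application": {"use"},
    "auditor": {"report"},
}


class PermissionDenied(Exception):
    pass


class KeyVersion:
    def __init__(self, version: int, material: bytes):
        self.version = version
        self.material: Optional[bytes] = material
        self.state = KeyState.ACTIVE
        self.created = datetime.now(timezone.utc).isoformat()


class KeyManager:
    """Stand-in for an enterprise key manager; in practice the material would live inside an HSM."""

    def __init__(self, key_size: int = 32):
        self._size = key_size
        self._keys: Dict[str, List[KeyVersion]] = {}
        self.audit_log: List[dict] = []

    def _authorize(self, principal: str, role: str, op: str, key_name: str) -> None:
        allowed = op in ROLE_PERMISSIONS.get(role, set())
        # Every attempt is recorded before the operation runs, whether or not it is allowed.
        self.audit_log.append({"when": datetime.now(timezone.utc).isoformat(), "who": principal,
                               "role": role, "op": op, "key": key_name, "allowed": allowed})
        if not allowed:
            raise PermissionDenied(f"{principal} ({role}) may not {op} {key_name}")

    def _version(self, key_name: str, version: int) -> KeyVersion:
        return self._keys[key_name][version - 1]

    def generate(self, principal, role, key_name) -> int:
        self._authorize(principal, role, "generate", key_name)
        if key_name in self._keys:
            raise ValueError(f"{key_name} already exists; use rotate")
        self._keys[key_name] = [KeyVersion(1, secrets.token_bytes(self._size))]
        return 1

    def rotate(self, principal, role, key_name) -> int:
        """New active version; the previous one becomes decrypt-only so old ciphertext stays readable."""
        self._authorize(principal, role, "rotate", key_name)
        versions = self._keys[key_name]
        for v in versions:
            if v.state is KeyState.ACTIVE:
                v.state = KeyState.DEACTIVATED
        versions.append(KeyVersion(len(versions) + 1, secrets.token_bytes(self._size)))
        return versions[-1].version

    def destroy(self, principal, role, key_name, version) -> None:
        """Only a deactivated version may be destroyed; wiping the active one would orphan live data."""
        self._authorize(principal, role, "destroy", key_name)
        kv = self._version(key_name, version)
        if kv.state is not KeyState.DEACTIVATED:
            raise ValueError(f"{key_name} v{version} is {kv.state.value}; only deactivated versions can be destroyed")
        kv.material = None
        kv.state = KeyState.DESTROYED

    def key_for_encrypt(self, principal, role, key_name):
        self._authorize(principal, role, "use", key_name)
        active = next(v for v in self._keys[key_name] if v.state is KeyState.ACTIVE)
        return active.version, active.material

    def key_for_decrypt(self, principal, role, key_name, version) -> bytes:
        self._authorize(principal, role, "use", key_name)
        kv = self._version(key_name, version)
        if kv.state is KeyState.DESTROYED:
            raise LookupError(f"{key_name} v{version} was destroyed; data under it is unrecoverable")
        return kv.material

    def report(self, principal, role):
        self._authorize(principal, role, "report", "*")
        states = {name: [(v.version, v.state.value) for v in vs] for name, vs in self._keys.items()}
        return states, list(self.audit_log)


def demo():
    """Walk one key through generate, use, rotate, a denied rotation, destroy and an audit report."""
    km = KeyManager()
    km.generate("carol", "key-custodian", "db-master")
    v1, k1 = km.key_for_encrypt("billing-svc", "application", "db-master")
    km.rotate("carol", "key-custodian", "db-master")
    v2, _ = km.key_for_encrypt("billing-svc", "application", "db-master")
    old_still_readable = km.key_for_decrypt("billing-svc", "application", "db-master", v1) == k1
    denied = 0
    try:
        km.rotate("billing-svc", "application", "db-master")  # an application may not rotate keys
    except PermissionDenied:
        denied += 1
    km.destroy("carol", "key-custodian", "db-master", v1)
    states, log = km.report("dave", "auditor")
    return {"v1": v1, "v2": v2, "old_still_readable": old_still_readable,
            "states": states["db-master"], "denied": denied, "audit_entries": len(log)}


if __name__ == "__main__":
    print(demo())
```

The point of the state machine is the ordering it enforces: data encrypted under version 1 remains decryptable after rotation, the custodian can only destroy a version once nothing should still be encrypting under it, and the denied rotation attempt by the application shows up in the auditor's report alongside the successful operations.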

The end of “castle and moat” thinking

On the surface, the requirements of the May 2021 EO 14028 and the NSM may have seemed like a ground-breaking call to action. The reality, however, is that many agencies have already been hard at work creating systems to protect the federal infrastructure from security violations, ransomware attacks and other disruptive measures by bad actors.

What the NSM does indicate, however, is a fundamental change in federal cybersecurity philosophy: from a “castle and moat” approach, where each agency applies its own cyber strategies to secure itself from attack, to a cross-agency approach that enables the federal infrastructure as a whole to benefit from the most advanced technologies and strategies to minimize the threat of cyber attack.

Cybersecurity protection for IT infrastructure, and data security in particular, is a process that should be approached pragmatically and purposefully. It is tempting to buy into solutions like the cloud as a means to address security concerns. But as previously noted, cloud security is a shared responsibility. Cloud providers only ensure security of the cloud; security of information in the cloud is still expected to be the domain of each individual organization.

It’s not practical to build a cybersecurity strategy to prevent breaches. If we’ve learned nothing from the events of the past several years, we at least should know that breaches will inevitably happen. So the proper course of action is to create a cyber strategy that acknowledges that likelihood, and to plan on ways to mitigate the damage from the attack and recover as quickly as possible. That means having backup strategies and a way to secure data so that it cannot be used by anyone gaining access to your system without appropriate authorization.

The administration is to be credited for understanding that security does not mean putting an imaginary moat around the castle of your agency. Security threats are changing all the time, as is the way people access the data they need to do their jobs. After all, you can’t put a moat around a cloud.

Take steps now to comply with the range of requirements suggested in both the EO 14028 and the more recent National Security Memorandum. You can be confident that your infrastructure will be prepared to handle the fallout from any unwanted incursions – and you’ll keep your mission-critical data from being compromised.

About Thales TCT

Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., protects the most vital data from the core to the cloud to the field. We serve as a trusted, U.S. based source for cyber security solutions for the U.S. Federal Government. Our solutions enable agencies to deploy a holistic data protection ecosystem where data and cryptographic keys are secured and managed, and access and distribution are controlled.

For more information, visit

About IC Insiders

IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.