Federal agencies are facing the most critical catalyst for stronger cybersecurity in a long time. Unfortunately, it’s taken a long time—and several disruptive supply-chain breaches—to elevate access security and zero trust to requirements with the force of law. But it’s better late than never.
On May 12, 2021, President Biden threw down the gauntlet. The Executive Order on Improving the Nation’s Cybersecurity (EO 14028) charges federal agencies to take immediate steps to fortify the nation’s cybersecurity to protect critical infrastructure, supply chains, and government networks. “Critical infrastructure” includes transportation, commercial facilities, energy, chemical, and nuclear plants among the 16 sectors defined by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
So, what has privileged access management (PAM) got to do with protecting the nation’s infrastructure and supply chains?
Glad you asked.
Security directives rarely provide detailed guidance on how organizations should implement the requirements they set forth. EO 14028 is no different.
To that end, the Executive Order assigned the National Institute of Standards and Technology (NIST) the task of developing guidelines to help Federal Civilian Executive Branch (FCEB) agencies deploy the necessary security controls and procedures. NIST, in turn, published several recommendations, including “Security Measures for ‘EO-Critical Software’ Use Under Executive Order (EO) 14028,” which aligns with best practices from CISA, NIST SP 800-63, and NIST SP 800-207.
All these security frameworks align with a zero trust security model, supported by privileged access management.
In the Executive Order, the President shined a bright light on software security, recognizing the need to secure access to software and supporting systems to prevent supply-chain breaches. This is a first for federal government security requirements. What helped spur this recognition, of course, is an uptick in software-related supply-chain incidents, notably the SolarWinds, Microsoft Exchange, and Colonial Pipeline attacks.
As the Order outlines in Section 4, “the security and integrity of ‘critical software’—software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources)—is a particular concern.”
A key trait of supply chains that appeals to nation-state actors and cybercriminals is the number of entities involved. There’s a good chance of finding one with weak access controls, unmanaged service accounts, hard-coded credentials in software, and staff susceptible to social engineering or phishing.
In its 2020 Data Breach Report, the Identity Theft Resource Center (ITRC) highlighted that “supply chain attacks are increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor.” Put another way, the more entities involved in a supply chain, the more likely a threat agent is to find a way inside, elevate credentials to become a superuser, and take down the entire chain.
How does PAM help to address this challenge?
PAM secures access to sensitive applications and to the computers, servers, virtual instances, and containers they run on, across on-prem, cloud, or hybrid infrastructure. Before systems in a supply chain can connect and share information, they must authenticate with PAM controls. PAM then grants access, monitors all privileged activity, and maintains an immutable audit trail.
Especially important in extended supply chains with numerous parties and automated systems, PAM supports just-in-time privilege elevation workflows to control who can run EO-critical apps and commands, when, and for how long.
PAM removes implicit trust for privileged access by implementing the principle of least privilege. Instead of implicitly trusting a user with a valid credential, PAM verifies privileges at every step in your workflow, from granting and delegating access to elevating and approving access. In this way, PAM is essential for implementing a zero trust framework.
Delinea is a PAM leader with a modern, cloud-based solution that defines the boundaries of access. Federal agencies and federal contractors rely on Delinea to address the requirements of Executive Order 14028. Learn more about how Delinea PAM supports the NIST Security Measures for Executive Order 14028 in our recent whitepaper.