How Human Security Testing Helps the U.S. Government’s Zero Trust Mandate
Some may be surprised to learn the federal government is implementing Zero Trust faster than the private sector. A recent survey of security leaders across the public and private sectors finds 72% of federal agencies have made progress in implementing a Zero Trust framework compared to 55% of companies globally. The additional $50 million allocated to the Technology Modernization Fund in the recently signed Consolidated Appropriations Act of 2023 provides even more resources to enable the federal Zero Trust transition.
One major reason for the progress is a May 2021 Executive Order that pushes federal agencies to speedily embrace the “never trust; always verify” cybersecurity paradigm of Zero Trust. As the 72% figure suggests, the federal government has made significant progress toward achieving the goal of that executive order. The final, more detailed Zero Trust strategy, released by the White House Office of Management and Budget (OMB) in January 2022, identifies five primary cybersecurity goals to be achieved by October 2024 and is helping agencies defy the common stereotype of government sluggishness.
At this point, the federal government hasn’t mandated Zero Trust for government contractors. Yet this significant revamp of the federal government’s approach to cybersecurity will surely impact the thousands of companies holding government contracts. Organizations need to align as soon as possible with the federal Zero Trust strategy in both their own operations and their government offerings; it seems likely that those who are quickest to do so will see new business opportunities as federal agencies upgrade their technology products and services to enable the new approach.
As organizations shift to Zero Trust architecture, they must acknowledge any and all of their software may be accessible from outside their organization. This makes it more important than ever for external security testing to identify any vulnerabilities and verify that their Zero Trust deployment is effective.
What is Zero Trust?
The previously predominant cybersecurity model is perimeter-based, in which firewalls and VPNs create a barrier around an organization’s IT environment. Within the secure perimeter, users and devices are generally trusted and free to access many internal applications and systems without significant additional checks. VPN-based approaches often have very little system security checking and are not tied as tightly to a user as we would hope. Because trust is broadly granted, the stakes of a breach are very high, and both external attackers and malicious insiders can use the approach’s default trust to pivot laterally within the network to cause additional harm. The perimeter can be highly resource-intensive to maintain and monitor, particularly with the proliferation of connected devices and remote access.
In a Zero Trust model, no user or device is implicitly trusted, and a breach is assumed likely at any time. Users are denied access to everything but the bare minimum necessary to perform their job, which ensures maximum security and contains damages. Zero Trust aims to fully authenticate, authorize, and encrypt every request as though it originated from an open network. Identity hand-offs rather than a perimeter become the primary security tool.
The OMB’s implementation of Zero Trust outlines five goals (aligned with the five pillars of the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model) to be achieved by October 2024.
- Objectives for the Identity pillar include using Single Sign-On (SSO) and multifactor authentication (MFA) for agency staff.
- Under the Devices pillar, the Federal government will completely inventory their owned and operated devices and be able to detect and respond to incidents on those devices.
- Agency tasks under the Networks pillar include encrypting DNS and HTTP traffic and subdividing network perimeters around applications.
- The Applications and Workloads involve treating all applications as connected to an open network, routinely subjecting agency applications to rigorous empirical testing, and welcoming external vulnerability reports.
- The Data pillar requires agencies to implement protections based on “thorough data categorization,” enterprise-wide logging and information sharing, and cloud security services to monitor access to their sensitive data.
The Zero Trust model has many strengths compared to the previous perimeter-based approach. Its adoption will ultimately bring increased security and likely ease the IT maintenance burden on organizations. However, Zero Trust brings new risks by exposing applications and systems to the open internet that have never been outside the comfort of an ostensibly secure perimeter. During this transition, it is particularly vital to continuously check and verify your new configurations, authentications, tools, and dependencies.
How do Vulnerability Disclosure Program programs fit in?
The core of a successful Zero Trust solution is strong enterprise identity and access control. Beyond that, organizations, whether government agencies or the contractors they partner with, must understand their networks' vulnerabilities to implement this new approach to cybersecurity fully.
The OMB guidance highlights that “agencies should scrutinize their applications as our nation’s adversaries do,” which means inviting “external partners and independent perspectives to evaluate the real-world security of agency applications.” Further underlining this, the guidance explicitly calls for agencies implementing Zero Trust to “maintain an effective and welcoming public Vulnerability Disclosure Program for their internet-accessible systems.”
How HackerOne aligns with a Zero Trust mandate
At HackerOne, we empower the world to make the internet safer by closing the gap between what organizations own and what they can protect. By blending the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the ever-evolving digital attack surface, we help our customers keep their systems safe.
Our model is deeply aligned with a Zero Trust approach, relying on the world’s largest community of independent ethical hackers to continuously check, verify, and examine an organization’s attack surface to understand where vulnerabilities may lie. Under the old perimeter security paradigm, within which everything was assumed safe, an organization did not necessarily need to security test all software because it was supposed to be protected by a firewall or other perimeter. But in a Zero Trust world, organizations must assume that any and all software is accessible from the outside, and security testing must therefore be all-encompassing.
This is especially important during the transition to Zero Trust. Most organizations do a phased rollout of Zero Trust, implementing their new Zero Trust tools for identity verification and system security and then moving an application at a time outside the perimeter. Our products and platform allow organizations to turn to the ethical hacking community as partners to verify their Zero Trust approach as it is deployed, identifying misconfigurations, exposed subdomains, and broken dependencies. Organizations can update the scope of their testing as they go, inviting a fresh look at the latest applications to roll out under the Zero Trust approach. In this way, HackerOne helps ensure that a Zero Trust implementation is successful by identifying and addressing vulnerabilities across the attack surface, giving organizations complete confidence their systems are secure.
Once the transition to a Zero Trust architecture is largely complete, it remains vital to receive and respond to vulnerability reports. HackerOne is the industry leader in enabling organizations to run successful external Vulnerability Disclosure Program programs, which are vital for modern organizations to continuously test their systems, understand where their weaknesses are, and stay ahead of threats.
OMB’s recognition of the importance of Vulnerability Disclosure Program programs in a Zero Trust strategy is a crucial step forward in helping organizations better understand their attack landscape and protect their assets. HackerOne is ready to be a key part of your Zero Trust solution.