How Beyond Identity Addresses the Executive Order on Improving Cybersecurity
On May 12, 2021, President Biden issued an Executive Order on Improving Cybersecurity to address the growing cyber threat our nation faces. This is no surprise. High-profile ransomware attacks keep dominating the news, proving how vulnerable infrastructure and supply chains can be.
Financially motivated hackers and nation-state adversaries won’t be stopping any time soon. And so the Executive Order aims to ensure that the “prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.”
The Order provides guidance so the federal government can make “bold changes and significant investments” to its security infrastructure while partnering with the private sector to accomplish this goal. This will have a ripple effect on providers of SaaS, infrastructure PaaS, and IaaS who work with the government.
As such, we wanted to offer our perspective on the Executive Order, particularly as it relates to Zero Trust authentication.
Key Sections We Can Help With
In total, the Order defines cybersecurity policy in eight sections. It also requires that NIST define new standards to ensure compliance for the agencies and cloud service providers the government will increasingly be using.
This blog covers three sections from the Executive Order where Beyond Identity can help you today. Each section title is self-explanatory. Rather than summarize the sections, we provide suggestions on how to follow the Executive Order’s guidelines.
Our goal is to future-proof your organization and help you embrace this Executive Order for all things related to secure authentication, ransomware prevention, and Zero Trust architectures.
Section 3: Modernizing Federal Government Cybersecurity.
The Executive Order says Zero Trust is essential here. According to NIST SP 800-207:
“Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.”
With Beyond Identity, Zero Trust depends on eliminating passwords as a form of authentication. And because anyone with a password can log in from any device, strong authentication should include validating the device being used to access a given resource. Even with legacy multi-factor authentication (MFA), two problems remain:
- Legacy MFA relies on passwords and other weak factors, meaning it can be easily bypassed.
- MFA doesn't allow you to restrict the device being used to access resources or give any insight into the security level of the device before granting access.
Beyond Identity eliminates passwords and binds the user's identity to the device, ensuring both are cryptographically validated for every login transaction. Thus we can positively validate the user and the device and ensure the device is connected to an authorized identity. We also understand the risk posed by the device being used to access applications and can deny that access when risk tolerance is exceeded.
If you’re looking into Zero Trust initiatives, here’s what Beyond Identity provides:
- Strong, passwordless MFA that doesn’t rely on passwords or any weak factors (like one-time codes, SMS verification, or out-of-band verification).
- Verification of the identity behind the device and assurance that the device is secure enough to access a specific resource, stopping unauthorized users and insecure devices from accessing critical, organization-owned resources.
- Risk/compliance policy-based access control that allows continuous enforcement of strong authentication and device trust.
- An immutable record proving compliance with requirements around authentication and access control. Within NIST 800-53B, we satisfy the following controls:
  - 3.1 Access Control Family
  - 3.7 Identification and Authentication Family
  - 3.20 Supply Chain Risk Management Family
You need stronger technology to authenticate users. Beyond Identity will check every user and every device, every time, with strong, industry-standard asymmetric cryptography.
Section 4: Enhancing Software Supply Chain Security.
Every organization that produces software applications and computing infrastructure for the government (or any other organization) is a possible attack vector for adversaries. We learned this very clearly with the SolarWinds hack.
Beyond Identity can tie every piece of software that is developed and submitted to the code repository back to an identity in a cryptographic way that provides a complete record of source code provenance.
We help with two critical tasks:
- Cryptographically bind the keys required to access infrastructure like Continuous Integration and Continuous Deployment (CI/CD) pipelines and code repositories to a validated identity.
- Bind the cryptographic keys used to sign source code to a user identity to ensure you know exactly who’s checking code into the repository.
We can deny the ability to check in code based on whether it is associated with a known and approved corporate identity. We can also ensure that developers are only submitting code from devices that are authorized and that the device meets risk policies at the time of authentication, mitigating the addition of malware from a home computer, for example.
Section 6: Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents.
As part of a responsive playbook, Beyond Identity supports the basic functions of NIST: identify, protect, detect, and respond.
- Identify: We cryptographically bind devices with user identities so organizations can positively identify who has access to cloud resources and what device they can use.
- Protect: We allow for the creation of precise risk policies that guarantee only protected assets can authenticate to resources and applications. We ensure not only that the identity is permitted to receive information, but also that it can receive that information on the device being used. This allows organizations to customize their security and compliance policies to meet risk tolerance in every situation.
- Detect: We detect unauthorized and incompatible access requests and machine compromise. Dozens of user behavior and device security posture attributes are assessed during each authentication request. If you have an MDM or other endpoint security in place, its attributes can add context to the authentication decision as well.
- Respond: We provide an immutable record of every login transaction that is tied to the identity and includes the policy and decision made.
How Beyond Identity Addresses Mandates in the Executive Order
We validate that only authorized users and devices are getting access to your critical resources. And we provide an immutable record so that you can prove compliance or run crisp investigations.
Beyond Identity is cloud-native to begin with and low-touch from an administrator perspective, and we help organizations move to the cloud safely and quickly via our partner integrations.