NSA releases guidance on advancing zero trust maturity for application, workload security

The U.S. National Security Agency (NSA) published on Wednesday a cybersecurity information sheet (CSI) to help organizations secure applications from unauthorized users and ensure continuous visibility of the workload at any given time. The document provides recommendations for achieving progressive levels of application and workload capabilities under the ‘never trust, always verify’ Zero Trust (ZT) paradigm. It discusses how these capabilities integrate into a comprehensive ZT framework. ZT implementation efforts are intended to continually mature cybersecurity protections, responses, and operations over time.

Titled ‘Advancing Zero Trust Maturity Throughout the Application and Workload Pillar,’ the guidance outlined that granular access controls and integrated threat protections can offer enhanced situational awareness and mitigate application-specific threats. The application and workload pillar depends on various capabilities, including application inventory; secure software development and integration; software risk management; resource authorization and integration; and continuous monitoring and ongoing authorizations. 

The document provides recommendations for achieving progressive levels of application and workload pillar capabilities and further discusses how these capabilities integrate into a comprehensive ZT framework. National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) owners should use this and other guidance to develop concrete steps for maturing their application and workload security. 

“This guidance helps organizations disrupt malicious cyber activity by applying granular access control and visibility to applications and workloads in modern network environments,” Dave Luber, NSA’s director of cybersecurity, said in a media statement. “Implementing a Zero Trust framework places cybersecurity practitioners in a better position to secure sensitive data, applications, assets, and services.”

The document provides guidance primarily intended for NSS, DoD, and the DIB, but may be useful for owners and operators of other systems that sophisticated malicious actors might target. Guidance for other system owners and operators is also available via the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA). This guidance is compatible with the DoD’s Cybersecurity Reference Architecture (CSRA) Version 5.0, the DoD ZT Reference Architecture (ZTRA) Version 2.0, and the DoD ZT Strategy.

The DoD ZT Security Model can be illustrated as seven pillars comprising the complete cybersecurity posture. Adopting a ZT framework bolsters the protection of critical applications and workloads with a decisive shift from a network-centric to a data-centric security model (DSM) and granular implementation of attribute-based access control (ABAC) for every data access.

A modernized ZT framework integrates visibility from multiple vantage points, makes risk-aware access decisions, and automates detection and response. The application and workload pillar disrupts the efforts of malicious actors by bringing granular access control and visibility to applications and workloads in the environment. By implementing this ZT security model, applications are hidden from unauthorized users and there is no ability to scan for resources beyond the requested application. 

Organizations that have robust identity management for authorized users and have integrated continuous automated monitoring into their security strategy will have full visibility to trace every transaction and pinpoint exactly what each workload is doing at any given moment. The workloads enforce granular, consistent access control to applications across disparate data centers and cloud environments. Implementing such a framework places cybersecurity practitioners in a better position to secure sensitive data, applications, assets, and services (DAAS).

The spectrum of applications and workloads includes individual tasks on end-user systems, services executing on on-premises servers, and applications or services running in cloud environments. ZT workloads span the complete application stack from the application layer to the hypervisor. Securing and properly managing the application layer as well as compute containers and virtual machines is central to ZT adoption. 

The CSI also details progressively maturing capabilities in the application and workload pillar. It includes recommendations and examples for achieving increasing maturity levels, from initial preparation, through the basic and intermediate phases, and finally to the advanced ZT level for making risk-aware, fine-grained access decisions. 

Applications and workloads are mutually dependent. Applications include any computer programs and services that execute in on-premises and cloud environments. While applications are the individual tools that serve business needs, workloads can be standalone solutions or tightly coupled groups of processing components performing mission functions. Workload implementations should dynamically segregate processing components and compute containers by filtering and applying access rules between components to increase the logical separation between critical resources and threat actors. 

Conducting an inventory of applications and workloads is a critical first step to implementing ZT. These resources must be identified and categorized so that cybersecurity protection requirements can be prioritized for critical assets, especially for application updates. An inventory of organizational application assets is a crucial and effective ZT approach to improving an organization’s cybersecurity posture.

Most organizations rely on software and code from sources that could contain vulnerabilities or maliciously injected functionality. Having secure software that can be relied on to perform its intended functions, and not be exploited to perform malicious operations, is just as important as, if not more important than, securing the provided software. The ZT model recommends adopting the DevSecOps framework and utilizing the continuous integration/continuous delivery (CI/CD) approach for organizations that develop applications, to ensure secure development and deployment.

Developed source code and common libraries should be vetted through DevSecOps development practices to secure applications from inception. The ZT approach entails incorporating security controls through every phase of the development and deployment process. CISA outlines the concept of ‘Secure by Design’ software development in which security considerations are made during the initial software design phase. This ensures the number of exploitable flaws is reduced before that software hits the market, and the total number of flaws is significantly fewer over the entire lifecycle of the software. 

Consequently, organizations should address the security of all APIs and implement network micro-segmentation to isolate applications and workloads. Micro-segmentation can help alleviate security challenges by creating separate logical network segments dedicated to the application’s traffic. Another security measure that is essential to the security of all applications is using strong encryption algorithms to ensure data the application relies on is protected at rest and in transit.

The NSA also addressed managing software risk, which involves calculating risk against need and ensuring that components of the supply chain are secure, vulnerabilities are reduced, and the organization is aware of residual risks.

Organizations must ensure that all needed resources are available and allocated to allow continual validation of these risks and their mitigations. Those resources must also comply with modern authorization policies that limit access based on the principle of least access and implement ABAC for granular access decisions, or else be placed behind application gateways or proxies. 
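As an added illustration (not code from the CSI or from NSA), the block below is a minimal policy decision point in Python that applies the default-deny, attribute-based model the article describes to the two cases discussed above: same-segment access between workload components, and cross-segment access that must pass through an application gateway. The attribute names, rule names, segment labels and sample requests are constructed assumptions; every decision is appended to an audit list so each transaction can be traced, in the spirit of the continuous monitoring the guidance calls for.

```python
"""Minimal attribute-based access control (ABAC) policy decision point.

Added example for illustration only; it is not code from the NSA CSI.
The attribute names, rule names and sample requests are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    subject: Dict      # who or what is asking: role, segment, device posture, gateway path
    resource: Dict     # what is asked for: name, segment, data classification
    action: str        # e.g. "read" or "write"
    environment: Dict  # context at decision time: MFA state, hour of day


Condition = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]

    def matches(self, req: Request) -> bool:
        # Every condition must hold; a missing attribute simply fails its condition.
        return all(cond(req) for cond in self.conditions)


# Constructed policy. Rules only ever grant; anything unmatched is denied.
POLICY: List[Rule] = [
    # Workload components in the same segment may read from each other,
    # but only from a device or container that reports a compliant posture.
    Rule("same-segment-read", [
        lambda r: r.action == "read",
        lambda r: r.subject.get("segment") is not None and r.subject["segment"] == r.resource.get("segment"),
        lambda r: r.subject.get("device_posture") == "compliant",
    ]),
    # Cross-segment reads must traverse an application gateway, use MFA,
    # and never reach data classified as restricted.
    Rule("cross-segment-via-gateway", [
        lambda r: r.action == "read",
        lambda r: r.subject.get("segment") != r.resource.get("segment"),
        lambda r: r.subject.get("via_gateway") is True,
        lambda r: r.environment.get("mfa") is True,
        lambda r: r.resource.get("classification") != "restricted",
    ]),
    # Writes are limited to admins, with MFA, during business hours.
    Rule("admin-write-business-hours", [
        lambda r: r.action == "write",
        lambda r: r.subject.get("role") == "admin",
        lambda r: r.environment.get("mfa") is True,
        lambda r: 8 <= r.environment.get("hour", -1) < 18,
    ]),
]


def decide(req: Request, audit: List[str], policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return ("PERMIT" | "DENY", reason) and append one audit line.

    First matching rule wins; with no match the request is denied, so a request
    missing any attribute a rule relies on cannot be accidentally permitted.
    """
    decision, reason = "DENY", "no matching rule (default deny)"
    for rule in policy:
        if rule.matches(req):
            decision, reason = "PERMIT", rule.name
            break
    audit.append(f"{decision} {req.action} {req.resource.get('name')} "
                 f"by {req.subject.get('id')} ({reason})")
    return decision, reason


def evaluate_samples() -> Dict[str, str]:
    """Run constructed sample requests through the policy; returns label -> decision."""
    frontend = {"id": "web-frontend", "role": "service", "segment": "web", "device_posture": "compliant"}
    analyst = {"id": "analyst-1", "role": "analyst", "segment": "corp",
               "device_posture": "compliant", "via_gateway": True}
    admin = {"id": "admin-1", "role": "admin", "segment": "mgmt", "device_posture": "compliant"}
    cache = {"name": "api-cache", "segment": "web", "classification": "internal"}
    db = {"name": "customer-db", "segment": "data", "classification": "restricted"}
    reports = {"name": "reports", "segment": "data", "classification": "internal"}
    ctx = {"mfa": True, "hour": 10}

    samples = {
        "frontend reads cache in own segment": Request(frontend, cache, "read", ctx),
        "frontend reads restricted db across segments": Request({**frontend, "via_gateway": True}, db, "read", ctx),
        "analyst reads reports via gateway": Request(analyst, reports, "read", ctx),
        "admin writes reports at 10:00 with MFA": Request(admin, reports, "write", ctx),
        "admin writes reports at 03:00": Request(admin, reports, "write", {"mfa": True, "hour": 3}),
        "frontend with unknown posture reads cache": Request({"id": "web-frontend", "segment": "web"}, cache, "read", ctx),
    }
    audit: List[str] = []
    results = {label: decide(req, audit)[0] for label, req in samples.items()}
    for line in audit:
        print(line)
    return results


if __name__ == "__main__":
    evaluate_samples()
```

Two design points carry the ZT intent: the policy has no "allow" fallback, so an unknown or unreported attribute (such as the missing device posture in the last sample) results in a denial rather than a permit, and the cross-segment rule encodes the gateway requirement as an attribute of the request, so a component that bypasses the gateway fails the rule even if every other attribute is in order.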

Proxies or application firewalls may also be used to mitigate other application risks, such as application vulnerabilities and exploitation attempts. Regular security assessments, including penetration testing and vulnerability scanning, should be conducted to identify and remediate security weaknesses and risks proactively.

In March, the NSA released a CSI that details curtailing adversarial lateral movement within an organization’s network to access sensitive data and critical systems. The zero trust network and environment pillar curtails adversarial lateral movement by employing controls and capabilities to logically and physically segment, isolate, and control access (on-premises and off-premises) through granular policy restrictions. It also strengthens internal network control and contains network intrusions to a segmented portion of the network using zero-trust principles.
