In case you missed it, there’s been a lot going on this week in the world of identity management. Venafi just concluded our third annual Machine Identity Management Global Summit during which we heard from both public and private sector leaders on the critical impacts and organizational wins arising from implementing a strong machine identity management program. We heard from GSA on the implications of agencies deploying Digital Workers at the cusp of human and machine identity management—including the risks and recommendations of supervised vs unsupervised digital workers. We also heard from Gartner on why machine identity management is on their list of Top Security and Risk Trends for 2021 alongside identity-first security just ahead of their own Identity and Access Management Summit.
Now, on the heels of yet another major cyber attack on American critical infrastructure that shut down the Colonial Pipeline, causing gas shortages and a run on gas stations across the East Coast, we finally see the Biden Administration’s much anticipated Executive Order on Improving the Nation’s Cybersecurity. “The Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
Within the Executive Order, we see multiple decisive action items for the government going forward—and recommendations for the private sector to follow suit. Many of these actions connect directly into the themes and recommendations of this week’s events. Among them, the following directives stand out:
Sec. 3. Modernizing Federal Government Cybersecurity further directs agencies to:
- Advance toward Zero Trust Architecture (ZT/ZTA). At the heart of ZT is identity. NIST 800-207 combines human and machine identities broadly into “subjects.” Under ZT, then, these subjects are granted the minimum access their identified need requires, combined with continuous authentication and authorization of every access request. For the non-human subjects, automated machine identity management is imperative to support this persistent credential analysis of each and every subject.
- Adopt encryption for data at rest and in transit to the maximum extent consistent with Federal records laws. We’ve been adopting HTTPS everywhere standards for years (OMB 15-13), but as legacy sites and intranets achieve higher rates of encryption adoption, their machine identity management needs increase. We all too often hear from agencies that they’re still trying to manage certificates on spreadsheets, but doubling down on encrypted data in transit will once and for all lay those spreadsheets to rest in favor of automated solutions.
Sec. 4 then follows with directives on Enhancing Software Supply Chain Security. More to come on this from NIST based on the timelines set forth in the EO, but with software being developed not only outside but also inside government agencies, the directive to take action to rapidly improve the security and integrity of the software supply chain creates more urgency for agencies to address the code signing processes employed internally and by their contractor organizations.
Specifically, the EO seeks to attain guidance from NIST to set standards, procedures and criteria regarding things like:
- Securing software development environments
- Generating and providing artifacts that demonstrate conformance to the processes (to be defined)
- Employing automated tools to maintain trusted source code supply chains, thereby ensuring the integrity of the code
- Employing automated tools that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release
- Providing artifacts of the execution of the tools and processes, and making publicly available summary information on completion of these actions, to include a summary description of the risks assessed and mitigated
- Maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis
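To make the last four bullets concrete, here is an added example (not from the original post, and not Venafi's or NIST's code) of a minimal release gate: it checks each component present in a build tree against a pinned provenance manifest of expected SHA-256 hashes, refuses components that are not listed or whose hash does not match, blocks on entries from an advisory list, and emits a summary artifact containing only counts. The component names, contents, versions and the advisory identifier are constructed placeholders, not real packages or CVEs.

```python
"""Release gate over a pinned provenance manifest (added example, constructed data)."""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample: the bytes of each third-party component as they should
# appear in a trusted build tree. Real builds would read files from disk.
COMPONENT_CONTENTS = {
    "libfoo": b"libfoo 1.4.2 build artifact",
    "parserlib": b"parserlib 0.9.0 build artifact",
    "logkit": b"logkit 2.1.0 build artifact",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the integrity anchor for a component."""
    return hashlib.sha256(data).hexdigest()


# Pinned manifest: the provenance record of what each component must be.
# Hashes are derived from the constructed contents so the example runs offline.
PINNED_MANIFEST = {
    "libfoo": {"version": "1.4.2", "sha256": sha256_hex(COMPONENT_CONTENTS["libfoo"])},
    "parserlib": {"version": "0.9.0", "sha256": sha256_hex(COMPONENT_CONTENTS["parserlib"])},
    "logkit": {"version": "2.1.0", "sha256": sha256_hex(COMPONENT_CONTENTS["logkit"])},
}

# Constructed advisory feed: (component, affected version) -> placeholder id.
KNOWN_VULNERABLE = {("parserlib", "0.9.0"): "ADVISORY-PLACEHOLDER-001"}


@dataclass
class GateResult:
    passed: bool
    integrity_failures: list = field(default_factory=list)
    unlisted_components: list = field(default_factory=list)
    vulnerable_components: list = field(default_factory=list)


def run_release_gate(build_inputs: dict, manifest: dict, advisories: dict) -> GateResult:
    """build_inputs maps component name -> bytes actually present in the build.

    A component fails the gate if it is absent from the manifest, if its hash
    differs from the pinned value, or if its pinned version has an advisory.
    """
    result = GateResult(passed=True)
    for name, data in build_inputs.items():
        pinned = manifest.get(name)
        if pinned is None:
            result.unlisted_components.append(name)
            continue
        if sha256_hex(data) != pinned["sha256"]:
            result.integrity_failures.append(name)
        advisory = advisories.get((name, pinned["version"]))
        if advisory:
            result.vulnerable_components.append((name, pinned["version"], advisory))
    result.passed = not (
        result.integrity_failures or result.unlisted_components or result.vulnerable_components
    )
    return result


def summary_artifact(result: GateResult) -> str:
    """Publishable summary: counts only, no hashes, paths or internal names."""
    return json.dumps(
        {
            "release_approved": result.passed,
            "integrity_failures": len(result.integrity_failures),
            "unlisted_components": len(result.unlisted_components),
            "known_vulnerabilities_blocking": len(result.vulnerable_components),
        },
        sort_keys=True,
    )


if __name__ == "__main__":
    # Constructed tampered build tree: one component modified, one not in the manifest.
    tampered = dict(COMPONENT_CONTENTS)
    tampered["logkit"] = b"logkit 2.1.0 build artifact (modified)"
    tampered["mystery-dep"] = b"unknown origin"
    print(summary_artifact(run_release_gate(tampered, PINNED_MANIFEST, KNOWN_VULNERABLE)))
```

The gate keeps the detailed findings (which component, which hash) for the internal audit record and publishes only the summary, which mirrors the split the EO draws between the artifacts an agency retains and the summary information it makes public.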
We’ll see what NIST ultimately comes out with, and while I’m paid to say nice things about Venafi, it’s nice to see that the government’s trusted partner in machine identity management is already ahead of this curve to help agencies meet such requirements.
The administration wisely acknowledges that, “in the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.” As our CEO, Jeff Hudson, introduced at this week’s summit, “FASTSECURE” is the new mindset on which we’ll build a fast, secure, digitally transformed network and government on our way to ensuring the trustworthiness of our digital infrastructure.