The changing cybersecurity landscape demands evolving technology and policy to help Federal agencies combat cyber threats and build resilience. MeriTalk spoke with Bryan Rosensteel, public sector cybersecurity architect at Cisco’s Duo Security, about the expansion of agency networks beyond traditional perimeters, how the Continuous Diagnostics and Mitigation (CDM) program is adapting to the changing landscape, and how dynamic authentication can help agencies stay ahead of bad actors.
MeriTalk: For FY21, the CDM program is putting a big focus on building out capabilities for mobile and cloud security. What are the top priorities the program needs to consider on these fronts?
Rosensteel: CDM is only as good as the data you can ingest, inspect, and gain insights from. With TIC 3.0, the Federal government and its industry partners, like Duo, are decentralizing a lot of ways we’re gaining access to information, and that is compounded by the rapid adoption of cloud infrastructure and applications.
That means that we no longer have central pipes and can say, “This is everything that’s coming through.” Now, some users may be going directly to a cloud application, and we need to figure out how we still get the cyber data we need. If we don’t do a good job of that, the data we are ingesting will be increasingly less valuable.
Data collection cannot be solely reliant on sensors in an environment. We need to understand where the network is, and therefore where the best place is to gather the data we need to adequately assess our cyber posture.
MeriTalk: How quickly do you think mobile capabilities can roll out, and how will 5G on mobile affect this?
Rosensteel: The pandemic accelerated mobile adoption, and 5G is going to fuel that acceleration even more, because it’s going to bring greater speed to mobile devices than the typical home internet connection. We need to ensure the data we’re bringing in to CDM from mobile devices is valuable. CDM is all about having sensors that collect data and centralizing that data to perform analysis in real time. But using sensors to collect mobile data may not be feasible or effective. Instead, we have to look at common focal points for mobile data, one of which is authentication. We can then build automated tools around authentication to speed collection and analysis. Automation is critical in the mobile realm.
MeriTalk: How does the government’s Federal Identity, Credential, and Access Management (ICAM) program align with CDM, and why is this important as we continue to operate in a max-telework environment?
Rosensteel: In some ways they align very well, but they don’t align in one critical area: privileged access management (PAM). CDM basically says Personal Identity Verification (PIV) is for everything. But for PAM, that doesn’t align with ICAM best practices.
PIV is meant to be issued to one individual, and it’s only intended for non-privileged accounts. For privileged accounts, some agencies have issued a public key infrastructure (PKI) smart card, some use derived credentials, and others have direct binding of the PIV to admin accounts.
But some users may have more than one admin account, and others may share admin accounts. We like to say that should never happen, but it does. Traditional PKI and PIV especially do not work in these cases. I’d like to see CDM address this moving forward.
MeriTalk: Considering PAM, what is the necessary separation of controls for users?
Rosensteel: CDM focuses on limiting the over-privileging of users. In the past, we’ve given admins all kinds of access, and they end up collecting way more privileges than they should. Tracking and limiting privileges is really important.
Separation of control needs to happen between the authoritative source of a user’s identity or access and the authenticators. For example, in a multi-tier Active Directory environment, typically a domain admin can modify group policy to add or elevate themselves to any admin group. How do I know that’s not happening?
Part of it is monitoring and checking the login information, but that’s not going to stop it in real time. CDM seeks to provide awareness at the speed of the network. We can’t just rely on data we ingest after the fact. We need to build controls, separate from the primary authenticator, that specify which users are allowed access, so admins can’t self-elevate.
MeriTalk: Federal agencies have traditionally used tools like PIV cards or Common Access Cards (CAC) to authenticate users within their networks. But these methods don’t translate well to the virtual world. In use cases where we can’t replace PIV and CAC, how can we enhance the identity and access management experience within the CDM program?
Rosensteel: This is very timely. The National Institute of Standards and Technology (NIST) just released the draft version of FIPS 201-3, and section 2.10 addresses alternatives to smart card-based PIV credentials in the form of derived PIV credentials. It recognizes that not everything needs to run through Federal PKI common policy if we can show that we have equivalent strengths of authenticators and identity binding. That’s critical in the cloud environment, because PKI has struggled there. CDM’s documentation is rooted very heavily within PIV. To better address these challenges, we need updated guidance from the Office of Management and Budget, further guidance from NIST, and adoption of that guidance by Federal agencies. I think we are moving in that direction.
MeriTalk: How can we ensure secure access for contractor work on the CDM program?
Rosensteel: This gets right into the visibility problem. First, we identify that a user is a part of a specific group, such as a contractor, and apply specific controls.
But we must recognize we will never have the same level of control over the network as we once did. When CDM was written, it addressed what and who is on the network, and what is happening on the network. It did not address where the network is.
The network has long since moved outside of a traditional perimeter, and the pandemic accelerated that movement. Now, we have to ask, “Where is the network? How far does it extend?” It’s all about following the data. One of the biggest challenges of Cybersecurity Maturity Model Certification (CMMC) is following controlled unclassified information (CUI), because each agency defines it differently. When we can identify what is and what is not CUI, we will achieve better security that’s done faster, with a deeper level of visibility. CMMC is doing a good job of starting that conversation and putting enforcements behind it. I think we need similar types of flexibility built into the CDM program.
MeriTalk: How are CDM capabilities helping to protect high-value assets (HVAs)?
Rosensteel: When we look at HVAs, especially in the classified space, we have a lot of attribute-based accesses that are right in line with what CDM aims to do – make sure you don’t have more access than what’s required. It’s all about identifying what data is critical, and ensuring we protect it. We shouldn’t treat all data the same way. We need to do a better job, especially on the unclassified network, of applying attribute-based access. To do that, we have to understand all the data, and that’s what CDM is about.
MeriTalk: The Cybersecurity and Infrastructure Security Agency is aiming to upgrade agency and Federal-level CDM dashboard infrastructure and improve the quality of data coming from agency network sensors in FY21. What impact are you hoping these improvements will have on agency cybersecurity?
Rosensteel: I’m hoping that we get not only better scanners, but also a better understanding of what you can and can’t scan. This goes back to the “Where is your network?” question. I’m unable to scan the network in a telework environment. It’s too broad. Right now, CDM is looking at it retroactively. But the goal of CDM is real-time assessment. It’s easy to say, but difficult to do.
MeriTalk: As agency employees continue to work remotely and use myriad devices, how does authentication need to adapt to ensure security of agency networks and data?
Rosensteel: When everyone’s on-site, we can manage the traffic, even if it’s for a cloud application. We know the network and where the traffic is going. Now, when 95 percent of people are working remotely, we can’t rely solely on VPNs for authentication. We have to modernize our approach to authentication.
The Federal government has focused on building the strongest authenticators possible, but they still are rooted in static authentication practices. That doesn’t mean these authenticators are bad; it just means we have to recognize there’s more to authentication than the multifactor authenticator. PIV is an example of a static authenticator. It’s proof of possession of the private key stored on a smart card – but that’s as far as the authentication goes. It doesn’t tell me anything about the browsers or operating system in use, or any other information about the devices involved that may affect whether I want the authentication to continue. That’s what dynamic authentication addresses.
I like to compare the idea of static versus dynamic authentication to a passage in “Through the Looking-Glass” by Lewis Carroll. Alice is running away from the Red Queen as fast as she can as the queen is shouting, “Off with her head!” Alice notices the ground below her is moving at the same speed that she’s running, and she can’t make any distance between her and the Red Queen. What’s important to note here is Alice isn’t static – she is running. As long as she’s keeping pace, she can’t be overtaken by the Red Queen – unless the Red Queen runs twice as fast.
The cybersecurity lesson is that the moment you become static, you’re in trouble, because your adversaries won’t be. Adopting a dynamic approach puts the onus upon the would-be attacker. You can run at a certain pace, and the attacker has to run much faster to catch up. That’s what is at the heart of dynamic authentication: building in adaptive policies that allow you to respond to emerging threats in near real time.
MeriTalk: Duo Security has multiple products on the CDM Approved Product List. Can you talk a little bit about your role in the CDM ecosystem?
Rosensteel: We operate in Phase 2 of CDM. We move PIV authentication beyond static authentication by applying a dynamic policy engine on top of the smart card, so you get a much smarter and stronger authentication workflow. By using Duo, you can determine that a personal device is running on a particular operating system, has screen lock enabled, and therefore, is within security policy and is granted access. We’re not going to be able to know everything about an endpoint, but we can learn an amazing amount just through its browser.
Additionally, Duo has a number of NIST SP 800-63 alternative authenticators that can be leveraged where the use of a PIV has traditionally struggled, such as cloud applications, local and shared privileged admin accounts, and mobile device applications.
We get at the heart of who and what is on the network, and the broader “Where’s your network?” question. Access to data is gained through the authentication layer, and that’s where we sit.