Expanding the Zero Trust Model With Application Layer Encryption
On January 26, 2022, the White House published a memorandum titled Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. The goal of this memo was to lay out a process for aligning U.S. government agencies with zero trust principles by the end of FY 2024. This memorandum builds on previous guidance from the White House on improving cybersecurity in the wake of the SolarWinds and Colonial Pipeline hacks.
The White House Zero-Trust Directive
The White House’s call for a zero trust security model signals a significant shift from how cybersecurity has traditionally been managed. Flagship government security programs like EINSTEIN were intended to provide protection at the perimeter of government networks, a perimeter that has gradually disappeared with the emergence and adoption of cloud and distributed environments, greatly increasing the federal government’s attack surface.
The new memo accurately states that:
“In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data.”
“A transition to a ‘zero trust’ approach to security provides a defensible architecture for this new environment. ... The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted.”
The White House directive calls out a number of security technologies and processes vital to its zero trust strategy, including role-based access control (RBAC), multi-factor authentication (MFA), external security assessments, encryption of internal traffic, the use of more effective encryption approaches, and the use of cloud services. Beyond this, the memo encourages agencies to tailor their security programs to the threats that they face, stating that “agencies should scrutinize their applications as our nation’s adversaries do.”
Effectively Enforcing Zero Trust
Zero trust is currently a buzzword, with organizations actively pursuing it as a better way to improve their security controls. However, a corporate security policy based on zero trust principles is useless if that policy is not enforced effectively.
At its core, a zero trust security strategy should be focused on data. Data is an organization’s most valuable asset, and most cyberattacks (data breaches, ransomware, etc.) are aimed at gaining access to data. The base principle of a zero trust security strategy is therefore to block the various avenues by which an unauthorized user can gain access to data.
In terms of managing access to sensitive data, encryption is the ideal solution. Modern encryption algorithms ensure that only someone with access to the correct decryption key can decrypt encrypted data. With regard to data encryption, zero trust boils down to ensuring that only the appropriate people, applications, systems, etc. have access to the encryption keys used to secure sensitive data.
The White House Directive not only directs government agencies to encrypt data at rest but also acknowledges the limitations of many data encryption solutions. It says, “Encryption at rest can protect data that is copied while at rest, but does not protect against access by compromised system components that are authorized to decrypt data.” This highlights the long-known Achilles heel of most at-rest encryption solutions, such as transparent disk encryption and full disk encryption, which were not designed for, and are not effective against, the modern threats organizations face.
Let’s explore this in a bit more detail using a database example.
Say an organization stores sensitive application data in Amazon RDS. As a standard security measure, they enable encryption on creation, which encrypts all of the data at rest. The beauty of this approach is that it’s easy and the database isn’t aware (and doesn’t even need to be) that the data is encrypted.
Data safe, right? Well, not so fast. This approach protects data from physical theft, but it doesn’t protect against an attacker who successfully connects to the database using stolen authorized admin credentials or by exploiting an application vulnerability. Once connected, the database automatically decrypts the data for the attacker, because it cannot distinguish between the authorized user and someone who stole the authorized user’s credentials.
The memo also states that, “The critical requirement for key management is that, even if an application is compromised and an adversary has the ability to decrypt data managed by that application, any decryption attempts will still be reliably logged by a separate system.” Key management is notoriously difficult to implement correctly and one of the most common areas of vulnerability for most implementations of cryptography, as evidenced by A02:2021 – Cryptographic Failures being the second most common software vulnerability impacting web applications listed in OWASP’s Top 10 List.
To meet its zero trust security requirements, the U.S. government needs to recommend the implementation of a zero trust-compliant encryption approach that closes this long-known gap and addresses the data security risks that are the primary target of modern attacks such as ransomware or intellectual property theft.
Meeting Zero Trust Data Security Goals with Application-layer Encryption
Application-layer encryption (ALE) enables a more granular and effective approach to data-at-rest encryption than full-disk or database encryption. Instead of encrypting data in bulk, ALE allows an application to manage its own encryption, making it possible to tailor encryption to the unique security needs of the application’s data and, in turn, to the users that have access to those applications.
ALE Enables Granular Data Encryption
The White House’s zero trust initiative requires the granular encryption made possible by ALE. As stated in the memo, encryption doesn’t protect data at rest if an attacker exploits a system or database that stores sensitive data.
The OPM breach, which exposed the personal data of millions of federal employees and contractors, is a classic example of where full disk or database encryption, if used, would have done nothing to mitigate the data breach. According to Andy Ozment, the Assistant Secretary in the Office of Cybersecurity and Communications at the DHS, “If the adversary has the credentials of a user on the network, they can access data even if it’s encrypted just as the users on the network have to access data. That did occur in this case. Encryption in this instance would not have protected this data.”
These limitations apply to full-disk and database encryption, where the need for access to any data on the disk or in the database provides access to all of the data. With ALE, it is possible to implement attribute- or role-based access controls that grant access to data on a case-by-case basis, determined by specific attributes or by an employee’s role within the organization and their data access needs. The right to access a list of current employees should not automatically translate to the ability to access their social security numbers, fingerprints, and answers to a questionnaire designed to determine suitability for a security clearance.
Deploying Strong Encryption to Legacy Systems
Although full-disk or database encryption would not have prevented the OPM breach, those solutions were not in place at all. The stated reason was “that the agency’s IT infrastructure didn’t necessarily support modern encryption technologies.”
While this may be true for large-scale full-disk and database encryption solutions, ALE can be “bolted on” with minimal impact on existing systems, as it integrates directly into the application and doesn’t require changes to the storage layer (e.g., databases, data warehouses, etc.). ALE can be implemented by integrating a lightweight encryption library with a few lines of code, while key management and logging can be handled by an integrated, cloud-based system.
This approach to encryption and key management meets the directive’s requirements to “use key management tools to create a trustworthy audit log that documents attempts to access that data.” In contrast, full-disk and database encryption only prove that a user has access to a system or database as a whole, with no visibility into the individual files and records within it. Nor do they generally leverage unique encryption keys for specific data sets or users.
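The following Go program is an added example, not code from the original post or from any product it describes, that ties together the database scenario above (a caller with database credentials sees only ciphertext), the memo’s requirement that a separate system log every decryption attempt, and the role-based field access discussed under the OPM breach. The KeyService type, the purpose names (employee.name, employee.ssn), the roles, the principal and the record values are all constructed for illustration; a real deployment would back KeyService with an external KMS or HSM rather than generating keys in process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"time"
)

// AuditEvent is one log entry: every decryption attempt, granted or denied, is recorded.
type AuditEvent struct {
	When                               time.Time
	Principal, Role, Purpose, RecordID string
	Allowed                            bool
}

// KeyService is a hypothetical in-process stand-in for an external key manager: one
// AES-256-GCM key per purpose (a field or data set), a role policy, and the audit log.
type KeyService struct {
	keys   map[string]cipher.AEAD     // purpose -> ready-to-use AEAD
	policy map[string]map[string]bool // role -> purposes it may decrypt
	Log    []AuditEvent
}

// NewKeyService generates a fresh key per purpose (a real system would load wrapped keys).
func NewKeyService(purposes []string, policy map[string]map[string]bool) *KeyService {
	ks := &KeyService{keys: map[string]cipher.AEAD{}, policy: policy}
	for _, p := range purposes {
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			panic(err)
		}
		block, err := aes.NewCipher(key)
		if err != nil {
			panic(err) // cannot happen for a 32-byte key
		}
		if ks.keys[p], err = cipher.NewGCM(block); err != nil {
			panic(err)
		}
	}
	return ks
}

// keyFor releases a key only if the role is permitted that purpose; the attempt is logged either way.
func (ks *KeyService) keyFor(principal, role, purpose, recordID string) (cipher.AEAD, error) {
	allowed := ks.policy[role][purpose]
	ks.Log = append(ks.Log, AuditEvent{time.Now(), principal, role, purpose, recordID, allowed})
	if !allowed {
		return nil, fmt.Errorf("role %q may not decrypt %q", role, purpose)
	}
	return ks.keys[purpose], nil
}

// EncryptField encrypts one value under its purpose's key before it is written. The record
// ID is bound as associated data, so a ciphertext copied into another row fails to open.
func (ks *KeyService) EncryptField(purpose, recordID, plaintext string) (string, error) {
	g, ok := ks.keys[purpose]
	if !ok {
		return "", fmt.Errorf("no key for purpose %q", purpose)
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := g.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField goes through the key service, so database credentials alone are not enough.
func (ks *KeyService) DecryptField(principal, role, purpose, recordID, stored string) (string, error) {
	g, err := ks.keyFor(principal, role, purpose, recordID)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := g.NonceSize()
	if len(ct) < n {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := g.Open(nil, ct[:n], ct[n:], []byte(recordID))
	return string(pt), err
}

func main() {
	ks := NewKeyService([]string{"employee.name", "employee.ssn"},
		map[string]map[string]bool{"directory": {"employee.name": true}})
	// Constructed sample record; the "database" is a map that only ever holds ciphertext.
	db := map[string]string{}
	db["name"], _ = ks.EncryptField("employee.name", "emp-1001", "A. Example")
	db["ssn"], _ = ks.EncryptField("employee.ssn", "emp-1001", "000-00-0000")
	fmt.Println("at rest (what stolen database credentials reveal):", db)
	name, _ := ks.DecryptField("alice", "directory", "employee.name", "emp-1001", db["name"])
	_, err := ks.DecryptField("alice", "directory", "employee.ssn", "emp-1001", db["ssn"])
	fmt.Println("directory role sees name:", name, "| ssn:", err)
	fmt.Printf("audit log: %+v\n", ks.Log)
}
```

Two design points carry the argument of this section: the database row never holds a key or a plaintext, so a stolen connection yields ciphertext, and the only path to a key runs through keyFor, which writes an audit event before deciding, so denied attempts are recorded as well as successful ones. Binding the record ID as associated data is the added check a practitioner wants, because otherwise an attacker with write access to the store could move a ciphertext from a record they may read to one they may not.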
The Future of Federal Zero Trust Security
The White House’s Zero Trust Directive is an exciting new step towards improving the cybersecurity of the federal government and the nation’s most sensitive data. We look forward to seeing what new guidance emerges and how government agencies implement the requirements in this newest White House cybersecurity directive.