National Cybersecurity Strategy Shifts Burden to Tech Sector
Last week the Biden-Harris White House issued a new National Cybersecurity Strategy to protect the country’s critical infrastructure, networks and data from cyber threats. As expected, this comprehensive plan outlines a multiprong strategy to improve the nation’s cybersecurity across public and private sectors. What may not have been expected is that, under this directive, the burden for cybersecurity shifts away from the end users and toward the tech industry.
What Does This Mean for Software Providers?
The new National Cybersecurity Strategy urges more mandates on companies that control most of the nation’s digital infrastructure. It also urges a bigger role for the government and state-sponsored entities to help stop hackers. While this new document is not the law in itself, it does set a framework for new legislation that could affect software providers.
The plan focuses on five key pillars.
- Defending critical infrastructure
- Disrupting and dismantling threats
- Shaping market forces to drive security and resilience
- Investing in a resilient future
- Forging international partnerships
Why the change? In the 38-page blueprint, the White House acknowledged that its previous reliance on voluntary cybersecurity measures failed to prevent a spike in ransomware attacks. This led to billions in economic losses. The document also calls out “inadequate and inconsistent outcomes” across critical infrastructure like energy pipelines, food companies, schools and hospitals.
Shifting the Cybersecurity Burden
A key element of the new framework involves shifting the burden of cybersecurity from individuals, businesses and the government. Instead, the burden moves toward software developers and other institutions. The new strategy holds tech firms responsible for building software that can withstand malicious actors.
In fact, the document proposes that new laws shift liability to software makers that fail to take reasonable precautions to secure their products and services. The bills would be drafted in coordination between Congress and the private sector and include “an adaptable safe harbor framework” to protect companies that “securely develop and maintain their software products and services.”
Zero Trust Mandate
This new strategy comes less than two years after the Executive Order on Improving the Nation’s Cybersecurity. In it, the Biden White House urged the federal government to adopt security best practices and advance toward zero trust security (ZTS).
This zero trust strategy includes an acceleration toward secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). It also mandated centralized and streamlined access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks. And it urged investment in both technology and personnel to match these modernization goals.
How API Gateways Can Help with Zero Trust Security
APIs are essential for businesses so that programs can interact and coordinate with one another. An API gateway, which acts as a middleman between the APIs and different clients or services, enables a uniform way to access the data and maintain the API communication in a secure and organized way. It also offers other benefits such as authentication, analytics and so on.
Best Practices When Working with APIs and API Gateways
A zero trust approach recommends shrinking any implicit trust boundaries as much as possible. This can be done through the use of individual API gateways for each service along with a distinction between internal and external APIs.
If the APIs are not being used by users outside the organization, there is no need to make them available in this way. It is essential that the gateway management has global rules regarding the amount of authentication needed for external APIs and that the environments behind the gateway can confirm that these rules were applied to incoming traffic.
In order to stay secure, it is necessary to keep track of APIs that are no longer in use or are outdated. An API gateway can be useful for this purpose, allowing you to measure and observe usage. If a particular API is not used often or if it receives an unusual amount of traffic, then it should be closely monitored.
This leads us to consider the monitoring and data analysis capabilities of API gateways. Collecting metrics and records that show details about the traffic and requests can help us recognize potential security problems before they are used by malicious people.
How Service Mesh Can Help with Zero Trust
Service mesh offers a comprehensive approach to meeting all aspects of the zero trust model.
Service mesh facilitates the ability to adhere to best practices such as reducing implicit trust boundaries and implementing individual API gateways for each service, as suggested by CISA and NIST frameworks. Additionally, it assists in optimizing the identity, network/environment, application workload and data pillars. Here is how:
Access Control
In a service mesh, multiple levels of security protocols are implemented to limit access and ensure secure communication. These include network regulations, authorization and root trust policy.
Resource Protection
Gateways and sidecars in a service mesh are implemented to safeguard the connected assets. Gateways ensure the safety of resources beyond the Kubernetes cluster at a cluster level, whereas sidecars provide a more intricate level of safety for each resource.
Monitoring and Analytics
For a service mesh to remain secure and enforce its policies, all gateways and sidecars must be configured to send out metrics and logs. A management tool like the Gloo Platform can set up this kind of configuration, and when data masking is added to the mix, it creates a zero trust governance system.
Least Privilege
A single configuration in a service mesh can implement “deny all” for network communication between workloads. Authorization, network and security policies can then be used to selectively open communication based on identity verification.
How Corporations Can Prepare
While the proposed legislation seems to mostly touch corporations in the tech sector, other large corporations with a diverse portfolio of companies may also be affected. Adherence to a zero trust model could help all organizations preemptively protect their data from unauthorized access. Taking it a step further, organizations should look into FIPS certification, as well as FedRAMP approval.
To prevent the fallout from an attack — whether that be financial burden, a hit to a company’s credibility or government action — organizations should consider taking immediate action. Taking action now has the potential to benefit corporations, consumers and national security.
