Protecting data at intersection of zero trust and open source

As the federal government continues its emergence from the pandemic, its information technology strategy is being influenced by two compelling but divergent trends—zero trust and open source.
Thanks in part to the White House’s 2021 Executive Order on Improving the Nation’s Cybersecurity, the most prominent of these trends may be zero trust adoption. But some fear those cybersecurity gains could be undermined by the growing popularity of open source software.
According to the 2020 Federal Source Code Study, 80% of the more than 6,800 federal software projects listed on Code.gov are open source, allowing developers to innovate quickly, lower cost for deployment and provide more vendor choice.
Open source’s crowd-supported approach to innovation could improve cybersecurity, but the transparency of the source code can also allow attackers to creatively inject malware. A 2020 research paper, “Backstabber’s Knife Collection,” detailed 174 malicious software packages “used in real-world attacks on open source software supply chains” between 2015 and 2019, highlighting the breach risk these software applications face.
While the open source community is adept at monitoring and quickly patching vulnerabilities, the diffuseness of open source packages means that when an attack occurs, it can spread quickly before being detected. Once those open source software applications are breached, it becomes difficult for a zero trust architecture to combat the attack, because the malware-infected software is already an inventoried, trusted component of the IT environment.
And while zero trust can help secure legitimate points of access and limit data exposure, it cannot itself recover compromised data in the event of an attack. Zero Trust is an architecture, a design, a mindset – not a foolproof copy of data, nor a single product.
To prepare for the potential impact of attacks on open source supply chains, agencies need to think beyond traditional zero trust methods and put in place defensive strategies that account for the complete supply chain, together with a strong data protection plan should a breach occur.
Protect the entire software supply chain
The dependency on open source software is not expected to ebb, especially in the public sector, where the federal government continues to see its value in innovation.
That means in addition to zero trust protections, IT officers also need to incorporate cybersecurity efforts against possible software supply chain attacks. This could include steps like requiring a software bill of materials (SBOM) to provide IT personnel with data on the components of a software product.
It also requires strong cyber hygiene from IT managers, including frequent patching and updating of software components across the enterprise to protect against possible vulnerabilities.
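The SBOM step above is easier to act on with a concrete check. The following is an added example, not code from the article or from any named vendor: it reads a CycloneDX-shaped SBOM (a constructed sample, embedded inline), lists the components, flags any that lack a version or a recorded hash (and therefore cannot be verified against upstream), and matches the inventory against a placeholder list of flagged packages standing in for whatever vulnerability or malware feed an agency actually subscribes to.

```python
"""Audit a CycloneDX-style SBOM for inventory gaps and flagged components.

Added example, not from the article. The SBOM below is constructed; the
FLAGGED set is a placeholder for a real vulnerability/malware feed.
"""
import json

# Constructed CycloneDX-shaped SBOM: bomFormat/specVersion/components, with
# each component carrying name, version, purl and optional hashes.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "name": "leftpad-clone", "version": "0.1.0",
         "purl": "pkg:npm/leftpad-clone@0.1.0"},   # no hashes recorded
        {"type": "library", "name": "utils-helper",
         "purl": "pkg:npm/utils-helper"},           # no version at all
    ],
})

# Placeholder (ecosystem, name, version) entries a feed has flagged; constructed.
FLAGGED = {("npm", "leftpad-clone", "0.1.0")}


def parse_components(sbom_text):
    """Return the fields the audit needs for every component in the SBOM."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    out = []
    for comp in doc.get("components", []):
        purl = comp.get("purl", "")
        # purl shape is pkg:<ecosystem>/<name>@<version>; only the ecosystem is needed here
        ecosystem = purl[len("pkg:"):].split("/", 1)[0] if purl.startswith("pkg:") else ""
        out.append({
            "name": comp.get("name"),
            "version": comp.get("version"),
            "ecosystem": ecosystem,
            "has_hash": bool(comp.get("hashes")),
        })
    return out


def audit(sbom_text, flagged=FLAGGED):
    """Report components that cannot be verified or that match a flagged entry."""
    comps = parse_components(sbom_text)
    return {
        "total": len(comps),
        "missing_version": [c["name"] for c in comps if not c["version"]],
        "missing_hash": [c["name"] for c in comps if not c["has_hash"]],
        "flagged": [c["name"] for c in comps
                    if (c["ecosystem"], c["name"], c["version"]) in flagged],
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SBOM), indent=2))
```

A component with no version or no hash is reported separately from a flagged one: the first is an inventory gap that makes the SBOM unverifiable, the second is a match that needs a patch or removal decision.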
Safeguard your data
To combat an attack that may have already occurred, IT managers need to ensure their data is also protected.
NotPetya, a strain of malware first identified in a 2017 attack on Ukraine, illustrates the risk. The attack was originally thought to be ransomware delivered through a legitimate software update that merely left users unable to access their data. It was ultimately found to be a fast-spreading wiper that irretrievably destroyed data on infected computers and caused $10 billion in damages globally.
Because of the inherent risk of these threats, it is vital for enterprises to implement a data backup strategy that is reliable, verified and tested and can be deployed across all mission-critical workloads.
That means taking steps like ensuring that a backup’s integrity is verifiable from the moment it is made and that it is quickly retrievable in the event of such an attack. Backups must also be resilient to attack — whether by being stored on removable drives, protected in hardened repositories, secured with end-to-end encryption or safeguarded by ransomware remediation capabilities.
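“Verifiable from the moment it is made” can be implemented as a manifest written alongside the backup. The following is an added example, not code from the article or from any backup product: at backup time it records a SHA-256 digest of every file and authenticates the manifest with an HMAC key that is assumed to be held outside the backup repository (a secrets store or HSM the backup host cannot write to); at restore time it checks the HMAC first, so a wiper that alters backup files and then rewrites the manifest to match is still caught. The file contents and key are constructed for the demonstration.

```python
"""Make a backup's integrity verifiable from the moment it is written.

Added example, not from the article. Assumes the HMAC key is fetched from a
store the backup host cannot write to; the demo key below is constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile

MANIFEST_KEY = b"constructed-demo-key-do-not-use"  # assumption: held off-host


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, key=MANIFEST_KEY):
    """Hash every file under backup_dir and tag the manifest with an HMAC."""
    digests = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(root, name)
            digests[os.path.relpath(path, backup_dir)] = sha256_file(path)
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(backup_dir, manifest, key=MANIFEST_KEY):
    """Return (ok, problems); fails closed if the manifest itself was altered."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest HMAC mismatch"]
    problems = []
    for rel, digest in manifest["files"].items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"modified: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario: back up two files, then simulate a wiper on one."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in (("db.sql", b"CREATE TABLE t (id INT);"),
                              ("config.ini", b"[core]\nmode=prod\n")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        manifest = write_manifest(d)
        ok_before, _ = verify_manifest(d, manifest)
        with open(os.path.join(d, "db.sql"), "wb") as f:
            f.write(b"\x00" * 24)  # simulated wiper overwrites the dump
        ok_after, problems = verify_manifest(d, manifest)
        # Attacker also edits the manifest entry to match the wiped file, but
        # cannot recompute the HMAC without the off-host key.
        forged_files = dict(manifest["files"])
        forged_files["db.sql"] = sha256_file(os.path.join(d, "db.sql"))
        forged = {"files": forged_files, "hmac": manifest["hmac"]}
        ok_forged, _ = verify_manifest(d, forged)
        return ok_before, ok_after, problems, ok_forged


if __name__ == "__main__":
    print(demo())
```

The verification order matters: checking the HMAC before any per-file digest means a manifest that has been edited to agree with tampered files is rejected outright rather than trusted as the baseline.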
Without full visibility into the software supply chain, it may be difficult to identify vulnerabilities. While efforts to secure the software supply chain are ongoing, having an expansive data protection strategy across on-prem, in the cloud and within other software-based systems is a critical failsafe and therefore the most comprehensive form of protection.
Zero trust remains an important strategy in helping defeat potential cyberattacks, but it is only one strategy to be deployed against increasingly sophisticated adversaries. To help ensure that government is resilient in the face of such threats, it is imperative that it has at its bedrock a strong data protection strategy.