Protecting data at intersection of zero trust and open source
As the federal government continues its emergence from the pandemic, its information technology strategy is being influenced by two compelling, but divergent trends—zero trust and open source.
Thanks in part to the White House’s 2021 Executive Order on Improving the Nation’s Cybersecurity, the most prominent of these trends may be zero trust adoption. But some fear cybersecurity gain could be weakened by the growing popularity of open source software.
According to the 2020 Federal Source Code Study, 80% of the more than 6,800 federal software projects listed on Code.gov are open source, allowing developers to innovate quickly, lower cost for deployment and provide more vendor choice.
Open source’s crowd-supported approach to innovation could improve cybersecurity but the transparency of the source code can allow attackers to creatively inject malware. A 2020 research paper entitled the “Backstabber’s Knife Collection,” detailed 174 malicious software packages “used in real-world attacks on open source software supply chains,” between 2015 and 2019 to highlight the challenges that the software applications face from potential breaches.
While the open source community is adept at monitoring and quickly patching vulnerabilities, the diffuseness of open source packages means that when an attack occurs, it can spread quickly before being detected. Once those open source software applications are breached, it becomes difficult for a zero trust architecture to combat the attack because the software infected with malware has already been accounted for in the IT environment.
And while zero trust can help secure legitimate points of access and limit data exposure, it cannot itself recover compromised data in the event of an attack. Zero Trust is an architecture, a design, a mindset – not a foolproof copy of data, nor a single product.
To prepare for the potential impact of attacks on open-source supply chains, agencies need to think beyond traditional zero trust methods to put in place defensive strategies that account for the complete supply chain and a strong data protection plan should a breach occur.
Protect the entire software supply chain
The dependency on open source software is not expected to ebb, especially in the public sector, where the federal government continues to see its value in innovation.
That means in addition to zero trust protections, IT officers also need to incorporate cybersecurity efforts against possible software supply chain attacks. This could include steps like requiring a software bill of materials (SBOM) to provide IT personnel with data on the components of a software product.
It also requires strong cyber hygiene from IT managers, including frequent patching and updating of software components across the enterprise to protect against possible vulnerabilities.
Safeguard your data
To combat an attack that may have already occurred, IT managers need to ensure their data is also protected.
As we discovered with NotPetya, a strain of malware first identified in a 2017 attack on Ukraine, the attack itself was originally thought to be ransomware installed in a legitimate software update that merely left users unable to access their data. However, it was ultimately found to be a fast-spreading wiper attack that irretrievably destroyed data on infected computers and globally caused $10 billion in damages.
Because of the inherent risk of these threats, it is vital for enterprises to implement a data backup strategy that is reliable, verified and tested and can be deployed across all mission-critical workloads.
That means taking steps like ensuring that a backup’s integrity is verifiable from the moment it is made and quickly retrievable in the event of such an attack. Backups must also possess resiliency from attack — either by being stored on removable drives, protected in hardened repositories, secured with end-to-end encryption or safeguarded by ransomware remediation capabilities.
Without full visibility into the software supply chain, it may be difficult to identify vulnerabilities. While efforts to secure the software supply chain are ongoing, having an expansive data protection strategy across on-prem, in the cloud and within other software-based systems is a critical failsafe and therefore the most comprehensive form of protection.
Zero trust remains an important strategy in helping defeat potential cyberattacks, but it is only one strategy to be deployed against increasingly sophisticated adversaries. To help ensure that government is resilient in the face of such threats, it is imperative that it has at its bedrock a strong data protection strategy.
-- Contact us at [email protected]
-
HK migrants alarmed by new British policy Mark O'Neill
Hong Kong people who emigrated to Britain with a BNO passport are alarmed by the new immigration policy outlined on Monday by Prime Minister Sir Keir Starmer. Most alarming is a new requirement that
-
HK says Goodbye to Pioneer of English Education Mark O'Neill
On May 7, 150 people crowded into St John’s Cathedral in Garden Road to say goodbye to a polymath and pioneer of English-language education who lived in the city for 42 years. Dr Verner Bickley
-
French Sisters in HK saved 34000 abandoned children Mark O'Neill
In 19th century Hong Kong, families abandoned thousands of girls whom they could not or would not bring up. They faced death, disease, a life of domestic service or prostitution. But the Sisters of
-
Czech National Ballet in Hong Kong Arts Festival Kevin Ng
Nowadays Hong Kong seldom plays host to overseas ballet companies, except during the annual Hong Kong Arts Festival. Czech National Ballet is the only ballet company touring this year’s Festival. Its
-
Are Hong Kong migrants to UK returning home? Mark O'Neill
“She was a schoolteacher in Hong Kong and now works as a cashier in a supermarket in Britain. I think she and her husband would like to come back but it is a question of face. How would she explain
