Protecting data at intersection of zero trust and open source

Rick Vanover August 15, 2022 09:25

As the federal government continues its emergence from the pandemic, its information technology strategy is being influenced by two compelling, but divergent trends—zero trust and open source.

Thanks in part to the White House’s 2021 Executive Order on Improving the Nation’s Cybersecurity, the most prominent of these trends may be zero trust adoption. But some fear cybersecurity gain could be weakened by the growing popularity of open source software.

According to the 2020 Federal Source Code Study, 80% of the more than 6,800 federal software projects listed on Code.gov are open source, allowing developers to innovate quickly, lower cost for deployment and provide more vendor choice.

Open source’s crowd-supported approach to innovation could improve cybersecurity but the transparency of the source code can allow attackers to creatively inject malware. A 2020 research paper entitled the “Backstabber’s Knife Collection,” detailed 174 malicious software packages “used in real-world attacks on open source software supply chains,” between 2015 and 2019 to highlight the challenges that the software applications face from potential breaches.

While the open source community is adept at monitoring and quickly patching vulnerabilities, the diffuseness of open source packages means that when an attack occurs, it can spread quickly before being detected. Once those open source software applications are breached, it becomes difficult for a zero trust architecture to combat the attack because the software infected with malware has already been accounted for in the IT environment.

And while zero trust can help secure legitimate points of access and limit data exposure, it cannot itself recover compromised data in the event of an attack. Zero Trust is an architecture, a design, a mindset – not a foolproof copy of data, nor a single product.

To prepare for the potential impact of attacks on open-source supply chains, agencies need to think beyond traditional zero trust methods to put in place defensive strategies that account for the complete supply chain and a strong data protection plan should a breach occur.

Protect the entire software supply chain

The dependency on open source software is not expected to ebb, especially in the public sector, where the federal government continues to see its value in innovation.

That means in addition to zero trust protections, IT officers also need to incorporate cybersecurity efforts against possible software supply chain attacks. This could include steps like requiring a software bill of materials (SBOM) to provide IT personnel with data on the components of a software product.

It also requires strong cyber hygiene from IT managers, including frequent patching and updating of software components across the enterprise to protect against possible vulnerabilities.

Safeguard your data

To combat an attack that may have already occurred, IT managers need to ensure their data is also protected.

As we discovered with NotPetya, a strain of malware first identified in a 2017 attack on Ukraine, the attack itself was originally thought to be ransomware installed in a legitimate software update that merely left users unable to access their data. However, it was ultimately found to be a fast-spreading wiper attack that irretrievably destroyed data on infected computers and globally caused $10 billion in damages.

Because of the inherent risk of these threats, it is vital for enterprises to implement a data backup strategy that is reliable, verified and tested and can be deployed across all mission-critical workloads.

That means taking steps like ensuring that a backup’s integrity is verifiable from the moment it is made and quickly retrievable in the event of such an attack. Backups must also possess resiliency from attack — either by being stored on removable drives, protected in hardened repositories, secured with end-to-end encryption or safeguarded by ransomware remediation capabilities.

Without full visibility into the software supply chain, it may be difficult to identify vulnerabilities. While efforts to secure the software supply chain are ongoing, having an expansive data protection strategy across on-prem, in the cloud and within other software-based systems is a critical failsafe and therefore the most comprehensive form of protection.

Zero trust remains an important strategy in helping defeat potential cyberattacks, but it is only one strategy to be deployed against increasingly sophisticated adversaries. To help ensure that government is resilient in the face of such threats, it is imperative that it has at its bedrock a strong data protection strategy.

-- Contact us at [email protected]

Rick Vanover

Senior Director, Product Strategy, Veeam.