“Zero Trust” Cyber Defense Strategy Could Help Thwart Hackers Targeting Government, Business
BU’s Sharon Goldberg applauds new federal policy, but says private companies have a long way to go in securing software systems
Last year, it appeared that hackers everywhere had gotten new computers for Christmas, as a string of ransomware attacks, often traced to Russia and China, hit American businesses and government agencies. Russia arrested hackers alleged to be involved in last year’s Colonial Pipeline attack, but Uncle Sam also is going on offense, recently declaring a “zero trust” strategy of cybersecurity.
Government employees will be required by the end of fiscal year 2024 to use devices that are “consistently tracked and monitored, and the security posture of those devices [will be] taken into account when granting access to internal resources,” according to a January 26 Office of Management and Budget (OMB) memo. Meanwhile, agencies’ systems will be isolated from one another, with data traffic in and between them “reliably encrypted.” A key need, OMB added, is multifactor authentication, which requires online users to offer at least two proofs of identity. BU uses such a system with Duo, which employees and students use to get into BUworks and the Student Link.
Will “zero trust” avert future cyberattacks, and can businesses embrace the approach? BU Today asked Sharon Goldberg, a College of Arts & Sciences associate professor of computer science and cofounder and CEO of BastionZero, which helps companies secure their servers. Goldberg blogged favorably about the approach after the government’s announcement.
With Sharon Goldberg
BU Today: Can you define “zero trust”?
Sharon Goldberg: It means don’t give individuals long-standing credentials to access systems. Instead, ask them to authenticate themselves every time they do something new. A lot of the attacks that we see come from credentials that are old, like an old password, that an adversary finds and uses to get in and laterally move through a system, and compromise more parts of the system.
[Duo] would be a zero-trust system, because every time Duo calls your phone, you’ve proved that you are the person who still has this phone. You’ve authenticated with two pieces of information, your password and something we think of as attached to you. Another analogy is, if you use BU Healthway, and you schedule a COVID test—and then you look at your pay stub [in BUworks], you’re going to have to do that Duo thing each time. You’re forced to log in to each application, each time.
The language of “zero-trust” is misleading. It’s not that there’s no trust. We’re saying [that] we’re not going to trust the user just because they logged in once, so they can log in forever. We are going to set up some centralized authority that has the right to determine whether you’ve successfully logged in. When you use your BU log-in, you’ve got Shibboleth [a software package allowing sites to accurately authorize individual access to protected online resources], and you’ve got Duo. Duo informs Shibboleth of whether or not you logged in successfully, and if you have, it allows you to access whatever—Healthway for your COVID test; your pay stub. You’re trusting those two to decide if you can get in.
BU Today: What traditional defenses does the memo criticize?
Sharon Goldberg: The memo deprecates phones as a second [authentication] factor, which is good. [They are] known to be vulnerable to an attack called SIM [subscriber identity module] swapping. A majority of banks use [phones] as the second-factor authentication into your bank account, which is disappointing.
The other thing is TOTP [time-based one-time password]. If you’ve ever used Google Authenticator on your phone, and you’ve seen those codes, they’ve deprecated that, too. That’s an aggressive step, because that is what most cutting-edge companies do. [The government] said you need to use hardware tokens—most people don’t use them; they look like little USB keys that you can plug into your computer. These tokens are not as vulnerable to phishing.
BU Today: If I wanted to see my BU pay stub, I’d stick this thing in my computer?
Sharon Goldberg: Yeah, but this is not practical for a place like BU as much as it may be for the government. At BU, you have students, professors; how are you going to onboard and offboard them with this token? It’s quite an undertaking. Even using Gmail—is Gmail really going to send every person a hardware token for their email? No. Does every person want a token? No; they have their phones, and people know how to use their phones.
BU Today: What would you say businesses need to do, whether it’s BU or Colonial Pipeline, to bolster their cybersecurity?
Sharon Goldberg: A majority of things in that memo are applicable broadly. Centralized single sign-on is a great idea: you use the same log-in for BU across all BU services—you use your [Kerberos] ID to log in to your payroll, Healthway. That is great; you only have one password for BU, you don’t have to remember 50,000 passwords for every BU service, [making it more possible that] you would lose them. The memo says across the government, they need to be using something like that.
BU has Duo, but a lot of other places don’t. The government has a compliance standard that anyone who supplies services to the government has to comply with. It is incredibly onerous; my company is not compliant because we’d have to spend more money than we have to get there. [The memo] is saying, we have this [standard], we’re still getting hacked, maybe we need to look at what are real best practices for securing software systems. The memo is a very cutting-edge set of recommendations. I spend all my time talking to companies about what they do here—this is literally all I do with my life right now, other than teach—and most companies have not gotten there yet.
BU Today: When will the government, and businesses, actually have zero trust protection in place, so that ransomware attacks are harder to pull off?
Sharon Goldberg: It is going to take a long time. I know organizations that are close to what the memo recommends; they’re few and far between. The majority of the companies I’ve talked to are not like that. You’ve got to build software systems over multiple years—for a small company, 2 or 3 years, for a big company, 10 years. Having to move them into this modern security posture is not something that happens fast.
Can the government get this done quickly? No. It’s going to be difficult and slow. What will happen is it will change the conversation in the industry, and people thinking about their security over the next year may be making decisions that are different as a result of this memo.
BU Today: Can the good guys keep ahead of the bad guys?
Sharon Goldberg: Technological means alone will not be enough. Adversaries are very determined. I think that this [requires] a mix of technological means and policy. That said, running with outdated software, unpatched systems, passwords flying around all over the place—this is very bad. What you want to see is creating a situation where the adversary really has to work hard to infiltrate these systems. The memo doesn’t want the posture of the government to be weaker than a company that sells shoes.
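The interview describes the core of the zero-trust idea: a central authority re-decides every request instead of trusting a one-time login, and it weighs how fresh the second factor is and what state the requesting device is in. The following Python sketch is an added illustration of that decision loop, not code from BU, Duo, Shibboleth, BastionZero or the OMB memo. The class and function names, the five-minute MFA freshness window, the patch-level threshold, and the users, tokens and devices are all constructed for the example.

```python
# Added illustration: a toy central "policy decision point" in the zero-trust
# style described in the interview. Not BU's, Duo's, Shibboleth's or
# BastionZero's code; thresholds, users, tokens and devices are constructed.
from dataclasses import dataclass, field

MFA_MAX_AGE_SECONDS = 300   # assumed policy: a second-factor proof is fresh for 5 minutes
MIN_PATCH_LEVEL = 5         # assumed policy: minimum OS patch level for a healthy device


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    managed: bool          # enrolled in the organisation's device management
    patch_level: int
    disk_encrypted: bool

    def healthy(self) -> bool:
        return self.managed and self.disk_encrypted and self.patch_level >= MIN_PATCH_LEVEL


@dataclass(frozen=True)
class AccessRequest:
    user: str
    session_token: str
    resource: str
    device: DevicePosture
    now: int               # request time, seconds since epoch


@dataclass
class PolicyDecisionPoint:
    """Central authority consulted on every request (the role the interview
    assigns to Shibboleth, with Duo reporting MFA results to it)."""
    sessions: dict[str, str] = field(default_factory=dict)      # token -> user
    mfa_last_ok: dict[str, int] = field(default_factory=dict)   # user -> time of last MFA success
    registered_devices: set[str] = field(default_factory=set)

    def login(self, user: str, token: str) -> None:
        """Primary factor (password) succeeded: issue a session token."""
        self.sessions[token] = user

    def record_mfa_success(self, user: str, now: int) -> None:
        """Second factor (e.g. a push approval) succeeded at time `now`."""
        self.mfa_last_ok[user] = now

    def revoke(self, token: str) -> None:
        """Central revocation: the token stops working for every later request."""
        self.sessions.pop(token, None)

    def decide(self, req: AccessRequest) -> tuple[bool, str]:
        """Evaluate one request from scratch; an earlier 'allow' carries no weight."""
        if self.sessions.get(req.session_token) != req.user:
            return False, "unknown or revoked session"
        last = self.mfa_last_ok.get(req.user)
        if last is None or req.now - last > MFA_MAX_AGE_SECONDS:
            return False, "second factor not fresh: re-authenticate"
        if req.device.device_id not in self.registered_devices:
            return False, "device not registered"
        if not req.device.healthy():
            return False, "device posture below policy"
        return True, f"allow {req.user} -> {req.resource}"


def demo() -> list[tuple[bool, str]]:
    """Constructed scenario: one user, one healthy laptop, one unmanaged machine."""
    pdp = PolicyDecisionPoint()
    laptop = DevicePosture("laptop-42", managed=True, patch_level=7, disk_encrypted=True)
    unmanaged = DevicePosture("home-pc-1", managed=False, patch_level=2, disk_encrypted=False)
    pdp.registered_devices.update({laptop.device_id, unmanaged.device_id})

    t0 = 1_700_000_000
    pdp.login("alice", "tok-abc")
    pdp.record_mfa_success("alice", t0)

    results = []
    # 1. Fresh login + fresh MFA on a healthy, registered device: allowed.
    results.append(pdp.decide(AccessRequest("alice", "tok-abc", "payroll", laptop, t0 + 10)))
    # 2. Same token ten minutes later: the session alone is not enough.
    results.append(pdp.decide(AccessRequest("alice", "tok-abc", "payroll", laptop, t0 + 600)))
    # 3. The user completes the second factor again; access resumes.
    pdp.record_mfa_success("alice", t0 + 600)
    results.append(pdp.decide(AccessRequest("alice", "tok-abc", "payroll", laptop, t0 + 601)))
    # 4. Same valid credentials from an unmanaged machine: denied on posture.
    results.append(pdp.decide(AccessRequest("alice", "tok-abc", "payroll", unmanaged, t0 + 602)))
    # 5. The token presented under another user name: denied.
    results.append(pdp.decide(AccessRequest("mallory", "tok-abc", "payroll", laptop, t0 + 603)))
    # 6. Token revoked centrally; even the legitimate user is cut off at once.
    pdp.revoke("tok-abc")
    results.append(pdp.decide(AccessRequest("alice", "tok-abc", "payroll", laptop, t0 + 604)))
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print("ALLOW" if ok else "DENY ", why)
```

The point of the sketch is that nothing is cached from the last decision: a stale second factor, a device that has fallen out of policy, or a revoked token each produce a denial on the very next request, which is what makes an old leaked credential far less useful for lateral movement than it is under a "log in once, trusted forever" model.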