Sponsor Content

Securing Government Supply Chains With Critical Access Management


Government agencies can address security vulnerabilities and secure their critical access points with critical access management solutions.

Supply chain cyber attacks, like the SolarWinds attack that directly impacted federal agencies or the ransomware attacks on the city of Boston that resulted in an estimated $18.2 million price tag, have demonstrated the expansive consequences of unsecured critical access points that lead to critical assets such as systems, networks, infrastructure, data, applications, and sensitive information. Governments are full of such mission-critical systems and information: private citizen data (e.g. social security numbers and tax information), critical infrastructure, and emergency services like police and fire (both the systems and the records for those services). These types of infrastructure and information are among the most targeted assets hackers go after, and they set their sights on government, particularly local government, all too frequently. Unfortunately, the access points leading to government assets are often left vulnerable for a variety of reasons:

  • Unknown users and access rights: Many organizations, including government entities, struggle to keep track of who has access to their critical systems and data, and this is particularly challenging with third parties and contractors, on whom governments heavily rely. Without clear insight into who has access to what, there’s no control over how access can be used or what level of access each person has. If the worst should happen and a bad actor gained control of an undocumented access privilege, an organization could find itself in the position of the Oldsmar water treatment plant, which experienced a cyber attack with consequences for the health and safety of the general public.
  • Credential management: We’ve all written down passwords on sticky notes or used a generic password for multiple devices, platforms and accounts. But this is bad behavior that leads to vulnerable access points and data breaches. Stolen passwords are responsible for 61 percent of data breaches according to the Verizon 2021 Data Breach Investigations Report. When credentials aren't managed and secured properly, these critical access points are left extremely vulnerable.
  • Insider threats: Although we envision most hackers as outside parties infiltrating an organization's walls, we have to face the reality that sometimes hackers come from the inside. Companies can do great work to protect their critical assets, but employees (malicious or negligent) often have easy and streamlined access to critical information and systems, making it easy for either internal bad actors or compromised insider accounts to be used throughout the network.
  • External threats: External threats, of course, are everywhere, especially given how much government entities rely on third parties. Third parties are responsible for 51 percent of data breaches according to the 2021 Ponemon Report. More often than not, hackers will focus on compromising government third parties to gain access to your agency for reasons like espionage, financial gain, or vengeance, and they cause substantial damage once they gain access to critical systems through their many hacking methodologies.

WHAT'S THE PROBLEM?

While there are many reasons for vulnerability, it boils down to two key problems organizations encounter with regard to cybersecurity: unprotected/uncontrolled access points and incorrect trust relationships. Even if all the vulnerabilities above were addressed, security measures still fall flat if access is unsecured and any user or access right is implicitly trusted.

When critical access is left unprotected due to the vulnerabilities listed above, any access point acts as an entryway that could lead a hacker to a hallway of doors that open onto all types of critical assets, like operational technology, industrial control systems, IT infrastructure, regulated and protected citizen data, and emergency/records systems. Implementing basic security measures like password management and multifactor authentication is a great first step, but a government agency still remains vulnerable if that access is uncontrolled, meaning that even if an organization has a handle on who can enter through the critical access doorway, it doesn’t have control over what a person does with that access, and it can’t put a stop to that access if the user goes rogue.

Incorrect trust relationships form when governments treat their third parties and supply chain like employees. Granting a third party the same access with the same level of security and trust as a government employee is opening up the door to a compromised network. The reality is that this fails to fully secure third-party access because organizations do not directly control third parties or supply chains. An employee’s level of access might include more privileges than a third party needs, even if least privilege access is applied to the employee’s access rights.

WHAT'S THE SOLUTION?

It’s easy to compare critical access points to physical doors. Some doors are made available to the public while others are extremely guarded and need high security clearance. It all depends on the assets and items behind the door.

There’s a reason a bank vault door is not only a foot thick but also needs additional layers of security and control: the asset behind the door needs additional and enhanced protection. Just the same, certain access points need more protection than others. And think about the dual-control locks that are standard on bank vaults; in banks and financial institutions, there isn’t a single person internally or externally who’s capable or trusted enough to walk through a vault door alone. The assets a vault door is protecting are so important that one person can’t go into it unchecked, and there’s an additional step of authorization and approval required to access something that valuable and high risk. For government institutions, the amount of high-risk information and infrastructure available within critical systems and environments (like ICS and OT) outweighs that of many other industries; therefore, critical systems must be secured with the same standards as a bank vault door, such as thick barriers, controls and locks, additional authorization and approval, and monitoring capabilities.

This is the whole idea behind critical access management: securing the access to items your governmental organization deems most valuable and high risk.

CRITICAL ACCESS MANAGEMENT

The solution to the problem of vulnerabilities in government cybersecurity is critical access management. Critical access management is the practice of managing access to mitigate the risk associated with points of access to an organization's high-risk systems, networks, infrastructure, applications and data. It’s a cybersecurity approach that secures the doorways that lead to critical access points and assets, like sensitive citizen data, government operating systems, and industrial environments with a variety of governance, control, and monitoring measures.

It’s a simple and logical concept: secure the access that leads to the assets that are most at risk within a government institution. But how can governments accomplish critical access management? What does it look like to secure these assets and install the vault door that will keep critical government information and systems protected?

Critical Access Management for Government Institutions

Step 1: Identify your critical access points

Step 2: Identify the users who need access

Step 3: Establish access governance

Step 4: Implement access control

Step 5: Practice access monitoring

Step 1: Identify your critical access points

The first step in establishing critical access management is to identify your critical access points. This is the discovery stage of critical access management where your IT, security and compliance teams need to sync on what assets are most critical and need the most protection. To help identify these access points and assets, you can ask yourself the following:
  • Is the asset high risk and accessed at a low frequency?
  • Would a breach have high impact or expansive consequences, such as the inability to operate government functions (e.g. emergency services) or provide citizen services, loss of revenue, a regulatory violation, or a threat to public health and safety?

If any of these answers are “yes,” then that asset requires strong security in the form of critical access management.

Step 2: Identify the users who need access

Step 2 directly addresses the vulnerability of the “unknown users and access rights.” Between all the different user identities across all different user groups like employees, third parties and even customers, this might seem like a hefty task; however, it’s absolutely essential to comprehensive cybersecurity to inventory all the users who require access to critical systems and what level/rights/privileges of access they need. Here are some steps you can take to identify your users and their access rights:
  • List the identity traits. Is the user an employee, third-party rep, consultant, MSP, etc.?
  • Have they made access mistakes in the past? This will help determine how much access they should be given.
  • How much control do you have over their access privileges/rights?
  • Are you able to monitor their behavior?

Step 3: Establish access governance

Access governance consists of the systems and processes that ensure access policy is adhered to as closely as possible. Government organizations know all about policies, and they know how important it is for them to be followed as closely as possible. With access policies, rules are put in place to establish who should have access to what and what privileges a user should have to access a certain asset, and these rules should align as closely with the principles of least privilege as possible, meaning access rights are only given based on what is needed for a user’s job function and nothing more. In most cases, access governance is implemented through the HR system, which uses the data on each employee and job role to determine access rights that match with job responsibility. It’s achievable to put rules in place based on these policies, but government organizations often fail to regularly review access rights to ensure policy is being enforced. That’s where reviewing access rights becomes a critical step in access governance. Governments should implement automated periodic user access reviews to check that users match the specific access rights needed for their role.

Step 4: Implement access control

Access controls are additional layers of security on top of the access policy you put in place in Step 3. When putting access controls in place, you’re looking at each specific user or asset and putting friction on their access so you can stop whatever access isn’t necessary for them. This is done through a variety of methods like access notifications and schedules, but the most granular level of access control comes in the form of Zero-Trust Network Access (ZTNA). ZTNA authenticates each user before an access session using multifactor authentication; then, rather than taking the user onto a network or into a critical system, ZTNA ties the user’s access directly to the software or application (rather than the network), down to the host or port level. This ensures the user can only access and "see" what they need, mitigating the risk of lateral movement throughout the network and compromise of any other critical assets.

Step 5: Practice access monitoring

For governments, access monitoring looks like observing a user’s behavior while they’re accessing a critical asset. It’s like having security cameras on your property; most of the time, nothing is likely to happen, but you want to keep track of activity in the chance that something does happen. This is especially helpful for governments so they can proactively monitor access to sensitive government files, records, systems and databases with regulated information and reactively investigate any security incidents or user access that might be inappropriate.
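As an added example that is not part of this article or of any vendor product, the following Python sketches Steps 1 through 3 as the automated periodic access review recommended above: each asset is classified by the Step 1 questions, each grant is checked against a constructed least-privilege role policy, and a third party holding an employee role is flagged as the incorrect trust relationship described earlier. All asset names, roles and users are constructed sample data.

```python
from collections import namedtuple

# Step 1 inventory record: an access point with the article's risk attributes.
Asset = namedtuple("Asset", "name high_risk low_frequency high_impact")
# Step 2 record: one user's access right; user_type is 'employee' or 'third_party'.
Grant = namedtuple("Grant", "user user_type role asset")

def is_critical(asset):
    """Step 1 test: high risk and accessed at a low frequency, or high impact."""
    return (asset.high_risk and asset.low_frequency) or asset.high_impact

# Step 3: least-privilege policy, constructed for this example: each role may reach
# only the assets listed, and third parties may hold only designated vendor roles.
ROLE_POLICY = {
    "scada_engineer": {"water-plant-ics"},
    "records_clerk": {"citizen-records-db"},
    "hvac_vendor": {"building-hvac"},
}
THIRD_PARTY_ROLES = {"hvac_vendor"}

def review_access(assets, grants):
    """Periodic access review: flag grants to critical assets the holder's role does
    not justify, and third parties holding employee roles (incorrect trust)."""
    critical = {a.name for a in assets if is_critical(a)}
    findings = []
    for g in grants:
        if g.asset in critical and g.asset not in ROLE_POLICY.get(g.role, set()):
            findings.append((g.user, g.asset, "excess access to critical asset"))
        if g.user_type == "third_party" and g.role not in THIRD_PARTY_ROLES:
            findings.append((g.user, g.asset, "third party holds employee role"))
    return findings

# Constructed sample inventory and grants, not real agency data.
SAMPLE_ASSETS = [
    Asset("water-plant-ics", True, True, True),
    Asset("citizen-records-db", True, False, True),
    Asset("building-hvac", False, False, False),
    Asset("public-website", False, True, False),
]
SAMPLE_GRANTS = [
    Grant("alice", "employee", "scada_engineer", "water-plant-ics"),
    Grant("bob", "employee", "records_clerk", "water-plant-ics"),
    Grant("acme-tech", "third_party", "scada_engineer", "water-plant-ics"),
    Grant("acme-tech", "third_party", "hvac_vendor", "building-hvac"),
]

def run_sample_review():
    """Run the review over the sample data; each finding is (user, asset, reason)."""
    return review_access(SAMPLE_ASSETS, SAMPLE_GRANTS)
```

Each finding is a row for the reviewer to confirm or revoke; a grant that is both outside the role policy and held by a third party produces two rows, one per rule.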

The risk and cost of compromised assets and ransomware attacks are too high a price, and the short-term investment in automating critical access management solutions is worth the longer-term rewards of securing access vulnerabilities and peace of mind. Implementing critical access management could seem like a daunting task, especially for government IT teams that are already burnt out, drained of resources or unsure how to handle the influx of ransomware this year. The good news is there are solutions that exist that automate user access reviews, manage third-party identities, implement ZTNA and MFA methods, and monitor user access sessions. These programs take the heavy lift from government IT, security and compliance teams to make critical access management attainable and to fully secure critical access points.