" zero trust Archives - LuxSci

Posts Tagged ‘zero trust’

Implementing Zero Trust Architecture

Tuesday, March 8th, 2022

The US Government has released its zero trust strategy to help government agencies implement zero trust architectures. It requires federal agencies to meet certain standards before the end of the 2024 fiscal year.

zero trust architecture

The zero trust strategy aims to improve the nation’s security posture and reduce the potential harms from cyber attacks. It assumes that attackers cannot be kept outside of network perimeters and sensitive data should be protected at all times.

The move toward zero trust architecture is a significant undertaking for the federal government, and this strategy aims to outline a common path for agencies to take, as well as limit uncertainty about transitioning.

It will require agency heads to partner with IT leadership in a joint commitment to overhaul the current security architecture and move toward a zero trust model. The strategy encourages agencies to assist each other as they work to implement zero trust architecture, exchanging information and even staff where necessary. Ultimately, the zero trust strategy aims to make the federal agencies stronger and more resilient against cyber attacks.

What Does The Zero Trust Architecture Strategy Include?

The Cybersecurity and Infrastructure Security Agency (CISA) created a zero trust maturity model to guide the strategy. The model contains five pillars including:

  • Identity
  • Devices
  • Networks
  • Applications and Workloads
  • Data

There are also three themes that cut through each of these areas:

  • Visibility and Analytics
  • Automation and Orchestration
  • Governance

Identity

First, the strategy includes a number of identity-related goals. Federal agencies must establish centralized identity-management systems for their employees. These systems must integrate with common platforms and applications.

Another core goal is for agencies to use strong multi-factor authentication throughout the organization. However, it must be enforced at the application layer rather than at the network layer. Password policies no longer require the use of special characters or frequent password changes.

The new strategy will also require that user authorization also incorporates at least one device-level signal. This could include confirming the device is authorized to access the application and has up-to-date security patches.

Devices

Under the Devices pillar, federal agencies must participate in CISA’s Continuous Diagnostics and Mitigation (CDM) program. This allows them to create reliable asset inventories. The other major goal is for each agency’s Endpoint Detection and Response (EDR) tools to be deployed widely and to meet CISA’s technical requirements.

Networks

Among the network-related measures, agencies need to use encrypted DNS to resolve DNS queries wherever it is technically supported. They must also force HTTPS for all web and API traffic. On top of this, agencies also need to submit a zero trust architecture plan that includes their approach to environmental isolation to the Office of Management and Budget.

Applications and Workloads

In addition, there are a number of application and workload-related goals for agencies, including:

  • Operating dedicated application security testing programs.
  • Undergoing third-party application security evaluations.
  • Running a public vulnerability disclosure program.
  • Working toward deploying services that employ immutable workloads.

Data

When it comes to data, agencies must follow a zero trust data security guide created by a joint committee made up of Federal Chief Data Officers and Chief Information Security Officers. Agencies must also automate data categorization and security responses, with a focus on tagging and managing access to sensitive documents. They must also audit any access to encrypted data in commercial cloud services. Another goal is for agencies to work alongside CISA to implement logging and information sharing capabilities.

Zero Trust Architecture and the Future

The federal government isn’t just pushing toward a zero trust architecture model as a fun new hobby. Instead, it is a response to the increasing sophistication of cyber attacks, especially those originating from nation-state level groups.

These complex and well-resourced cyber attacks aren’t only a threat to government agencies. Other organizations face similar threats in the ever-changing threat landscape. The reality is that businesses also need to move toward the zero trust model in order to effectively defend themselves in the future.

LuxSci can help your organization make the change through services such as our zero trust email options, or our zero trust dedicated servers. Contact our team to find out how LuxSci can help your organization prepare for a zero trust future.

5 New Year’s Resolutions to Improve Your Cybersecurity

Tuesday, January 4th, 2022

Happy New Year! Start the year off by making a New Year’s resolution to improve your cybersecurity. Here is LuxSci’s list of what your organization needs to do to prepare for the new year.

cybersecurity new year’s resolution

Read the rest of this post »

2021 Year in Review

Tuesday, December 21st, 2021

As the year draws to a close, it’s a good time to take a look back. In this 2021 Year in Review, we analyze the most important developments in cybersecurity, as well as the major information security threats.

2021 year in review

2021 Year In Review: The Impact Of Coronavirus

As we entered year two of the coronavirus pandemic, we are still dealing with the fallout. The work-from-home model spurred on by COVID-19 presented a significant shift for the workplace and the way we use technology. The emergence of the Delta and Omicron variants wreaked havoc with plans to return to the office. As a result, many roles permanently shifted to full-time remote work. Still, other companies returned to the office and are managing a hybrid model. There are far more work-from-home opportunities than were available in the pre-pandemic world.

This has significantly altered the threat landscape. Organizations need to acknowledge that remote work is here to stay. As a result, they should update their security plans and invest in the equipment needed to enable secure remote work.

In addition, there have been a host of COVID-19-related threats that we have had to remain vigilant against. These have ranged from fake COVID-19 medication websites that suck up sensitive data, to malware loaders that use pandemic-related topics as a smokescreen. The most effective threats often utilize social engineering and the anxiety caused by COVID-19 is a benefit to cybercriminals.

The good news is that these threats seem to be going down, with Trend Micro finding about half the number of COVID-19-related threats in the first half of 2021 as they did in the beginning of 2020. However, this does not mean that overall cyberthreat levels are decreasing. Instead, it’s likely that attackers are simply moving on to other deception techniques.

2021 Year In Review: Ransomware

Trend Micro reported that ransomware detections have halved from 14 million in the first 6 months of 2020, to 7 million between January and June in 2021. However, it doesn’t mean that the threat is going away. The company’s report finds that attackers are adopting a targeted approach that aims for high rewards, as opposed to pursuing as many victims as possible. Indeed, we saw attacks on critical infrastructure this year that garnered national attention. The Colonial Pipeline, JBS Foods, and the Kayesa ransomware attacks were just a few that made headlines in 2021.

Figures from Palo Alto Networks show that ransomware payouts are rising. The average ransomware payment rose from $312,000 in the first six months of 2020 to $570,000 in the first half of 2021. The FBI was able to recover some ransomware payments from cryptocurrency wallets this year, but only in a small fraction of cases.

Trend Micro also noticed an increase in modern ransomware attacks that involve more sophisticated methods of infection. As ransomware threats get more sophisticated, make sure your cybersecurity program is keeping up. Annual reviews, training, and investment in cybersecurity are crucial to keep your business protected.

2021 Year In Review: Zero Trust Architecture

One of the more positive developments in cybersecurity has been the move to Zero Trust Architecture. This approach was spurred on by a government initiative that aimed to boost America’s cyberthreat resilience. The initiative also included plans to modernize the federal cybersecurity environment.

Under the plan, each agency head was required to develop plans for implementing Zero Trust Architecture according to guidelines set out by the National Institute of Standards and Technology (NIST). The government is continuing to invest more in cybersecurity as a part of America’s national defense. It’s likely we will see increased funding for such initiatives in 2022.

Zero Trust Architecture quickly caught on across all industries. It is an approach that assumes an organization’s own network is not safe from cyberthreats. This security model accepts that attackers may already be inside the network and involves creating trust zones of access which are as small as possible. The approach reduces the potential impacts of an attack. Limited trust zones prevent bad actors from accessing all of a network’s systems and data.

Stay Safe in the Future With LuxSci

The last 12 months have brought a lot of changes to the cyber landscape. One thing that always stays consistent is the tenacity of attackers in coming up with new ways to circumvent cyberdefenses.

Amid our ever-changing tech environment and the constant wave of novel attacks, the only way for companies to effectively defend themselves is with a cybersecurity partner like LuxSci. Contact us now to find out how our services can help to protect your organization from threats in 2022 and beyond.

Should your web site database have its own dedicated server?

Tuesday, August 24th, 2021

Should you have separate dedicate servers or clusters for your web site and database? It comes down to your security and reliability needs. What are the pros and cons of each scenario? Is it worth the expense? We shall delve into these business-critical questions in this article.

 dedicated web site database

Let’s look at the security and reliability impact of the various common configuration choices.

Read the rest of this post »

Zero Trust Email

Tuesday, July 20th, 2021

Our third article on Zero Trust Architecture covers zero trust email and the systems it requires. In May, the Biden Administration announced a new approach to cybersecurity that included a push toward Zero Trust Architecture. We have already covered Zero Trust Architecture as a whole, and also talked about how dedicated servers are important parts of the zero trust model. Now, it’s time to talk about zero trust email.

zero trust email

Zero Trust Email and Encryption

As we discussed in our previous articles, Zero Trust Architecture begins with the presumption that an organization’s network may not be secure. Because attackers may already be inside the network, NIST stipulates that:

“…communication should be done in the most secure manner available… This entails actions such as authenticating all connections and encrypting all traffic.”

This means that emails always need encryption. While many organizations recognize external threats and encrypt their sensitive external communications, it’s still common for workplaces to use unencrypted communication methods within the company network. This is generally done under the outdated assumption that the internal network is secure.

Zero Trust Architecture understands that any attacker within the network could easily read these communications. This is why zero trust email needs to be encrypted, even when it’s within an organization’s private network. One step in this direction is to force TLS for email encryption for all entities.

The zero trust model also requires encryption at rest, so emails also need to be protected in storage, not just in transmission.

Authentication and Zero Trust Email

NIST’s publication on Zero Trust Architecture also stipulates that:

“Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before the access is granted. Access should also be granted with the least privileges needed to complete the task.”

When it comes to zero trust email, this means that sensitive messages require authentication and authorization to be read. TLS encryption alone is not sufficient, because it doesn’t have the full capability for this type of verification. While it does allow authentication and authorization on the recipient’s email account, it cannot do so on the raw message data.

LuxSci supports:

  • Sender Policy Framework (SPF) – This is a system for email authentication that can detect forged sender addresses. Due to its limitations, it is best to complement it with other email authentication measures.
  • DomainKeys Identified Mail (DKIM) – This authentication method can detect email spam and phishing by looking for forged sender addresses.
  • Domain-based Message Authentication Reporting and Conformance (DMARC) – This email authentication protocol complements SPF, allowing it to detect email spoofing. It helps to protect organizations from phishing, business email compromise attacks, and other threats that are initiated via email.

Each of these email authentication measures are useful for verifying sender identities. LuxSci also offers premium email filtering, and together these techniques limit the trust that is applied to inbound messages.

Together, these techniques identify legitimate email messages while filtering out those that are unwanted or malicious. While it isn’t directly stated in the NIST guidelines, SPF, DKIM and DMARC can all be integral parts of the zero trust framework.

Access Control and Zero Trust Email

In addition to measures for encrypting messages and verifying inbound emails, zero trust email requires granular access controls to keep out intruders. LuxSci’s Secure Email Services include a wide range of access controls that limit unauthorized access while still making the necessary resources available. These include:

  • Two-factor authentication
  • Application-specific passwords
  • Time-based logins
  • IP-based access controls
  • APIs that can be restricted to the minimum needed functionality

These configuration options help reduce the likelihood that a malicious actor can access your systems. They also limit the sensitive email data that an attacker may have access to if they do manage to compromise an organization’s network.

LuxSci’s Zero Trust Email

As a specialist provider in secure and compliant services, LuxSci’s offerings are well-positioned as zero trust email solutions. Our Secure Email aligns with Zero Trust Architecture for every industry vertical, not just HIPAA. Contact our team to find out how LuxSci can help secure your organization with a zero trust approach.