The EO Compliance Milestone for Multifactor Authentication and Encryption is Fast Approaching

President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity puts security front and center in response to some of the worst cyberattacks against the federal government. To accelerate technology modernization, Section 3 of the EO calls for agencies to expedite the adoption of cybersecurity best practices such as Zero Trust and secure cloud services. It specifically mandates the deployment of multifactor authentication (MFA) and encryption for data at rest and in transit within 180 days, that is, by November 8, 2021. These capabilities are not only essential to good cyber hygiene; they ensure that further security modernization efforts are built on a strong foundation.

Is Your Agency Ready for the Nov. 8 Deadline?

If not, Merlin can help. We have formed strategic partnerships with the world’s best-in-class cybersecurity brands to bring market-leading solutions to our customers. Our research has identified four vendors that can immediately help you with MFA and data encryption requirements: Okta, CyberArk, Silverfort, and Netskope.

Okta – One Trusted Platform to Secure Every Identity

The Okta Identity Cloud is a secure, reliable, and scalable platform for identity management. It gives agencies a universal directory with which to secure their users and connect them to technology and applications anywhere, anytime, and from any device. Okta Adaptive MFA addresses the limitations of legacy, stand-alone MFA products by combining enterprise-grade security with a good user experience: policy-driven contextual access management, single sign-on to on-prem and cloud applications, support for a broad set of modern factors, large-scale analytics, and built-in integrations with the applications and VPNs that organizations need to protect. Agencies can use Okta’s out-of-the-box functionality to provide seamless access for an extended workforce of employees, partners, and contractors, or use Okta’s user management, authentication, and authorization APIs in their own citizen-facing applications.

CyberArk – Privileged Access Management for Critical and High-value Assets

CyberArk is a global leader in privileged access management (PAM), a critical layer of IT security that protects data, infrastructure, and assets across the enterprise, in the cloud, and throughout the DevOps pipeline. The CyberArk Core Privileged Access Security Solution helps federal agencies centrally secure and control privileged account credentials and access rights, proactively monitor privileged account activity, identify suspicious activity, and respond quickly to threats. Designed for security, interoperability, and scalability, the single-platform solution offers a wide variety of out-of-the-box integrations and automatically produces documented, auditable proof of compliance. Automated rotation of privileged credentials (passwords and SSH keys) or just-in-time privileged access eliminates time-consuming and error-prone administrative tasks.

Silverfort – Agentless Multifactor Authentication and Zero Trust

Silverfort offers an agentless and proxyless authentication platform that lets government agencies achieve secure authentication and a Zero Trust environment in a holistic, non-intrusive way. The platform extends multifactor authentication, risk-based authentication, and Zero Trust policies in a unified, AI-driven manner across all devices, enterprise networks, and environments, both on-prem and in the cloud, without modifying endpoints or servers. This includes systems that could not be protected before, such as homegrown applications, legacy systems, IT/OT infrastructure, file shares, command-line tools, and machine-to-machine access. Agencies can use either Silverfort’s own MFA or integrations with leading MFA providers (Microsoft, Okta, Ping, Yubico, Duo, RSA, and others). By monitoring all human and machine access requests, analyzing risk and trust levels, and applying adaptive risk-based authentication policies, Silverfort allows agencies to detect and prevent unauthorized access and identity-based attacks, and to meet industry regulations.

Netskope – Automatic, Transparent, Powerful Encryption

Netskope uses encryption and tokenization to protect structured and unstructured data in the cloud. Netskope encrypts structured data at rest and in transit to sanctioned cloud services using its native format-preserving encryption. Agencies can use pre-built integrations with cloud service providers through bring-your-own-key (BYOK) capabilities. Encryption can also be applied as a policy action through API protection, encrypting selected files stored in sanctioned cloud services such as Office 365 and Box. Netskope supports the Key Management Interoperability Protocol (KMIP), allowing agencies to retain control of their encryption keys. Its key management uses NIST-approved AES-256 encryption and a FIPS 140-2 Level 3 certified key management service backed by a hardware security module. Netskope Encryption operates automatically, transparently encrypting and decrypting data behind the scenes so that users get safe, seamless access to cloud services.

***

The Cybersecurity Executive Order comes at a time when government agencies are increasingly being disrupted by cyberattacks and takes an ambitious approach with aggressive timelines on policies, procedures, and technology modernization initiatives. For help on navigating the key requirements, deadlines, and solutions, we encourage you to visit our EO Resource Center. Please reach out to learn more about what Merlin Cyber can do for your agency.

Enhancing software supply chain security

The Secretary of Commerce must solicit input from the federal government, the private sector, academia, and other appropriate actors to identify existing, or develop new, standards, tools, and best practices for complying with the secure software development standards and procedures identified in President Biden’s Executive Order (EO) on cybersecurity. The scope of the EO’s Section 4 on the software supply chain focuses in particular on the ability of software manufacturers and developers to validate all components of the sub-systems that support their offerings. It also focuses on best practices for assessing the risk of included components, whether in source, object, or executable form, that cannot be verified or validated to their true origins. Furthermore, the EO solicits guidance from industry, including best practices for identifying breaches in the management of the software supply chain, and allows multiple agencies to receive such alerts and ingest the resulting threat data into their systems, enabling analysis at a much greater velocity than has been achieved before.


Whether it is an entire platform or a single library, the software lifecycle starts with one or more use cases. First, a design specifies features and functions that address the use case and meet the financial goals of the organization. Next, the solution is vetted and management accepts the cost of developing the software. Engineers then combine reusable objects (development libraries, OS libraries, compilers, web services, databases, and so on) with their own code to produce a release candidate. Along the way, documentation of both the successful and the not-so-successful development efforts is compiled. Once the candidate is deemed viable, it is tested, and depending on the outcome of the testing, it is officially released. The release can then be sold, distributed, and delivered to consumers in many forms.

With so many moving components to the software lifecycle, threats can enter the solution at multiple phases. An approach to addressing security vulnerabilities within a software supply chain will need to:

  • Adopt a policy of promptly identifying and acting on security vulnerability indicators and warnings
  • Alert on elevation of access during the composition and execution of an offering, so that unexpected privilege cannot silently introduce vulnerabilities
  • Produce both positive and negative artifacts (records of success and failure) throughout the software supply chain process; the captured events can be shared and readily imported into any consumer data lake for risk analysis

Working from the broad view of the software supply chain down to the specifics, a security solution should start with a policy for a proper build cycle that produces artifacts recording the success and failure of build, test, and deployment. These artifacts are the cornerstone on which a risk assessment can be made. Additional components necessary to mitigate supply chain risk include a vulnerability assessment of the target solution and of the target platform. Looking more closely at what glues the solution together, static and dynamic code analysis tools should also be used during the overall build and test process to mitigate the risk of passing unforeseen vulnerabilities downstream to the consumer. Examining what comprises a solution should not stop at the application itself but should extend to the transitive (second- and third-level) dependencies on which it depends.

Vulnerabilities can present themselves in many ways, and a vulnerability scanning tool used during the testing process helps mitigate that risk. The scope of the scan must cover all components above and below the solution in the stack so that the risk assessment reflects the full exposure. As these lower-level components are pulled in, additional policy for software supply chain validation needs to be enforced. Sub-systems and repository sources need appropriate attestation of their validity, which can be achieved with cryptographic mechanisms (pinned digests and signatures) that verify component integrity before the component is used. Because sub-systems also rely heavily on platform-as-a-service (PaaS) technology, consideration should be given to vetting the provenance of platform components, including validation of OS and container images.
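The following is an added example, not code from the original page or from any vendor it mentions, of the component-integrity check and the success/failure artifacts the two preceding paragraphs describe. It pins each component to a SHA-256 digest in a lock-file-style manifest (the manifest format, the component names, and the byte contents are all constructed for illustration), verifies a set of fetched components against those pins, and emits one JSON record per component so the outcome, positive or negative, can be shipped to a data lake. It goes a little beyond the text by also flagging components that were fetched without a pin and pinned components that never arrived, since both are supply chain findings in their own right.

```python
"""Pinned-digest verification of build components with JSON-lines verdict artifacts.

Added example; the manifest format and every component below are constructed
for illustration and are not a real package, lock file, or vendor product.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Tuple

ComponentKey = Tuple[str, str]  # (name, version)

# Digest algorithms we refuse even though hashlib knows them.
WEAK_ALGOS = {"md5", "sha1"}


@dataclass(frozen=True)
class Verdict:
    """One verification artifact; status is ok, digest-mismatch, unpinned or missing."""
    name: str
    version: str
    status: str
    expected: Optional[str]
    actual: Optional[str]


def digest(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


def write_manifest(components: Dict[ComponentKey, bytes]) -> str:
    """Pin known-good components: one 'name version algo:hexdigest' line each."""
    lines = [f"{name} {version} sha256:{digest(data)}"
             for (name, version), data in sorted(components.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Dict[ComponentKey, Tuple[str, str]]:
    """Parse pins; reject malformed lines and weak or unknown digest algorithms."""
    pins: Dict[ComponentKey, Tuple[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not line:
            continue
        try:
            name, version, pinned = line.split()
            algo, hexdigest = pinned.split(":", 1)
        except ValueError:
            raise ValueError(f"manifest line {lineno}: malformed entry {raw!r}")
        if algo in WEAK_ALGOS or algo not in hashlib.algorithms_available:
            raise ValueError(f"manifest line {lineno}: unsupported digest algorithm {algo!r}")
        pins[(name, version)] = (algo, hexdigest.lower())
    return pins


def verify(manifest_text: str, fetched: Dict[ComponentKey, bytes]) -> List[Verdict]:
    """Compare every pinned and every fetched component; never silently skip either side."""
    pins = parse_manifest(manifest_text)
    verdicts: List[Verdict] = []
    for key in sorted(set(pins) | set(fetched)):
        name, version = key
        if key not in pins:  # arrived, but nobody vouched for it
            verdicts.append(Verdict(name, version, "unpinned", None, digest(fetched[key])))
            continue
        algo, expected = pins[key]
        if key not in fetched:  # vouched for, but never arrived
            verdicts.append(Verdict(name, version, "missing", expected, None))
            continue
        actual = digest(fetched[key], algo)
        # Digests are public, so constant-time comparison is habit rather than necessity.
        status = "ok" if hmac.compare_digest(actual, expected) else "digest-mismatch"
        verdicts.append(Verdict(name, version, status, expected, actual))
    return verdicts


def to_jsonl(verdicts: List[Verdict]) -> str:
    """Serialize verdicts as JSON lines, the shape a data lake ingest expects."""
    return "\n".join(json.dumps(asdict(v), sort_keys=True) for v in verdicts)


def build_passes(verdicts: List[Verdict]) -> bool:
    """The build proceeds only when every component is present, pinned and unaltered."""
    return all(v.status == "ok" for v in verdicts)


# Constructed known-good build inputs (placeholder bytes standing in for archives).
GOOD_BUILD: Dict[ComponentKey, bytes] = {
    ("libparse", "1.4.2"): b"libparse 1.4.2: constructed placeholder archive bytes",
    ("netutil", "0.9.0"): b"netutil 0.9.0: constructed placeholder archive bytes",
    ("zlibshim", "2.1.0"): b"zlibshim 2.1.0: constructed placeholder archive bytes",
}


def demo_verdicts() -> List[Verdict]:
    """Simulate a later fetch where one component is altered, one is absent, one is extra."""
    manifest = write_manifest(GOOD_BUILD)
    fetched = dict(GOOD_BUILD)
    del fetched[("zlibshim", "2.1.0")]                                           # missing
    fetched[("netutil", "0.9.0")] = b"netutil 0.9.0: tampered archive bytes"     # mismatch
    fetched[("leftpad", "1.0.0")] = b"leftpad 1.0.0: unexpected extra dependency"  # unpinned
    return verify(manifest, fetched)


if __name__ == "__main__":
    results = demo_verdicts()
    print(to_jsonl(results))
    print("build passes:", build_passes(results))
```

The manifest should itself be signed or stored in a tamper-evident location, since an attacker who can alter the pinned digests defeats the check; that signature step is outside this example. Running the script prints four records, of which only libparse reports ok, and the build is refused.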

Merlin Labs builds Proof of Concept integrations with several best-in-class cybersecurity partners which demonstrate market-leading solutions to difficult real-world problems, including supply chain security. Some of these tools address CI/CD DevSecOps, application security, and application access management. For example, the combination of CyberArk and Contrast Security can help federal agencies meet the EO’s Section 4 requirements.

CyberArk’s Privileged Access Security / Application Access Manager is a critical piece of the puzzle. By enforcing least privilege down to the application layer, it manages access control and applies threat analysis based on behavior observed from within applications. Adding Contrast gives software providers real-time remediation guidance and attack protection through inline instrumentation, recovering time to market that would otherwise be lost to risks introduced by coding practices or dependent modules. With these and other partner solutions, Merlin offers comprehensive solutions for securing the software supply chain.

Mission-ready: Standing alongside government and our partners to deliver on the cybersecurity Executive Order

The Cybersecurity Executive Order (EO) comes at a time when government, businesses, and our way of life are increasingly being disrupted by cyberattacks. It is no wonder that the EO takes an ambitious and comprehensive approach with aggressive timelines on policies, procedures, and technology modernization initiatives. The 7 key sections of the EO reveal two consistent themes: 1) Improve public-private collaboration and 2) Accelerate modernization.

Improve public-private collaboration

We can’t succeed without each other.
The EO makes it clear that in order to succeed in defending against today’s threats, the government and the private sector must further strengthen their collaboration. While this public-private partnership has always existed, barriers still exist that create challenges with information-sharing, effective collaboration, and accountability.

The importance of close collaboration became more evident with the recent SolarWinds software supply chain compromise and the Microsoft Exchange Server zero-day vulnerabilities. In the SolarWinds attack, it was a private cybersecurity firm’s detection that initially exposed a highly sophisticated campaign that may have begun several months before it was detected. The firm reported it days later to government and law enforcement, who then mobilized their incident response.

An even more dangerous vulnerability was discovered just weeks later. With the Microsoft Exchange Server vulnerability potentially impacting hundreds of business systems, the FBI took the unprecedented action of remotely accessing these private servers to remove a web shell backdoor program used by attackers.

The rapid pace of technological innovation and the government’s increasing reliance on technology to deliver on its mission bring to light the need for closer partnership between the private and public sectors.

Accelerate modernization

We need to move faster. When it comes to cybersecurity, speed is vital. The ability to rapidly detect threats and respond to incidents is necessary to maintain continuity of business, and it is often the measure of effective security operations. The EO recognizes that for government to keep pace with its adversaries, it needs to accelerate technology modernization.

The EO recommends that government agencies expedite the use of cloud services to quickly and securely move towards a more resilient cybersecurity architecture. Similarly, the EO requires improvements to agencies’ security operations and their ability to identify, detect, and respond to vulnerabilities and incidents.

It is worth noting the focus on zero trust architecture and on the capabilities of multi-factor authentication (MFA) and data encryption. These capabilities are essential to good cyber hygiene, and they ensure that additional security modernization efforts are built on a strong security foundation. Identity security and data security are the cornerstones of an effective zero trust strategy.

How can Merlin help?

The 7 key sections of the EO reveal logical intersections between the two objectives of improving public-private collaboration and accelerating modernization. As we analyze the EO’s requirements to determine how we can best serve government and industry, we find that these intersections present opportunities to gain efficiencies and maximize the results of our efforts.

diagram showing how the executive order addresses collaboration and modernization

At Merlin, we believe that we are well-positioned at these intersections. With industry-leading partners, innovative solutions, and a secure cloud platform, Merlin can help the government with modernization, secure cloud adoption, and security operations. 

Converging at the nexus of security and cloud

The EO requires agencies to prioritize cloud technologies as a faster path towards modernization and zero trust architecture. At Merlin, we offer cloud-based identity security, endpoint security, and data security solutions. Since these solutions are delivered from the cloud, they are quick to deploy and provide rapid time to value. Our identity security solutions enable adaptive MFA and risk-based authentication to all assets on the network. To protect high-value assets, we secure privileged credentials with comprehensive privileged access management.

To secure agencies’ journey to the cloud, we offer cloud security solutions that secure cloud access and protect critical applications across the cloud infrastructure. Cloud has expanded the network perimeter and has become one of the key drivers for the move towards zero trust architecture. At Merlin, we take a holistic approach to zero trust architecture, applying zero trust security principles to all endpoints, applications, and identities. Under this model, user and network access is granted on a least-privilege basis and continuously verified, and resources are protected with granular controls and automated remediation that continuously enforces zero trust principles.

We follow these core tenets to ensure zero trust is applied across the different layers of your infrastructure:

  • Identity as a Perimeter
  • Least Privilege
  • Intrinsic Workload Security
  • Micro-segmentation
  • Integration & Automation
  • Security Analytics

With zero trust security applied throughout the network, agencies can greatly improve the effectiveness of their security operations. The EO requires that agencies implement endpoint detection & response (EDR), logging, and standardized playbooks. At Merlin, we offer solutions for security operations that help our customers apply security analytics and automation to quickly identify and respond to threats and anomalous network activity.

Our cloud-based EDR collects host-based telemetry data for expanded visibility and control of endpoints. Combining threat intelligence data and deep analytics, threat hunting teams can use the cloud-scale data lake to proactively hunt for threats on the network. Security orchestration, automation & response (SOAR) enriches EDR data with additional telemetry data from SIEM, network threat detection, threat intelligence, and other sources, providing better contextual information on incidents and threats. 

FedRAMP acceleration

To stay one step ahead of adversaries, agencies must continue to adapt and thrive in a dynamic and evolving threat landscape. Merlin continuously analyzes the cybersecurity landscape for emerging technologies and innovative solutions to help our customers with their toughest cybersecurity challenges. Cloud has proven to be an effective way for cybersecurity companies to deliver their software quickly, and for agencies to consume it more easily.

Earlier this year, Merlin Cyber launched Constellation GovCloud, a FedRAMP managed service offering that accelerates our OEM partners’ journey towards FedRAMP authorization. This turnkey, platform-as-a-service built on AWS GovCloud reduces the costs and complexity of FedRAMP by meeting nearly 80 percent of the controls.

diagram showing how Constellation GovCloud benefits both government and OEM companies

As more stringent requirements are placed on software OEMs to comply with secure software development and testing practices, OEMs are looking for more effective ways to attest to and demonstrate conformity. Non-compliance can mean removal from government contracting vehicles. Pursuing FedRAMP authorization therefore becomes a viable strategy for demonstrating compliance. By building on a FedRAMP authorized cloud service, OEMs inherit the baseline security controls and continuous monitoring functions that FedRAMP prescribes for the IaaS and PaaS layers, which gives them a documented foundation on which to demonstrate compliance with the software security requirements in the EO.

Constellation GovCloud benefits our OEM partners with a path towards FedRAMP authorization and the software security compliance that comes along with FedRAMP. At the same time, government benefits from access to a growing number of secure, software-as-a-service cloud solutions.

Winning the battle requires strategy and execution

For nearly 25 years, Merlin has delivered innovative solutions that help our clients reduce security risk and simplify IT operations. We continue to transform our business to ensure that we are constantly delivering value to our clients. Delivering value is in our DNA.

We formed strategic partnerships with the world’s best-in-class cybersecurity brands to provide our clients with solutions they know and trust. Today, we partner with market-leading and trusted cybersecurity vendors such as CyberArk, Darktrace, Netskope, Okta, and Swimlane. We launched Constellation GovCloud to accelerate our OEM partners’ journey towards FedRAMP, and to expand their routes to opportunities in federal. In these unprecedented times for cyber defenders, Merlin stands ready to partner with government and industry to face these challenges.