The Colonial Pipeline hack, which caused the largest pipeline shutdown in U.S. history, was just one of many recent ransomware attacks on our nation’s hospitals, financial institutions, and critical infrastructure. Can government IT departments alone protect public infrastructure from these malicious attacks, ransomware, and the disruptions that follow? President Biden’s executive order on improving the nation’s cybersecurity addresses this question, describing likely security gaps and the technologies that can close them. The order details specific types of technology, good security practices, and other ways in which the federal government and the private sector can come together to combat cyberattacks.
The president’s order states that the U.S. “faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the security and privacy of the American people.” And while the order states that “protecting our nation from malicious cyberattacks requires the federal government to partner with the private sector,” it implies that the private sector must adopt the strongest and most transparent protections available, whatever their origins may be. This can accelerate the shift from proprietary commercial technology to open source software. Only by collaborating and innovating together can we bring all the best ideas to the table and examine their strengths and weaknesses. It is unrealistic to think that any individual, company, or government department can imagine every line of attack or write impenetrable code to defend against all of them.
The president writes that the government “must adopt best security practices; move towards Zero Trust Architecture; accelerate movement to protect cloud services.” The order describes security best practices such as authentication, authorization, encryption, and consistent policies and controls. However, modern application networks and cloud-based platforms make the challenge harder. As applications migrate to hybrid and multi-cloud environments, to microservices instead of monoliths, and to containers instead of bare metal or virtual machines, building a zero-trust application network becomes complicated. Not every application can be upgraded at once, so security professionals need a way to cover both modern and legacy platforms.
Open source software is a potential solution, because it gives many parties a mechanism to work together and protect applications even in the most diverse environments. Consider two examples: API gateways and service meshes. The most popular API gateways that span both Kubernetes and traditional environments are built on the open source Envoy Proxy, a project of the Cloud Native Computing Foundation (CNCF). Likewise, the most feature-rich service meshes are built on open source Istio. Both projects benefit from many hands adding security features and many eyes watching for vulnerabilities. A further benefit is that any party acting in bad faith and trying to slip in a back door is far less likely to go unnoticed.
We see the best results when many parties start from open source and improve it further. For example, to protect incoming traffic, an application programming interface (API) gateway also acts as the gatekeeper in a zero-trust architecture: it receives traffic, screens it, and routes only cleaned traffic to the appropriate applications. The open source Envoy Proxy provides mutual Transport Layer Security (mTLS) encryption, secret management, and access logging. Some vendors have hardened it further by adding to Envoy a web application firewall (WAF), data loss prevention (DLP), extensible certificate-based authentication, federated role-based access control (RBAC), delegated authorization via OPA (Open Policy Agent, an open source component), and vulnerability scanning. They also provide the adaptability to work with existing authentication tools, such as API keys, JSON Web Tokens (JWT), LDAP, OAuth, OIDC, and whatever else is already installed. It is not that government organizations or well-resourced companies cannot build their own custom improvements in these areas given enough time and effort, but it is much easier and faster for everyone to work together. Commercial software also has a role to play. In other words, starting with open source, making it more secure, and offering it back to the community improves everyone’s coverage.
Similarly, for a service mesh that manages internal communications between microservices and legacy applications, building on open source Istio offers much more robust functionality. Out of the box, open source Istio already provides features such as encryption and isolation, but that is not enough to cover every attack vector. Again, some vendors have built on the strengths of the Istio project to add improvements such as federated trust domains, multi-tenancy support, and denial of service (DoS) protection with features such as advanced rate limiting and global failover routing to other resources when necessary. Access to forensic logs and full, real-time observability through a central dashboard using tools like Prometheus or Grafana (again, both with open source foundations) help round out the security capabilities and make the service mesh compliant with Federal Information Processing Standards (FIPS).
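The zero-trust controls described for the gateway and the mesh above (mTLS between workloads, JWT validation at the edge, and deny-by-default authorization) can be expressed declaratively in Istio. The following is an added illustration, not configuration from the original article or from any vendor product; the namespace `payments`, the service account, the issuer and the JWKS URL are placeholder assumptions.

```yaml
# Added example: three Istio resources that together enforce zero trust
# for a hypothetical "payments" namespace. All names and URLs are assumed.

# 1. Require mutual TLS for every workload in the namespace, so plaintext
#    traffic from a legacy or unmeshed client is rejected by the sidecar.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: strict-mtls
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# 2. Validate end-user JWTs against the organisation's identity provider
#    (placeholder issuer and JWKS endpoint). Requests with an invalid
#    token are rejected; requests with no token pass here but are caught
#    by the authorization policy below.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: jwt-validation
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments-api
  jwtRules:
    - issuer: "https://idp.example.invalid/"        # assumed placeholder
      jwksUri: "https://idp.example.invalid/jwks"   # assumed placeholder
---
# 3. Deny by default: only the ingress gateway's identity (mTLS principal)
#    carrying a validated JWT may call the read-only endpoints.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: payments-api-allow
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments-api
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway"]
            requestPrincipals: ["https://idp.example.invalid/*"]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/api/v1/accounts/*"]
```

Because an ALLOW policy with a selector denies everything it does not list, a request lacking a valid token (no `requestPrincipal`) or arriving from any other workload identity is rejected, which is the deny-by-default behaviour zero trust calls for.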
We can protect our nation’s infrastructure, but no single group can do it alone. If experts from public and private sector organizations, together with white hat enthusiasts, come together, we will all be safer. Collaboration drives innovation, and in the field of security the resulting solutions benefit us all.