
No Inherent Trust?

The ingenuity of cyber-attacks is increasing every day, and each organization must have that same thought process when conceptualizing a Zero Trust environment.


By Ryan Ahearn, Chris Noel, Cara Swann, and Tiara Williams

John Kindervag, Senior Vice President of Cybersecurity Strategy and ON2IT Global Fellow, said, “Zero Trust doesn’t say that employees are untrustworthy… trust is a concept that information security pros should not apply to packets, network traffic, and data.” We think this sums up Zero Trust perfectly.

What is Zero Trust?

How can you ensure your organization is Zero Trust-compliant? Zero Trust can be defined as an information security model, approach, or framework that secures an entity from the inside to the outside of the perimeter. This ideology forces organizations to develop new and more secure paradigms to achieve a shielded environment.

Changing the trust model should lower the likelihood of insider abuse and enhance an organization’s view of its network so it can identify vulnerabilities before they are exploited. Although purchasing an all-in-one product would be convenient, Zero Trust is not as simple as encrypting all traffic, having enforcement points, shifting to attribute-based access control (ABAC), or validating application security. Rather, it is a complete overhaul of traditional network setups. The National Institute of Standards and Technology’s (NIST) ideal architecture contains three areas: “access actor, policy enforcement point (comprising a policy engine and a policy administrator), and the enterprise resource.”(1) Therefore, it is a matter of system architecture and corporate governance in addition to security.

What governs Zero Trust?

Since 2019, the Cybersecurity and Infrastructure Security Agency (CISA) has issued 10 emergency directives to address active cyber threats. One of the most high-profile directives was in response to the SolarWinds exploit. This vulnerability allowed threat actors to penetrate the networks of hundreds of organizations across the Government and private industry and was one of the most significant breaches in United States history.

As cyber threats continue to evolve, so does the Federal workspace. According to a recent Government Accountability Office (GAO) report (2), all surveyed agencies reported an increase in telework hours during the Coronavirus Disease 2019 (COVID-19) pandemic. While working from home can provide convenience and increased productivity, this transition to a remote environment presents increased cybersecurity threats. These are caused by additional connections to devices outside the agency network, phishing and social engineering attempts, and access to resources outside of the agency office space.(3)

The increased cyberthreats are a priority at the highest levels of the Government. Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” was issued on May 12, 2021. This EO directs agencies to enact “bold changes” to defend against cyber threats. Among other directives, agencies must move toward Zero Trust Architecture (ZTA). This not only provides agencies with executive action items, but also lists resources for agencies that assist with properly instilling ZTA within that respective agency.

The Office of Management and Budget (OMB) recently issued the Federal strategy (M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles) for implementing ZTA by the end of fiscal year (FY) 2024. To facilitate the transition to ZTA, CISA has drafted a pre-decisional Zero Trust Maturity Model based on the five pillars below to guide agencies in their implementation of ZTA.

[Figure: CISA Zero Trust Maturity Model pillars (image not reproduced)]

Additionally, NIST has published guidance on ZTA, including Special Publication (SP) 800-207: Zero Trust Architecture. NIST SP 800-207 provides those responsible for migrating to ZTA with a basic overview of ZTA. Once agencies familiarize themselves with ZTA, this publication can be used as a reference and checklist to ensure that all components of the ZTA architecture are being met. These components include ZTA variations; trust algorithms; the kinds of threats that could be present in a ZTA environment; the Risk Management Framework/privacy framework; and how to properly deploy, monitor, and continuously expand on ZTA as needs/requirements change. To assist in the implementation of the concepts discussed, NIST published “Planning for a Zero Trust Architecture: A Planning Guide for Federal Administrators” on May 6, 2022 (NIST Cybersecurity White Paper [CSWP] 20). Federal agencies can ensure that no gaps are overlooked and a “never trust, always verify” environment is created by following the requirements included in EO 14028, OMB M-22-09, and NIST SP 800-207.

What are the benefits of Zero Trust?

Once agencies implement ZTA, they will reap its benefits. Zero Trust can dynamically provide access based on policy by using ABAC versus role-based access control (RBAC). Per NIST (4), ABAC “is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes.” For example, when a new employee (or contractor) starts working, they would be assigned a set of attributes when their account is created. Suppose John Smith works for the Office of the Chief Financial Officer (OCFO) as a Budget Analyst. The administrator would create his account based on the policies set up for a Budget Analyst in OCFO, rather than requesting approval for numerous file shares, applications, etc. This allows for flexibility and scalability, and while there is effort required upfront to establish the attribute-based policies, ABAC is easy to maintain.


Zero Trust also reduces lateral movement, thus reducing the attack surface, which, in turn, reduces risk. Lateral movement is the ability of a user to move “freely” around a network once access has been authorized, due in part to the user being trusted once inside the network. Per Verizon’s 2022 Data Breach Investigations Report (DBIR), 73% of breaches resulted from an external attack. Using inherent trust, a threat actor could access a network using a low-level employee’s credentials. While that employee may not have access to the “trophy” the threat actor is looking for, with inherent trust, they have the ability to move around the network to determine where that information is and who can access it. Then, the threat actor can find a way to access the network as the individual with the access they need. Zero Trust does the opposite of this by never trusting and always verifying, ultimately reducing the threat actor’s ability to map out the “trophy.” The ingenuity of cyber-attacks is increasing every day, and each organization must have that same thought process when conceptualizing a Zero Trust environment.
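The two points above, attribute-based policy for the OCFO Budget Analyst and per-request verification that blocks lateral movement, can be shown together in a small policy engine. The following is an added illustration written for this article; it is not Kearney’s code and not a NIST reference implementation. It follows the SP 800-207 shape cited earlier (a policy enforcement point that hands every request to a policy engine), and all users, offices, resources, attribute names and rules in it are constructed for the example.

```python
"""Toy ABAC policy engine in the NIST SP 800-207 shape: a policy enforcement
point (PEP) forwards each request to a policy engine (PE), which evaluates
subject, resource, action and environment attributes against policy.
Added example, not the article's or NIST's code; every name below is
constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    office: str
    role: str
    device_compliant: bool  # device posture, re-checked on every request


@dataclass(frozen=True)
class Resource:
    name: str
    owner_office: str
    classification: str  # "internal" or "restricted"


@dataclass(frozen=True)
class Environment:
    mfa_verified: bool  # environment condition evaluated per request


@dataclass(frozen=True)
class Rule:
    """Allow-rule: every listed attribute must match and the action must be
    in the permitted set. There are no deny-rules because the default is deny."""
    name: str
    subject_attrs: dict
    resource_attrs: dict
    actions: frozenset
    require_mfa: bool = False


# Constructed policy: a Budget Analyst in OCFO is granted read/write on OCFO
# internal files and read-only on OCFO restricted files, the latter only with
# MFA. Nothing is said about other offices' resources, so they are denied.
POLICY = (
    Rule("ocfo-budget-internal",
         {"office": "OCFO", "role": "Budget Analyst"},
         {"owner_office": "OCFO", "classification": "internal"},
         frozenset({"read", "write"})),
    Rule("ocfo-budget-restricted-read",
         {"office": "OCFO", "role": "Budget Analyst"},
         {"owner_office": "OCFO", "classification": "restricted"},
         frozenset({"read"}), require_mfa=True),
)


def _matches(obj, attrs: dict) -> bool:
    """True when every attribute named in the rule equals the object's value."""
    return all(getattr(obj, key) == value for key, value in attrs.items())


def policy_engine(subject: Subject, resource: Resource, action: str,
                  env: Environment, policy=POLICY):
    """Return (allowed, reason). Default deny: no implicit trust for a user
    simply because an earlier request of theirs was allowed."""
    if not subject.device_compliant:
        return False, "device not compliant"
    for rule in policy:
        if (_matches(subject, rule.subject_attrs)
                and _matches(resource, rule.resource_attrs)
                and action in rule.actions):
            if rule.require_mfa and not env.mfa_verified:
                return False, f"{rule.name}: MFA required"
            return True, rule.name
    return False, "no matching rule (default deny)"


def enforcement_point(subject: Subject, resource: Resource, action: str,
                      env: Environment) -> bool:
    """PEP: ask the PE on every single request; never cache a decision
    across resources, which is what closes the lateral-movement path."""
    allowed, _reason = policy_engine(subject, resource, action, env)
    return allowed


if __name__ == "__main__":
    # Constructed scenario: John Smith's valid credentials are used to reach
    # his own office's file, then an HR file in another office.
    john = Subject("jsmith", "OCFO", "Budget Analyst", device_compliant=True)
    budget = Resource("fy24-budget.xlsx", "OCFO", "internal")
    hr_file = Resource("personnel-records", "OCHCO", "restricted")
    env = Environment(mfa_verified=False)
    for res in (budget, hr_file):
        print(res.name, policy_engine(john, res, "read", env))
```

The `hr_file` request is refused even though the account is valid and its first request succeeded: each request is judged on its own attributes, so credentials that fit one office’s policy give no foothold elsewhere. The same engine shows why ABAC is cheap to maintain: adding a second Budget Analyst means creating an account with the same attributes, not a new round of per-share approvals.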

About Kearney & Company, P.C. (Kearney)
Established in 1985, Kearney is the largest Certified Public Accounting (CPA) firm in the country focused exclusively on the Government. Kearney provides financial management services to the Federal Government to improve the overall effectiveness and efficiency of financial operations; increase accountability and compliance with laws, regulations, and guidance; and protect funds from fraud, waste, and abuse. Consistently recognized as a Best Place to Work by multiple publications over the past decade, Kearney fosters a “people first” culture. We have more than 700 professionals providing services to every Cabinet-level Department and major independent agencies.

This publication is for informational purposes only and does not constitute professional advice or services, or an endorsement of any kind. Readers should first consult with a professional before acting with regard to the subjects mentioned herein.


(1) “NIST’s Zero Trust Taxonomy Introduces Components, Threats and Mitigation Routes,” SecurityWeek.com
(2) GAO-22-104282 “COVID-19: Federal Telework Increased During the Pandemic, but More Reliable Data Are Needed to Support Oversight”
(3) GAO-21-583 “COVID-19: Selected Agencies Overcame Technology Challenges to Support Telework but Need to Fully Assess Security Controls”
(4) Hu, V., Ferraiolo, D., Kuhn, R., Schnitzer, A., Sandlin, K., Miller, R., & Scarfone, K. (2014). Guide to Attribute Based Access Control (ABAC) Definition and Considerations. NIST SP 800–162, iii. https://doi.org/10.6028/NIST.SP.800-162