Biden, Zero Trust and cybersecurity

Cybersecurity presents pressing issues for the ERP community, with few glimpses of hope to be found in the current landscape.

One small cause for optimism is the cybersecurity executive order issued by the US government last May. President Biden’s software bill of materials eyes improvements to US software supply chain, both in security and supply chain risk management.

But Executive Order 14028 (EO), as it’s officially known, may not exactly be a game changer for enterprise tech, according to Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Centre.

“One important thing to remember is that President Biden doesn’t have the authority to order any government agency to purchase specific software, nor does he have the authority to require any governmental agency procure specific software,” he says.

“It’s also worth noting that while ‘EO compliance’ will be something enforced by procurement teams within the US government, we are talking about a supply chain meaning that any provider of software within a supply chain should be prepared to answer questions about ‘EO compliance’ if their software could be used in a US Government setting.”

As we’ll discover later, there is enough information to define what elements software producers should be prepared to provide to US authorities. But Mackey points out there is there really isn’t anything that can be defined as ‘EO compliance’ as of yet. This means there is no way to tell if Biden’s bill – and its promise of more regulated software supply chain – will enable any safer a cybersecurity landscape for enterprises.

Don’t bide your time

So what can ERP vendors do in the here and now? For Nir Zuk, founder & CTO at Palo Alto Networks, organizations need to get a handle on the risks associated with hybrid work and direct-to-app connectivity.

“The new reality is that our attack surfaces have expanded dramatically while cyberattacks continue to grow in volume and sophistication. The whack-a-mole approach of deploying a new tool for every type of application or threat makes security management and enforcement way too complex.”

“Most organizations have discovered that old and clunky VPN-based solutions just don’t cut it from a security and performance perspective. These legacy solutions have no concept of context and thus do not understand how to apply application, user or device-based, least privilege access. Instead, they give trusted access to entire network segments.

“In the world of hybrid work and cloud migration, legacy VPN is dead. Zero Trust Network Access (ZTNA) approaches emerged to address the challenges caused by legacy VPN.”

When it comes to the today’s evolving landscape of hybrid work, Zuk sees old and unfortunate security issues at play.

“The first generation of ZTNA products (which we call ZTNA 1.0) have proven more dangerous than helpful because of several critical limitations.

“ZTNA 1.0 provides way too much access, especially for apps that use dynamic ports or IP addresses. It supports only coarse-grained access controls while classifying applications based on L3/L4 network constructs, such as IP address and port numbers.

“Secondly, once access to an app is granted, that communication is then trusted forever. ZTNA 1.0 assumes that the user and the app will always behave in a trustworthy manner, which is a recipe for disaster.

“Finally, ZTNA 1.0 only supports a subset of private apps while unable to properly secure microservice-based, cloud-native apps – apps that use dynamic ports like voice and video apps, or server-initiated apps like Helpdesk and patching systems. Moreover, legacy ZTNA approaches completely ignore SaaS apps and have little to no visibility or control over data.”

Meanwhile, Tom Venables, practice director – application and cyber security at risk management company Turnkey Consulting, argues that enterprise protection requires an integrated approach across several elements of the security estate, all of which should be considered to ensure the organization can trust the data and processes supported by its ERP.

“ERP systems are at the core of every business; they handle some of the most critical processes and feed into the effective management of the organization,” Venables says. “This makes it essential that these business critical systems are protected from threats, both internal and external, especially with a rise in cybercriminals targeting these systems for financial gain, ransomware or to perpetrate fraud.”

Solutions in cyber

So what are the solutions for these threats to ERP safety? Palo Alto proposes a new industry approach it’s calling ZTNA 2.0. According to Zuk, this overhaul solves the shortcomings of ZTNA 1.0 by identifying applications at layer 7, enabling precise access control at the app and sub-app levels, independent of network constructs like IP and port numbers.

Also included is continuous trust verification and continuous security inspection.

“(For the former) once access to an app is granted, trust is continually assessed based on changes in device posture, user behavior and app behavior.

“(The latter provides) deep and ongoing inspection of all traffic, even for allowed connections, to prevent all threats including zero-day threats.”

Consistent control of data across all apps is another hallmark of ZTNA 2.0, including private apps and SaaS, with a single DLP policy. This comes alongside safeguarding all applications used across the enterprise, including modern cloud-native apps, legacy private apps and SaaS apps. Apps that use dynamic ports and apps that leverage server-initiated connections are also included.

“At the height of the pandemic, many businesses focused on trying to scale their VPN infrastructure. When that didn’t work, they quickly pivoted to the ZTNA 1.0 solution, only to discover it didn’t live up to their expectations.

“ZTNA 2.0 is the necessary paradigm shift to overcome the existing limitations of ZTNA 1.0, and it is the right architecture to support your organization in the long term.”

Turnkey Consulting’s Venables meanwhile posits that a risk-based approach can help “to ensure the right funding and prioritization is put in place to secure critical ERPs against the most likely and impactful risks.”

“Pivoting the organization’s defense to face the likely threat will ensure the strategy makes the most effective use of resources, as well as minimize regret cost.”

Knowledge of what may be at risk is key in ensuring the organization can protect itself against these risks, he adds.

“This requires knowing the estate, and investing in a quality configuration management database (CMDB), or asset management capability to identify operating systems, patch levels and privileged accounts within that ERP landscape. This allows more effective patch and vulnerability management to be undertaken and protects against common threats and exploits.”

ERP landscapes should also be integrated with the IT protection, detection and response capabilities of the organization.

“If a SAAS ERP is running, is there sufficient telemetry from the estate to be able to identify attempts at compromising the enterprise’s key data? Alternatively, if the ERP is on-premise, are monitoring solutions, endpoint detection and response (EDR), network monitoring and quality extended detection and response (XDR) solutions deployed so that indicators of compromise (IOCs) can be identified when they’re targeting key data?”

To answer these questions, organizations need to work with their CISO and CIO (or equivalent) to understand what protections are applied across the IT estate and ensure the ERPs are integrated with those detection and response capabilities.

“The security operation centre (SOC) needs to include ERP in its monitoring and response scenarios, and disaster recovery or business continuity plans should be in place to respond if the worst happens.”

This ties in with Venables’ last piece of advice: avoid silos at all costs.

“ERPs often exist in a blind-spot for the teams responsible for cyber defense, with system or application ownership often allocated to different director-level resources within the business; for example, an ERP may be owned by a CFO, while the CIO owns the infrastructure within which it is hosted and provisioned.

“Breaking down this siloed approach to securing the estate is essential, which requires the organization working as a whole to integrate and protect its critical data.”

ERP teams can support the IT organization with the knowledge of the business processes and impact assessments, based on data and processes, and ensure prioritization is given to the biggest risks.

“They can also better engage with these teams by understanding the layered approach to security and the language used in defining this; establishing a common framework and learning about approaches such as the NIST (National Institute of Standards and Technology) cyber security framework can provide some commonality for this approach.”

EO critical software

Going back to Biden’s bill, clues to what software vendors can expect to affirm before the US authorities can be found in associated NIST documents, as Synopsys’ Mackey explains.

“The EO instructs heads of agencies to perform specific tasks. One of the first of those tasks was for NIST to solicit input from the public and private industry surrounding the structure and management of software supply chains. That work resulted in a NIST publication on ‘EO critical software’ in July and an updated Secure Software Development Framework (SSDF) in February. This guidance… will form the basis for any EO compliance effort.

“The SSDF defines a set of tasks that NIST views as a minimum requirement to securely create software and manage the software creation process.

“If the USG procurement requirements specify following the SSDF, then software producers who already know how well aligned they are to the SSDF will be that much closer to compliance.”