The Colonial Pipeline hack and the shutdown of the U.S.’s largest fuel pipeline was only one of many recent ransomware attacks on our nation’s hospitals, financial institutions and critical infrastructure. Can government IT departments alone shield public infrastructure from such malicious attacks, ransomware and the ensuing outages? President Biden’s executive order on improving the nation’s cybersecurity addresses this question, and outlines potential security gaps and relevant technology solutions. The order details specific types of technology, security best practices and other ways the federal government and the private sector can team up to crack down on cyberattacks.
The president’s order states that the U.S. “faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” And while the order states that “protecting our nation from malicious cyber actors requires the federal government to partner with the private sector,” it arguably implies that the private sector must include the strongest and most transparent protections, whatever their origins. This may accelerate the shift from commercial proprietary technology to open source software. Only by collaborating and innovating together can we bring all the best ideas to the table and examine them for their relative strengths and weaknesses. It’s unrealistic to think any one individual, company, or government department will be able to envision all lines of attack or build impenetrable code to defend against them.
The president writes that the government “must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services.” Security best practices are outlined, such as comprehensive authentication, authorization, encryption, and having consistent policies and controls in place. However, the challenge is exacerbated by modern, cloud-native application networks and cloud platforms. As applications migrate toward hybrid and multi-cloud environments, microservices instead of monoliths and containers instead of bare metal or virtual machines, zero-trust application networking becomes mandatory. One complication: not every application can be modernized at once, so security professionals need to find a way to address both modern and legacy platforms.
Open source software is a potential solution, as it serves as a mechanism for several actors to work together and secure applications in even the most diverse environments. Let’s look at two examples: API gateways and service meshes. The most popular API gateways that span both Kubernetes and traditional environments are based on open source Envoy Proxy, a Cloud Native Computing Foundation (CNCF) project. And the most feature-rich service meshes are based on open source Istio. Both projects benefit from having many hands adding security features and many eyes watching for vulnerabilities. As a benefit, any party acting in bad faith and trying to slip in a back door has much less chance of going unnoticed.
We see the best results when many start from open source and enhance it further. For example, to secure inbound traffic, an application programming interface (API) gateway acts as a gatekeeper in a zero-trust architecture, receiving, screening and routing cleared traffic to the appropriate applications. Open source Envoy Proxy off-the-shelf brings mutual transport layer security (mTLS) encryption, secrets management and access logging. Some vendors have hardened this further by adding a web application firewall (WAF), data loss prevention (DLP), extensible certificate-based authentication, federated role-based access controls (RBAC) and delegation, Open Policy Agent (OPA) authorization (itself an open source component) and vulnerability scanning to Envoy. They also bring adaptability to fit existing authentication tools such as API keys, JSON Web Tokens (JWT), LDAP, OAuth, OIDC and whatever other tools are already in place. It’s not that government organizations or well-resourced companies couldn’t build their own custom enhancements in these areas given enough time and effort, but it’s much easier and faster to have everyone working together. Commercial software has a role to play, too. In other words, starting with open source, making it more secure and then offering it back to the community improves coverage for everyone.
Similarly, for a service mesh handling internal communications between microservices and legacy applications, building on the open source Istio can deliver much more robust capabilities. Off the shelf, open source Istio also has features like encryption and isolation, but that’s not enough to cover all vectors of attack. Again, some vendors have built on the strengths of the Istio project to provide improvements like federated trust domains, multi-tenancy support and denial of service (DoS) protection with features like advanced rate limiting and global failover routing to other resources, if needed. Access logging for forensics and complete, real-time observability through a central dashboard using tools like Prometheus or Grafana (again, both starting from open source foundations) help round out the security capabilities, and make the service mesh compatible with Federal Information Processing Standards (FIPS).
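As an added illustration of the zero-trust application networking described in the two paragraphs above (gateway-side JWT screening and mesh-side mTLS with isolation), here is a minimal Istio policy set; it is example configuration written for this article, not a vendor's or the Istio project's own manifests, and the namespace `payments`, the workload label `app: ledger-api`, the ingress gateway service account and the issuer URL are placeholders.

```yaml
# Mesh-wide: every workload-to-workload connection must use mTLS.
# Plaintext callers (including legacy hosts not yet in the mesh) are refused.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Gateway-side screening: inbound requests must carry a JWT from the
# configured issuer (placeholder URL), validated against its JWKS.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-on-ingress
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "https://idp.example.gov"
    jwksUri: "https://idp.example.gov/.well-known/jwks.json"
---
# Default deny for the namespace: an AuthorizationPolicy with an empty
# spec matches every workload and allows no request.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# Explicit allow: only the ingress gateway's mTLS identity (SPIFFE
# principal) may reach ledger-api, and only on the listed methods/paths.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-ingress-to-ledger-api
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger-api
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/v1/*"]
```

Because the deny-all policy applies before any allow rule, a new microservice deployed into `payments` is unreachable until an operator adds a policy naming the identities that may call it, which is the default-deny posture the executive order's zero-trust language calls for.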
We can protect our nation’s infrastructure, but no one group can do it alone. If experts from government, private and public companies, as well as white hat enthusiasts join together, we’ll all be safer. Collaboration yields innovation, and in the security realm, the resulting solutions will benefit us all.