The VA’s Zero Trust North Star Journey Can Start with APIs
The Department of Veterans Affairs (VA) Chief Information Officer Kurt DelBene recently stated that the VA has made significant progress in transforming the agency’s cybersecurity posture.
Much of this is based on using Zero Trust as a “north star” for guiding the security of the agency’s IT systems and veterans’ data – moving away from traditional perimeter-based protection.
As highlighted in this recent NextGov/FCW interview, using the Zero Trust guidance has never been more important for the VA with its expansive IT network. The agency has more than 500,000 desktops in 2,000 different physical locations and 1,000 systems overall. On top of this, the VA has to protect millions of veterans’ personal and health data.
As agencies such as the VA continually increase the use of application programming interfaces (APIs), focusing Zero Trust efforts on APIs is of critical importance, and is the ideal starting point to implement a Zero Trust architecture.
According to this Forbes article, this is because API-driven software and apps aren’t contained in a fixed network. Instead they exist in the cloud, and there are potential threats throughout the application and infrastructure stack.
In addition, an API-driven application often has thousands of microservices, which make it difficult to track the overall security impact. Thus, it can be more challenging to find any bad actors attempting to exploit the application and steal precious data.
The API-Driven North Star Approach
Adopting an API strategy to exchange and synchronize data between systems is a great start for embracing a north star Zero Trust strategy.
To counter the rise of Advanced Persistent Threats (APTs) and insider threats, the best approach is to create layers of security that enforce checks on each access to applications or data, reducing both the threats and the resulting risk.
Data API integration is also paramount. While agencies benefit from systems exchanging data automatically, this creates significant vulnerabilities if a bad actor is inadvertently present on the network: such an actor can leverage the automatic synchronization exchanges between systems to capture and exfiltrate critical data.
In addition, civilian agencies and the Department of Defense have been leveraging ETL and point-to-point approaches for data sharing and synchronization for decades. Often this data moves around in batches to ensure that separate systems all have an up-to-date copy of the data that’s used across these systems.
This type of data synchronization is typically accomplished by scripts running on servers that extract the appropriate data and transform it into the target format required for sharing.
One challenge in this scenario is that an attacker can very easily hijack these scripts if a server has been compromised. Once this happens, the attacker can execute the scripts, and gain access to the data itself.
Developing API Policy Enforcement for a Secure Zero Trust Environment
Development of API policy enforcement is critical for achieving Zero Trust. Part of a typical API solution includes enforcing policies at runtime, that is, whenever a system invokes the API to interact with data. It typically provides benefits like authentication, which verifies the identity of the system or user requesting the data.
It also provides authorization policies to determine if that particular user is allowed to access that piece of data at that moment in time.
A holistic platform for API management will include not only a policy enforcement point, but also a developer portal – allowing system engineers to understand how to use an API and its function. This also helps to foster a community of data users who can help onboard new users.
Finally, agencies that have moved further along in their Government API adoption practice will often implement an application portfolio tool, which is vital for moving towards Zero Trust architectures and principles.
Enterprise architects can use it to document application information and answer simple business questions about the Zero Trust compliance of their applications. This documentation also links each application to the underlying technologies that support it, and to information on current and planned projects and budget.
Data Sharing: Zero Trust Principles in Action
To share data between applications within their architectures in a way that meets Zero Trust principles, agencies should embrace continuous verification: verification must be enforced on every access to a resource. For example, if a consumer or a system has access to certain data today, a future policy could remove that access tomorrow.
The blast radius should be as limited as possible to minimize exposure in the event of a data breach. In an API context, specific consumer applications only have access to specific APIs and endpoints. There may also be additional policies that redact or mask the data for specific consuming applications.
It is also important to collect the data needed for analysis before any security incident or breach occurs. In the event of a compromise, the agency then has an audit trail for assessing the impact of the breach.
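The following is an added illustration, not Software AG product code, of the policy enforcement point the two sections above describe: every call is authenticated, authorized against a per-consumer endpoint scope, masked where the policy requires it, and written to an audit trail, with the policy re-read on each request so revocation takes effect immediately. The consumer names, HMAC-based request tokens, policy table and veteran record are all constructed sample data.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample data: consumer secrets (real deployments would bind
# identity with mTLS or OIDC tokens rather than shared secrets).
CONSUMERS = {"benefits-portal": b"secret-a", "research-etl": b"secret-b"}

# Constructed least-privilege policy: the endpoints each consumer may call and
# the fields that must be masked for it. It is read on every request, so an
# access change here takes effect on the very next call.
POLICY = {
    "benefits-portal": {"endpoints": {"/veterans/{id}"}, "mask": set()},
    "research-etl": {"endpoints": {"/veterans/{id}"}, "mask": {"ssn", "name"}},
}

AUDIT = []  # append-only trail consulted when assessing a breach

def sign(consumer, route):
    """Client side: bind the token to the route so it cannot be replayed elsewhere."""
    return hmac.new(CONSUMERS[consumer], route.encode(), hashlib.sha256).hexdigest()

def authenticate(headers, route):
    """Return the consumer id when the request token verifies, else None."""
    consumer = headers.get("X-Consumer")
    if consumer not in CONSUMERS:
        return None
    expected = sign(consumer, route)
    return consumer if hmac.compare_digest(expected, headers.get("X-Token", "")) else None

def mask(record, fields):
    """Redact the fields the policy withholds from this consumer."""
    return {k: ("***" if k in fields else v) for k, v in record.items()}

def handle(headers, route, record):
    """Policy enforcement point: authenticate, authorize, mask, audit every call."""
    consumer = authenticate(headers, route)
    decision, body = "deny", None
    if consumer is None:
        reason = "unauthenticated"
    elif route not in POLICY[consumer]["endpoints"]:
        reason = "endpoint outside consumer scope"
    else:
        decision, reason = "allow", "policy match"
        body = mask(record, POLICY[consumer]["mask"])
    AUDIT.append({"ts": datetime.now(timezone.utc).isoformat(), "consumer": consumer,
                  "route": route, "decision": decision, "reason": reason})
    return decision, body
```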
Conclusion
These key highlights were provided by Darryn Graham, Chief Architect at Software AG Government Solutions, during his presentation at the 2022 Digital Government Institute’s Zero Trust: The Fundamentals Virtual Conference.
Watch Darryn’s full presentation here: How APIs Bolster Zero Trust Strategies and Security
Is your agency looking for a Zero Trust “north star”? If so, please reach out to Software AG Government Solutions today to start with API security.