DoD Identifies API Security as Critical for Zero Trust

December 13, 2022

Dean Phillips & Doug Steele

The opening line of the newly published Department of Defense (DoD) Zero Trust Strategy should be a warning to all: “Our adversaries are in our networks, exfiltrating our data, and exploiting the Department’s users.” [1] Numerous users and devices across geographic boundaries, various hardware and software supply chains, internal and external facing applications, sophisticated malicious actors, and sensitive data that moves easily as electrons certainly present challenges for cyber defense in today’s environment. The new strategy, dated October 21, 2022, expressly identifies an urgency in adopting “a Zero Trust mindset” to reduce attack surface, mitigate risk, and protect DoD assets. To drive these efforts, the DoD Zero Trust Portfolio Management Office (ZT PfMO) was born.

In its roadmap for the future, the ZT PfMO identified multiple targets across the seven tenets of Zero Trust. In the Application and Workload tenet, the ZT PfMO targeted Application Inventory, Secure Software Development and Integration, and Continuous Monitoring and Ongoing Authorizations. Across other tenets, the roadmap identified the use of Machine Learning tools and Policy Inventory as important targets. 

For the first time, Application Programming Interfaces (APIs) were addressed as a key control point throughout multiple tenets. There are recurring requirements for agencies to control APIs by establishing and enforcing API standards and governance over API development and monitoring. Notably, API visibility and control are called out in multiple sections, in addition to a dedicated section 6.6 titled API Standardization. As we at Noname have articulated before, API security is now an integral part of a Zero Trust strategy, and DoD’s roadmap supports that assertion.

The challenge of API visibility and control falls on agencies ill-equipped to shift left in pre-production of secure applications. Current network and cloud sensors are not adequate to provide full visibility into API activity. Given that section 6.6 of the strategy specifically directs the establishment and enforcement of enterprise-wide API standards, with all non-compliant APIs to be identified and replaced, the burden of this task will be significant for dev and security operators. That is why Noname Security is offering a full suite of API-specific capabilities focused on government agencies. Noname offers the following API capabilities to help DoD agencies meet their ZT timelines:

  1. An API security assessment that will establish an agency’s internal and external API landscape.
  2. A pre-production testing tool that integrates into a CI/CD process to help an agency shift left to provide secure APIs with full documentation of the API gold image. 
  3. Continuous monitoring of an agency’s API landscape enabling the agency to enforce API standards no matter where the API is found in the network. This can be delivered through external scanning and on-prem sensors built for military networks and clouds.

If the Executive Order on Improving the Nation’s Cybersecurity, dated May 12, 2021, was the genesis of the government-wide drive to implement a Zero Trust strategy, the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Binding Operational Directive 23-01 was the first major guidance for civilian agencies. However, DoD’s roadmap is the latest, most comprehensive, and most aggressive strategy to date. Whereas CISA’s plan requires automated asset discovery by April 2023, DoD goes beyond physical assets and recognizes applications and APIs as particular vulnerabilities as well. We believe CISA will follow DoD’s lead and further recognize the need to protect applications and APIs as part of Zero Trust rather than simply focusing on physical hardware.

The Noname Public Sector team supports the most thorough approach feasible in bolstering our nation’s cyber defenses. But this does not just affect DoD; it’s a national problem impacting government agencies at the federal, state, and local levels, as well as businesses that increasingly rely on applications to provide goods and services to customers. Dean Phillips and Daren Presbitero from the Public Sector team have both written before about the vulnerabilities unsecured APIs present and the impact of data loss. We hate to see businesses negatively impacted or government services shut down because of a cyber breach – that has a real, measurable impact on people’s lives and we need to do everything we can to prevent it.

With an accelerated timeline to achieve identified targets, it makes sense to use a trusted provider like Noname to help meet objectives. The Noname platform specifically addresses various aspects across several target areas in DoD’s roadmap. Whether a government agency or business, if you’re embarking on a Zero Trust approach to security, Noname can help you meet deadlines and objectives in securing your environment. API security is not just “nice to have,” it’s “need to have” in today’s environment.

 

[1] DoD Zero Trust Strategy, October 21, 2022, Foreword, p. ii