Meeting Federal Zero Trust Requirements With Harness
In this blog, we’ll explore the new Federal Zero Trust Strategy as part of the Executive Order on Improving the Nation’s Cybersecurity and how Harness can help support it.
As cybersecurity threats are constantly evolving, government approaches to cybersecurity must adapt. Conventional, perimeter-based approaches to security are no longer sufficient. That’s why in May 2021, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity. Part of the new approach, a zero trust strategy, was presented in a memorandum, M-22-16. According to the memorandum:
"The Federal Zero Trust Strategy defines priority goals for agencies to achieve a consistent enterprise-wide baseline for cybersecurity grounded in principles of least privilege, minimizing attack surface, and designing protections around an assumption that agency perimeters should be considered compromised."
Federal agencies must implement a zero trust architecture (ZTA) and meet specific security standards by the end of fiscal year 2024. The strategic goals of the M-22-16 memorandum are aligned with the five key pillars laid out by the U.S. Cybersecurity & Infrastructure Security Agency (CISA).
In this blog, we’ll explore each of the five pillars and show how Harness can help federal agencies support the strategic goals of the M-22-16 memorandum.
CISA Pillar #1: Identity
“Agency staff use enterprise-managed identities to access the applications they use for their work. Phishing-resistant multi-factor authentication (MFA) protects those personnel from sophisticated online attacks.”
Harness offers enterprise-grade integrations with all major identity providers (IdPs), providing a fully compliant authentication framework for managing DevSecOps pipelines and assets, backed by our Role-Based Access Control (RBAC). Harness can use two-factor authentication (2FA) from a connected IdP or integrate with a 2FA provider directly in the Harness platform to meet the needs specified by CISA.
CISA Pillar #2: Device Inventory Management
“The Federal Government has a complete inventory of every device it operates and authorizes for Government use, and can prevent, detect, and respond to incidents on those devices.”
While Harness is not a device inventory management tool, Harness has comprehensive templating capabilities and Open Policy Agent (OPA) governance built in. With OPA built in, agencies can enforce that every deployment reliably performs the steps needed to enroll with and connect to their device management tools.
Sidecar services, such as service meshes and monitoring agents, are important for a zero trust architecture because they provide additional layers of security and visibility to protect against potential threats.
In a zero trust architecture, all network traffic is considered untrusted and must be verified and validated before being allowed to communicate. This approach assumes that attackers can and will attempt to infiltrate the network, and therefore, security controls must be implemented at every layer of the architecture.
Service meshes act as a dedicated layer for managing service-to-service communication within a zero trust architecture. By providing features such as traffic management, service discovery, and security, service meshes can ensure that only authorized services can communicate with each other. This is typically achieved through mutual Transport Layer Security (mTLS) encryption, which provides authentication and encryption of communication between services.
Similarly, monitoring agents can provide additional layers of visibility and security by collecting and analyzing data on network traffic, system performance, and user behavior. This can help identify potential threats and suspicious activity, allowing administrators to take appropriate actions to mitigate risks.
By implementing service mesh registration and monitoring agents as sidecar services, organizations can create a more secure and resilient zero trust architecture that can adapt to new threats and provide greater visibility into network activity.
Harness can support this pillar by enforcing the deployment of these sidecar services.
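As an added illustration (not Harness code or a Harness policy), the following Python mirrors the kind of rule an OPA policy in a deployment pipeline would express: it inspects a Kubernetes Deployment manifest and denies it unless the mesh proxy and monitoring-agent sidecars are present and mesh injection has not been opted out. The sidecar container names, the opt-out annotation key and both manifests are constructed assumptions.

```python
"""Deployment-time guardrail: deny manifests that omit required sidecars.

Added example, not Harness code. The check is written in Python so it runs
stand-alone; in a Harness pipeline the equivalent rule would live in Rego
and be evaluated by the built-in OPA step.
"""

# Assumed names of the sidecar containers the agency requires on every workload.
REQUIRED_SIDECARS = {
    "istio-proxy": "service-mesh proxy (mTLS between services)",
    "monitoring-agent": "telemetry collector",
}
# Assumed pod annotation that opts a workload out of mesh sidecar injection.
INJECTION_OPT_OUT = ("sidecar.istio.io/inject", "false")


def check_deployment(manifest: dict) -> list[str]:
    """Return policy violations for one Deployment manifest (empty list = allow)."""
    violations = []
    pod = manifest.get("spec", {}).get("template", {})
    names = {c.get("name") for c in pod.get("spec", {}).get("containers", [])}
    # Every required sidecar must be a container in the pod template.
    for sidecar, role in REQUIRED_SIDECARS.items():
        if sidecar not in names:
            violations.append(f"missing required sidecar '{sidecar}' ({role})")
    # A workload must not silently turn off mesh injection via annotation.
    key, val = INJECTION_OPT_OUT
    annotations = pod.get("metadata", {}).get("annotations", {})
    if str(annotations.get(key, "")).lower() == val:
        violations.append(f"annotation {key}={val} disables mesh sidecar injection")
    return violations


# Constructed sample manifests: one compliant, one that should be denied.
COMPLIANT = {
    "kind": "Deployment", "metadata": {"name": "payments"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "app", "image": "registry.example/payments:1.4"},
        {"name": "istio-proxy", "image": "registry.example/proxyv2:1.20"},
        {"name": "monitoring-agent", "image": "registry.example/otel-agent:0.9"},
    ]}}},
}
NON_COMPLIANT = {
    "kind": "Deployment", "metadata": {"name": "legacy-batch"},
    "spec": {"template": {
        "metadata": {"annotations": {"sidecar.istio.io/inject": "false"}},
        "spec": {"containers": [{"name": "app", "image": "registry.example/batch:0.3"}]},
    }},
}

if __name__ == "__main__":
    for m in (COMPLIANT, NON_COMPLIANT):
        result = check_deployment(m)
        print(m["metadata"]["name"], "DENY" if result else "ALLOW", *result, sep="\n  ")
```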
CISA Pillar #3: Secure Networks
“Agencies encrypt all DNS requests and HTTP traffic within their environment, and begin executing a plan to break down their perimeters into isolated environments.”
The Harness platform is a comprehensive tool that prioritizes the privacy and security of its users. One of the ways that Harness achieves this is through the use of modern Transport Layer Security (TLS) for all in-transit communications related to operations. TLS is a protocol that ensures secure communication over a network by encrypting data and verifying the identity of communicating parties. This protocol ensures that sensitive data is protected from eavesdropping and tampering. By leveraging TLS, Harness provides users with enhanced data security and peace of mind.
In addition to TLS, Harness also provides its own secrets manager and integrates with best-in-class secrets management services and vaults. This approach ensures that users have a connector/secret separation, which simplifies network management and eliminates secrets sprawl. Secrets sprawl refers to the problem of having too many secrets or credentials scattered across different systems, which can make it difficult to manage and secure them. By using a secrets manager and integrating with top secrets management services and vaults, Harness helps users implement modern credentialing and token provision strategies such as secrets rotation and just-in-time (JIT) access, which further strengthens data security.
Secrets rotation involves regularly changing passwords, keys, tokens, and other secrets used to access systems and data. This strategy ensures that even if a secret is compromised, it will only be valid for a limited period, reducing the risk of unauthorized access and data breaches.
JIT access is a method of granting temporary access to systems and data only when it is needed for a specific task. This strategy reduces the risk of unauthorized access and data breaches by limiting the time that sensitive data is accessible.
Overall, Harness helps users to focus on their core business objectives without worrying about the security of their data. With TLS-enabled platform communications, a secrets manager, and integrations with best-in-class secrets management services and vaults, users can trust that their data is secure and protected.
CISA Pillar #4: Application and Workloads
“Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.”
As a best-in-class orchestration tool for all security testing requirements, Harness supports the requirement to subject applications to rigorous testing.
The Harness Security Testing Orchestration (STO) module ensures all application vulnerability scanning runs at high velocity without sacrificing security. Also, by providing security guardrails via governance policies, STO can prevent critical vulnerabilities from ever reaching production environments. STO also consolidates vulnerability findings into a deduplicated and user-friendly interface to provide aggregated scan management. These findings can then be shifted left into continuous integration (CI) pipelines. Harness supports an automated testing approach throughout the SDLC, with full audit logs for every deployment across both cloud-based and on-premises infrastructures.
CISA Pillar #5: Data
“Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing.”
Harness provides dashboarding, alerting, and reporting tools that are tightly integrated with the platform data model to provide business leaders with a clear, immutable overview of all aspects of their DevSecOps operations. This data is exportable into other systems of record.
Our platform also provides first-class support for ticketing tools such as Jira and ServiceNow to continuously update systems of record regarding the software delivery lifecycle.
Harness can orchestrate and scale any intended data categorization and metadata tagging activities across DevSecOps by templating and versioning these processes while applying them across all pipelines organization-wide. These can be pushed to any data and artifact repositories, including S3 or external databases.
Learn More About Harness Support for ZTA
Harness is a powerful tool for implementing a ZTA. Harness STO helps you meet requirements for security regulations while also making it possible to maintain delivery velocity and easing developer workloads, preventing burnout. The intelligent engine and automation built into STO handle the heavy lifting of application security testing in DevSecOps. This allows developers to stay focused on adding new features and fixing vulnerabilities in real time. STO also removes barriers and friction between security teams and developers, giving them a collaborative platform to reach their common ZTA goals. In addition, your security team can govern pipelines with guardrails and gain a complete application security dashboard view across all application services.
To learn more about how Harness can help organizations implement and manage the security- and compliance-related services and infrastructure necessary to support zero trust, request a demo today!