CISA and NSA: The Times, They Are A-Changin. Identity is Everything Now – Security Boulevard
The recent SolarWinds Senate hearing and a flurry of subsequent briefings have unearthed new questions around the attack, which acting director of the U.S. Cybersecurity and Infrastructure Agency (CISA) Brandon Wales called the most complex and challenging hacking incident the agency has come up against.As impacted agencies and private enterprises work to pick up the pieces, theres debate over the best ways to tackle systemic weaknesses and improve cyber intelligence sharing across the board. But one thing everyone can agree on is that traditional security approaches which have failed to change with the digital times are in dire need of an overhaul.
The SolarWinds breach, along with nearly every major cyber attack today, involved the compromise of identity and subsequent manipulation of privileged access. While presenting forensic analysis of the attack at NISTs most recent Information Security and Privacy Advisory Board meeting, CISA technical strategist Jay Gazlay put it bluntly: Identity is everything now.
While Gazlay acknowledged that very few could pull off such a highly sophisticated digital supply chain attack without being detected, his message was clear: traditional, perimeter-centric security wont cut it. We can talk about our network defenses. We can talk about the importance of firewalls and network segmentation. But really, identity has become the boundary, and we need to start readdressing our infrastructures in that matter, he said, according to Federal News Networks report on the briefing.
Of course, SolarWinds is far from the first major attack to prompt action. But Gazlay warned that attackers are constantly innovating, and that protections many agencies put in place after the 2015 Office of Personnel Management breach are likely inadequate today since so many resources have shifted to the cloud.
Theyre going after the identities that give them access to all the data holdings much broader campaigns, he said, according to Federal News Network. That makes trust store and identity management compromises much more impactful, and frankly, a much higher target. As we move into a cloud infrastructure where all that matters is the expectation that you are who you say you are, to get access to cloud infrastructures, this becomes even more pernicious.
This focus on identity is accelerating the shift toward Zero Trust, a never trust, always verify approach that includes authenticating and authorizing every identity human or non-human before granting access. While the concept isnt new, its safe to say Zero Trust is going mainstream as hybrid and multi-cloud environments become the norm.
The U.S. National Security Agency (NSA) recently released guidance for embracing a Zero Trust approach, noting these principles can better position [cybersecurity professionals] to secure sensitive data, systems, and services.
As we focus on helping agencies and enterprises secure identities throughout the cycle of accessing critical assets, these recommendations resonated strongly with our CyberArk team. Heres a look at our top takeaways from the NSAs Zero Trust directive:
Outsider, Insider It Doesnt Matter. Always Assume Breach
NSA authors write, Contemporary threat actors, from cyber criminals to nation-state actors, have become more persistent, more stealthy, and more subtle; thus, they demonstrate an ability to penetrate network perimeter defenses with regularity. They urge agencies and organizations to consciously operate and defend resources with the assumption that an adversary already has presence within the environment.
In the public sector, weve seen the great lengths to which legitimate, authorized users will go to exfiltrate information and accomplish ill-intentioned objectives. An assume breach mindset does not discriminate between outsiders or insiders instead, every identity and access request is presumed malicious until proven otherwise. And the question shifts from Have I been breached? to Do I have the right alarm systems and motion-sensing lights in place to detect and respond before its too late?
Least Privilege Is Foundational to Zero Trust
Motives vary. Adversaries might try to establish persistence in the environment and hide their activity; the SolarWinds attacker used the sophisticated Golden SAML technique to do this successfully. Or, attackers might aim straight for the domain controller or cloud console in search of sensitive data to steal or hold for ransom, or to cause disruption by shutting down critical systems or deleting files. No matter what theyre after, attackers usually follow the same steps: acquire credentials for an identity, move laterally and vertically to escalate privileges, then use this privileged access to compromise sensitive data and assets.
The most effective way to break this chain and shrink the overall attack surface is to enforce least privilege security controls across all identities, devices and apps from the endpoint to the cloud. NSA authors write that data-centric Zero Trust models allow the concept of least privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources.
When It Comes to Zero Trust, 1+1=3
Theres no cybersecurity silver bullet, and likewise, Zero Trust cannot be achieved with one vendor or solution its not about a specific technology, its an approach, and a mindset. Instead, it requires a holistic, layered approach that integrates disparate but related cybersecurity capabilities into a cohesive engine for cybersecurity decision-making, write NSA authors.
By placing Privileged Access Management at the core of this defense-in-depth strategy, not only can defenders protect against the leading cause of breaches, they can also minimize the attacks impact. Consider this scenario: an attacker successfully compromises an agencys vulnerability management platform, runs an authentication scan and pinpoints every vulnerable and misconfigured identity within the hybrid cloud environment essentially scoring a step-by-step playbook for the attack. By protecting these powerful tools with Privileged Access Management controls, such as vaulting and rotating privileged credentials and monitoring sessions to detect risky activity, agencies can dramatically limit exposure and keep that playbook out of reach.
Its Okay to Start Small. But the Time to Start Is Now.
Conceptually, Zero Trust makes perfect sense. But NSA authors warn that putting it into practice will take time. Instead, they encourage a phased, risk-based approach. Incorporating Zero Trust functionality incrementally as part of a strategic plan can reduce risk accordingly at each step, they write. Among the NSAs key Zero Trust design recommendations is to architect from the inside out, first protecting critical data and assets, such as Tier 0 systems, then securing all paths to access them.
TheIdentity Defined Security Alliance framework can help with scoping and tiering the various technology components that will require protection at the identity level.
In SolarWinds shadow, many agencies are feeling pressure to address their greatest identity-related vulnerabilities quickly. This NSA directive offers valuable prioritization guidance for achieving quick wins to drive down risk, while laying the groundwork for a phased Zero Trust implementation strategy.
In the famous words of Bob Dylan, The times, they are a-changin. Drive resilience in this new threat landscape by embracing a Zero Trust model. And trust CyberArk to help along the way. As the recognized leader in protecting privileged access with multiple Department of Defense customers and 130+ installations across the U.S. federal government, were uniquely positioned to help agencies meet todays modern security and compliance requirements.
*** This is a Security Bloggers Network syndicated blog from CyberArk authored by Kevin Corbett. Read the original post at: https://www.cyberark.com/blog/cisa-and-nsa-the-times-they-are-a-changin-identity-is-everything-now/
Continue reading here:
CISA and NSA: The Times, They Are A-Changin. Identity is Everything Now - Security Boulevard
- Cyber Command, NSA chief warns foreign adversaries likely to target midterms - The Record from Recorded Future News - April 29th, 2026 [April 29th, 2026]
- CISA flags data-theft bug in NSA-built OT networking tool - theregister.com - April 29th, 2026 [April 29th, 2026]
- Decades-old pre-Stuxnet cyber sabotage tool breaks cover, NSA listed it as 'nothing to see here' fast16 targeted nuclear reactors, dam design, and... - April 29th, 2026 [April 29th, 2026]
- The NSA Just Warned Everyone to Reboot Their Routers What to Do Right Now - National Cybersecurity Alliance - April 29th, 2026 [April 29th, 2026]
- Former NSA Science Chief Warns Humanity May Be Missing Something 'Huge' About UFO Phenomena - International Business Times UK - April 29th, 2026 [April 29th, 2026]
- Court rejects bid to halt trial of former NSA Deputy CEO - Ghanaian Times - April 29th, 2026 [April 29th, 2026]
- The NSA: SLs missing link on the geopolitical stage - The Morning - April 29th, 2026 [April 29th, 2026]
- Farmers seeking new pastures urged to try NSA's Graziers List - Craven Herald - April 29th, 2026 [April 29th, 2026]
- Punjab Police takes Amritpal on 2-day remand following expiry of NSA detention - ThePrint - April 29th, 2026 [April 29th, 2026]
- Report: NSA is currently using Anthropics unreleased Mythos model - Sherwood News - April 23rd, 2026 [April 23rd, 2026]
- FBI And NSA Warnings IgnoredNo Fix For Millions Of Phones - Forbes - April 23rd, 2026 [April 23rd, 2026]
- NSA Uses AI Mythos Even Though Anthropic is Blacklisted by the Pentagon - VOI.ID - April 23rd, 2026 [April 23rd, 2026]
- NSA Running Blacklisted Anthropic AI: Warning for UK Banks - Disruption Banking - April 23rd, 2026 [April 23rd, 2026]
- Amritpal Singh Taken into Punjab Police Custody After NSA Detention Ends in Dibrugarh - The Sentinel - of this Land, for its People - April 23rd, 2026 [April 23rd, 2026]
- Cybersecurity, Claude Mythos, is Anthropic's model in the hands of the Nsa? - Il Sole 24 ORE - April 23rd, 2026 [April 23rd, 2026]
- NSA Doval Meets Top Saudi Leaders, Focus On Security And Energy - The Times of India - April 23rd, 2026 [April 23rd, 2026]
- NSA: stereotyping, ethnic profiling can weaken intelligence gathering - The Nation Newspaper - April 7th, 2026 [April 7th, 2026]
- Former NSA John Bolton says Pentagon would have told President Trump about Iran closing the Strait of Hormuz beforehand - indica News - April 5th, 2026 [April 5th, 2026]
- Trump Thought This Would Be Easier: Former NSA John Bolton Exposes US Presidents Unprepared War Strategy - Republic World - April 5th, 2026 [April 5th, 2026]
- Dog owners urged to take responsibility as NSA ramps up sheep worrying campaign - Hexham Courant - April 5th, 2026 [April 5th, 2026]
- Dog owners urged to take responsibility as NSA ramps up sheep worrying campaign - The Scottish Farmer - April 5th, 2026 [April 5th, 2026]
- 'Dhurandhar 2 sets a new benchmark, it's going to be very difficult for anyone to match up': Former deputy NSA of India | Bollywood - Hindustan Times - April 1st, 2026 [April 1st, 2026]
- Rethinking the NSA Office beyond security coordination - The Nation Newspaper - April 1st, 2026 [April 1st, 2026]
- The $15 Billion Post-Quantum Migration: NIST Standards Are Final, NSA Deadlines Are Set, and Enterprise Cybersecurity Is About to Be Rebuilt from the... - April 1st, 2026 [April 1st, 2026]
- NSA kicks off sheep worrying awareness week - Agriland.co.uk - April 1st, 2026 [April 1st, 2026]
- Regime change only way to tackle Iran threat, says former US NSA John Bolton - CNBC TV18 - March 30th, 2026 [March 30th, 2026]
- The command centre: Why Nigerias NSA must evolve beyond coordination - guardian.ng - March 30th, 2026 [March 30th, 2026]
- Former NSA chiefs worry American offensive edge in cybersecurity is slipping - CyberScoop - March 28th, 2026 [March 28th, 2026]
- NSA and ASDs ACSC Release Joint Guidance on LEO SATCOM System Risks and Mitigations - National Security Agency (.gov) - March 28th, 2026 [March 28th, 2026]
- New NSA director pushes for more intel-sharing with allies in internal meeting - Nextgov/FCW - March 28th, 2026 [March 28th, 2026]
- "Trump Is Transactional, Doesn't Think Strategically": Former US NSA - NDTV - March 28th, 2026 [March 28th, 2026]
- Former NSA John Bolton urges Trump to cut Irans oil revenue after PM Modi call - The Indian EYE - March 28th, 2026 [March 28th, 2026]
- $HAREHOLDER ALERT: The M&A Class Action Firm Is Investigating The MergerULY, NSA, CTRA, and FONR - WBOC TV - March 28th, 2026 [March 28th, 2026]
- Rethinking the command centre: Why Nigerias NSA must evolve beyond coordination - The Sun Nigeria - March 28th, 2026 [March 28th, 2026]
- Constitutional freedoms cannot be exercised at the cost of human lives: Allahabad HC upholds preventive detention order under NSA - SCC Online - March 28th, 2026 [March 28th, 2026]
- Next Generation Shepherd of the Year Competition opens for NSA Scotsheep 2026 - The Scottish Farmer - March 28th, 2026 [March 28th, 2026]
- NSA (NSA) explains vesting, prorated FY2026 bonus and severance in merger with Public Storage - Stock Titan - March 20th, 2026 [March 20th, 2026]
- Sergio Gor meets NSA Ajit Doval discussing geopolitical issues - The Indian EYE - March 20th, 2026 [March 20th, 2026]
- National Storage Investor Alert: Kahn Swick & Foti, LLC Investigates Adequacy of Price and Process in Proposed Sale of National Storage Affiliates... - March 20th, 2026 [March 20th, 2026]
- Public Storage to Buy NSA: Is This a Smart Growth Move for Investors? - TradingView - March 20th, 2026 [March 20th, 2026]
- Was Russia an IMMINENT THREAT to US?: Rep Scott Perry grills NSA official on Ukraine war - The Economic Times - March 20th, 2026 [March 20th, 2026]
- NSA invoked against prime accused Aslam in banned meat supply case - thehitavada.com - March 20th, 2026 [March 20th, 2026]
- Watch | Indian Foreign Policy Confused; Were Not as Influential as We Used to Be: Former NSA - TheWire.in - March 20th, 2026 [March 20th, 2026]
- Russia Or Iran? Trumps NSA Cornered in Senate Over Military Action in Iran As War Enters 4th Week - Oneindia - March 20th, 2026 [March 20th, 2026]
- Need to Evolve The Office of the NSA Beyond Coordination to National Defence Strategy Nerve Centre - THISDAYLIVE - March 20th, 2026 [March 20th, 2026]
- Halper Sadeh LLC is Investigating Whether UNF, NSA, ULY, MPX are Obtaining Fair Deals for their ... - Bluefield Daily Telegraph - March 20th, 2026 [March 20th, 2026]
- Organized and technological: ICE resistance groups posing growing danger, warns former top NSA, DHS official - Fox News - March 18th, 2026 [March 18th, 2026]
- Declassified Report Reveals NSA Broke Surveillance Rules - Project On Government Oversight - March 18th, 2026 [March 18th, 2026]
- Gen. Joshua Rudd '93 confirmed as leader of U.S. Cyber Command, NSA; elevated to rank of general - Furman University - March 18th, 2026 [March 18th, 2026]
- Public Storage to Buy NSA: Is This a Smart Growth Move for Investors? - Zacks Investment Research - March 18th, 2026 [March 18th, 2026]
- National Storage (NSA) Climbs to Record High on $10.5-Billion Acquisition - Yahoo Finance - March 18th, 2026 [March 18th, 2026]
- Organized and technological: ICE resistance groups posing growing danger, warns former top NSA, DHS official - WFIN - March 18th, 2026 [March 18th, 2026]
- SHAREHOLDER ALERT: The M&A Class Action Firm Announces An Investigation of National Storage Affiliates Trust (NYSE: NSA) - PR Newswire - March 18th, 2026 [March 18th, 2026]
- National Storage Affiliates Trust (NYSE:NSA) Rating Increased to Neutral at BNP Paribas Exane - MarketBeat - March 18th, 2026 [March 18th, 2026]
- Is National Storage Affiliates Trust (NSA) Share Price Misaligned With Its DCF Estimate Today - Yahoo Finance - March 9th, 2026 [March 9th, 2026]
- Interview with 2026 AFI NSA Naples Spouse of the Year, Dannielle Niewald - Stripes Europe - March 9th, 2026 [March 9th, 2026]
- Iranian drones strike apartments in city thats home to NSA Bahrain - Stars and Stripes - March 7th, 2026 [March 7th, 2026]
- "At this point, US win is going to be pretty elusive," says former US Principal Dy NSA Jon Finer on Iran... - lokmattimes.com - March 7th, 2026 [March 7th, 2026]
- "Over next 5-10 years, you are likely to see emergence of new nuclear powers": Former US NSA official Jon... - lokmattimes.com - March 7th, 2026 [March 7th, 2026]
- China tends to pursue strategy of staying on good terms with everyone: Former US NSA official Finer - ANI News - March 7th, 2026 [March 7th, 2026]
- NSA (NSA) Executive Chair Fischer reports new OP unit awards and LTIP conversions - Stock Titan - March 4th, 2026 [March 4th, 2026]
- Cyber retaliation from Iran is a problem for U.S. companies 'It's in the hands of a 19-year-old hacker in a Telegram room,' ex-NSA operative says -... - March 4th, 2026 [March 4th, 2026]
- Ajit Doval Indias Most Useless NSA Ever Says Netizens: Zero Intel on Uri, Pulwama, Galwan, Iran War & More - indiaherald.com - March 4th, 2026 [March 4th, 2026]
- Sheep Village Cynefin to be launched by RWAS and NSA at the Royal Welsh Show - Shropshire Star - March 4th, 2026 [March 4th, 2026]
- Wyden blocks nominee to lead NSA and Cyber Command - Federal News Network - February 27th, 2026 [February 27th, 2026]
- Wyden blocks Rudd confirmation to lead Cyber Command, NSA - The Record from Recorded Future News - February 27th, 2026 [February 27th, 2026]
- NSA said to have seen security concerns in Grok - breakingthenews.net - February 27th, 2026 [February 27th, 2026]
- NSA: Solid Q4 Beat and Favorable 2026 Outlook, But Cost Pressures and High Expectations Justify Hold Rating - TipRanks - February 27th, 2026 [February 27th, 2026]
- Videotron and Samsung Expand Partnership Through 5G NSA and 4G LTE Core Gateway Deployment - samsung.com - February 24th, 2026 [February 24th, 2026]
- Videotron Taps Samsung for Cloud-Native 5G NSA and LTE Core Gateway Solution - The Fast Mode - February 24th, 2026 [February 24th, 2026]
- El-Rufai Demanded to Provide Evidence in NSA Hacking Claims - streamlinefeed.co.ke - February 24th, 2026 [February 24th, 2026]
- DSS to arraign El-Rufai on Feb. 25 over alleged NSA phone interception - Businessday NG - February 24th, 2026 [February 24th, 2026]
- Securus Technologies Supports Expansion of Sheriff-Led NSA I.G.N.I.T.E. Initiative to Improve Jail Safety and Reentry Outcomes - PR Newswire - February 7th, 2026 [February 7th, 2026]
- NSA set to deal with defiant parties, politicians, supporters on integrity of democratic process - ThePointNG - February 7th, 2026 [February 7th, 2026]
- Where NSA zero trust guidance aligns with enterprise reality - Help Net Security - February 4th, 2026 [February 4th, 2026]
- UNG third in Division 1 of NSA cyber event - University of North Georgia - February 4th, 2026 [February 4th, 2026]
- Green Beret Lieutenant General Joshua Rudd Tapped To Lead NSA and US Cyber Command - SOFREP - February 4th, 2026 [February 4th, 2026]
- SC Flags Health Concerns, Urges Rethink on Sonam Wangchuks NSA Detention - The Morning Voice - February 4th, 2026 [February 4th, 2026]
- What security teams need to know about the NSA's new zero trust guidelines - IT Pro - February 4th, 2026 [February 4th, 2026]
- 'India won't be bullied': NSA Ajit Doval told Marco Rubio that New Delhi would wait out Trump term for trade deal: Report - theweek.in - February 4th, 2026 [February 4th, 2026]