The OPM Data Breaches – Doing Business in a Zero Trust Environment

The data breaches at the OPM have significant ramifications for the government and for the millions of people whose records may be misused in the years ahead. At the same time, a breach of this scale provides a rare impetus to drive much needed change in policies, technologies and monitoring.

It has been reported that the breach began with compromised credentials belonging to privileged users. Those credentials were then used to reach core OPM systems. With neither encryption of the stored data nor multi-factor authentication in place, the adversaries needed nothing beyond the stolen credentials to move through the IT environment and read OPM systems and data. Without a mature continuous monitoring program, it took OPM months to realize that millions of personnel records had been stolen.

According to the OPM Inspector General, there were systemic weaknesses in OPM systems dating back a decade. Seven of 25 major systems had inadequate documentation of security testing, and four of those seven were maintained directly by the OPM's internal IT department. Further, OPM has 22 systems run by contractors, and as the IG reported in FY 2014, "The next stage in the OCIO's plan involves requiring continuous monitoring of contractor-operated systems and implementation of the DHS Continuous Diagnostic and Mitigation program."

One may be tempted to view OPM as an outlier with an unusually poor security posture, but recent breaches show that many commercial and public sector organizations carry the same weaknesses. Even organizations with the most advanced prevention and detection tools should assume that a sophisticated adversary can get inside. In other words, operate on "zero trust" within your IT environment: do not expect possession of a valid credential, on its own, to protect your data assets. On the other hand, simply locking down data and cutting off system access is not an option if you want to stay competitive.

At Resilient Network Systems, we recommend stronger and more frequent use of multi-factor authentication for both internal and external users. In addition, we recommend continuous monitoring for anomalous user and system behavior, so that misuse of a valid credential is noticed in hours rather than months. Finally, you should build an adaptive access management workflow around your most important data assets. Aim for an access management solution that draws on information from many sources, including security information and event management (SIEM) systems and sensors, and that raises or lowers its demands on the user as the observed risk changes. That gives adversaries a moving target as far as access criteria are concerned, without inconveniencing legitimate users whose behavior looks normal.

There is certainly a need to manage the identities of your own employees, but in an extended enterprise of partners, customers and suppliers, many users hold identities you cannot manage directly. By focusing on managing access rather than ever more identities, an organization can adapt its authentication, authorization and monitoring to the situation at hand. A single privileged user's credential is then no longer sufficient to reach every system, and the context gathered on one system is no longer lost when the same user moves to the next.
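To make the two preceding paragraphs concrete, here is an added example of a risk-scored access decision, written for this page rather than taken from Resilient Network Systems or from any product. It combines constructed signals (network location, device, failed-login counts from an auth sensor, open SIEM alerts), checks an explicit entitlement before anything else so that a privileged credential alone never opens a system, moves the point at which a second factor is demanded according to the sensitivity of the resource, and carries a per-user session context across systems so that denials on one system raise the bar on the next. All user names, resources, thresholds and the entitlement tables are invented for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"  # grant only after a second factor is presented
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    mfa_verified: bool
    source_ip: str
    device_id: str
    failed_logins_last_hour: int = 0  # from an auth-log sensor (constructed)
    siem_alerts: tuple = ()           # open SIEM alerts naming this user (constructed)


# Constructed policy data for the example. A real deployment would load these
# from an entitlement store, an asset inventory and a device registry.
ENTITLEMENTS = {
    "dba-alice": {"hr-records-db", "ticketing"},
    "contractor-bob": {"ticketing"},
}
RESOURCE_SENSITIVITY = {"hr-records-db": 3, "ticketing": 1}
KNOWN_DEVICES = {"dba-alice": {"laptop-a1"}, "contractor-bob": {"laptop-b7"}}
CORP_NETWORK_PREFIXES = ("10.", "192.168.")

DENY_AT = 5     # risk score at which access is refused outright
STEP_UP_AT = 3  # risk plus sensitivity at which a second factor is required


def risk_score(req: AccessRequest) -> tuple[int, list[str]]:
    """Fold signals from several sources into one score, with the reasons."""
    score, reasons = 0, []
    if not req.source_ip.startswith(CORP_NETWORK_PREFIXES):
        score += 2
        reasons.append("off-network source " + req.source_ip)
    if req.device_id not in KNOWN_DEVICES.get(req.user, set()):
        score += 2
        reasons.append("unrecognized device " + req.device_id)
    if req.failed_logins_last_hour >= 5:
        score += 3
        reasons.append(f"{req.failed_logins_last_hour} failed logins in the last hour")
    if req.siem_alerts:
        score += 5
        reasons.append("open SIEM alerts: " + ", ".join(req.siem_alerts))
    return score, reasons


def decide(req: AccessRequest, session: dict) -> tuple[Decision, list[str]]:
    """Return (decision, reasons). `session` carries per-user context across
    systems, so a denial on one system raises the bar on the next request."""
    ctx = session.setdefault(req.user, {"denials": 0})
    # Entitlement first: holding a valid credential never implies access.
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        ctx["denials"] += 1
        return Decision.DENY, [f"{req.user} has no entitlement for {req.resource}"]
    score, reasons = risk_score(req)
    if ctx["denials"] >= 2:
        score += 2
        reasons.append("repeated denials earlier in this session")
    if score >= DENY_AT:
        ctx["denials"] += 1
        return Decision.DENY, reasons
    # The MFA threshold moves with the resource: the more sensitive the data,
    # the less observed risk is tolerated before a second factor is demanded.
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource, 3)
    if score + sensitivity >= STEP_UP_AT and not req.mfa_verified:
        reasons.append(f"sensitivity {sensitivity} plus risk {score} requires a second factor")
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons


if __name__ == "__main__":
    session = {}
    sample = [  # constructed requests in the order they arrive
        AccessRequest("dba-alice", "hr-records-db", False, "10.1.2.3", "laptop-a1"),
        AccessRequest("dba-alice", "hr-records-db", True, "10.1.2.3", "laptop-a1"),
        AccessRequest("dba-alice", "hr-records-db", True, "203.0.113.9", "tablet-x",
                      siem_alerts=("credential stuffing against dba-alice",)),
        AccessRequest("contractor-bob", "hr-records-db", True, "10.1.2.4", "laptop-b7"),
    ]
    for r in sample:
        d, why = decide(r, session)
        print(f"{r.user:15} {r.resource:14} -> {d.value:8} {'; '.join(why)}")
```

Two design points are worth noting. The entitlement check runs before any risk scoring, so a stolen administrator credential presented for a system that administrator was never granted is refused regardless of how clean the session looks. And the MFA decision is a function of both risk and resource sensitivity rather than a fixed rule, which is what lets a low-risk request for a ticketing system pass without friction while the same user reaching the HR database from an unfamiliar device is challenged.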

To learn more about our network-based, adaptive access management, please post a comment, contact us or try TNaaS today.