Page 34 - Security Today, November/December 2020

Can Zero Trust Be Trusted?
Responding to breaches or new attack techniques by advancing defensive frameworks
By Karthik Krishnan
Not to be macabre, but cybersecurity frameworks make me think of plane crashes. Airline safety always gets better after an incident because experts analyze what happened and how to make it not happen again. Our industry does the same thing. We respond to breaches or novel attack techniques by advancing new defensive frameworks to meet the moment.
Zero trust/least privilege is one of the frameworks that has many cybersecurity professionals justifiably excited. Most of what you’ll read about applies to networked resources, such as databases or online applications and services. But can it also be applied to secure the millions of contracts, reports, spreadsheets, and other files your users create and manage?
This so-called “unstructured data” is notoriously difficult to protect – so, let’s start by getting a good handle on the framework’s first principles and see what we can use.
ZERO TRUST
It’s no surprise that cyber security defenses took their first cues from the physical world. Castles have moats. Your house has a door with a lock. It makes sense to protect your network with a firewall. But cyber criminals soon crashed that plane. Once they got past the firewall, they feasted on the unprotected targets behind it. Enter zero trust.
The first principle of Zero Trust states there are no safe networks. Access can’t be governed by network locations, IP addresses or machines, but instead by the nature of the asset and the authorization of the user.
Here is another analogy. If you ran a Zero Trust bar, you’d trade your bouncer at the door for a staff of ID checkers, each protecting an “asset,” such as the bar, the stage or seating areas, with different access requirements, such as a minimum age to access the bar or being part of the band to get backstage.
On the network, Zero Trust implementations are built with micro-segmentation (breaking the network down into smaller, resource-defined areas to control/protect), and robust identity and access management (IAM) tools (the blend of authentication, role and context needed to make a go/no-go access decision). But we’re going to need a different approach for unstructured data.
LEAST PRIVILEGE
Accounts with overly broad privileges are the source of substantial mischief when compromised or misused by disgruntled insiders. The recent Twitter kerfuffle, for example, happened because a compromised insider account had the authority to modify end-user accounts with few restrictions and no checks and balances. There are plenty of other stories outside of Twitter about admin account abuse. It is a big problem.
The least-privileges first principle says accounts should be able to access only what’s needed and nothing more. Of course, we still need administrative accounts with potentially dangerous permissions – so the goal is containment of the blast radius should something go wrong. Together, least privileges and zero trust deliver a powerful model for protecting specific assets with access based on expertly tailored permissions. Sounds like something you’d want for your unstructured data, right?
APPLYING ZERO TRUST/LEAST PRIVILEGE TO UNSTRUCTURED DATA
Without a doubt, applying these first principles will dramatically improve unstructured data security. But the devil, as they say, is in the details.
Firewalls. Like firewalls for the network before Zero Trust, folders are the most common control points for unstructured data. And just as we now focus on the resource and not the network location, Zero Trust directs our attention to the file, not the folder. That means each file needs to be protected based on its sensitivity – but who’s to say what’s sensitive, and what’s not?
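To make the go/no-go access decision described above concrete for files rather than folders, here is an added Python example (not from the article): a policy function that decides on identity, role and context alone, with the sensitivity label and permitted reader roles attached to each file, so two files in the same folder get different answers and an "inside the network" address earns nothing. The labels, roles, paths and addresses are constructed for illustration.

```python
from dataclasses import dataclass
# Sensitivity labels from least to most restricted (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class File:
    path: str
    sensitivity: str    # the label travels with the file, not with its folder
    readers: frozenset  # roles permitted to read it (least privilege)

@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset
    mfa_verified: bool    # authentication strength
    device_managed: bool  # context

def decide(p: Principal, f: File, source_ip: str) -> tuple[bool, str]:
    """Go/no-go decision from identity, role and context only; source_ip is
    kept for the audit line but never influences the result."""
    who = f"{p.user}@{source_ip}"
    if not p.mfa_verified:
        return False, f"deny {f.path} for {who}: MFA not verified"
    if not (p.roles & f.readers):
        return False, f"deny {f.path} for {who}: no permitted role"
    if LEVELS[f.sensitivity] >= LEVELS["confidential"] and not p.device_managed:
        return False, f"deny {f.path} for {who}: unmanaged device"
    return True, f"allow {f.path} for {who}"

# Constructed sample: two files in the same folder carrying different labels.
PRESS_RELEASE = File("/shared/q3/press-release.docx", "public", frozenset({"marketing", "analyst"}))
MERGER_TERMS = File("/shared/q3/merger-terms.xlsx", "restricted", frozenset({"legal"}))
ANALYST = Principal("alice", frozenset({"analyst"}), mfa_verified=True, device_managed=True)
COUNSEL_LAPTOP = Principal("bob", frozenset({"legal"}), mfa_verified=True, device_managed=False)
COUNSEL_DESK = Principal("bob", frozenset({"legal"}), mfa_verified=True, device_managed=True)
NO_MFA = Principal("bob", frozenset({"legal"}), mfa_verified=False, device_managed=True)

def run_demo() -> dict[str, bool]:
    """Evaluate the sample requests; each key names the case it exercises."""
    return {
        "analyst_public_file": decide(ANALYST, PRESS_RELEASE, "10.0.0.5")[0],
        "analyst_restricted_file_same_folder": decide(ANALYST, MERGER_TERMS, "10.0.0.5")[0],
        "counsel_unmanaged_device": decide(COUNSEL_LAPTOP, MERGER_TERMS, "10.0.0.7")[0],
        "counsel_managed_device_offsite": decide(COUNSEL_DESK, MERGER_TERMS, "203.0.113.9")[0],
        "counsel_no_mfa_onsite": decide(NO_MFA, MERGER_TERMS, "10.0.0.7")[0],
    }

if __name__ == "__main__":
    for case, allowed in run_demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

Note that the only request allowed from an off-site address is the one with a permitted role, verified MFA and a managed device, while the on-site request without MFA is refused: the decision follows the file and the principal, not the network.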
Assets. Traditional Zero Trust focuses on assets that are easy to find and relatively static, such as databases or interfaces to networked applications. Unstructured data, on the other hand, is a different animal. The users who create and use it aren’t always thinking about where