In Managing Security in the Age of Zero Trust, NetCraftsmen introduces Zero Trust as a data-centric approach to security. This involves identifying the data assets and adjusting or creating an Enterprise Information Security Policy (EISP) that protects data and takes a risk-based approach to security.
So, what exactly is a “risk-based” approach from a technological perspective?
From a security management standpoint, there is a risk-based methodology called the CIA Triad: Confidentiality, Integrity, and Availability (CIA). Confidentiality means that only authorized users and processes can access or modify data. Integrity means that data is kept in a correct state and that nobody can improperly modify it, whether accidentally or maliciously. Finally, Availability means that an authorized user can reach the data wherever and whenever they need it.
Confidentiality is often simplified to mean encryption. But there are three separate technology areas: encryption at rest, encryption in transit, and emerging technologies applying encryption during processing (a.k.a. confidential computing). This oversimplification is an artifact of pre-Zero-Trust siloed thinking.
In this older technological paradigm, encryption was deployed piecemeal across the infrastructure:
- Encryption of Data at Rest: by Storage Engineers using the encryption technologies supported by the various vendor choices
- Encryption of Data in Transit: by Network Engineers using such technologies as MACsec or WAN tunnels with IPsec, iWAN, DMVPN, or other SD-WAN technologies
- Encryption of Data in Use: an emerging technology called Confidential Computing that closes gaps in data security while data is in use
However, confidentiality has always also involved privileged access: verifying that the user accessing the data has the right to see or modify it. The older operational approach treated the infrastructure work and the user-access technology as independent problems.
As a result, to maintain data confidentiality, an enterprise required multiple independent groups to be firing on all cylinders to function correctly.
The Zero Trust approach to confidentiality is to integrate the work across all of these silos. This means implementing least-privilege access technologies such as role-based access control (RBAC) and even attribute-based access control (ABAC), an emerging standard that can apply context to permissions.
Loss of confidentiality is defined as data being seen by unauthorized users. By that definition, most of the cyber incidents reported in the press are confidentiality breaches.
To fight this, we need authentication, authorization, and encryption.
Authentication includes a huge number of technologies and techniques, but it can be satisfied with Multi-Factor Authentication.
This can consist of a combination of at least two of the following:
- Something the user knows (e.g., password, PIN or account number)
- Something the user has (e.g., key or security token)
- Something the user is (e.g., biometrics)
- Somewhere the user is (e.g., location validated by GPS)
Authorization involves ‘need to know’ mechanisms, and sometimes this is as simple as having separate user IDs for admin access. However, authorization can be more complex, and this is the problem the NIST standard on ABAC was developed to address. ABAC permits policies that differentiate not just on ‘read and write’ access or on specific data sets; they can also accommodate dynamic rulesets based on location, or even on a risk score computed from a series of risk-based attributes.
Encryption seems straightforward but can be very complex. Consider that many current data centers use overlay technologies that do not support encryption. While this may be viewed as a problem, it can normally be worked around using hardware technologies such as MACsec (802.1AE). The trick is to step back and look at the problem holistically.
However, encryption requires the management of a lot of keys. As a result, you really need to think through the process and make sure your plans involve a comprehensive view of key management.
But confidentiality technology alone cannot solve all issues. NetCraftsmen does a lot of work in healthcare and the infrastructure we develop often supports electronic medical records (EMR) systems. Many of these are old and cannot differentiate access to patient data as required by HIPAA regulations. As a result, if you can see and modify records for one patient, the only thing preventing you from looking up data on someone you are not treating (and therefore not authorized to view) is an HR policy.
In these cases, the policy might be enforced through examination of log files. While this is after the fact, the presence of a forensic trail is a powerful deterrent to snooping.
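To make the two mechanisms concrete, here is an added example (not NetCraftsmen code) of a small ABAC decision function for EMR access that combines role, a treating-relationship attribute, location and a risk score, beside the log-review fallback described above for a legacy EMR that cannot enforce per-patient access itself. The care-team table, attribute names and audit log lines are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed care-team table: (clinician, patient) pairs with a treating relationship.
TREATING = {("dr_ada", "patient_001"), ("dr_ada", "patient_002"), ("nurse_bo", "patient_002")}

@dataclass
class Request:
    user: str        # subject attribute
    role: str        # subject attribute (the RBAC part)
    patient: str     # resource attribute
    action: str      # "read" or "write"
    on_site: bool    # environment attribute: location
    risk_score: int  # environment attribute: 0 (low) .. 100 (high), hypothetical scale

def abac_decide(req: Request) -> tuple[bool, str]:
    """Evaluate one access request. Deny by default; return (permit, reason)."""
    if req.role not in {"physician", "nurse"}:
        return False, "role not permitted to access clinical records"
    if (req.user, req.patient) not in TREATING:
        return False, "no treating relationship with this patient"
    if req.action == "write" and req.role != "physician":
        return False, "writes restricted to physicians"
    if not req.on_site and req.risk_score > 50:
        return False, "off-site access blocked at elevated risk score"
    return True, "permit"

# Constructed audit log from a legacy EMR: timestamp,user,patient,action
SAMPLE_LOG = [
    "2024-05-01T09:12:00Z,dr_ada,patient_001,read",
    "2024-05-01T09:15:00Z,nurse_bo,patient_001,read",   # no treating relationship
    "2024-05-01T09:20:00Z,nurse_bo,patient_002,read",
]

def flag_snooping(log_lines: list[str]) -> list[str]:
    """After-the-fact review: return log lines where the user accessed a
    patient they are not treating, the check the legacy EMR could not enforce."""
    flagged = []
    for line in log_lines:
        _ts, user, patient, _action = line.split(",")
        if (user, patient) not in TREATING:
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    print(abac_decide(Request("dr_ada", "physician", "patient_003", "read", True, 10)))
    print(flag_snooping(SAMPLE_LOG))
```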
No single company has a complete product or even product set for confidentiality, let alone Zero Trust, but perfection is the enemy of progress. As a result, we should be looking for solutions that improve the current situation and move us forward.
In our work, we are big fans of MFA and, for our own systems, use Okta, but we also support DUO and other vendor solutions. For identity-based secure access and segmentation, we are partnered with Elisity but also work with traditional vendors such as Cisco, Illumio, Palo Alto, and Zscaler.
Ongoing Call to Action
EISPs and the downstream technological policies need to be living systems and kept up to date as the business evolves and changes. As a result, a governance process needs to be established to tie the senior management team with the technology teams tasked with protecting and managing the firm’s data assets.
For a practical view on including the CIA Triad within your security practice you can read our blog on this subject: Architecting an information security program for the Enterprise.
As always, NetCraftsmen consultants are here to assist and guide your journey to a more secure future.
This article is part of an ongoing series on network security. Links to the other members of the series: