In Managing Security in the Age of Zero Trust, NetCraftsmen introduces Zero Trust as a data-centric approach to security. This involves identifying the data assets and adjusting or creating an Enterprise Information Security Policy (EISP) that protects data and takes a risk-based approach to security.
So, what exactly is a “risk-based” approach from a technological perspective?
Risk-Based Technology
From a security management standpoint, there is a risk-based methodology called the “CIA Triad”: Confidentiality, Integrity, and Availability (CIA). Confidentiality means that only authorized users and processes should be able to access or modify data. Integrity means that data should be maintained in a correct state and that nobody should be able to improperly modify it, either accidentally or maliciously. Finally, Availability means that an authorized user should be able to access data wherever and whenever they need it.
Availability Defined
Availability is often simplified to mean backups, disaster recovery (DR) and system design. But it literally means that data should be available to users whenever and wherever it’s needed to support the business.
As a result, there is substantial crossover with integrity.
Again, as with integrity, the ultimate safeguard is immutable storage: copies of the data are made that cannot be modified afterwards. This is emerging as a primary defense against ransomware attacks, where the attacker encrypts the data and holds it hostage to extort money. With one client we designed a solution that moved the immutable backups to a colocation facility not visible from within their environment. This kind of offsite storage is also a safeguard against any number of DR scenarios.
The Zero Trust approach to integrity is to integrate it across all IT silos. This means implementing least-privilege access technologies such as role-based access control (RBAC) and even attribute-based access control (ABAC), an emerging technology standard that can apply context to the permissions. It also involves coordinating encryption technologies, certificate management and backups, including immutable storage as needed.
Finally, we need to examine the system from an availability mindset. This means a lot more than simply providing redundancy; it means thinking through what the end user needs from a readiness standpoint.
In reliability engineering we discuss 5 9s as the concept of a system being highly available (HA). That number was inherited from the telecommunication service provider industry. The literal definition of this is that the system is 99.999% available. This results in an expectation that there be no more than 5.26 minutes of downtime per year.
But what if you need continuous availability? And how does one maintain these systems?
Even more challenging, for a user to interact with the data, all of the following discrete systems must be working at the same time:
- The data storage technologies being used
- The database and file storage systems utilizing the physical storage
- The application suites involved
- The network infrastructure between the users and the data
Because these four systems sit in series, their combined availability is less than 5 9s even when each one individually meets 5 9s. To achieve 5 9s for the complete system, each component must be at 6 9s.
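The arithmetic behind that statement is worth seeing worked through. The following Python script is an added example, not code from the article or from NetCraftsmen; it assumes the four components are independent and in series (the user needs every one of them up), and it uses a 365.25-day year for the downtime figures.

```python
"""Serial availability arithmetic for a chain of components (added illustration)."""
from typing import Iterable

# Assumption: 365.25-day year, so 525,960 minutes per year.
MINUTES_PER_YEAR = 365.25 * 24 * 60

# Constructed component chain from the article: storage, database/file system,
# application suite, network. Each must be up for the user to reach the data.
COMPONENT_CHAIN = ["storage", "database/file system", "application", "network"]


def availability_from_nines(nines: int) -> float:
    """Fractional availability for a count of nines: 5 -> 0.99999, 6 -> 0.999999."""
    return 1.0 - 10.0 ** (-nines)


def serial_availability(components: Iterable[float]) -> float:
    """Availability of components in series (independent failures assumed):
    the product of the individual availabilities."""
    total = 1.0
    for availability in components:
        total *= availability
    return total


def annual_downtime_minutes(availability: float) -> float:
    """Expected minutes of downtime per year at the given availability."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def per_component_requirement(target_nines: int, component_count: int) -> float:
    """Minimum availability each of `component_count` serial components needs
    so that the whole chain still meets `target_nines` (the count-th root)."""
    target = availability_from_nines(target_nines)
    return target ** (1.0 / component_count)


def chain_report(nines_per_component: int) -> dict:
    """Summarise the whole chain when every component runs at the same nines."""
    per_part = availability_from_nines(nines_per_component)
    combined = serial_availability(per_part for _ in COMPONENT_CHAIN)
    return {
        "per_component": per_part,
        "combined": combined,
        "downtime_min_per_year": annual_downtime_minutes(combined),
        "meets_five_nines": combined >= availability_from_nines(5),
    }


if __name__ == "__main__":
    single = availability_from_nines(5)
    print(f"one system at 5 9s: {annual_downtime_minutes(single):.2f} min/year")
    for nines in (5, 6):
        r = chain_report(nines)
        print(
            f"{len(COMPONENT_CHAIN)} components each at {nines} 9s -> "
            f"combined {r['combined']:.6%}, "
            f"{r['downtime_min_per_year']:.2f} min/year, "
            f"meets 5 9s: {r['meets_five_nines']}"
        )
    need = per_component_requirement(5, len(COMPONENT_CHAIN))
    print(f"each component must reach at least {need:.7%} for the chain to hit 5 9s")
```

Running it shows the point of the paragraph: a single system at 5 9s is allowed about 5.26 minutes of downtime a year, but four such systems in series drop to roughly 99.996% and about 21 minutes a year, while four components at 6 9s bring the chain back above 5 9s. The script treats the four layers as independent; shared failure modes (a power loss that takes out storage and network together) only make the real figure worse.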
And this does not even answer the question on continuous availability.
Before we touch that one, let’s consider why so-called HA systems fail (and we have seen this regularly over the years). It often happens through lack of maintenance, resulting in preventable failures. Remember that at 5 9s they only get 5.26 minutes of downtime per year. Failures in these systems point out that in IT we tend to design to meet minimum requirements within the context of capital or operational budgets. What we fail to think about is how to design for the real world, which means designing for the operational environment the system will actually live in.
A system that can sustain only a few minutes of downtime per year is very likely to be in terrible shape from a security and operations standpoint. As a result, designing a system or a system of systems that can operate during maintenance permits the system to remain current and up to date with security and other patches.
Availability Examples
Loss of availability means that users are unable to access, modify or add data. A public example of a security breach based on availability is a distributed denial of service (DDoS) attack. This type of attack consumes a firm’s Internet infrastructure, making it difficult to do business.
A more subtle example would be loss of access due to a systemic IT issue, a failed design or because of a facilities loss. Such a loss could be due to power, weather, cybersecurity incident or, as with 9/11, a physical attack of some sort.
This brings up disaster recovery and business continuity planning. What many organizations fail to plan for is the length of the recovery period and the amount of work needed to ensure the plans will work when needed. A good example is the recent Colonial Pipeline hack, where some news outlets have reported that the ransom was paid, despite backups, because the time to decrypt the data was significantly shorter than that for restoration from backups.
Vendor Choices
In our work, we partner with Cohesity and Pure Storage for backups, immutable storage systems and disaster recovery. For identity-based secure access and segmentation, we are partnered with Elisity but also work with traditional vendors such as Cisco, Illumio, Palo Alto, and Zscaler.
However, availability analytics, high availability (HA) and non-stop architectures have always been a core strength at NetCraftsmen. We have been doing this part of the Triad for almost 20 years.
Ongoing Call to Action
EISPs and the downstream technological policies need to be living systems and kept up to date as the business evolves and changes. As a result, a governance process needs to be established to tie the senior management team with the technology teams tasked with protecting and managing the firm’s data assets.
For a practical view on including the CIA Triad within your security practice you can read our blog on this subject: Architecting an Information Security Program for the Enterprise.
As always, NetCraftsmen consultants are here to assist and guide your journey to a more secure future.
Related Articles
This article is part of an on-going series on network security. Links to the other members of the series:
The CIA Triad: Part 1 – Confidentiality
The CIA Triad: Part 2 – Integrity
Managing Security In the Age of Zero Trust
Architecting an Information Security Program for the Enterprise Part 1