Can Zero Trust Be Trusted

Responding to breaches or new attack techniques by advancing defensive frameworks

Not to be macabre, but cybersecurity frameworks make me think of plane crashes. Airline safety always gets better after an incident because experts analyze what happened and how to make it not happen again. Our industry does the same thing. We respond to breaches or novel new attack techniques by advancing new defensive frameworks to meet the moment.

Zero trust/least privilege is one of the frameworks that has many cyber security professionals justifiably excited. Most of the what you’ll read about applies to networked resources, such as databases or online applications and services. But can it also be applied to secure the millions of contracts, reports, spreadsheets, and other files your users create and manage?

This so-called “unstructured data” is notoriously difficult to protect – so, let’s start by getting a good handle on the framework’s first principles and see what we can use.

ZERO TRUST

It’s no surprise that cyber security defenses took their first cues from the physical world. Castles have moats. Your house has a door with a lock. It makes sense to protect your network with a firewall. But cyber criminals soon crashed that plane. Once they got past the firewall, they feasted on the unprotected targets behind it. Enter zero trust.

The first principle of Zero Trust states there are no safe networks. Access can’t be governed by network locations, IP addresses or machines, but instead by the nature of the asset and the authorization of the user.

Here is another analogy. If you ran a Zero Trust bar, you’d trade your bouncer at the door for a staff of ID checkers, each protecting an “asset,” such as the bar, the stage or seating areas, with different access requirements, such as a minimum age to access the bar or being part of the band to get backstage.

On the network, Zero Trust implementations are built with micro-segmentation (breaking the network down into smaller, resource-defined areas to control/protect), and robust identity and access management (IAM) tools (the blend of authentication, role and context needed to make a go/no go access decision). But we’re going to need a different approach for unstructured data.

LEAST PRIVILEGE

Accounts with overly broad privileges are the source of substantial mischief when compromised or misused by disgruntled insiders. The recent Twitter kerfuffle, for example, happened because a compromised insider account had the authority to modify end-user accounts with few restrictions and no checks and balances. There are plenty of other stories outside of Twitter about admin account abuse. It is a big problem.

The least-privileges first principle says accounts should be able to access only what’s needed and nothing more. Of course, we still need administrative accounts with potentially dangerous permissions – so the goal is containment of the blast radius should something go wrong. Together, least privileges and zero trust deliver a powerful model for protecting specific assets with access based on expertly tailored permissions. Sounds like something you’d want for your unstructured data, right?

APPLYING ZERO TRUST/LEAST PRIVILEGE TO UNSTRUCTURED DATA

Without a doubt, applying these first principles will dramatically improve unstructured data security. But the devil, as they say, is in the details.

Firewalls. Like firewalls for the network before Zero Trust, folders are the most common control points for unstructured data. And just as we now focus on the resource and not the network location, Zero Trust directs our attention to the file, not the folder. That means each file needs to be protected based on its sensitivity – but who’s to say what’s sensitive, and what’s not?

Assets. Traditional Zero Trust focuses on assets that are easy to find and relatively static, such as databases or interfaces to networked applications. Unstructured data, on the other hand, is a different animal. The users who create and use it, aren’t always thinking about where to store and how to secure their files. Files get copied, modified, emailed and linkshared. Unstructured data is wild and wooly, and it doesn’t lend itself to careful construction of micro segments.

Privileges. Modifying your team’s access privileges for those easy-to-find and static resources is also not a big problem. But the least-privilege imperative gets way more complicated when the target resource is an individual file. Is it realistic to ask an IT staffer to figure out access control for a specific legal contract or price list, for example? Probably not. Sound like a tough problem? It is, but don’t despair. Protecting unstructured data is a worthy goal and there are emerging solutions that’ll help us join the zero-trust/least-privilege movement. There are two problems to be solved, and both are unique to unstructured data.

KNOWING WHAT YOU HAVE

“Like we’ve mentioned, traditional zero-trust focuses on resources that are pretty easy to get your arms around.” Unstructured data, on the other hand, is fantastically complex and diverse (see details in this study).

Specialized data, such as a contract or a sales strategy, might be both strategically valuable and difficult for outsiders to understand. To date, pattern matching and end-user file markup techniques have been used to find business-critical data. Neither option is working very well.

KNOWING WHAT TO DO

Developing policies for networked resources, while not easy, is at least manageable. Unstructured data is different. It’s diverse and dynamic, changing with time and business imperatives. Data loss prevention (DLP) technologies take a stab at the unstructured data policy problem, but DLP implementations are highly complex beasts bordering on unmanageable. Knowing what policies to apply to each file is a very tough problem.

ZERO TRUST/LEAST PRIVILEGE WITH DEEP LEARNING

At this point, you might be wondering if there’s any hope for zero-trust/least-privilege approaches. Fortunately, over the last few years deep learning technologies, specifically natural language processing have matured and now offer some exciting new capabilities. The two problems we’ve identified, discovering/ categorizing your data and defining appropriate access policies, are now solvable with automated deep learning solutions.

Deep learning reveals document meaning and context to provide accurate, granular categories that reflect business criticality. These categories are essential for zero trust security solutions. Deep learning, being far more accurate than pattern matching and far easier to implement than end user classification programs, is the answer.

Once categorized, deep learning can establish a security baseline for each category. That baseline encompasses how files are permissioned, shared, stored, and managed, and it reflects the policy decisions made by the people who know those files best, the owners and end users. From here it is an easy step to find and fix at-risk files, automatically and accurately.

Zero Trust/least-privilege security is possible for unstructured data. By categorizing data and discovering the most appropriate security policies for each file, we’ve kicked away the barriers to effective, efficient and focused security at the file level. We’re finally ready to apply one of the decade’s most powerful security frameworks to the millions of files and documents our users create and manage every day.

This article originally appeared in the November / December 2020 issue of Security Today.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3