Can Zero Trust Be Trusted
Responding to breaches or new attack techniques by advancing defensive frameworks
- By Karthik Krishnan
- Dec 03, 2020
Not to be macabre, but cybersecurity
make me think of plane
crashes. Airline safety always
gets better after an
incident because experts analyze what
happened and how to make it not happen
again. Our industry does the same thing.
We respond to breaches or novel new attack
techniques by advancing new defensive
frameworks to meet the moment.
Zero trust/least privilege is one of the
frameworks that has many cyber security
professionals justifiably excited. Most
of the what you’ll read about applies to
networked resources, such as databases or
online applications and services. But can
it also be applied to secure the millions of
contracts, reports, spreadsheets, and other
files your users create and manage?
This so-called “unstructured data” is
notoriously difficult to protect – so, let’s
start by getting a good handle on the
framework’s first principles and see what
we can use.
It’s no surprise that cyber security
defenses took their first cues from the
physical world. Castles have moats. Your
house has a door with a lock. It makes
sense to protect your network with a
firewall. But cyber criminals soon crashed
that plane. Once they got past the firewall,
they feasted on the unprotected targets
behind it. Enter zero trust.
The first principle of Zero Trust states
there are no safe networks. Access can’t
be governed by network locations, IP
addresses or machines, but instead by the
nature of the asset and the authorization
of the user.
Here is another analogy. If you ran a
Zero Trust bar, you’d trade your bouncer
at the door for a staff of ID checkers, each
protecting an “asset,” such as the bar, the
stage or seating areas, with different access
requirements, such as a minimum age to
access the bar or being part of the band to
On the network, Zero Trust implementations
are built with micro-segmentation
(breaking the network down into smaller,
resource-defined areas to control/protect),
and robust identity and access management
(IAM) tools (the blend of authentication,
role and context needed to make a
go/no go access decision). But we’re going
to need a different approach for unstructured
Accounts with overly broad privileges
are the source of substantial mischief
when compromised or misused by
disgruntled insiders. The recent Twitter
kerfuffle, for example, happened because
a compromised insider account had the
authority to modify end-user accounts
with few restrictions and no checks and
balances. There are plenty of other stories
outside of Twitter about admin account
abuse. It is a big problem.
The least-privileges first principle
says accounts should be able to access
only what’s needed and nothing more.
Of course, we still need administrative
accounts with potentially dangerous
permissions – so the goal is containment
of the blast radius should something
go wrong. Together, least privileges and
zero trust deliver a powerful model for
protecting specific assets with access based
on expertly tailored permissions. Sounds
like something you’d want for your
unstructured data, right?
APPLYING ZERO TRUST/LEAST
PRIVILEGE TO UNSTRUCTURED DATA
Without a doubt, applying these first
principles will dramatically improve
unstructured data security. But the devil,
as they say, is in the details.
Firewalls. Like firewalls for the network
before Zero Trust, folders are the most
common control points for unstructured
data. And just as we now focus on the
resource and not the network location,
Zero Trust directs our attention to the file,
not the folder. That means each file needs
to be protected based on its sensitivity –
but who’s to say what’s sensitive, and
Assets. Traditional Zero Trust
focuses on assets that are easy to find
and relatively static, such as databases
or interfaces to networked applications.
Unstructured data, on the other hand, is a
different animal. The users who create and
use it, aren’t always thinking about where to store and how to secure their files. Files
get copied, modified, emailed and linkshared.
Unstructured data is wild and
wooly, and it doesn’t lend itself to careful
construction of micro segments.
Privileges. Modifying your team’s
access privileges for those easy-to-find and
static resources is also not a big problem.
But the least-privilege imperative gets
way more complicated when the target
resource is an individual file. Is it realistic
to ask an IT staffer to figure out access
control for a specific legal contract or price
list, for example? Probably not.
Sound like a tough problem? It is, but
don’t despair. Protecting unstructured
data is a worthy goal and there are
emerging solutions that’ll help us join
the zero-trust/least-privilege movement.
There are two problems to be solved, and
both are unique to unstructured data.
KNOWING WHAT YOU HAVE
“Like we’ve mentioned, traditional
zero-trust focuses on resources that are
pretty easy to get your arms around.”
Unstructured data, on the other hand,
is fantastically complex and diverse (see
details in this study).
Specialized data, such as a contract or
a sales strategy, might be both strategically
valuable and difficult for outsiders to
understand. To date, pattern matching
and end-user file markup techniques have
been used to find business-critical data.
Neither option is working very well.
KNOWING WHAT TO DO
Developing policies for networked
resources, while not easy, is at least
manageable. Unstructured data is different.
It’s diverse and dynamic, changing with
time and business imperatives. Data
loss prevention (DLP) technologies take
a stab at the unstructured data policy
problem, but DLP implementations
are highly complex beasts bordering on
unmanageable. Knowing what policies to
apply to each file is a very tough problem.
ZERO TRUST/LEAST PRIVILEGE
WITH DEEP LEARNING
At this point, you might be wondering if
there’s any hope for zero-trust/least-privilege
approaches. Fortunately, over the last few
years deep learning technologies, specifically
natural language processing have matured and
now offer some exciting new capabilities. The
two problems we’ve identified, discovering/
categorizing your data and defining
appropriate access policies, are now solvable
with automated deep learning solutions.
Deep learning reveals document
meaning and context to provide accurate,
granular categories that reflect business
criticality. These categories are essential
for zero trust security solutions. Deep
learning, being far more accurate than
pattern matching and far easier to
implement than end user classification
programs, is the answer.
Once categorized, deep learning can
establish a security baseline for each
category. That baseline encompasses how
files are permissioned, shared, stored,
and managed, and it reflects the policy
decisions made by the people who know
those files best, the owners and end users.
From here it is an easy step to find and fix
at-risk files, automatically and accurately.
Zero Trust/least-privilege security is
possible for unstructured data. By categorizing
data and discovering the most appropriate
security policies for each file, we’ve kicked
away the barriers to effective, efficient and
focused security at the file level. We’re finally
ready to apply one of the decade’s most
powerful security frameworks to the millions
of files and documents
our users create and
manage every day.
This article originally appeared in the November / December 2020 issue of Security Today.