Zero trust architecture is undoubtedly the future of cybersecurity. However, it does not typically extend beyond network access, which is a shortcoming that will eventually come back to bite the information security community as a whole, says Pete Smith, archTIS VP and General Manager of EMEA.
It’s easy to be seen as paranoid in cybersecurity. The threats we face are often silent and complex; the solutions we create to combat them are quietly implemented, not giving attackers any more information than they already have on what they are up against. This creates a lot of noise around the issues, and virtually nothing when it comes to solutions.
The push to zero trust architecture is a breath of fresh air to the status quo. It is a real, proactive response to the constant looming threat of breach from increasingly sophisticated hostile actors. It changes the ‘default state’ to denying access to anyone outside the network unless they can verify themselves. This fundamental shift in ethos moves the security industry forward.
There is, however, a blind spot not currently being addressed, and because of it we’re likely to see a deflation of the Zero Trust hype: securing the data itself. Without applying the same principles of Zero Trust to the data behind the network it protects, we’re still in for a host of data breaches caused by what the security world calls ‘insider threats’. The term covers everything from corporate spies and moles deliberately leaking information or selling it to the highest bidder, through to negligent office workers leaving a laptop on a bus or sharing a file with the wrong email address.
Let’s use an example from right here on British soil: the recent breach of UK Special Forces personal data via WhatsApp. There are few organizations globally with more incentive to keep personal data secret than the MOD officials who deal with personnel in sensitive units such as the Special Air Service, Special Boat Service and the Special Reconnaissance Regiment. Yet an individual could download a sensitive Excel file with their names, ID numbers and previous roles within the military completely unimpeded, and subsequently share it with the world on WhatsApp.
The incident is just one of many. Corporate security teams are full of stories where user error or malicious actions completely invalidate millions of pounds spent shoring up the perimeter. Unfortunately, it simply does not matter how resilient your network is; these solutions are not built to detect threats coming from within the perimeter. Other solutions that attempt to address this gap, such as SIEM and behavioural analysis tools, detect potential issues after the fact and can take months to identify a problem. Fortunately, there is a solution to stop data loss from negligent and malicious insiders altogether: Attribute-Based Access Control (ABAC).
ABAC extends the zero trust security model to the file level. Instead of granting access to a document on a server automatically because you are already authenticated to the system, it decides whether you can access that file by evaluating attributes (characteristics of the data and/or the user) that determine the file’s access, usage and sharing rights.
The advantage of a data-centric, ABAC-based security approach is that an individual file’s access rights can be adjusted dynamically, in real time, based on the sensitivity of the file and the user’s current context. The attributes evaluated include the file’s security classification and permissions, and user attributes such as security clearance, time of day, location and device type; together they determine who can access, edit, download or share a particular file. Like Zero Trust network architecture, ABAC sets the default to deny access unless these attributes can be validated against the business policies governing access and sharing conditions.
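The following is an added illustration of the default-deny, attribute-driven decision just described; it is example code written for this article, not archTIS software or any product’s API. The classification levels, attribute names (clearance, org, location, device, local time) and the policy conditions per action are all constructed for the example, and the personnel-roster file and users are invented sample data.

```python
"""Minimal attribute-based access control (ABAC) decision point.

Constructed example: attribute names, levels and policy rules are illustrative,
not taken from any real product.
"""
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List

# Ordered sensitivity levels (constructed). Unknown labels never match.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class FileAttrs:
    """Attributes carried by the data itself."""
    name: str
    classification: str
    owner_org: str


@dataclass(frozen=True)
class UserContext:
    """Attributes of the requesting user and the context of the request."""
    user_id: str
    clearance: str
    org: str
    location: str      # "office", "home", "unknown"
    device: str        # "managed" or "unmanaged"
    local_time: time


Condition = Callable[[FileAttrs, UserContext], bool]


def clearance_ok(f: FileAttrs, u: UserContext) -> bool:
    # An unrecognised clearance ranks below everything; an unrecognised
    # classification ranks above everything, so both fail closed.
    return LEVELS.get(u.clearance, -1) >= LEVELS.get(f.classification, len(LEVELS))


def same_org(f: FileAttrs, u: UserContext) -> bool:
    return f.owner_org == u.org


def managed_device(f: FileAttrs, u: UserContext) -> bool:
    return u.device == "managed"


def in_office(f: FileAttrs, u: UserContext) -> bool:
    return u.location == "office"


def business_hours(f: FileAttrs, u: UserContext) -> bool:
    return time(8, 0) <= u.local_time < time(18, 0)


def not_secret(f: FileAttrs, u: UserContext) -> bool:
    # Policy choice for this example: SECRET material is never shareable.
    return f.classification != "SECRET"


# Every condition listed for an action must hold; anything not listed is denied.
POLICY: Dict[str, List[Condition]] = {
    "read":     [clearance_ok, same_org],
    "edit":     [clearance_ok, same_org, managed_device],
    "download": [clearance_ok, same_org, managed_device, business_hours],
    "share":    [clearance_ok, same_org, managed_device, business_hours,
                 in_office, not_secret],
}


def decide(action: str, f: FileAttrs, u: UserContext) -> bool:
    """Default deny: True only when the action is known and all its conditions pass."""
    conditions = POLICY.get(action)
    if not conditions:
        return False
    return all(cond(f, u) for cond in conditions)


def explain(action: str, f: FileAttrs, u: UserContext) -> List[str]:
    """Names of the conditions that failed; an empty list means the action is allowed.

    Handy for audit logging, so a denial records why it happened."""
    if action not in POLICY:
        return ["unknown_action"]
    return [cond.__name__ for cond in POLICY[action] if not cond(f, u)]


if __name__ == "__main__":
    # Constructed sample: a SECRET personnel roster, requested from a personal
    # device at home late at night by a user who does hold SECRET clearance.
    roster = FileAttrs("personnel_roster.xlsx", "SECRET", "mod")
    late_night = UserContext("u1", "SECRET", "mod", "home", "unmanaged", time(22, 30))
    for action in ("read", "edit", "download", "share"):
        print(action, decide(action, roster, late_night), explain(action, roster, late_night))
```

Note that the clearance check alone would have let this user read the roster; it is the device, time and location attributes, evaluated per action, that stop the download and share. The `explain` helper exists because a default-deny policy that cannot say why it denied something is hard to tune and hard to audit.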
According to the 2021 Verizon Data Breach Investigations Report, data mishandling by insider threats is the top source of insider-related data breaches. Additionally, the pandemic has made it possible to collaborate virtually with software such as Microsoft 365 across many different geographies. This is a perfect environment for insider threats to flourish.
With the push to Zero Trust, we have a rare opportunity not just to fix today’s pressing cybersecurity issues, but to nip in the bud the next step that attackers will likely take to circumvent the onerous task of breaching a network, stealing credentials and utilizing insider threats. ABAC is that solution, but only time will tell if we adopt it in time.