SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Where should zero trust end?
Fri, 1st Oct 2021

Zero trust architecture does not typically extend beyond network access. This limited thinking might be how the next generation of breaches happen.

Cybersecurity is undergoing its most significant transformation since its inception. After decades of building ever-more-formidable perimeters, we find ourselves on the precipice of zero trust strategies becoming widely adopted.

Zero trust architecture is a giant leap forward for the industry. It changes the ‘default state’ to assume the organisation has already been breached, with access automatically denied unless users can verify themselves and their right to the information. In this sense, it appears all-encompassing, but in reality, almost all discussion of zero trust architecture begins and ends with network access.

This thinking is limited. Why stop at the network or even the application? We should be thinking of applying the same principles to securing the data itself. After all, data is the highest value asset, not the network.

Even if we successfully secure the network from external threats, it will only partially address the problem. If zero trust principles aren't applied to the data behind the network, data breaches will still occur, caused by what the security world calls ‘insider threats’.

In layman's terms, this is everything from corporate spies and nation-state moles deliberately leaking information through to an everyday negligent office worker leaving a laptop on a bus or sharing a file with the wrong email address. Each one of these incidents is an ‘insider threat’.

The terrifying thing about insider threats is that they can happen to anyone, because humans make mistakes — take the case of the UK Special Forces leaking personal data via WhatsApp. The UK's Ministry of Defence is very likely to have more qualified, much more security-conscious staff than your average enterprise. Yet it was possible for someone to simply download, unimpeded, a sensitive Excel file containing the names, ID numbers and previous roles of elite military personnel.

According to the 2021 Verizon Data Breach Investigations Report, data mishandling by insiders is the top source of insider-related data breaches. Due to pandemic restrictions, many organisations are using collaboration software such as Microsoft 365 across many different geographies. This is a perfect environment for insider threats to flourish.

Corporate security teams are full of stories like this. It simply does not matter how resilient a network is when it comes to insider threats; these solutions are not built to detect threats coming from within the perimeter. Other solutions that attempt to address this gap (such as SIEM and behavioural analysis tools) detect potential issues after the fact and can take months to identify a problem. Fortunately, there is a solution to stop data loss from negligent and malicious insiders altogether — attribute-based access control (ABAC).

ABAC extends the zero trust security model to the object level. Instead of being able to access a document on a server automatically because you are already authenticated, the system evaluates attributes to decide whether you can access that particular file, and what its access, usage and sharing rights are.

An individual file's access and usage rights are dynamically adjusted based on the sensitivity of the file and the user's context in real-time. This includes security classification and permissions, as well as attributes such as security clearance, time of day, location and device type to determine who can access, edit, download, or share a particular file. Just as with zero trust network architecture, ABAC sets the default to deny access — unless these attributes can be validated against business policies governing access and sharing conditions.
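The following is an added example, not code from the article or from any product it alludes to, showing what a default-deny ABAC decision looks like in practice: every rule in the policy must be satisfied for a request to be granted, and an unrecognised action or classification is refused rather than guessed at. The classification levels, rule set, file path and users are all constructed for the illustration; a real policy decision point would load these from a policy store rather than hard-code them.

```python
"""Toy ABAC policy decision point with default-deny evaluation (constructed example)."""
from dataclasses import dataclass
from datetime import time
from typing import Callable

# Ordered classification/clearance levels; the names are constructed for this example.
LEVELS = {"unclassified": 0, "official": 1, "secret": 2}
ACTIONS = ("read", "edit", "download", "share")


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str   # one of LEVELS
    location: str    # e.g. "office", "home", "unknown"
    device: str      # e.g. "managed", "byod"


@dataclass(frozen=True)
class Resource:
    path: str
    classification: str  # one of LEVELS


@dataclass(frozen=True)
class Context:
    now: time  # time of day at which the request is made


def context_at(hour: int, minute: int = 0) -> Context:
    """Convenience constructor for the request-time context."""
    return Context(time(hour, minute))


# A rule returns True when satisfied; any False is a denial.
Rule = Callable[[Subject, Resource, Context, str], bool]


def clearance_dominates(s: Subject, r: Resource, c: Context, action: str) -> bool:
    """Subject clearance must be at least the file's classification, for any action."""
    return LEVELS.get(s.clearance, -1) >= LEVELS[r.classification]


def business_hours_for_secret(s: Subject, r: Resource, c: Context, action: str) -> bool:
    """Secret material is only reachable 08:00-18:00; lower levels are unrestricted."""
    if r.classification != "secret":
        return True
    return time(8, 0) <= c.now <= time(18, 0)


def managed_device_for_transfer(s: Subject, r: Resource, c: Context, action: str) -> bool:
    """Download/share move data off the platform, so they require a managed device."""
    return s.device == "managed" if action in ("download", "share") else True


def known_location(s: Subject, r: Resource, c: Context, action: str) -> bool:
    """Requests from an unrecognised location are refused regardless of clearance."""
    return s.location in ("office", "home")


POLICY: list[tuple[str, Rule]] = [
    ("clearance_dominates", clearance_dominates),
    ("business_hours_for_secret", business_hours_for_secret),
    ("managed_device_for_transfer", managed_device_for_transfer),
    ("known_location", known_location),
]


def decide(s: Subject, r: Resource, c: Context, action: str) -> tuple[bool, list[str]]:
    """Evaluate every rule; grant only if all pass. Returns (allowed, names of failed rules).

    Unknown actions and classifications are denied outright, which is what makes this
    default-deny rather than default-allow. The failed-rule list is what you would log
    so that denials are explainable to the user and auditable afterwards.
    """
    if action not in ACTIONS or r.classification not in LEVELS:
        return False, ["unrecognised_request"]
    failed = [name for name, rule in POLICY if not rule(s, r, c, action)]
    return (not failed), failed


if __name__ == "__main__":
    roster = Resource("/hr/personnel_roster.xlsx", "secret")  # constructed sample file
    alice = Subject("alice", "secret", "office", "managed")
    bob = Subject("bob", "official", "home", "byod")
    print(decide(alice, roster, context_at(10), "read"))        # (True, [])
    print(decide(alice, roster, context_at(22, 30), "read"))    # (False, ['business_hours_for_secret'])
    print(decide(bob, roster, context_at(10), "download"))      # (False, ['clearance_dominates', 'managed_device_for_transfer'])
```

Note that the same user and the same file can produce different decisions depending on time of day and device, which is the "dynamically adjusted" behaviour the paragraph describes; the decision is recomputed per request rather than cached from the initial login.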

With the push to zero trust, we have a rare opportunity to fix today's pressing cybersecurity issues and build a better model of thinking about cybersecurity in the process. We just need to extend that thinking beyond the network and solve the whole problem if it is ever going to truly live up to the hype.