Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Articles

12/23/2019
08:00 PM
Curtis Franklin Jr.
Curtis Franklin Jr.
Edge Features
100%
0%

Santa and the Zero-Trust Model: A Christmas Story

How would the world's most generous elf operate in a world of zero-trust security? A group of cybersecurity experts lets us know.

On Christmas Eve, snow will fall, Yule logs will blaze, visions of sugarplums will dance in children's heads, and in the eyes of zero-trust experts, countless security breaches will happen in homes around the world.

Zero-trust security has blanketed IT like the snow Bing Crosby sang about. Based on the idea of maintaining strict access controls and not trusting anyone or any component by default — even those already inside the network perimeter — zero trust seeks to prevent intrusion wherever possible and minimize the damage from intrusions that do occur.

Each Christmas Eve, though, a party we've never met and know only by reputation enters our homes and leaves packages. The question Dark Reading put to security experts is whether this "Santa Claus" can be made compliant with the requirements of zero-trust security — or whether modern security might mean the end of children's dreams.

"For far too many years, we’ve given carte blanche to Santa Claus to ignore basic security best practices —— not to mention safety issues bringing potential carcinogens with him down the chimney," says Willy Leichter, vice president at Virsec. "Simply saying we 'trust' the big guy is dangerous and naïve."

"Santa's visit has been invited, typically, by one of the junior members of the household. This junior staffer is likely to have also given Santa a list of items that can be used to bribe his way through security," points out Kevin Sheu, vice president of product marketing at Vectra.

This reality makes it likely, experts say, that Santa Claus will be able to make his way through the outer perimeter, so the focus shifts to minimizing potential damage. How might that work when it comes to the jolly, ol' elf?

Background Basics
"First and foremost, Santa needs a background check before we go any further," says Tyler Reguly, manager of security research and development at Tripwire. "I want to know everything about where this magical elf that makes it around the globe in 24 hours has been. I want to know everything about him."

Getting deep background on a possibly imaginary individual isn't enough of a challenge. The required knowledge doesn't stop with Santa, himself. Reguly points out that Santa seems to have an extensive supply chain, and that the supply chain and support staff should come under scrutiny, as well. That means Mrs. Claus, the sly Elf on the Shelf, and the elves at the North Pole manufacturing and shipping facility must be accounted for.

When it comes to Santa authentication, Sheu points out that the zero trust's evolution means a simple one-time event might not be enough. Instead, he points out, it's about the one-time decision and then long-term follow-up to make sure that the authorization is still appropriate. After all, the Santa authenticated at the North Pole might or might not be the Santa who shows up on our roof — and not everyone is willing to outsource the interim security to NORAD's Santa Tracker.

Santa Supply Chain
Other experts brought up the fact that Santa himself is only the most visible end of a very long supply chain. "Do we know that Santa has effectively assessed the reliability of his elves and of the production process?" asks Bob Maley, CSO of NormShield. "Have the reindeer been trained to land on the roof safely?"

Maley suggests that the level of supply chain verification can be subject to consideration of just how critical the risk is, and points out that, historically, the risk of Santa-inflicted damage is low. Still, that doesn't mean Santa should necessarily be given free rein within the household.

"There's got to be some clear communication of who's arriving and an announcement of who he is, with confirmation that he is who he says he is before he even lands," says Reguly. "And then, assuming you have a chimney, I think the next step, of course, has to be authentication at the chimney."

(Continued on next page: Segmentation, and about those gifts...)

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 1:04:02 PM
Re: Risk
Agreed, I think I would follow that up with even with Santa having diminished access, it still requires scrutiny to a degree. A lot of the time we completely neglect this aspect in lieu of review for more privileged/authoritative access but there is a point where lower level accounts will need to be reviewed.

An escalation vulnerability could turn Santa from the kind hearted low level access into a full blown Krampus and tht is the last thing as Security Practioners we would want.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 1:01:27 PM
Re: Authentication
Definitely agree here. I think one platform that can very much help in these instances are Privileged Access Management (PAM) platforms. Not a silver bullet of course but a step in the right direction.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 1:00:06 PM
Re: zero-trust security
The opposite sentiment of the old KGB addage, "Trust but Verify". As a security professional, I much prefer Zero-Trust and Verify to its Russian counterpart.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 12:58:30 PM
Re: Supply chain
Contractors tend to be the weakest link because their access isn't as heavily regulated typically as full time employees. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 12:57:43 PM
Re: Basics
Background checks are pivotal. It seems now that background checks are very much singling in on financial background checks in lieu of other categories which is somewhat of a paradigm shift for how they use to be performed.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 12:56:01 PM
Re: zero-trust security
Most definitely, I also find it entertaining that many of the articles being written currently are holiday centric. Adds to the enjoyment of these insightful reads.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 2:14:09 PM
Risk
the risk of Santa-inflicted damage is low. Still, that doesn't mean Santa should necessarily be given free rein within the household. Another good point. We can accept some risks but we need to do risk analysis to identify that.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 2:11:46 PM
Authentication
it's about the one-time decision and then long-term follow-up to make sure that the authorization is still appropriate. Agree. Authentication should not be a point in time, it should be as needed process. Authenticate as services being asked.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 2:09:41 PM
Re: zero-trust security
Yes, I like it very much too. Zero-trust and verify is a good approach in security.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 2:08:22 PM
Supply chain
Santa seems to have an extensive supply chain, and that the supply chain and support staff should come under scrutiny, as well. This is another good point. Contractors are tend to be the weakest link.
Page 1 / 2   >   >>
Name That Toon: The Lights Are On ...
Flash Poll