Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

11/29/2018
02:30 PM
Ojas Rege
Ojas Rege
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Establishing True Trust in a Zero-Trust World

Our goal should not be to merely accept zero trust but gain the visibility required to establish true trust.

The term "zero trust" was coined by Forrester in 2010. The concept was also central to the BeyondCorp architecture that Google was designing around the same time. Traditionally, companies assumed their corporate networks were secure. Google provocatively stated that the corporate network was no more secure than the public Internet and that every organization needed a security architecture that did not take trust for granted. Forrester described it less as myth-busting about network security and more as a necessary framework for data and computing outside the perimeter.

Whether corporate networks are secure or not, it is true that the traditional arbiters of trust — next-gen firewalls, VPNs, web gateways, network access control, network data loss prevention, locked-down PCs — have minimal value outside the perimeter. This is a growing issue because all new enterprise application innovations happen in the cloud, not on-premises, so a company that cannot compute outside the perimeter will rapidly get left behind.

Every company must find its answer to the zero-trust problem.

What Is Zero Trust, Really?
Trust is based on visibility. If I can see where my data is going and assess the corresponding risk, then I can make an appropriate decision about whether to allow access to my data in that environment. If I have zero visibility, however, I must assume zero trust. I cannot trust what I cannot see.

Because traditional security solutions provide minimal visibility outside the perimeter, organizations have a rapidly growing blind spot as data spreads across an information fabric that spans mobile endpoints and cloud services.

Our goal should not be to merely accept zero trust but to gain the visibility required to be able to establish trust in what otherwise would be a zero-trust world. Without trust, you cannot enable your users. Without enablement, they cannot do their jobs. The challenge is to enable them with the services they need without putting your business data at risk.

Every company must implement a new model of trust.

Is User Trust Enough?
Outside the perimeter, there is one element of trust that traditional security infrastructure can still (mostly) validate: user trust. I can usually establish whether users are who they say they are. But is that enough? No.

User trust is an essential element of the modern trust model. It is necessary, but not sufficient. The reason is that a trusted user in an untrusted environment should not have access to company data. Context matters.

Here's an example: Let's say I owe you $1,000. We can decide where to meet so I can give you that money. We can meet at my home or we can meet on a street corner in a dangerous part of town. You, the person standing across from me, are still the same, trusted individual. But my willingness to hand you that money should absolutely be different in those two environments. In one, the transaction will be successful. In the other, you'll likely get mugged within a block. User trust is not enough. Context is critical to establish trust in a zero-trust world.

3 Steps to Get Started
Risk and trust balance each other. Don't assume that more risk means less access, because the outcome will be that your users won't be able to do their jobs. The more risk that exists in an environment, the harder you must work to establish enough trust to justify access to corporate data.

Like almost everything else in security, starting with basic hygiene and establishing a foundational process and architecture are the most important steps:

Step 1: Start with the user.
Technology is secondary. First, understand the environment in which business users want to do their work, not the environment in which you want them to do their work. Otherwise, you will end up establishing trust in an environment that no one is using, while the real work and actual data flows are outside your vision, completely unprotected.

Step 2: Respect the edge.
Mobile devices and apps have become a primary means for employees to consume data and access business services. That means data will be resident on a constantly growing number of mobile devices. Organizations must establish a data boundary on the device that prevents business apps from leaking data to consumer apps while also protecting the privacy of personal information.

Step 3: Assume constant change.
Think of it as a "dynamic-trust" world instead of a "zero-trust" world. Context is dynamic in modern computing. Change is the nature of both mobile and cloud: Devices move across networks and locations; new apps are downloaded; and configurations are modified. The key is to establish an automated and tiered compliance model that monitors for contextual changes and then automatically takes appropriate actions, such as notifying the user, asking for a second factor, expanding or blocking access, and provisioning or retiring apps.

Establishing True Trust
Your goal is to protect data across an increasingly fragmented information fabric outside the comfort zone of traditional security approaches. The modern access decision requires constant assessment because context is constantly changing. The path forward is moving to this dynamic model of modern security versus the static "I'm in, you're out" model of the traditional firewall.

True trust is the combination of user trust with contextual trust: OS, device, app, network, time, location. Establishing true trust in a zero-trust world as the centerpiece of an automated compliance model gives users the freedom they need to get on with their work without losing company data.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Ojas Rege is Chief Strategy Officer at MobileIron. His perspective on enterprise mobility has been covered by Bloomberg, CIO Magazine, Financial Times, Forbes, Reuters, and many other publications. He coined the term "Mobile First" on TechCrunch in 2007, one week after the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16413
PUBLISHED: 2019-09-19
An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.
CVE-2019-3738
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-3739
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
CVE-2019-3740
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
CVE-2019-3756
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.