11/29/2018
02:30 PM
Ojas Rege
Commentary

Establishing True Trust in a Zero-Trust World

Our goal should not be to merely accept zero trust but to gain the visibility required to establish true trust.

The term "zero trust" was coined by Forrester in 2010. The concept was also central to the BeyondCorp architecture that Google was designing around the same time. Traditionally, companies assumed their corporate networks were secure. Google provocatively stated that the corporate network was no more secure than the public Internet and that every organization needed a security architecture that did not take trust for granted. Forrester described it less as myth-busting about network security and more as a necessary framework for data and computing outside the perimeter.

Whether corporate networks are secure or not, it is true that the traditional arbiters of trust — next-gen firewalls, VPNs, web gateways, network access control, network data loss prevention, locked-down PCs — have minimal value outside the perimeter. This is a growing issue because all new enterprise application innovations happen in the cloud, not on-premises, so a company that cannot compute outside the perimeter will rapidly get left behind.

Every company must find its answer to the zero-trust problem.

What Is Zero Trust, Really?
Trust is based on visibility. If I can see where my data is going and assess the corresponding risk, then I can make an appropriate decision about whether to allow access to my data in that environment. If I have zero visibility, however, I must assume zero trust. I cannot trust what I cannot see.

Because traditional security solutions provide minimal visibility outside the perimeter, organizations have a rapidly growing blind spot as data spreads across an information fabric that spans mobile endpoints and cloud services.

Our goal should not be to merely accept zero trust but to gain the visibility required to be able to establish trust in what otherwise would be a zero-trust world. Without trust, you cannot enable your users. Without enablement, they cannot do their jobs. The challenge is to enable them with the services they need without putting your business data at risk.

Every company must implement a new model of trust.

Is User Trust Enough?
Outside the perimeter, there is one element of trust that traditional security infrastructure can still (mostly) validate: user trust. I can usually establish whether users are who they say they are. But is that enough? No.

User trust is an essential element of the modern trust model. It is necessary, but not sufficient. The reason is that a trusted user in an untrusted environment should not have access to company data. Context matters.

Here's an example: Let's say I owe you $1,000. We can decide where to meet so I can give you that money. We can meet at my home or we can meet on a street corner in a dangerous part of town. You, the person standing across from me, are still the same, trusted individual. But my willingness to hand you that money should absolutely be different in those two environments. In one, the transaction will be successful. In the other, you'll likely get mugged within a block. User trust is not enough. Context is critical to establish trust in a zero-trust world.

3 Steps to Get Started
Risk and trust balance each other. Don't assume that more risk means less access, because the outcome will be that your users won't be able to do their jobs. The more risk that exists in an environment, the harder you must work to establish enough trust to justify access to corporate data.

Like almost everything else in security, starting with basic hygiene and establishing a foundational process and architecture are the most important steps:

Step 1: Start with the user.
Technology is secondary. First, understand the environment in which business users want to do their work, not the environment in which you want them to do their work. Otherwise, you will end up establishing trust in an environment that no one is using, while the real work and actual data flows are outside your vision, completely unprotected.

Step 2: Respect the edge.
Mobile devices and apps have become a primary means for employees to consume data and access business services. That means data will be resident on a constantly growing number of mobile devices. Organizations must establish a data boundary on the device that prevents business apps from leaking data to consumer apps while also protecting the privacy of personal information.

Step 3: Assume constant change.
Think of it as a "dynamic-trust" world instead of a "zero-trust" world. Context is dynamic in modern computing. Change is the nature of both mobile and cloud: Devices move across networks and locations; new apps are downloaded; and configurations are modified. The key is to establish an automated and tiered compliance model that monitors for contextual changes and then automatically takes appropriate actions, such as notifying the user, asking for a second factor, expanding or blocking access, and provisioning or retiring apps.

Establishing True Trust
Your goal is to protect data across an increasingly fragmented information fabric outside the comfort zone of traditional security approaches. The modern access decision requires constant assessment because context is constantly changing. The path forward is moving to this dynamic model of modern security versus the static "I'm in, you're out" model of the traditional firewall.

True trust is the combination of user trust with contextual trust: OS, device, app, network, time, location. Establishing true trust in a zero-trust world as the centerpiece of an automated compliance model gives users the freedom they need to get on with their work without losing company data.
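
The tiered, automated compliance model from Step 3, evaluated over the contextual signals listed above (OS, device, app, network, time, location), as an added example that is not part of the original article. The signal names, the mapping of signals to tiers and the sample sequence of changes are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace
from enum import IntEnum

class Action(IntEnum):
    """Response tiers, ordered so that max() selects the strictest one."""
    ALLOW = 0
    NOTIFY_USER = 1
    REQUIRE_SECOND_FACTOR = 2
    BLOCK = 3

@dataclass(frozen=True)
class Context:
    """User trust plus contextual trust; True means the signal is healthy."""
    user_verified: bool = True
    os_patched: bool = True
    device_intact: bool = True      # no jailbreak/root indicators
    app_approved: bool = True
    network_trusted: bool = True
    usual_location: bool = True
    usual_hours: bool = True

# Hypothetical policy: the tier applied when a signal stops being healthy.
POLICY = {
    **dict.fromkeys(("user_verified", "device_intact", "app_approved"), Action.BLOCK),
    **dict.fromkeys(("network_trusted", "usual_location"), Action.REQUIRE_SECOND_FACTOR),
    **dict.fromkeys(("os_patched", "usual_hours"), Action.NOTIFY_USER),
}

def evaluate(ctx):
    """Return (action, failed_signals); the strictest failed signal decides."""
    failed = [name for name in POLICY if not getattr(ctx, name)]
    return max((POLICY[n] for n in failed), default=Action.ALLOW), failed

def reassess(ctx, changes):
    """Apply each context change in turn and re-decide access after every one."""
    decisions = []
    for change in changes:
        ctx = replace(ctx, **change)
        decisions.append(evaluate(ctx)[0])
    return decisions

# Constructed sequence of context changes for one verified user on one device.
SAMPLE_CHANGES = [
    {"network_trusted": False},                  # joins public Wi-Fi
    {"os_patched": False},                       # OS falls behind on updates
    {"network_trusted": True},                   # back on a trusted network
    {"app_approved": False},                     # unapproved app installed
    {"app_approved": True, "os_patched": True},  # remediated
]
```

The user stays verified throughout the sample sequence, yet the decision moves between all four tiers as the context changes.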


Ojas Rege is Chief Strategy Officer at MobileIron. His perspective on enterprise mobility has been covered by Bloomberg, CIO Magazine, Financial Times, Forbes, Reuters, and many other publications. He coined the term "Mobile First" on TechCrunch in 2007, one week after the ...