Dark Reading is part of the Informa Tech Division of Informa PLC

Risk

2/1/2021 10:00 AM

Strengthening Zero-Trust Architecture

Organizations that want to stay ahead of cybercriminals will find that going beyond user trust and device trust is critical for outwitting their adversaries.

The invention of the term "zero trust" is generally credited to former Forrester analyst John Kindervag more than a decade ago. Although it's not new, the concept has received renewed interest and market traction amid 2020's widespread shift to remote work and the evolution of the cloud. As a concept, zero trust doesn't refer to a specific piece of technology; instead, it relates to the idea that users should have only the bare minimum access they need to perform their job.


Within zero-trust architecture (ZTA), users can't access areas of the network, data, and applications to which they do not specifically require access. In a way, this means that zero-trust implementation is a journey rather than a destination. A "perfect" zero-trust environment isn't something that one can quickly achieve. More realistically, organizations should strive for a lean least-privilege structure of trust. Recently, organizations, including MITRE and the National Institute of Standards and Technology (NIST), have released frameworks highlighting how technologies like deception and concealment can contribute to zero-trust implementation.   

Understanding and Reframing Zero Trust
The fundamental ethos of zero trust sounds like something out of a spy movie: trust no one. In practical terms, this means that an organization should trust no entity accessing a network. Instead, the entity must continually prove that it has the necessary rights and permissions to access a given area or asset. For example, even if a user validated an account via username and password, the system doesn't automatically assume that person to be "trusted." With an effective ZTA, the network will continue to provide access only to areas for which that user has specific permissions. The right security tools can flag the user's behavior as suspicious and raise an alert if they attempt to access something outside their usual purview.

With this in mind, there are five elements to practical zero trust: device trust, user trust, transport/session trust, application trust, and data trust. Today, most zero-trust technology focuses on the user and device trust areas, which is understandable because securing individual user accounts and devices factors heavily into how most organizations think about cybersecurity. But other areas, such as application trust and data trust, are becoming increasingly important in today's world. Rather than addressing zero trust from only an identity standpoint, which most companies are actively building into their programs, security teams should add breadth to their programs by also addressing it from a controlled access standpoint.

Making Zero Trust Work
Earlier this year, NIST released a special publication on ZTA. Like the recent MITRE Shield framework, the document highlighted several areas where technology such as deception and concealment can make a significant difference for defenders. The areas of data trust and application trust stand out as particularly important to consider when expanding an organization's zero-trust programs.

First, it's helpful to consider zero trust in terms of the need for controlled access management that does not negatively affect the business. Specifically, organizations must establish a zero-trust environment that limits access to individuals with the proper authority but doesn't interfere with daily operations. One way to accomplish this is through a data-trust lens. Rather than granting blanket access to validated users, organizations should hide specific files and data from those who don't have the authorization to access them, strengthening data protection beyond user-level permissions without impacting authorized users. When objects such as files, folders, or mapped network and cloud shares are hidden, attackers cannot find or access the data they seek. This function can serve as a powerful defense against data theft and ransomware attacks.

Application trust likewise takes security beyond user privileges. Merely focusing on whether a query is authorized isn't enough — it's also vital to consider the application invoking that query. Doing so can prevent unauthorized access from applications such as the Windows command line or PowerShell, which regular users wouldn't typically use to access data. Application trust can also help identify and deflect attackers attempting to probe open ports and services to compromise. Identifying this type of unauthorized activity allows defenders to take prompt action, either expelling the attacker from the network or misdirecting them to a decoy environment in the interest of gathering adversary intelligence.
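The three checks described in the preceding paragraphs (the behavioral flag from "Understanding and Reframing Zero Trust", the data-trust concealment of shares, and the application-trust check on the invoking process) can be combined into a single policy decision. The following is an added example written for this page, not code from Attivo Networks, NIST, or MITRE; every user, process, share name, and policy entry in it is constructed, and the device posture flag is assumed to come from an external check.

```python
# Added illustration of layered zero-trust checks: device trust, user trust,
# data trust (concealment), application trust and a behavioural baseline.
# Example code, not Attivo Networks', NIST's or MITRE's; all names are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_compliant: bool   # device trust: result of a posture check (assumed external)
    application: str         # process that issued the request, e.g. "excel.exe"
    resource: str            # object being touched, e.g. "smb://fileserver/finance/payroll.xlsx"


@dataclass
class Policy:
    shares: FrozenSet[str]                    # share prefixes this policy governs
    user_grants: Dict[str, FrozenSet[str]]    # user trust: user -> shares they may access
    app_grants: Dict[str, FrozenSet[str]]     # application trust: share -> approved processes
    concealed: FrozenSet[str]                 # data trust: shares hidden from ungranted users
    baseline: Dict[str, FrozenSet[str]]       # resources each user normally touches


@dataclass(frozen=True)
class Decision:
    outcome: str   # ALLOW, ALLOW_ALERT, CONCEAL, DECOY or DENY
    reason: str


def share_of(resource: str, policy: Policy) -> Optional[str]:
    """Return the longest governed share prefix covering the resource, if any."""
    matches = [s for s in policy.shares if resource.startswith(s)]
    return max(matches, key=len) if matches else None


def evaluate(req: AccessRequest, policy: Policy) -> Decision:
    """Policy decision point: every layer must pass; a valid login alone never suffices."""
    if not req.device_compliant:
        return Decision("DENY", "device failed posture check")

    share = share_of(req.resource, policy)
    user_ok = share is not None and share in policy.user_grants.get(req.user, frozenset())
    if not user_ok:
        # Data trust: a concealed share answers as if it did not exist, so an
        # attacker holding an ordinary user's credentials cannot enumerate it.
        if share in policy.concealed:
            return Decision("CONCEAL", "share is hidden from this user")
        return Decision("DENY", "user holds no grant for this resource")

    # Application trust: the process matters, not only the account. A shell
    # reaching into a finance share is a signal even when the user is valid.
    if req.application.lower() not in policy.app_grants.get(share, frozenset()):
        return Decision("DECOY", f"unapproved application {req.application}; redirect to decoy and alert")

    # Behavioural check: authorized but unusual access is allowed and flagged.
    if req.resource not in policy.baseline.get(req.user, frozenset()):
        return Decision("ALLOW_ALERT", "authorized but outside user's usual purview")

    return Decision("ALLOW", "user, application and data trust all satisfied")


def evaluate_all(requests: List[AccessRequest], policy: Policy) -> List[Decision]:
    return [evaluate(r, policy) for r in requests]


# Constructed sample policy and access requests.
FINANCE, PUBLIC = "smb://fileserver/finance/", "smb://fileserver/public/"
POLICY = Policy(
    shares=frozenset({FINANCE, PUBLIC}),
    user_grants={"alice": frozenset({FINANCE, PUBLIC}), "bob": frozenset({PUBLIC})},
    app_grants={FINANCE: frozenset({"excel.exe", "explorer.exe"}),
                PUBLIC: frozenset({"excel.exe", "explorer.exe", "powershell.exe"})},
    concealed=frozenset({FINANCE}),
    baseline={"alice": frozenset({FINANCE + "payroll.xlsx"}),
              "bob": frozenset({PUBLIC + "handbook.pdf"})},
)
SAMPLE_REQUESTS = [
    AccessRequest("alice", True, "excel.exe", FINANCE + "payroll.xlsx"),       # ALLOW
    AccessRequest("alice", True, "powershell.exe", FINANCE + "payroll.xlsx"),  # DECOY
    AccessRequest("bob", True, "explorer.exe", FINANCE + "payroll.xlsx"),      # CONCEAL
    AccessRequest("bob", True, "explorer.exe", PUBLIC + "budget.docx"),        # ALLOW_ALERT
    AccessRequest("bob", False, "explorer.exe", PUBLIC + "handbook.pdf"),      # DENY
    AccessRequest("alice", True, "explorer.exe", "smb://other/secret.txt"),    # DENY
]

if __name__ == "__main__":
    for req, d in zip(SAMPLE_REQUESTS, evaluate_all(SAMPLE_REQUESTS, POLICY)):
        print(f"{req.user:6} {req.application:15} {req.resource:40} {d.outcome:11} {d.reason}")
```

The ordering of the checks is the design point: device posture and user grants are evaluated first, a share the user is not granted is reported as nonexistent rather than as forbidden (so a probing attacker learns nothing from the error), an approved user reaching a share through an unapproved process is redirected rather than served, and only after all of that does the behavioural baseline decide whether an otherwise legitimate access merits an alert.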

An Expanded Understanding of Zero Trust Is Essential
User and device trust are critical for ensuring that authorized users have secure access to conduct their business. It is, however, not enough to prevent attackers who impersonate a real user from gaining access. Adding conditional trust for applications and data is an essential element to a comprehensive zero-trust architecture. Hiding sensitive or critical assets, such as data, credentials, and Active Directory objects necessary for privilege escalation, can efficiently prevent access by attackers using unauthorized tools or resources. And because an organization can tailor these solutions to avoid interfering with daily operations, they make a valuable and frictionless addition to any zero-trust architecture.  

Although zero trust isn't a new concept, our understanding of it and how we can apply it continues to evolve. Applying zero trust or, more likely, lean trust and "just enough access" principles to users and devices is a good start, but today's changing threat landscape requires expanding zero trust to more elements. Areas such as data, application, and session trust are taking on increased importance, and organizations hoping to stay one step ahead of modern cybercriminals will find that going deeper into the trust stack is critical for outwitting their adversaries.

Carolyn Crandall is the Chief Security Advocate and CMO at Attivo Networks, the leader in cyber deception and attacker lateral movement detection. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise ...