Trust No One: A New Security Model for Today's New Threat Landscape
o Insider threats can lay open data across a network, and the leakage can last for years.
o A new Forrester Research report argues for internal controls as rigorous as external security measures.
o "Trust no one" is at the heart of the Zero Trust Model of Information Security.
o Automated tools now exist to implement multi-layer internal security and to stop "trusting packets like they're people."
Ask many network security professionals where their networks are most vulnerable and they'll say at the perimeter, where it meets the outside world. That's fine when it comes to external attacks, but what happens when the malicious user is on an internal network?
For years, the saying "We want our network to be like an M&M, with a hard crunchy outside and a soft chewy center" summed up system safety, according to a new Forrester Research report.
But times have changed.
That was a motto based on the assumption that security shells could be made impermeable, a virtual wall against which malicious individuals could bang their heads but never breach. Today's threat landscape has made such thinking not only passé but dangerously ineffective, the Forrester report argues.
If attackers get past the shell and into the network (and they often do, sometimes lurking for years), all the network's resources are vulnerable, according to Forrester senior analyst John Kindervag, lead author of the report, "No More Chewy Centers: Introducing the Zero Trust Model of Information Security."
Kindervag and his co-authors, Stephanie Balaouras and Lindsey Coit, argue for a new approach to safeguarding data that calls for an end to the two-tier corporate network. Instead of dividing network traffic into trusted (usually internal) and untrusted (usually external) sources, Zero Trust network security requires that all resources be verified and secured, that access control be limited and strictly enforced, and that all network traffic be inspected and logged.
An overreaction? Consider the case of Philip Cummings, a help desk employee at TeleData Communication Inc. (TCI), a maker of credit bureau software. Because Cummings supported the software run by Equifax, Experian and TransUnion, he had access to client passwords, subscription codes and a great deal of consumer financial information.
Selling that information to an international crime syndicate would have been bad enough. But Cummings, who was later sentenced to 14 years in prison for his part in selling credit reports at $60 apiece to a Nigerian crime gang, also preprogrammed a laptop that let his collaborators keep downloading credit reports from the three bureaus even after he had left his job. The credentials kept working because nothing on the network checked whether the person behind them still belonged there.
It wasn't until Ford Motor Co. began investigating numerous consumer complaints about identity theft and fraud that the credit bureaus and TCI were alerted, four years after the scheme began. Total damage: approximately 30,000 stolen identities and a direct financial loss of at least $2.7 million, according to federal estimates.
According to Forrester, anyone in information security who still believes in "trust but verify" is taking an awfully big risk. Ronald Reagan knew that when he said it to Mikhail Gorbachev as the two concluded a nuclear weapons treaty. Security is never a matter of trust; it is a matter of verification.
"Forrester's research shows that a new threat landscape is emerging in which organized crime and even nation-states are creating more significant targeted attacks," Kindervag said. "Security professionals must stop trusting packets as if they were people."
The Zero Trust Model rests on three basic concepts, much of whose implementation can be automated, the Forrester report said.
The first is to ensure secure access to all resources, protecting internal data from insider abuse with the same rigor applied to data crossing the public Internet. The key here is consistent use of encryption, on internal segments as much as on external links.
The second concept is to control access to restricted resources based on a least-privilege strategy. The key here is role-based access control, which security professionals already use to determine how much system access a given employee needs to do a given job, and which is straightforward to implement.
The third concept is to inspect and log all network traffic. It isn't enough to log the traffic on an internal network. The Zero Trust Model requires real-time inspection as well, verifying that network users are not misusing any of the resources they are allowed to access. This goes for all network traffic, both external and internal.
"Forrester recommends deploying network analysis and visibility tools in conjunction with your traditional security information management system," Kindervag said. Network analysis and visibility, or NAV, tools are a diverse set of products that include network-discovery tools as well as tools that analyze flow data, that dissect packet captures, that look at network metadata and that examine a network forensically.
These tools help strengthen network security in two ways. First, they let security professionals see what's going on in their network so they can verify access and behavior. Second, their use sends a message to potential malicious insiders.
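To make the three concepts above concrete, here is an added example of a small policy enforcement point, written for this article and not taken from the Forrester report or from any product. Every request is evaluated the same way whether it comes from an internal or an external address: it must arrive over an encrypted, authenticated channel (concept one), it must pass a least-privilege role check (concept two), and every decision is logged and run through a real-time inspection rule that flags an unusual burst of credit-report reads (concept three, the kind of check a NAV tool would do over flow data). The roles, principals, thresholds, addresses and requests are all constructed for illustration; the deactivated account mirrors the Cummings scenario, where old credentials kept working after the employee left.

```python
# Added example: a minimal Zero Trust policy enforcement point (PEP).
# Not code from the Forrester report or the article; all names, roles,
# thresholds and sample requests are constructed for illustration.
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Tuple

# Concept 2: least privilege. A role grants only the (resource, action)
# pairs the job needs. Nothing is granted by network location.
ROLE_PERMISSIONS = {
    "helpdesk": {("ticket", "read"), ("ticket", "write")},
    "analyst":  {("credit_report", "read")},
}

# Constructed directory. A deactivated account keeps its old role but is
# never granted anything, so leftover credentials stop working on day one.
PRINCIPALS = {
    "alice": {"role": "helpdesk", "active": True},
    "bob":   {"role": "analyst",  "active": True},
    "carol": {"role": "analyst",  "active": False},
}


@dataclass
class Request:
    user: str
    src_ip: str          # recorded for the log, never used for trust
    resource: str
    action: str
    encrypted: bool      # did the request arrive over TLS/IPsec?
    authenticated: bool  # did the channel carry a valid credential?
    ts: int              # seconds


@dataclass
class PolicyEnforcementPoint:
    # Concept 3 inspection rule: more than max_reads credit-report reads by
    # one principal inside `window` seconds is flagged (allowed, but alerted).
    max_reads: int = 5
    window: int = 60
    log: list = field(default_factory=list)
    _reads: dict = field(default_factory=lambda: defaultdict(deque))

    def decide(self, req: Request) -> Tuple[str, str]:
        verdict, reason = self._evaluate(req)
        # Concept 3: log every decision, allow or deny, internal or external.
        self.log.append((req.ts, req.user, req.src_ip, req.resource,
                         req.action, verdict, reason))
        return verdict, reason

    def _evaluate(self, req: Request) -> Tuple[str, str]:
        # Concept 1: secure access to all resources. A plaintext or
        # unauthenticated request is denied even from an internal address.
        if not req.encrypted:
            return "deny", "plaintext transport"
        if not req.authenticated:
            return "deny", "unauthenticated"
        principal = PRINCIPALS.get(req.user)
        if principal is None or not principal["active"]:
            return "deny", "unknown or deactivated principal"
        # Concept 2: least privilege via RBAC.
        if (req.resource, req.action) not in ROLE_PERMISSIONS[principal["role"]]:
            return "deny", "not permitted for role"
        # Concept 3: real-time inspection of traffic that is otherwise allowed.
        if (req.resource, req.action) == ("credit_report", "read"):
            recent = self._reads[req.user]
            recent.append(req.ts)
            while recent and recent[0] < req.ts - self.window:
                recent.popleft()  # drop reads outside the sliding window
            if len(recent) > self.max_reads:
                return "flag", f"{len(recent)} credit_report reads in {self.window}s"
        return "allow", "ok"


def run_demo():
    """Constructed traffic: internal plaintext, a role violation, a
    deactivated account, and a burst of credit-report pulls."""
    pep = PolicyEnforcementPoint()
    results = [
        pep.decide(Request("alice", "10.1.2.3", "ticket", "read", False, True, 0)),
        pep.decide(Request("alice", "10.1.2.3", "ticket", "read", True, True, 1)),
        pep.decide(Request("alice", "10.1.2.3", "credit_report", "read", True, True, 2)),
        pep.decide(Request("carol", "10.1.2.4", "credit_report", "read", True, True, 3)),
    ]
    for i in range(6):  # bob pulls six reports in six seconds; the sixth is flagged
        results.append(pep.decide(
            Request("bob", "203.0.113.9", "credit_report", "read", True, True, 10 + i)))
    return pep, results


if __name__ == "__main__":
    pep, results = run_demo()
    for entry in pep.log:
        print(entry)
```

Note that the source address appears only in the log line; it never influences the verdict. That is the whole point of the model: alice's plaintext request from 10.1.2.3 is refused exactly as it would be from the Internet, carol's old credentials fail at the directory check rather than at a firewall, and bob's burst is caught by inspecting permitted traffic, not by blocking it at the perimeter. In a real deployment the directory lookup, the role table and the inspection thresholds would come from the identity provider and the NAV tooling rather than from in-memory dictionaries.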
"If people know that their actions are monitored, they're less tempted to do questionable things," Kindervag said.
The starting point is taking trust out of information security. Trust creates vulnerabilities throughout the organization. The second step is to use the Zero Trust Model as a reference for future plans and development, especially when integrating new technologies.
With the Zero Trust Model, it is possible for a credit union IT department to inspect and log every user, every device and every access point, creating a stronger, more stable and more efficient business foundation.
Zero Trust is not a one-time project but an overall security framework that takes into account current threats and those in the future, a new way of thinking about information security, Kindervag concluded.