Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/1/2021
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Strengthening Zero-Trust Architecture

Organizations that want to stay ahead of cybercriminals will find that going beyond user trust and device trust is critical for outwitting their adversaries.

The invention of the term "zero trust" is generally credited to former Forrester analyst John Kindervag more than a decade ago. Although it's not new, the concept has received renewed interest and market traction amid 2020's widespread shift to remote work and the evolution of the cloud. As a concept, zero trust doesn't refer to a specific piece of technology; instead, it relates to the idea that users should have only the bare minimum access they need to perform their job.

Related Content:

Zero-Trust Security 101

Special Report: Understanding Your Cyber Attackers

New From The Edge: Understanding TCP/IP Stack Vulnerabilities in the IoT

Within zero-trust architecture (ZTA), users can't access areas of the network, data, and applications to which they do not specifically require access. In a way, this means that zero-trust implementation is a journey rather than a destination. A "perfect" zero-trust environment isn't something that one can quickly achieve. More realistically, organizations should strive for a lean least-privilege structure of trust. Recently, organizations, including MITRE and the National Institute of Standards and Technology (NIST), have released frameworks highlighting how technologies like deception and concealment can contribute to zero-trust implementation.   

Understanding and Reframing Zero Trust
The fundamental ethos of zero trust sounds like something out of a spy movie: trust no one. In practical terms, this means that an organization should trust no entity accessing a network. Instead, the entity must continually prove that it has the necessary rights and permissions to access a given area or asset. For example, even if a user validated an account via username and password, the system doesn't automatically assume that person to be "trusted." With an effective ZTA, the network will continue to provide access only to areas for which that user has specific permissions. The right security tools can flag the user's behavior as suspicious and raise an alert if they attempt to access something outside their usual purview.

With this in mind, there are five elements to practical zero trust: device trust, user trust, transport/session trust, application trust, and data trust. Today, most zero-trust technology focuses on the user and device trust areas, which is understandable because securing individual user accounts and devices factors heavily into how most organizations think about cybersecurity. But other areas, such as application trust and data trust, are becoming increasingly important in today's world. Rather than addressing zero trust from only an identity standpoint, which most companies are actively building into their programs, security teams should add breadth to their programs by also addressing it from a controlled access standpoint.

Making Zero Trust Work
Earlier this year, NIST released a special publication on ZTA. Like the recent MITRE Shield framework, the document highlighted several areas where technology such as deception and concealment can make a significant difference for defenders. The areas of data trust and application trust stand out as particularly important to consider when expanding an organization's zero-trust programs.

First, it's helpful to consider zero trust in terms of the need for controlled access management that does not negatively affect the business. Specifically, organizations must establish a zero-trust environment that limits access to individuals with the proper authority but doesn't interfere with daily operations. One way to accomplish this is through a data-trust lens. Rather than granting blanket access to validated users, organizations should hide specific files and data from those who don't have the authorization to access them, strengthening data protection beyond user-level permissions without impacting authorized users. By hiding objects like files, folders, or mapped network and cloud shares, attackers cannot find or access the data they seek. This function can serve as a powerful defense against data theft and ransomware attacks.   

Application trust likewise takes security beyond user privileges. Merely focusing on whether a query is authorized isn't enough — it's also vital to consider the application invoking that query. Doing so can prevent unauthorized access from applications such as Windows command line or PowerShell, which regular users wouldn't typically use to access data. Application trust can also help identify and deflect attackers attempting to probe open ports and services to compromise. Identifying this type of unauthorized activity allows defenders to take prompt action to expel the attacker from the network or can choose to misdirect them to a decoy environment in the interest of gathering adversary intelligence.

An Expanded Understanding of Zero Trust Is Essential
User and device trust are critical for ensuring that authorized users have secure access to conduct their business. It is, however, not enough to prevent attackers who impersonate a real user from gaining access. Adding conditional trust for applications and data is an essential element to a comprehensive zero-trust architecture. Hiding sensitive or critical assets, such as data, credentials, and Active Directory objects necessary for privilege escalation, can efficiently prevent access by attackers using unauthorized tools or resources. And because an organization can tailor these solutions to avoid interfering with daily operations, they make a valuable and frictionless addition to any zero-trust architecture.  

Although zero trust isn't a new concept, our understanding of it and how we can apply it continues to evolve. Applying zero trust or, more likely, lean trust and "just enough access" principles to users and devices is a good start, but today's changing threat landscape requires expanding zero trust to more elements. Areas such as data, application, and session trust are taking on increased importance, and organizations hoping to stay one step ahead of modern cybercriminals will find that going deeper into the trust stack is critical for outwitting their adversaries.

Carolyn Crandall is the Chief Security Advocate and CMO at Attivo Networks, the leader in cyber deception and attacker lateral movement detection. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-2322
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
CVE-2021-20019
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
CVE-2021-21809
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
CVE-2021-34067
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.
CVE-2021-34068
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.