The nature of business today is increasingly decentralized. Cloud applications are exploding. Data is everywhere. And a large number of users will continue to work remotely even post-COVID-19. While all of these things increase business agility, they also increase an organization’s attack surface. The concept of Zero Trust is generating a lot of buzz as a panacea for these new risk exposures—and for good reason. If implemented correctly, a security architecture designed around a Zero Trust ideology has the potential to protect against data breaches, ransomware attacks, and even insider threats. However, Zero Trust that is coarse-grained and too restrictive carries a higher potential for a failed implementation.
The recent White House Executive Order on cybersecurity was drafted in response to escalating instances of data breaches and ransomware attacks. A continuous Zero Trust mindset is central to the advanced controls described by President Biden—as is the need to be more data-centric. This means that least-privileged access should be applied for every access decision—where the answers to the contextual questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources.
Why Zero Trust needs data context to succeed
If all you know is the user’s identity, you’re only going to get so far with Zero Trust. To apply successful controls that keep the business running while eliminating risks, you need more contextual information about both the user and the surrounding details involving how and why they’re interacting with the organization’s data and applications. This may include:
- What business group is the user in?
- What’s their device posture—is it a managed versus unmanaged device?
- What resources do they need access to? Is it a private application that they need to access a browser? Or do they need special protocol access to SSH because they’re a system administrator?
- Are they a contractor working on a project and do they need access to the corporate Office 365 account and specific content so they can collaborate with project stakeholders?
- Once you grant them access, what are they doing? What activities are they trying to perform? Are they downloading data? Are they uploading data? Are they sharing data? Are they editing data? Or are they creating data? What is the sensitive nature of the data?
There are also several different activities that you also want to not only monitor but put Zero Trust controls around. I’ve put together five real-world scenarios where data context should inform the level of trust assigned to user access. They are as follows:
Scenario #1: Users need access to an internal or private application
The example here is a user on the marketing team who just needs browser access to the company’s learning management system (LMS). But then a different user on the sysadmin team needs special SSH access so they can administer the server that runs the LMS application.
The old way of managing application access has been to either make the app publicly accessible or to provide VPN access. But this kind of management leaves the opportunity for bad actors to gain access and move laterally. Even though both users are trying to access the same application, different contextual decisions need to be made about the level of access being granted to the LMS app based on the user’s specific business group.
Scenario #2: User needs access to a popular, but high-risk, cloud storage app
Another user (also in marketing) wants access to a popular cloud storage application so they can quickly upload and share data. There are more than 2,400 cloud applications used in the average enterprise. A majority of those applications are used outside of IT, which means IT doesn’t have administrative access. The concern with using these kinds of Shadow IT apps is that they can introduce opportunities for data loss by careless employees or perhaps employees intending to steal data, simply because many of them lack adequate security capabilities. Do you really want sensitive data uploaded to one of these apps? In the past, IT managers simply blocked the use of cloud apps to cut off these attack vectors with blunt force. But the demands of business agility and the effects of digital transformation make coarse-grained access controls nearly impossible to enforce.
This same user likes the app they have chosen because it’s really simple