Once upon a time, security and risk professionals defined borders that limited and restricted users as well as a visible set of threats, such as worms and viruses.
Today, an organization's functional network extends well outside of its controllable borders. As organizations add new connection options and new devices like smartphones and tablets to the network, the potential attack surface expands well past the virus-infected laptop. Business partners, contractors and user-owned devices make locking down a network even harder. Known as the "extended enterprise," this new network is dynamic and organic. It constantly shifts with the movement of users, the rise of new technologies, the inclusion of new partners and supply chains, and the advent of new attacks.
In an extended enterprise where the IT infrastructure changes frequently and assets (both external and those that you control) come together dynamically to deliver an enterprise function, one thing remains predictable: enterprise data and the value it represents. Attackers rarely strike networks or users just for fun; they attack to steal data. As a result, an effective data protection strategy needs to take on a data-centric view rather than an infrastructure and device-level view. Let’s look at how to protect data in the extended enterprise using a new type of defense paradigm: the Zero Trust Model.
To prepare a network for any device, anywhere, at any time, Forrester recommends organizations use Zero Trust principles to create a methodology for data protection. The Zero Trust Model of information security simplifies how information security is conceptualized by assuming there are no longer "trusted" interfaces, applications, traffic, networks or users. It takes the old model -- "trust but verify" -- and inverts it, since recent breaches have proven when an organization trusts, it doesn't verify.
By applying these principles to the extended enterprise, companies can begin to create a robust plan for pervasively securing their data, and consequently their users and networks. There are three simple ideas behind the Zero Trust Model:
Ensure all resources are accessed securely -- regardless of location.
Clearly, there are many different types of users who need data access from an innumerable number of venues. Place is no longer important because of an ever-increasing mobile workforce. Whether they're inside or outside of the primary network, it is critical to ensure users will access data securely. To do this, security professionals must rely on more encrypted tunnels and real-time traffic inspection via network intrusion prevention systems (IPSes) or layer 7 firewalls.
Adopt the principle of least privilege, and strictly enforce access control.
When a company considers a user "trusted," it typically allows the user nearly free rein on the network. By adopting a Zero Trust posture and applying granular data access control, a company limits the ability of unauthorized users to steal or reveal data they don't need access to for their job function. In the future, expect security vendors to more closely intertwine NAC, identity and access management (IAM), and entitlement as they seek to create new and simpler methods of access control.
Inspect and log all traffic.
Data provided in the Verizon 2011 Data Breach Investigations Report shows that "good evidence of the breach usually exists in the victim's log files waiting to be used." However, most companies don't know they're in a breach state until a third party notifies them. To achieve the type of situational awareness necessary in the modern threat environment, security and risk professionals must inspect and log all traffic, both internal and external. This should be done through a combination of threat mitigation controls such as firewalls and network IPSes, security information management (SIM) products, and network analysis and visibility (NAV) tools. This combined approach will provide an organization with significant insight into the network traffic and the inherent potential threats that may be embedded in that traffic.
By adopting a posture of Zero Trust and coupling that with good data protection strategies, companies can go a long way toward mitigating the ever-changing threats against our data that enterprises constantly face. More specifically, Forrester recommends organizations:
1. Conduct a data discovery and classification project.
Data leaks and breaches often happen because users (both business and IT) have widely disseminated toxic data – i.e. data that an enterprise is compelled to protect by legislation or by contract – and security has lost track of its location. Before an enterprise can protect its data, it must conduct an inventory. At the very least, it must inventory all its toxic data.
Data classification is the second fundamental step in creating a data-centric security organization. A data classification scheme must be simple and manageable, with a limit of three or four tiers. For example, "classified, internal and public" is a simple classification scheme. Anything more complex and you run the risk of users ignoring it, or you fail to understand where to concentrate the deployment of specific security controls like data leak prevention (DLP) or encryption.
2. Embrace encryption.
Encrypting or tokenizing data covers a multitude of sins. These technologies effectively “kill” data, making it useless to attackers. Cybercriminals can't monetize tokenized or encrypted data. In addition, breached data that a security professional has tokenized or encrypted may not be subject to state or industry breach laws or regulations. For example, some states offer Safe Harbor if the breached data is encrypted. Many would agree, and there is theoretical evidence to back it up, that in the absence of the keys, encrypted data is not actually data at all.
3. Deploy NAV tools to watch data flows and user behaviors.
The modern security professional must have situational awareness over the entire network in order to protect data from theft or misuse. Currently, most mature organizations have deployed firewalls, IPS and SIM technologies to protect the perimeter, but the internal network remains wide open. One way to get situational awareness over the internal network is to deploy NAV tools to proactively monitor the network for threats or malicious behavior.
4. Begin designing a zero-trust network.
Many of today’s security challenges are network design issues. Our current networking design paradigms were created in an era before today’s sophisticated security threats, while many network designers are infrastructure specialists with little security experience or awareness. In the future, enterprises must embed security into the fabric of the network itself using the principles found in the Zero Trust Model.
About the author:
John Kindervag is a principal analyst at Forrester Research, serving security & risk professionals. Forrester's experts will speak at the upcoming Forrester Security Forum, May 24-25, 2012, in Las Vegas.