IT security has long operated on a simple principle: Because the firm owns all user endpoint devices that access company information, securing the devices means that data on them is secure. But what if that foundational principle no longer applies? The increasingly insistent and inconvenient spread of sensitive data to non-company-owned devices suggests that it doesn't.
Conversations with enterprises in the manufacturing, media and seasonal services verticals uncovered some unconventional wisdom: Control does not necessarily require ownership. Moreover, successfully controlling the spread of sensitive information on the network requires inverting conventional wisdom entirely by planning as if the enterprise owned no devices at all. Forrester calls this strategy the Zero Trust Model. To put the strategy even more simply: Treat all endpoints as hostile.
In recent research, Forrester identified five data security design patterns for implementing the Zero Trust strategy: thin client, thin device, protected process, protected data, and eye-in-the-sky. None of these patterns assume that the enterprise owns the endpoint devices. By dismissing the age-old conflation of ownership and control, enterprises will be able to design a network endpoint security policy that encompasses all possible ownership scenarios, including "technology populism," offshoring and outsourcing. To that end, look to secure your company's information with the following:
- Thin client: Process centrally, present locally
Thin client is the old war horse of the Zero Trust strategy, encompassing a variety of technologies, including OS streaming, hosted desktop virtualization and workplace virtualization. Implemented in a security context, sensitive data stays centralized in hardened bunkers, with remote devices allowed to view it only via thin-client terminal applications. Because network access is required, thin client doesn't support offline use.
The advantage of the thin client is that data never leaves the server: It is only rendered on the endpoint. For additional security, IT can restrict host copy-and-paste operations, limit data transfers and require strong or two-factor authentication using tokens.
- Thin device: Replicated data, with device-kill for insurance
The thin device pattern constrains access by limiting the type of device that can be used to access the data. Point-purpose devices like smartphones, for example, can keep only limited amounts of sensitive information on them. The information they keep is replicated, with master copies stored in data centers. Because of their size, storage capacity and comparatively modest processing power, applications are limited to email, light Web surfing and simple Web applications, rather than general data processing. With the thin device pattern, IT security groups can still control the security of devices, even when they don't own them. Using native management tools or third-party mobile device platforms like those made by Sybase Inc., smartphone security policies that can typically be imposed include backup and enforced encryption. For insurance, thin devices can be remotely wiped, making them truly disposable, unlike PCs. However, IT security may find it technically or politically unfeasible to impose IT security policies on non-company-owned devices.
- Protected process: Local information processing in a secure "bubble"
Unlike the thin client pattern, which keeps sensitive data off of client devices entirely, the protected process pattern allows data to be processed locally on non-IT-owned machines. Sensitive information sits inside a compartmentalized processing environment that is separated from the user's local operating system environment -- essentially a "bubble" -- of which the security and backup properties are controlled by IT. The protected process pattern has many advantages: local execution, offline operation, central management and a high degree of granular security control, including remote wipe capabilities. But keep in mind that most operating system and application virtualization products are Intel- or Windows-only.
- Protected data: Documents protect themselves regardless of location
Whereas all of the previous patterns seek to control the operating environments that process information, the protected data pattern protects the data itself. Technologies like enterprise rights management (ERM) enshrine access rules into documents directly. These rules, which rely on cryptography for enforcement, apply no matter where the document rests, which is a key advantage. Of all the patterns in the Zero Trust data security strategy, protected data is the most fine-grained and effective because it focuses on the information, not its containers.
One of the disadvantages to this pattern is that ERM requires client-side agents on every participating endpoint. The technology can also be challenging to deploy: Organizations tell Forrester that ERM business unit users sometimes create policies that are too tight, making data difficult to access, and policies don't adapt well to organizational changes.
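How rules that "rely on cryptography for enforcement" can travel with a document, as an added sketch (not Forrester's or any ERM vendor's code): the decryption keys are derived from the exact policy text, so a copy whose rules were edited no longer opens. The policy server, the envelope fields and the function names are hypothetical, and the hash-based keystream is a stand-in for a vetted AEAD cipher.

```python
import hashlib, hmac, json, secrets

MASTER_KEY = secrets.token_bytes(32)  # assumption: known only to the policy server

def _keys(env: dict) -> tuple[bytes, bytes]:
    # Keys are derived from the exact policy text, so edited rules yield other keys.
    bound = json.dumps([env["doc_id"], env["nonce"], env["policy"]],
                       sort_keys=True).encode()
    root = hmac.new(MASTER_KEY, bound, hashlib.sha256).digest()
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for a vetted AEAD cipher (the stdlib has none); illustration only.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def protect(doc_id: str, policy: dict, plaintext: bytes) -> dict:
    """Wrap a document in an envelope that carries its own access rules."""
    env = {"doc_id": doc_id, "nonce": secrets.token_hex(16), "policy": policy}
    enc_key, mac_key = _keys(env)
    env["ct"] = _keystream_xor(enc_key, plaintext).hex()
    env["tag"] = hmac.new(mac_key, bytes.fromhex(env["ct"]), hashlib.sha256).hexdigest()
    return env

def open_document(env: dict, user: str) -> bytes:
    """Policy-server side: verify the envelope, then apply its embedded rules."""
    enc_key, mac_key = _keys(env)
    ct = bytes.fromhex(env["ct"])
    tag = hmac.new(mac_key, ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, env["tag"]):
        raise PermissionError("policy or content was modified")
    if user not in env["policy"]["readers"]:
        raise PermissionError(f"{user} is not an authorized reader")
    return _keystream_xor(enc_key, ct)

if __name__ == "__main__":
    # Constructed sample document and reader list.
    doc = protect("q3-forecast", {"readers": ["alice"]}, b"constructed sample text")
    print(open_document(doc, "alice"))
    edited = {**doc, "policy": {"readers": ["alice", "mallory"]}}
    try:
        open_document(edited, "mallory")
    except PermissionError as err:
        print("denied:", err)
```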
- Eye-in-the-sky: Know when important information leaves
The fifth Zero Trust data security design pattern is a supplementary data control technique for detecting, logging and optionally blocking sensitive data that leaves the physical or logical enterprise perimeter. Data leak prevention (DLP) technology, and, to a lesser extent, security information and event management (SIEM) tools, form the backbone of this pattern.
The primary advantage of the eye-in-the-sky pattern is that it can detect sensitive data as it moves outside the logical security boundaries, making it ideal for understanding the velocity and direction of information flow and for detecting anomalous transmissions. Unfortunately, most enterprises aren't able to require their business partners to install DLP agents on their computers. For this reason, enterprises should regard the eye-in-the-sky pattern as one that supplements other protection capabilities for outside PCs.
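The detect, log and optionally block decision described above, as an added sketch that is not taken from any DLP product. It assumes the sensitive data is payment card numbers, that the logical perimeter is 10.0.0.0/8, and that two or more card numbers in one transfer warrant a block; all names and thresholds are hypothetical.

```python
import ipaddress
import re

# Assumed perimeter and policy for this sketch (hypothetical values).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BLOCK_THRESHOLD = 2  # block when this many card numbers leave in one transfer
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(payload: str) -> list[str]:
    """Return masked card numbers found in the payload."""
    hits = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            # Keep only the last four digits so the log is not itself a leak.
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits

def inspect_transfer(dst_ip: str, payload: str) -> dict:
    """Return the verdict for one outbound transfer: allow, log or block."""
    inside = any(ipaddress.ip_address(dst_ip) in net for net in INTERNAL_NETS)
    hits = find_cards(payload)
    if inside or not hits:
        action = "allow"
    elif len(hits) >= BLOCK_THRESHOLD:
        action = "block"
    else:
        action = "log"
    return {"dst": dst_ip, "action": action, "matches": hits}

# Constructed sample transfers (public test card numbers, documentation IP range).
SAMPLES = [
    ("10.1.2.3", "card 4111 1111 1111 1111"),
    ("203.0.113.9", "order ref 1234 5678 9012 3456"),
    ("203.0.113.9", "card 4111-1111-1111-1111"),
    ("203.0.113.9", "4111111111111111, 5555555555554444"),
]

if __name__ == "__main__":
    for dst, body in SAMPLES:
        print(inspect_transfer(dst, body))
```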
About the author:
Andrew Jaquith is a senior analyst at Forrester Research, where he serves security and risk professionals. He will speak at Forrester's 2010 Security Forum in Boston, Sept. 16-17. Andrew's colleague, John Kindervag, will speak at the Forum as well on the subject "No More Chewy Centers: The Zero-Trust Model Of Information Security."
This was first published in September 2010