Zero Trust — Data Security: We live in a twilight world, and there are no friends at dusk

ArjunR
5 min read · Jan 18, 2022
Encryption is only the first step…

This is Part 2 of my series of articles on Zero Trust, and let's start with data, the "chewy core" of the traditional M&M information security model. In the traditional cybersecurity model, data is protected via encryption and access control, and an entity (user or device) is "trusted" with the decrypted data once it has fulfilled some authentication and authorization requirements. However, there is no real-time check on whether the basis for that trust has changed since it was granted.

Part of that trust also relies on the data being inside the company perimeter, because the controls are built into the company network. The modern world requires, even demands, access to the data outside of the company perimeter. So do the hackers. One of the Zero Trust tenets (yes, the title quote is from the mind-bending Chris Nolan movie) is "explicitly verify". A new approach is required to protect data regardless of where that data is located, and to verify each access in real time with continuous monitoring.

ZT principles are relatively easy to apply at the network layer given the right solutions. However, one also needs to protect the data using ZT principles when it is outside of a controlled perimeter. This means there is a need for a control mechanism that travels with the data. Two solutions can be used to fulfill these requirements.

https://www.forgov.qld.gov.au/information-and-communication-technology/recordkeeping-and-information-management/recordkeeping/store-protect-and-care-for-records/store-protect-and-care-for-digital-records/use-digital-rights-management-and-encryption

1. Encrypt data + containerize it (DRM)

By encapsulating the data within a container that has a mechanism to carry an access list, or to query one, it is possible to explicitly verify each access attempt before decrypting the data. This is the basic premise of "Document Rights Management" (DRM). Some document formats, like PDF and the Office formats, are containers for data that can support DRM capabilities. Other formats, like TXT and PNG, do not. A good ZT solution needs to be agnostic of the document format and protect the data regardless of which form it is in. Thus, most solution providers come up with their own container strategy to overcome the disparity in document format capabilities. Going forward in this article, "container" will refer to these DRM-based document formats.

Such containers can either embed executable code to carry out the access verification and decryption, or they can instruct devices and programs to send the encrypted data to a decryption service.

For end-users this means opening an encrypted document using a specialized client application that can perform the ZT functions. For a system it may mean sending the encrypted data to a decryption API endpoint and receiving the decrypted data back. This enables the encrypted data to reside at any location, whether it's a corporate SharePoint or someone's personal Google Drive. Decryption only happens on demand and after authorization, and access to the decrypted data continues to be controlled by the ZT application. This last bit is what brings Zero Trust to data protection: continuous monitoring.

Maintaining security on the unencrypted data outside the corporate perimeter remains crucial. For end-users this may take the form of restrictions on print, copy, screenshot and other similar capabilities built into the document viewer. Watermarking and timestamping are other methods to track data loss. For systems this could be done by using temporal data stores for the decrypted data that expire after a time period.

2. Prevent direct access to data

This is an alternative for the case where the ZT client application cannot be installed or run on a third-party system. This method allows the data to remain in the controlled perimeter but enables consumption of the data from any location. It mostly makes sense for users, rather than systems: they can view the decrypted data in an online viewer (via a web browser) and have the capability to edit and modify it without the data ever being available on their local machine. The online viewer performs the same functions as the container model above, but the container lives on a web server that is accessible over the network (Internet or intranet) and performs the explicit verification of rights every time the data is accessed. The closest analogy would be running a VDI (Virtual Desktop Infrastructure), but much lighter.

Monitoring access to the data outside the perimeter

While enabling these methods of data access, it's also critical to capture event information and make dynamic access decisions. The access policy engine should be able to capture event information such as the geo-location of the access, the device/browser profile, the time of access, and unauthorized attempts. This can then be used to further enhance protection by disabling access in near real time based on anomalies, or even to meet compliance regulations (e.g., geo-location may lock a document when it detects access from outside a specific country).
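The two pieces described above, a container that carries its own access policy alongside the ciphertext (section 1) and a decryption service that explicitly verifies user, geo-location, device posture and time on every request while logging each attempt and revoking access after repeated denials (this section), fit together as in the following added example. This is illustrative code written for this article, not any vendor's product. It assumes a toy authenticated cipher built from the standard library so that it runs offline; a real service would use AES-GCM from a vetted cryptography library. The policy is bound into the authentication tag, so a client that edits the embedded policy (say, adding its own country to the allowed list) gets an integrity failure rather than plaintext. The sample policy, users and countries are constructed.

```python
"""Added example: DRM-style container + policy-checked decryption service (toy)."""
import base64
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from datetime import datetime

# Toy authenticated encryption from hashlib/hmac only, so the example runs offline.
# Assumption: a production service would use AES-GCM from a vetted library instead.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt plaintext; the tag also covers aad (the serialized policy)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct + aad, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag over ciphertext + policy before releasing any plaintext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct + aad, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("container integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def _policy_bytes(policy: dict) -> bytes:
    return json.dumps(policy, sort_keys=True).encode()

@dataclass
class AccessContext:
    """Signals the policy engine evaluates on every access attempt."""
    user: str
    country: str          # geo-location of the request
    managed_device: bool  # device posture
    when: datetime        # time of access (timezone-aware)

def context(user: str, country: str, managed: bool, when_iso: str) -> AccessContext:
    return AccessContext(user, country, managed, datetime.fromisoformat(when_iso))

class DecryptionService:
    """Keys stay server-side; the container carries only ciphertext + policy."""
    MAX_DENIALS = 3  # anomaly threshold: revoke the document after this many denials

    def __init__(self):
        self._keys = {}    # doc_id -> key
        self.events = []   # audit trail, one record per attempt
        self.revoked = set()

    def protect(self, doc_id: str, plaintext: bytes, policy: dict) -> dict:
        key = os.urandom(32)
        self._keys[doc_id] = key
        blob = seal(key, plaintext, _policy_bytes(policy))
        return {"doc_id": doc_id, "policy": policy,
                "ciphertext": base64.b64encode(blob).decode()}

    def _evaluate(self, doc_id: str, policy: dict, ctx: AccessContext):
        """Explicit verification; returns a denial reason or None."""
        if doc_id in self.revoked:
            return "document revoked after repeated unauthorized attempts"
        if ctx.user not in policy["allowed_users"]:
            return "user not on access list"
        if ctx.country not in policy["allowed_countries"]:
            return "geo-location outside allowed countries"
        if policy["require_managed_device"] and not ctx.managed_device:
            return "unmanaged device"
        if ctx.when > datetime.fromisoformat(policy["not_after"]):
            return "access expired"
        return None

    def request_decrypt(self, container: dict, ctx: AccessContext) -> bytes:
        doc_id, policy = container["doc_id"], container["policy"]
        reason, plaintext = self._evaluate(doc_id, policy, ctx), None
        if reason is None:
            try:
                plaintext = open_sealed(self._keys[doc_id],
                                        base64.b64decode(container["ciphertext"]),
                                        _policy_bytes(policy))
            except ValueError as exc:  # tampered ciphertext or edited policy
                reason = str(exc)
        self.events.append({"doc_id": doc_id, "user": ctx.user, "country": ctx.country,
                            "managed": ctx.managed_device, "when": ctx.when.isoformat(),
                            "outcome": "granted" if reason is None else "denied",
                            "reason": reason})
        if reason is not None:
            denials = sum(1 for e in self.events
                          if e["doc_id"] == doc_id and e["outcome"] == "denied")
            if denials >= self.MAX_DENIALS:
                self.revoked.add(doc_id)  # near-real-time lockout on anomaly
            raise PermissionError(reason)
        return plaintext

def attempt(svc: DecryptionService, container: dict, ctx: AccessContext):
    """Return ("granted", plaintext) or ("denied", reason) for one access attempt."""
    try:
        return "granted", svc.request_decrypt(container, ctx)
    except PermissionError as exc:
        return "denied", str(exc)

# Constructed sample policy for the demo.
EXAMPLE_POLICY = {"allowed_users": ["alice"], "allowed_countries": ["AU"],
                  "require_managed_device": True, "not_after": "2022-12-31T00:00:00+00:00"}

if __name__ == "__main__":
    svc = DecryptionService()
    doc = svc.protect("doc-1", b"quarterly plan", EXAMPLE_POLICY)
    print(attempt(svc, doc, context("alice", "AU", True, "2022-06-01T09:00:00+00:00")))
    print(attempt(svc, doc, context("alice", "XX", True, "2022-06-01T09:00:00+00:00")))
    for event in svc.events:
        print(event)
```

The same `DecryptionService` is what sits behind the online-viewer model in section 2: the only difference is that the web server, rather than a client application, calls `request_decrypt` and renders the result without ever handing the plaintext to the endpoint. The `events` list is the raw material for the per-document audit and geo-IP reporting questions in the vendor checklist at the end of the article.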

The key takeaway with Zero Trust for data protection is to ensure that the controls travel with your data, and that access decisions are based on policy (who is accessing the data, from what device, and where and when the access is initiated). Without policy-driven decisions, dynamic access control is not possible. More on that in my article regarding Zero Trust networks.

Many vendors now provide DRM solutions that adhere to Zero Trust principles. Some links for further reading are provided below:
- Microsoft AIP
- Seclore
- NextLabs
- Varonis

Most DRM solutions will have parity in data protection features such as encryption and access control. What sets one apart from the other can be determined by asking some of the questions below:

  • Can the solution audit and report on each event per document (authorized access, unauthorized access, attempt to share etc)?
  • Can the solution provide time-based access (automatic expiration of access, time-based access)?
  • Can the solution detect the device posture (is it company managed, is it domain joined, etc)?
  • Does the solution enable granular controls (disable print, disable screenshots, disable copy/paste)?
  • Can the solution provide dynamic tracking (report of geo-IP locations where the document is being accessed, dynamic watermarking, etc)?

While it takes a leap of faith to allow sensitive data to be taken outside of the corporate perimeter, there are some great vendor solutions that enable these concepts to be applied in reality and leverage the business value of freeing up your corporate data. Data needs to be made available everywhere, but it’s a twilight world out there. And there are no friends at dusk. Fortunately, there may be a protagonist or two to help along with the Zero Trust journey.
