Understanding Insider Threat and the Zero Trust Information Security Model
The decades-old concept of the hardened defensive perimeter as the cornerstone of network security has proven to be just as ineffective as the once-vaunted Maginot line was at defending France’s western border with Germany. At the outbreak of World War II, German tanks bypassed the major French strongpoints and, in six weeks, drove their armies into the heart of Paris. General Maginot’s line of defenses became a proverb for the false security that comes from following yesterday’s tactics when strategy and technology change. Cyber attackers routinely bypass strong network perimeters, defeating security practitioners who over-rely on those perimeters. It is high time to update corporate security models to take into account the emergence of the insider threat as a growing source of network breaches.
The Imperatives for Adopting a Zero Trust Security Model
Now is the time to acknowledge over-reliance on layered defenses; protected network enclaves only provide an illusion of security. When trusted insiders deliberately breach strong perimeter security controls in pursuit of personal or hacktivist agendas, or outright theft of intellectual property, valuable corporate data is at risk. Can we afford to keep trusting insiders who so frequently prove to be untrustworthy? Strong perimeters provide little security against insider threats.
On April 21, 2015, during the RSA Conference, newly appointed RSA CEO Amit Yoran’s first keynote address, “Escaping the Dark Ages of Security,” stated, “The security industry is failing… It has failed.” (Hacket, 2015) The failure was due in part to security practitioners’ failure to recognize the full impact of changes in how and where people work. The decision to rely on hardened perimeters to create artificial boundaries of trust is one reason the security industry has frequently failed to protect data and systems. Unless we come to grips with the reality imposed by our increasingly mobile workforce and the changing nature of the threat, we will continue to fail in the future. Business has changed. Our transition to a mobile workforce changed how and where employees routinely work. These changes should prompt us to reexamine our ideas about trust and consider whether it is time to redesign our networks to reflect the new realities.
Why a Perimeter-Heavy Defense is Inadequate
The changes in our work habits made the traditional hardened perimeter defense paradigm as outdated and ineffective as the Maginot line in World War II. Warfare in World War I was based on fixed lines defended by strongpoints. Improvements in technology after World War I provided combatants greater mobility and speed, which made strong static defenses irrelevant. The French built the infamous Maginot Line with the assumption that the Germans would carefully mass their forces at the French strongpoints. General Maginot expected the Germans to deplete their strength in a long and costly war of attrition. The Germans simply went around the French defenses. They found lightly protected areas along the Belgian border and bypassed the defensive strongpoints to drive deep into France.
Modern changes in technology contributed to many recent failures of traditional perimeter-based network security. Organizations began opening holes in their IT defensive perimeters so mobile workers and third-party contractors would be more productive when working outside the office. Virtual Private Networks (VPNs) brought remote workers inside the firewall perimeter so they could freely access needed business applications. However, mobile workers operating outside the protection of the company’s physical perimeter routinely faced greater risks and threats to security. When these workers fell prey to phishing and social engineering attacks, hackers found ways to misuse trusted employee remote VPN connections. Hijacked connections and credentials circumvented perimeter defenses and permitted outside attackers to exploit internal company resources from inside the defensive perimeter at their leisure. The insider threat forces us to reevaluate our security paradigm. Every connection in a network should be inspected and routinely monitored for validity. In short, this is the concept of Zero Trust.
User trust in strong perimeter defenses can lead to risky security behaviors because of an unwarranted sense of confidence and the illusion of security. Overconfidence in the strength of perimeter security measures leads many organizations’ security staff to be less vigilant in looking for signs of cyber intrusion. Many organizations do not inspect any traffic that originates inside the network. Relying on strong perimeter security with unwarranted trust in internal traffic can increase vulnerability to cyber intrusions and data exfiltration.
Why Trusting No One on the Network is Good
The solution for greater network security is to discard the archaic notion of trusted and untrusted users or connections and implement a technical architecture built on a policy of trusting no one. Networks designed around a policy of “Zero Trust” are inherently more secure because they inspect and verify all traffic, whether it originates from inside or outside of the organization’s perimeter. Forrester Research coined the term “Zero Trust Network” in its 2013 Zero Trust concept paper submitted to the National Institute of Standards and Technology (NIST). Forrester stated, “Zero Trust takes into account the possibility of threats coming from internal as well as external sources and protects the organization from both types of threats.” (Western, 2013) Forrester correctly identified the trend toward growth in insider threat before many organizations saw the need to take concrete measures against it.
Hackers look for ways to maneuver around strong perimeter defenses to find easier methods of attack. The most vulnerable part of the computer network is nearly always the human user. It is time to accept the reality and begin to design and architect networks less vulnerable to the abuse of trust through ever-present human frailty. Unless we change how we implement network security, we will continue falling victim to hackers who exploit the weakness of our users and the security community’s over-reliance on the illusion of strong perimeter security.
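The contrast between the two models described above can be made concrete in code. The following is an added example, not part of the original article and not a product of PeriCertum or Forrester: it evaluates the same set of constructed access requests under a perimeter policy (anything with an internal source address is trusted) and under a Zero Trust policy (every request must carry a verified identity, an attested device, and an explicit grant for the specific resource and action, regardless of where it comes from). The address ranges, user names, roles and resources are all invented for the illustration.

```python
"""Perimeter trust versus Zero Trust: the same requests, two policies.

Added example; all identities, networks, resources and requests below are
constructed for illustration and do not come from the original article.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List


@dataclass
class Request:
    label: str                  # human-readable description of the scenario
    src_ip: str                 # where the connection appears to come from
    user: Optional[str]         # verified identity (None = no valid credential)
    device_attested: bool       # endpoint passed a posture/attestation check
    resource: str
    action: str


# Hypothetical "inside the firewall" address space used by the perimeter model.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def perimeter_allows(req: Request) -> bool:
    """Perimeter model: trust is a property of network location only."""
    return any(ipaddress.ip_address(req.src_ip) in net for net in INTERNAL_NETS)


# Zero Trust policy data (constructed): who holds which role, and which
# roles may perform which actions on which resource.  Anything not listed
# is denied by default.
ROLES = {"alice": {"finance"}, "bob": {"engineering"}}
POLICY = {
    "finance-db": {"roles": {"finance"}, "actions": {"read"}},
    "source-repo": {"roles": {"engineering"}, "actions": {"read", "write"}},
}


def zero_trust_allows(req: Request) -> Tuple[bool, str]:
    """Zero Trust model: every request is verified; location is irrelevant."""
    if req.user is None:
        return False, "no verified identity"
    if not req.device_attested:
        return False, "device not attested"
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "no policy for resource (default deny)"
    if not (ROLES.get(req.user, set()) & rule["roles"]):
        return False, "identity not authorized for resource"
    if req.action not in rule["actions"]:
        return False, "action not permitted"
    return True, "allowed"


# Constructed scenarios drawn from the article's narrative: hijacked VPN
# sessions, phished credentials, an over-curious insider, and a legitimate
# mobile worker outside the perimeter.
SAMPLE_REQUESTS: List[Request] = [
    Request("hijacked VPN session, no valid token", "10.20.0.5", None, False, "finance-db", "read"),
    Request("phished credential from unmanaged laptop", "10.20.0.6", "alice", False, "finance-db", "read"),
    Request("insider reaching beyond their role", "10.20.0.7", "alice", True, "source-repo", "read"),
    Request("legitimate mobile engineer, external IP", "203.0.113.7", "bob", True, "source-repo", "write"),
    Request("legitimate finance user on managed device", "10.20.0.8", "alice", True, "finance-db", "read"),
]


def decisions(requests: List[Request] = SAMPLE_REQUESTS) -> List[Tuple[str, bool, bool, str]]:
    """Return (label, perimeter_decision, zero_trust_decision, zero_trust_reason)."""
    out = []
    for req in requests:
        zt_ok, reason = zero_trust_allows(req)
        out.append((req.label, perimeter_allows(req), zt_ok, reason))
    return out


def audit_lines(requests: List[Request] = SAMPLE_REQUESTS) -> List[str]:
    """One log line per request, so every decision can be monitored, not just the denials."""
    return [
        f"src={r.src_ip} user={r.user or '-'} attested={r.device_attested} "
        f"resource={r.resource} action={r.action} perimeter={'ALLOW' if p else 'DENY'} "
        f"zero_trust={'ALLOW' if z else 'DENY'} reason=\"{reason}\""
        for r, (_, p, z, reason) in zip(requests, decisions(requests))
    ]


if __name__ == "__main__":
    for line in audit_lines():
        print(line)
```

Run as a script, the output shows the divergence the article describes: the perimeter model waves through the first three requests purely because they carry an internal address, and blocks the legitimate engineer because she is outside the firewall; the Zero Trust model denies the hijacked session, the phished credential and the out-of-role insider for three different, loggable reasons, and admits the remote worker whose identity and device check out. The audit lines are emitted for allowed requests too, which is what makes later behavioral monitoring possible.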
Adopting a Zero Trust security model presents many unique challenges. It can generate additional costs and complexity because of the additional security infrastructure required inside the perimeter. Ongoing support of packet inspection, forensic analysis, and data-loss protection measures requires dedicated personnel to police the inside of the network. Companies may need to spend more on skilled security analysts to manage this new infrastructure, but fortunately, through third-party Security Operations Center (SOC) services, this can be done without substantially increasing headcount. Many organizations can improve their capabilities while lowering their costs by purchasing external SOC services. It is a small price to pay for effective security when weighed against the potential liability and expenses associated with a major data breach. A 2016 Ponemon study sponsored by IBM estimated the average total cost of a typical corporate data breach today at $4 million, with an average cost per stolen record of $158 (IBM, 2016).
Security practitioners cannot be satisfied with the illusion of security. We must strive to implement specific measures and technologies capable of withstanding the types of dynamic and adaptable threats that exist in our constantly changing world. A Zero Trust approach to network security is imperative in a business environment dominated by frequent offensive network penetrations from state-sponsored, criminal, and activist hacking groups.
Next-generation security products incorporate many protective measures from the Zero Trust security model. These systems come with traffic monitoring engines designed to inspect both internal and external connections, with extensive libraries of security policies and rulesets to simplify policy enforcement inside the network. They are designed to conduct stateful inspection of both internal and external connection traffic and to decrypt and inspect SSL traffic. All connections are validated to confirm that they conform to expected behavior and to the correct use of protocols. Such solutions add layers of complexity, but they also provide the ability to monitor connections in real time and immediately stop data movement when unusual traffic occurs. The ability to stop data exfiltration by monitoring internal traffic flows is an important aspect of security. The Zero Trust model requires security leaders to abandon the idea of trusted insiders inside their network and acknowledge the realities of our modern lifestyle.
The Zero Trust security model demands a holistic approach to security. Many organizations today would benefit from an external assessment to determine how they can move beyond traditional external perimeter security protections. Fortunately, there are new security products that can address insider threat and data loss protection. There are cloud-based solutions provided as a Software as a Service (SaaS) with advanced features such as software-defined networking, user behavior analytics, and cloud access security brokers. These products make it much easier to provide the granular access controls required to implement Zero Trust policies within an organization. Now is a great time to consider moving data storage and processing to the cloud, rather than continuing to make piecemeal investments in yesterday’s technology. PeriCertum specializes in cutting infrastructure costs while increasing security and we would be happy to assist your organization to make the transition to a Zero Trust Network.
Hacket, R. (2015, April 21). ‘Security has failed’: Exclusive preview of RSA president’s conference keynote. Paragraph 4. Retrieved from Fortune: http://fortune.com/2015/04/21/rsa-conference-amit-yoran-keynote/
IBM. (2016). Cost of Data Breach Study. Paragraph 2. Retrieved from IBM, Incorporated: http://www-03.ibm.com/security/data-breach/
Western, M. (2013, April 08). Cyber Security Framework. Page 4, paragraph 2. Retrieved from NIST: http://csrc.nist.gov/cyberframework/rfi_comments/040813_forrester_research.pdf