Security in a World of Zero Trust
We have arrived at a point where personal privacy can no longer be guaranteed online. The dark web offers digitally lethal malware at affordable prices, and many of these tools no longer require expertise to wield. Yet in the cloud-first environment, our dependence on data grows exponentially, increasing our exposure.
While working as the CTO for NetGear in 2014, electrical engineer Jeff Capone realized that the growing number of devices companies use, and the amount of unstructured data that passes through them, presented a “massive threat.” International Data Group (IDG) last year projected that by 2025 there will be 163 zettabytes (1 ZB = 1 sextillion bytes) of data circulating worldwide, and most of it (80%) will be unstructured. Unstructured data is defined by Wikipedia as “information that either does not have a predefined data model or is not organized in a predefined manner.” It can be text, pictures, bar codes, library records, and much more. In an article for Security Today, Capone wrote, “One of the most problematic data types to secure is unstructured data. The dilemma for security professionals is how they can effectively manage the huge volumes of unstructured data that are shared across all types of documents and formats and spread internally and externally.” As network perimeters became more porous, with multiple paths in and out, numerous device types, and many cloud destinations, what was needed, Capone decided, was an opt-out model for security.
The then-conventional approach assumed that internal networks should be secured and that external networks weren’t to be trusted. Internal files that were selected for protection were put behind firewalls, and traditional perimeters were assumed to be enough protection against the rising tide of unstructured data.
Capone saw four key vulnerabilities of the traditional opt-in model:
- With numerous entry points in a cloud-first environment, companies no longer owned or secured the servers where their data was kept.
- The threats weren’t just coming from external networks. A McAfee survey showed 43% of data breaches are caused internally, by carelessness or malicious intent.
- Internally securing a confidential file isn’t enough. Sections copied and pasted from the file might end up in other reports or presentations, and emailing the file or some of its content may create derivative works that the original protection no longer covers.
- Even with proper training, you can’t always count on employees to keep data secure.
The market research company Forrester has defined a new model with an approach it calls Zero Trust, which has three requirements:
- Ensure that all resources are accessed securely, no matter the location.
- Adopt a least-privilege (very restrictive) strategy, and strictly enforce access control.
- Inspect, log, and audit all traffic.
Jeff Capone ultimately cofounded a cybersecurity company, SecureCircle (www.securecircle.com), which is built on the Zero Trust mandate. Its system assumes all files require encryption in all three possible states: in use (while they are being worked on), in transit (when they are sent somewhere), and at rest (while they sit stored on disks or in the cloud).
Capone’s system is opt-out, based on the assumption that “It’s easier to protect everything and decide what is not important and can be shared outside the organization.” Users with a legitimate reason may release a file from protection, i.e., opt out.
SecureCircle’s Transparent File Encryption has a number of unique features, including complete transparency. Users and applications can interact with encrypted data as they would with unprotected files. The files are opened in the same way, file names or extensions aren’t changed, and the user won’t see any difference unless, or until, they do something they aren’t supposed to.
Protected files are tracked each time a user or application is authorized to open them. Because the encryption travels with them, the files are retractable and, when necessary, can be disabled no matter where they are.
An additional function called the Similarity Detection Engine understands and keeps a record of the DNA of the file content. When that file’s DNA is found in another file, as in copy-and-paste or save-as duplications, the derivative material is automatically protected.
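To make the derivative-detection idea concrete, here is an added example; it is not SecureCircle’s code and makes no claim about how its engine works. It models a file’s “DNA” as a set of hashed word-shingles and treats any new document that shares enough shingles with a protected file as a derivative that should inherit protection. The registry class, file names, thresholds, and sample texts are all constructed for this illustration.

```python
import hashlib
import re

SHINGLE_WORDS = 8      # words per shingle; smaller values catch shorter pastes
MATCH_THRESHOLD = 3    # shared shingles needed before a file counts as derivative


def fingerprint(text: str) -> set:
    """Return the document's 'DNA': the set of hashes of every
    SHINGLE_WORDS-long window of normalized words."""
    words = re.findall(r"\w+", text.lower())
    shingles = set()
    for i in range(len(words) - SHINGLE_WORDS + 1):
        window = " ".join(words[i:i + SHINGLE_WORDS])
        shingles.add(hashlib.sha256(window.encode("utf-8")).hexdigest())
    return shingles


class ProtectionRegistry:
    """Hypothetical registry of protected-file fingerprints (constructed)."""

    def __init__(self):
        self.protected = {}  # file name -> fingerprint set

    def protect(self, name: str, text: str) -> None:
        """Record a file as protected and remember its DNA."""
        self.protected[name] = fingerprint(text)

    def classify(self, text: str) -> dict:
        """Map each protected file whose content appears in `text`
        to the number of shared shingles (empty dict if none)."""
        fp = fingerprint(text)
        hits = {}
        for name, known in self.protected.items():
            shared = len(fp & known)
            if shared >= MATCH_THRESHOLD:
                hits[name] = shared
        return hits

    def should_protect(self, text: str) -> bool:
        """True when the document is a derivative of protected content."""
        return bool(self.classify(text))


# Constructed sample documents: a protected memo, a slide deck that pastes one
# sentence fragment from it, and an unrelated notice.
CONFIDENTIAL = ("Project Falcon pricing memo. The board approved a launch price of "
                "499 dollars for the second quarter, with a volume discount of twelve "
                "percent for orders above one thousand units. This figure must not "
                "leave the finance team before the earnings call.")
DERIVATIVE = ("Slides for the partner meeting. Key numbers: with a volume discount "
              "of twelve percent for orders above one thousand units we stay competitive.")
UNRELATED = ("Cafeteria menu for Monday: lentil soup, grilled vegetables, and fresh "
             "fruit. Please return trays to the counter.")
```

The pasted 13-word fragment yields 6 shared 8-word shingles, so the slide deck is flagged as a derivative of the memo while the unrelated notice is not.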
No one expects the amount of unstructured data to decrease, but the good news is that corporate security is evolving.