How do we address Internal Threat?
#SoftwareSecurityMyth - Our application is meant for internal users; they access it from within our company network, so it must be safe! We had better spend our time and energy on protecting internet-facing applications.
The Challenge
A recent headline about a data breach at Tesla caught my attention. In May 2023, there was a media report of a massive data breach at Tesla, and two months later investigations revealed that it was the work of two insiders.
While internet-facing applications receive a disproportionate share of attention from a security perspective, internal applications exposed to internal users are often considered safe (implicit trust).
I have seen large enterprises categorize their applications into risk categories (to direct their energies towards the most critical applications); public-facing applications are usually classified as High Risk from a security perspective, while internal applications are bucketed into the Medium- to Low-risk categories.
The fundamental problem with this approach is that it is not the data/asset accessed via the application that drives the risk rating, but the user base or the internal/external network it sits on (also known as perimeter-based security).
This bias towards internal applications is based on few underlying assumptions:
While these assumptions held true until a few years (or decades) ago, they no longer do. With the rapid adoption of cloud technologies, the blurring of work-home boundaries (many companies have adopted a hybrid working model), as well as new initiatives like BYOD (Bring Your Own Device), we are in a situation where "implicit trust" cannot be assumed. Any small lapse in security can expose us in the same way a public-facing application would.
Is there a solution that addresses the requirements of the modern work environment while still safeguarding organizational assets?
The Solution
The risk involved with internal applications is no different from that of external applications. In fact, an internal threat is often more effective than an external one. Hence, we should take a comprehensive relook at the way we secure our applications and change our approach from "implicit trust" to a "zero trust" architecture.
The main concept behind Zero Trust Architecture (ZTA) is to not trust devices or users based on their location (inside or outside the perimeter); instead
There are many definitions of Zero Trust Architecture (ZTA). Here are a few examples:
Forrester, who originally coined the term "Zero Trust", defines it as:
“An information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates these three core principles: All entities are untrusted by default, least privilege access is enforced, and comprehensive security monitoring is implemented.”
NIST, the US standards body, defines ZTA as:
“Zero Trust is an evolving set of cybersecurity paradigms that move defenses from static and network-based perimeters to focus on Users, Assets and Resources. It is an end-to-end approach to enterprise resource and data security that encompasses identity (person and nonperson entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure.”
Microsoft, an ardent promoter of ZTA, defines it as follows:
“Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorized, and encrypted before granting access. Microsegmentation and least-privilege access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real time.”
“The Open Group” defines Zero Trust as:
"(Adjective) A characteristic of an asset-centric information security approach that enables organizations to secure and manage data/information, applications, APIs, and any data integrations on any network, including the cloud, internal networks, and public or untrusted (Zero Trust) networks."
“(Noun) An asset-centric information security approach that enables organizations to secure and manage data/information, applications, Application Program Interfaces (APIs), and any data integrations on any network, including the cloud, internal networks, and public or untrusted (Zero Trust) networks."
And it defines ZTA as:
“The architectural implementation of a Zero Trust security strategy that follows well-defined and assured standards, technical patterns, and guidance for organizations."
ZTA is a journey rather than a destination. As the threat landscape evolves with the adoption of modern technologies, we need to evolve our security posture as well.
It is also not about rolling out a new technology; it is about new thinking. In fact, the technology required to implement ZTA is already available today, and the best part is that it leverages existing technologies.
As Malcolm Shores (a well-known authority on cybersecurity) puts it nicely, "The new ABC of modern security is Assume Nothing, Believe No One & Check Everything", and this is the gist of ZTA.
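To make the difference concrete, here is an added illustration (not from the article) of the two access-decision styles discussed above: a perimeter check that trusts any request from the corporate LAN, beside a zero-trust check that verifies identity, device posture and a least-privilege grant on every request and records each decision for monitoring. All users, devices, IP ranges and resources are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample policy data; every name, range and resource is hypothetical.
CORPORATE_LAN = ip_network("10.0.0.0/8")
AUTHENTICATED = {"alice", "bob"}                       # fresh, verified IdP sessions
COMPLIANT_DEVICES = {"laptop-alice-01", "laptop-bob-01"}  # passed device posture checks
GRANTS = {                                             # least privilege: (user, resource) -> actions
    ("alice", "hr/payroll"): {"read"},
    ("bob", "eng/wiki"): {"read", "write"},
}
DECISION_LOG = []                                      # every decision is recorded (monitoring)


@dataclass
class Request:
    user: str
    source_ip: str
    device_id: str
    resource: str
    action: str


def perimeter_decision(req: Request) -> bool:
    """Implicit trust: any request from the corporate LAN is allowed, whoever sent it."""
    return ip_address(req.source_ip) in CORPORATE_LAN


def zero_trust_decision(req: Request) -> tuple:
    """Never trust, always verify: identity, device posture and a least-privilege grant
    are checked on every request; network location is logged but never used for trust."""
    if req.user not in AUTHENTICATED:
        verdict = (False, "identity not verified")
    elif req.device_id not in COMPLIANT_DEVICES:
        verdict = (False, "device not compliant")
    elif req.action not in GRANTS.get((req.user, req.resource), set()):
        verdict = (False, "no least-privilege grant for this action")
    else:
        verdict = (True, "allowed")
    DECISION_LOG.append((req.user, req.source_ip, req.resource, req.action, verdict[1]))
    return verdict


if __name__ == "__main__":
    # An authenticated employee on the LAN with a compliant device, but no grant for payroll.
    on_lan = Request("bob", "10.1.2.3", "laptop-bob-01", "hr/payroll", "read")
    print("perimeter :", perimeter_decision(on_lan))      # True: location alone is enough
    print("zero trust:", zero_trust_decision(on_lan))     # denied: no least-privilege grant
    # The payroll owner working from home: perimeter blocks her, zero trust lets her in.
    remote = Request("alice", "203.0.113.5", "laptop-alice-01", "hr/payroll", "read")
    print("perimeter :", perimeter_decision(remote), "| zero trust:", zero_trust_decision(remote))
```

The same policy serves the hybrid-working case the article raises: the remote user is admitted on the strength of her identity, device and grant, not her network location.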