FEATUREDApplication Development & Modernization
In Managing Security in the Age of Zero Trust, BlueAlly introduces Zero Trust as a data-centric approach to security. This involves identifying the data assets and adjusting or creating an Enterprise Information Security Policy (EISP) that protects data and takes a risk-based approach to security.
So, what exactly is a “risk-based” approach from a technological perspective?
Risk-Based Technology
From a security management standpoint, there is a risk-based methodology called the “CIA Triad”: Confidentiality, Integrity, and Availability (CIA). Confidentiality means that only authorized users and processes should be able to access or modify data. Integrity describes that data should be maintained in a correct state, and nobody should be able to improperly modify it, either accidentally or maliciously. Finally, Availability describes that an authorized user should be able to access data wherever and whenever they need it.
Integrity Defined
Integrity is often simplified to mean checksums, backups, and/or DR. But a more accurate definition would mean maintaining data in a correct state, with no person or process being able to modify it improperly.
As a result, there is a substantial crossover with Confidentiality. Encryption prevents several vectors, and RBAC and ABAC define user access to data. For example, this creates an environment that segments access so users can’t modify what they can’t reach.
But the unique contribution is with data integrity, and that is maintained through technologies such as digital certificates, digital signatures, hashing, and yes, backup and recovery technologies. This establishes the goal of ensuring the data is trustworthy and tamper-proof.
The ultimate safeguard is immutable storage. This is where copies of the data that cannot be modified are made. This is emerging as a primary defense against Ransomware attacks, where the attacker encrypts the data and holds it hostage to extort money. With one client, we designed a solution for moving the immutable backups to a colocation facility not visible from within their environment. This offsite storage safeguards against several Disaster Recovery (DR) scenarios.
The Zero-Trust approach with Integrity integrates the approach across all IT silos. This means implementing least privileged access technologies such as role-based access controls (RBAC) and attribute-based access control (ABAC). This emerging technology standard can apply context to the permissions. It also involves coordinating encryption technologies, certificate management, and backups, including immutable storage as needed.
Integrity Examples
Loss of Integrity is defined as data being modified without authorization. A public example of a security breach based on Integrity is defacing a public website to sully a firm’s reputation. A more insidious example would be breaching an administrative account and changing file permissions to permit changes.
However, this could also be a technological or systems failure. We have worked on a couple of cases where a backbone network was taking errors at a rate just below the threshold for circuit failure but high enough that the bit error rate was producing packets with multi-bit errors. At a high enough rate, multi-bit errors can result in data corruption.
To fight this, we need all the technologies deployed for Confidentiality and operational excellence. On the Integrity-specific side, the technologies needed include digital certificate management, backups, disaster recovery planning, and immutable storage.
No single company has a complete product or even product set for Integrity, let alone Zero-Trust, but perfection is the enemy of progress. As a result, we should be looking for solutions that improve the current situation and move us forward.
Vendor Choices
In our work, we partner with Cohesity and Pure Storage for backups, immutable storage systems and Disaster Recovery. We are partnered with vendors such as Cisco, Fortinet, HPE, Palo Alto, and Zscaler for identity-based secure access and segmentation.
Ongoing Call to Action
EISPs and the downstream technological policies need to be living systems and kept up to date as the business evolves and changes. As a result, a governance process needs to be established to tie the senior management team with the technology teams tasked with protecting and managing the firm’s data assets.
For a practical view on including the CIA Triad within your Security Practice, you can read our blog on this subject: Architecting an information security program for the Enterprise.
BlueAlly consultants are always here to assist and guide your journey to a more secure future.
To learn more, contact us about the assessments we can perform to address any concerns and improve your security.
