Managing Security in the Age of Zero Trust

Zero Trust is a data-centric approach to security that involves identifying the data assets that need protection and creating a data classification policy. With this information, an Enterprise Information Security Policy (EISP) can be developed to drive an “All of Enterprise” approach to security.  

So, what exactly is a “data-centric” approach? 

Data-Centric Security 

As a data-centric methodology, Zero Trust takes a risk-based security approach.   

So, what does this mean, and how do you start? 

Every firm needs an Enterprise Information Security Policy (EISP). This consists of a security philosophy and the direction and tone of a firm’s security efforts. Central to this effort is defining what data needs to be protected, where it resides, and how it is used.   

Unfortunately, this is not as straightforward as it might appear. For example, when someone thinks about a hospital, electronic medical records (EMR) come to mind. But hospitals are also large employers with personally identifiable information (PII) on employees and contractors. In addition, they often operate as retail businesses with corresponding payment card industry (PCI) compliance requirements.   

Since the Colonial Pipeline attack, many organizations are now aware that they also operate real-time systems (often called IoT or OT systems) that can impact the physical world. Some IT teams are not even involved with the management of these systems. In some enterprises, this may involve simple CCTV systems and/or door locks, but in others – such as utilities – these systems control water, sewer, gas, and electricity delivery systems. 

Our example hospital will also have hundreds to thousands of IP-based instruments ranging from patient monitors and infusion pumps to complex radiological devices and robotic surgical systems.   

This all results in vital data and control systems that require protection across multiple regulatory boundaries. 

Understanding the data and having your business risk team evaluate the costs of access denial  are essential for producing a risk-based EISP. 

Systems Inventory 

Implementing the new policy-based plan requires a systems inventory of all your assets and operational practices. The NIST Cybersecurity Model outlines five operational functions applied to five asset classes.  BlueAlly has adopted the Cyber Defense Matrix which maps the NIST 800-53 operational functions against their asset classes as shown in Figure 1 below: 

Figure 1: Cyber Defense Matrix (CDM) 

The operational functions are Identify, Protect, Detect, Respond, and Recover. The Asset Classes are Devices, Applications, Networks, Data, and Users. 

Two axioms exist in security: 

• You can’t protect what you can’t see 
• To alert on abnormal behavior, you must have a baseline of normal behavior 

This is where an organization must have a proper census of the user base and what they have permission to do regarding devices, networks, applications, and data access. The relationships between asset classes and their operational use will establish operational awareness. 

It’s also a good idea to map the products and solutions your enterprise uses onto the CDM to uncover areas of overlap or to illustrate gaps. 

On the operations side, this establishes pre-event structural awareness and helps define the post-event response. 

New Recommended Management Processes 

In addition to the risk-based EISP and a cascading set of policies and communications, several items need to be done: 

Crisis management plans need to be in place, and they require: 

• Emergency contact numbers for all key personnel 
• Contact information for external providers like ISPs (internet service providers) and managed services 
• Hardcopies of all run books – tiered to support individual business units and functions 

Of course, all of this must cascade from the top down, and each set of business processes and all IT systems (on-premises, in the cloud, or through software-as-a-service) must be documented. 

Risk-Based Technology and Operational Changes 

From a management standpoint there is a risk-based methodology called the “CIA Triad”: Confidentiality, Integrity, and Availability (CIA). Confidentiality means that only authorized users and processes should be able to access or modify data. Integrity describes that data should be maintained in a correct state and nobody should be able to improperly modify it, either accidentally or maliciously. Finally, Availability describes that an authorized user should be able to access data wherever and whenever they need it. 

From a technological standpoint the methodology is implemented as follows: 

• Confidentiality – Encryption in transit and encryption at rest, role-based access, and identity management 
• Integrity – Trust that the data has not been maliciously modified, including reliable backups for all data – preferably backups that are offline and not susceptible to a network hack (for example, immutable storage) and file permissions 
• Availability – Network, storage, and system design that assumes that failures will and do occur; proper upgrades and patching 

Finally, proper instrumentation needs to be developed and deployed: 

• Large outflows of data should be detected, and alerts should be established (data loss prevention) 
• Behavioral analytics should be deployed to react to unusual or non-standard changes in the environment 

Ongoing Call to Action 

EISPs and the downstream technological policies need to be living systems and kept up to date as the business evolves and changes. As a result, a governance process needs to be established to tie the senior management team with the technology teams tasked with protecting and managing the firm’s data assets. 

As always BlueAlly consultants are here to assist and guide your journey to a more secure future. 

To learn more, contact us about the assessments we can perform to address any concerns and improve your security.