Trust and security. How do you marry the two?

Security pros at all levels of government and throughout the commercial sector are asking themselves ‘Who do I trust?’ and ‘How do I establish trust?’ within their organizations.
Written by Ken Ammon, Contributor on
Commentary - In the wake of the Wikileaks fiasco, 2011 is ripe for continued challenges with controlling insider access to critical business assets. Security pros at all levels of government and throughout the commercial sector are asking themselves ‘Who do I trust?’ and ‘How do I establish trust?’ within their organizations. According to a 2010 Forrester Research report, one of the biggest issues facing information security professionals is that the traditional trust model is broken. (“No More Chewy Centers: Introducing The Zero Trust Model Of Information Security”)

What’s broken? The traditional model of trust
Historically, organizations have trusted people in a blanketed way. The common trust model recognized users as either being insiders a.k.a. employees on the payroll or untrusted outsiders. IT efforts focused on creating a wall around business and IT infrastructure with security defenses set up at the network perimeter. Now, this thinking has significantly changed based on factors such as the modern definition of “employee” and the capacity in which individuals interact with organizations. Today, for example, third party vendors and outsourced contractors are accessing systems directly, or at least in a fashion that requires an extension of trust to these users. Also, the booming mobile workforce has countless on-the-go employees accessing internal resources by external means. With new computing models such as virtualization, mobility and cloud computing in place, organizations are outsourcing infrastructure and assigning to third party vendors the same level of trust that they would traditionally have reserved for internal staff only.

Then there is the compliance factor. For example, governmental regulations call for continuous monitoring of compliance requirements, putting agencies in a position of needing to deploy more technology-based solutions as opposed to relying on written IT policies alone to support compliance demands. And as NIST produces their next version of 800-53 they are looking to increase their focus on insider threat. Based in part on rising compliance factors, organizations today have to enforce written policy with technology functionality and report on it on a regular basis.

Goal architecture: A trust model that works
The combination of privileged users with access to critical information, infrastructure and data and rigid compliance requirements has caused organizations to have to take significant measures to enforce fine-grained access controls, trace policy to technology and find a trust model that works – all in an attempt to help achieve a secure network architecture.

But, a cautionary note to those in the market for an access control solution to enforce privilege controls: a plethora of technologies can be used to address an organization’s need for trust and least privilege user enforcement, but the drawback is, they each deal with a sliver of the overall issue. In an attempt to control, contain and audit users, a top financial institution, for example, tried an integrated solution of SSL VPN, Firewalls, router ACLs and Citrix. However, this approach only met 75-percent of the institution’s needs and was completely unmanageable.

Manageability is key for any security technology or model to be useful. But how do you perform all these tasks—user access control, containment, logging and recording—with a solution that doesn’t require complicated redesigns or disruption to the network? This issue is complicated by the need to create a distinction between information that you’re providing as opposed to access to and control of infrastructure. Another pain point is figuring out how to restrict users so that they only have contact with the platforms for which they are allowed access.

The solution requires a paradigm shift that’s gaining foothold today. It’s called the zero trust model, which features a granular approach to establishing access permissions based upon the role that individuals are assigned and the information they need to do their job.

Today, technology advances have made it easy to deploy and manage a least privilege access control environment, which allows for a dramatic step forward in the effort to secure against the insider threat. Several recommended measures for an effective role-based trust architecture include:

• Controlling access from the endpoint out where all endpoints are viewed as un-trusted and unmanaged, and doing it on a fine-grained per user and per group basis. Organizations should not only be able to allow the command that is permitted but also be able to alert security operation centers on a real time basis when a violation of policy has occurred, which allows for rapid response actions and limits potential loss to the organization.

• Containing users to platforms or authorized areas based on their roles. Users should not have unfettered access through the enterprise.

• Monitoring and logging continuously. There is a tremendous amount of value in audit data if it is placed in context and reported in a timely fashion to those who can investigate it.

• Maintaining identity awareness. Users identity needs to be tied to whatever they’re accessing or whatever they’re doing in the infrastructure

• Succeeding without doing an infrastructure swap-out. You can achieve zero-trust by adding some technology and realigning existing infrastructure without re-building the network or throwing away previous investments on existing infrastructure.

By using technology specifically built with a zero trust or least privilege approach in mind, security pros can now meet the evolving challenges of controlling insider access to critical IT infrastructure and business assets.

Ken Ammon is the chief strategy officer at Xceedium.

Editorial standards