A recent industry phishing report showed that 4% of users are prone to click on anything sent to them. That is a scary statistic given that phishing is one of the primary methods ransomware attacks are carried out. Ransomware is extremely damaging for a business due to its relatively low cost to execute and high value rate of return. Four percent might seem like a low number, but just one user falling victim to a phishing attempt is one too many. We, as cybersecurity professionals, need to be right 100% of the time, whereas the attacker only has to be right once. With 4% of users clicking on just about anything and opening attachments, the odds are definitely stacked against us.
Another alarming consideration: 24% of data breaches are still due to a malicious insider. This could be an employee, a contractor or some other trusted entity with access to your systems and data for legitimate business purposes, but in fact is misusing the level of access they have been granted.
The Traditional Model – Trust But Verify
We are all used to the traditional security model where we authenticate ourselves to an application or perimeter device – such as a VPN – then continue on carrying out our responsibilities.
This model assumes everything inside an organization’s network is trusted, so once a user is authenticated to the VPN, they can move around to any resource to which they have access. The assumption is made that the user is who they say they are, the user’s account is not compromised and that the user will act responsibly.
According to Microsoft, 81% of data breaches occur because of weak, shared, default or stolen credentials. All it takes is one compromised account to one legacy application to cause a catastrophic breach and your company is catapulted negatively into the headlines. Privileged access was implemented to solve the problem of “shared credentials”. BUT a pandemic-forced, remote work situation exacerbates a dissolving perimeter with more cloud based workloads as well as IT sprawl, making privileged access extremely vulnerable.
For an attacker, compromising credentials is key. Once they can walk through the front door, the objective is to lay low and move laterally across the network with the purpose of finding a way to elevate privileges – meaning attempting to gain more access than they currently have.
In short, the traditional cybersecurity model leaves organizations vulnerable to external credential theft and malicious insiders.
Embracing a ZERO Trust mindset and operating a system geared towards ZERO Trust principles better positions your organization to secure sensitive data, devices, and applications
ZERO Trust Security – Never Trust, Always Verify
It’s been well over a year since millions of businesses were forced to adopt a pandemic, work from home strategy. Most businesses are now actively planning on what a return to the office could look like. Part of the challenges they face is the workforce has evolved and is no longer limited to the four walls of a company to perform their work. Organizations are now having to adapt to the modern workplace where the focus is on embracing technology and being less tied to physical locations. Users, applications, devices and data are spread across multiple networks, servers, physical locations and in the cloud. The priority now is to find the best way to provide efficient, fast, and secure access.
Enter ZERO Trust Security Architecture
The traditional security model relies on a “Trust But Verify” strategy. Authenticated users are trusted on the network. Everything users do on the network, they are allowed to do since they have verified themselves by way of authenticated credentials.
ZERO Trust is not a technology, it’s a methodology. You can’t simply go to a security vendor and say ‘I want to purchase ZERO trust security
ZERO Trust never trusts and always verifies. This means eliminating any trust that previously existed for users, credentials, network, permissions. Instead, ZERO trust continuously validates who is attempting to gain access to data, applications, servers, resources, etc. to ensure they are who they say they are. This is done by vetting of parameters or attributes such as:
- System Integrity
- User Behavior
This validation and authentication is done on a continuous basis for every connection attempt, file access, data request, server access and command issued to ensure every user is who they say they are supposed to be. Real time monitoring encompasses this activity to immediately raise alerts if something is outside of normal behavior.
ZERO Trust is not a technology, it’s a methodology. You can’t simply go to a security vendor and say “I want to purchase ZERO trust security”. A security methodology first described by John Kindervag of Forrester Research in 2010, its main goal is to reduce the uncertainty of enforcing access decisions. ZERO Trust reduces the risk of presenting a username/password and gaining access to an application, then depending on the permissions granted to you by the application, you can move around the application and its data. With ZERO Trust, every time a user tries to access a new screen, a new data set, a SQL query, a combination of the parameters mentioned above will be interrogated and validated. Every time. The ZERO Trust combination of technologies laid out in a strategic architecture ensures the methodology is properly followed.
Benefits of ZERO Trust
Embracing a ZERO Trust mindset and operating a system geared towards ZERO Trust principles better positions your organization to secure sensitive data, devices, and applications. ZERO Trust also provides the following benefits:
- Prevent the lateral movement of an attacker once a system or network is compromised. If we’re constantly interrogating and validating attempts to access a resource and if the parameters we interrogate don’t match, they’re not gaining access to that system. Whatever or whomever is attempting to gain access will not be able to move around the network. This will give you a fighting chance to detect that an individual system has been compromised and a chance to mitigate it before they can do further damage.
- It gives you greater visibility across the enterprise. It will ensure you have the proper real time monitoring and alerting in place to know that something is out of line.
- Securing your mobile workforce is paramount in today’s world. Zero trust allows users to connect from a variety of locations using different devices with minimal impact to their workload, while establishing the proper security controls for the organization.
- Simplify IT Management and Reduce Cost. Most IT ecosystems have disparate systems that are not confined to just one location. Each system requires authentication, policies, roles, access permissions, configuration and more. Simplifying all this into a single identity where everything lives will ensure that IT management isn’t cumbersome. Consolidating simplifies IT management and simplifying management reduces cost.
XYPRO and HPE Expand Partnership
Recently, XYPRO announced the expansion of a decades-long partnership with Hewlett Packard Enterprise (HPE) to deliver XYPRO’s entire suite through HPE NonStop systems. HPE NonStop systems, which tackle mission-critical environments requiring 100% fault tolerance, are now available with expanded XYPRO Zero Trust solutions for optimal threat detection and security management capabilities.
This expansion extends the availability of mission critical database management, security and integration solutions to help customers implement Zero Trust to protect their mission-critical environment. This expansion includes XYPRO’s flagship product – XYGATE SecurityOne, a patented security, compliance and threat detection platform and XYGATE Identity Connector, the first and only SailPoint and CyberArk integrations for HPE NonStop systems. Customers can now meet requirements to secure and monitor their mission-critical investment with these solutions using HPE NonStop systems.
ZERO Trust and HPE NonStop
With the expanded HPE and XYPRO relationship, HPE customers can now implement full ZERO Trust security for their HPE NonStop environment. The goal is if an attacker compromises an area of the system, subsequent trust layers are purposefully set-up to slow down and narrow the field of attack.
XYPRO deconstructed the layers for HPE NonStop servers to identify where the system or data is most at risk. We apply the ZERO Trust strategy based on the risk involved, the type of data we are aiming to protect, and how different layers can interact with each other for risk mitigation. We ended up with the trust layers illustrated below.
The Network Layer
The Network layer is the outermost layer of the system and most likely to be targeted first. This layer is essentially your system’s perimeter, where applications are exposed and data is in motion, communicating with other systems and endpoints. Unlike subsequent layers, the system does not necessarily need to be compromised for an attack to be successful at this layer. Therefore, it’s critical to ensure all data flowing in and out of the system at this layer is properly protected using secure protocols such as TLS, SSH, SFTP etc… and ensuring no suspicious ports or services are available for external fingerprinting or other reconnaissance activity. Implementing security at this layer will cause a potential attacker to look elsewhere.
The System Layer
The system layer controls who is allowed to have access into your system. This is where logon controls are set up, credentials are validated and additional integrations, such as Multi-factor Authentication provided by XYGATE User Authentication (XUA) are implemented. An often overlooked but equally important understanding is that access isn’t only for users or logging into the system. Processes, objects and subsystems also need to properly authenticate themselves to access system resources and data. Think of this layer as the front door to your house. A thief would typically need valid credentials, or keys, to proceed any further. Although hardening your defenses here is a must, assume a motivated and patient adversary will bide their time and eventually get the keys they are looking for. And not to mention those pesky insider threats who may already have validated access to the system.
The User Layer
The user layer approach takes the position that users should not have unchecked permissions on a system, even after they’ve been granted access. Assume an attacker was road blocked at the Network Layer, but was able to compromise a user’s credentials at the system layer and logged on to the system. Deploying a proper ZERO Trust strategy at these next two layers will ensure access to the “Data in Use” is properly controlled and managed. Once granted access to a system, users shouldn’t have free reign to browse and run applications and utilities as they please (although I have seen this happen more than I’m comfortable admitting). Controlling what a user can access in terms of utilities and system locations based on their role, job responsibilities and other factors is a critical approach to executing a proper security strategy. Privileged Access Management (PAM) and Role Based Access Control (RBAC) is provided by XYGATE Access Control (XAC) at this layer.
XAC takes traditional RBAC a step further, by restricting control to the subcommand level within utilities and programs. Unless a user is explicitly granted access to a utility or program, or even a subcommand within a utility, they will be denied. Further controlling what a malicious user may or may not do if they manage to get down to this layer.
The Object Layer
The object layer ensures access to resources is granted only to authorized users. Resources may include files, volumes, subvolumes, databases and other objects. Building on the previous trust layer that restricted access based on actions, protection at the object layer will ensure an authorized user, running an authorized application can only access authorized objects. XYGATE Object Security (XOS) provides full coverage for all of your NonStop file, system, application and database resources.
The Data Layer
The data layer is data stored within files, databases and other data repositories containing critical business data, payment card data, customer data and other critical data necessary for your operations. This is typically referenced as “Data at Rest”. If an attacker made it this far, your last line of defense would be to make the data completely unrecognizable. Solutions to tokenize or encrypt data at rest make sure that even if the data was exfiltrated, it would be of no use to the thief.
The Volume Layer
To protect the volume layer, HPE offers solutions that protect data at the disk level. One solution is Volume Level Encryption (VLE). VLE protects against physical threats. If someone were to walk into your data center and walk out with a hard drive containing critical data, using VLE, that drive would be unusable to them. VLE does not protect application access to the data once the system is on and running. This concept differs slightly in the virtual NonStop world, but the objective is still the same.
Audit and Real Time Monitoring
Implementing controls without auditing and monitoring is ineffective and can ultimately be the Achilles heel that sinks a ZERO Trust strategy. Generating audit records at every layer for critical activities and reviewing those in a timely fashion will help gain insight into a security strategy. Security intelligence and analytics are no longer buzzwords. Solutions like XYGATE SecurityOne® (XS1) give you views into your systems and the data like never before. Tilt the scales in your favor with modern analytics solutions to slow down or even stop a costly breach. You can add defenses at every layer, but without the ability to analyse what is happening at those layers, you’re flying blind and cannot ensure your defenses are working the way you intended.
ZERO Trust is a modernized and intelligent approach to the layered security concept. It’s based on the understanding that IT assets live in a variety of environments hosted by multiple providers. Workers access IT assets from multiple locations from a variety of devices, therefore a security strategy must be adopted that can keep up with today’s workforce. ZERO Trust eliminates any assumed trust based on network or permission levels.
In XYPRO’s long history of delivering risk management solutions for HPE NonStop systems customers longer than anyone, we strive for meaningful and strategic business relationships while providing great support and leading edge security solutions. Our strong relationship with HPE is why several XYPRO solutions have shipped with the HPE NonStop operating system for more than a decade. Making the rest of the XYPRO’s solution suite available through HPE provides customers with required ZERO Trust security and consistency at significant value.
XYPRO also presented “What is ZERO Trust Security” at HPE Discover 2021. Click below to watch
Steve Tcherchian, CISSP, PCI-ISA, PCIP is the Chief Product Officer and Chief Information Security Officer for XYPRO Technology. Steve is on Forbes Technology Council, the NonStop Under 40 executive board, and part of the ANSI X9 Security Standards Committee.
With over 20 years in the cybersecurity field, Steve is responsible for the strategy and innovation of XYPRO’s security product line as well as overseeing XYPRO’s risk, compliance, and security to ensure the best experience for customers in the Mission-Critical computing marketplace.
Steve is an engaging and dynamic speaker who regularly presents on cybersecurity topics at conferences around the world.