360 Advanced says zero trust and least privilege are the new paradigm in service-provider data security
"Castle walls" are no longer your best defense against data breaches
TAMPA, Fla., June 23, 2014 /PRNewswire/ -- There is a major paradigm shift occurring in data security in the service-provider industry, and according to 360 Advanced, it has to do with the very foundations of how networks are protected.
"System administrators traditionally have protected corporate networks like a castle," observes 360 Advanced's Dave Smith. "They built layers of impenetrable walls to prevent an outside attacker from getting a foothold into the network to begin with."
However, as we now know, some of the biggest threats on any network come from the very users and devices that are fully authorized to be on it, already inside those castle walls.
"Throughout our work in penetration testing for various clients across diverse industries, one constant remains true: one of the most universally successful attack vectors is through people," Smith observes. "When crafted right, we can almost always find someone to click a link and either download an exploit or voluntarily give up their credentials."
Enter the zero-trust model, where trust is not granted merely because a device, user, process or file sits inside the network boundary. Now, care is taken that there are no open shares, unnecessary services, abandoned network devices, or even internet access for rogue or unauthenticated devices on the network. Here, the guiding strategy is the principle of least privilege, which states that no user, device, application, etc., should have any more access than is absolutely necessary to complete its job function.
Best practices in a zero-trust model include encryption of network traffic wherever possible. On the outside of a network, technologies such as SSL have been around for some time. Inside the network, the predominant mentality has historically been that there was far less need for such protections because the perimeter was the main area of concern. Those days are gone.
The most extreme examples of zero-trust networking even segment unfamiliar machines onto a separate VLAN (virtual LAN) until they prove they are authorized to access the main network; only then are they allowed to communicate with other devices on the trusted network.
YOUR NEW PARADIGM ACTION LIST
- Scan the network for open shares and restrict access to authenticated users.
- Structure file shares and data by role and only allow access to each share by users who actually need that data in their current roles.
- Scan the network for network devices with administrative web, telnet and SSH interfaces and ensure that the default password is not in use on any of them, including devices not considered critical and devices not believed to have access to critical data.
- Encrypt all possible internal traffic. Use SSL for internal/intranet websites. Use SSH instead of telnet or FTP. Disable insecure interfaces.
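One way to turn the checklist above into a repeatable audit, as an added example that is not part of the original release or 360 Advanced's own tooling: it evaluates a constructed inventory (hypothetical hosts, shares, users and roles) against the least-privilege rules in the list, flagging open shares, users whose roles do not need a share, cleartext management interfaces, and devices still on default passwords.

```python
from dataclasses import dataclass
# Management protocols the action list says to replace or disable (cleartext).
CLEARTEXT_ADMIN = {"telnet", "ftp", "http"}
OPEN_PRINCIPALS = {"Everyone", "ANONYMOUS"}

@dataclass
class Share:
    name: str
    allowed: set         # principals granted access in the share ACL
    needed_roles: set    # roles whose job function actually requires the share
@dataclass
class Device:
    host: str
    services: dict          # exposed admin interfaces, name -> port
    default_password: bool  # inventory flag: factory credential still set

def audit_shares(shares, role_members):
    """Least-privilege check: flag open shares and users outside the needed roles."""
    findings = []
    for s in shares:
        if s.allowed & OPEN_PRINCIPALS:
            findings.append((s.name, "open share: restrict to authenticated users"))
        needed = set().union(*(role_members.get(r, set()) for r in s.needed_roles))
        for user in sorted(s.allowed - needed - OPEN_PRINCIPALS):
            findings.append((s.name, f"excess access: {user} has no role needing this share"))
    return findings

def audit_devices(devices):
    """Flag cleartext management interfaces and devices still on default passwords."""
    findings = []
    for d in devices:
        for svc in sorted(set(d.services) & CLEARTEXT_ADMIN):
            findings.append((d.host, f"cleartext admin interface {svc}/{d.services[svc]}: disable or replace"))
        if d.default_password:
            findings.append((d.host, "default password in use: change it even if the device is non-critical"))
    return findings

# Constructed sample inventory (hypothetical hosts, users and roles).
ROLE_MEMBERS = {"finance": {"alice", "bob"}, "hr": {"carol"}, "it": {"dave"}}
SHARES = [
    Share("Payroll", {"alice", "bob", "dave"}, {"finance"}),  # dave is IT: no need
    Share("Public", {"Everyone"}, set()),                      # open to anyone
    Share("HRDocs", {"carol"}, {"hr"}),                        # correctly scoped
]
DEVICES = [
    Device("switch-01", {"telnet": 23, "ssh": 22}, True),
    Device("printer-02", {"http": 80}, False),
    Device("fw-01", {"ssh": 22, "https": 443}, False),
]
```

Running `audit_shares(SHARES, ROLE_MEMBERS) + audit_devices(DEVICES)` yields five findings: the Payroll share over-grants to dave, Public is open to Everyone, switch-01 exposes telnet and keeps its default password, and printer-02 exposes an HTTP admin page.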