In most computing environments, once a hacker obtains unauthorised access, they can usually move unimpeded across multiple system segments and applications.
Traditionally, computing environments have relied on firewalls and VPN technologies as their first line of defence, but once these are penetrated the hacker is generally regarded by the computing system as a trusted user. The hacker is then able to move laterally across the system and in many cases may add a ‘back door’ access to gain further unauthorised access with impunity.
In the last few years, a relatively new technology known as zero trust networks (ZTN) has matured into a very useful security tool that enables micro-segmentation of the network. Micro-segmentation means that every data resource and application will be classified and will only be accessible to those persons who have the right credentials.
This requires the Chief Security Officer and the Chief Information Officer to understand what resources are available and who should be able to access each and every resource utilised by the system. Once a person’s credentials have been authenticated, they will be given ‘least privilege’ [1] access only to those limited resources that match their privilege.
That is, unlike VPN, access will not be given to the entire computing environment, but will be restricted to specific functionality, applications and data sets that match the credentials associated with the access. For example, access could be restricted to the use of email services only, with no other application being available. Not only can access be restricted, but all non-credentialled applications will be hidden from the view of the end user.
Assume a software company operates an athlete health monitoring system and it employs a Chief Marketing Officer (CMO). The CMO needs access to the organisation’s promotional material and data related to strategic marketing stored on the company’s computing environment.
Does the CMO need to have access to each athlete’s personal health details stored in the network? No.
In expanding this scenario, assume the CMO has a gambling problem or that the CMO’s credentials are compromised by an industrial hacker who acts for a betting syndicate. Should the CMO’s credentials be used to gain access to each athlete’s health records? Using insider information for betting purposes is an offence in many jurisdictions. For example, in Australia, the Queensland Criminal Code was amended in 2013 to insert Chapter 43, headed ‘Match Fixing’. [2]
A prosecutor, to establish an offence under chapter 43, must prove that:
- The CMO possessed insider information. This should be relatively easy to establish by presenting the audit logs of the computer system showing that the CMO accessed the relevant information.
- The CMO knew or was reckless as to whether the information was not publicly available. This too should also be relatively easy to establish.
- The information, if made available, would impact the betting of the particular event, and
- The CMO used that information by either giving the information to a third party to place a bet or the CMO personally placed a bet on the relevant event.
However, the crime may actually be committed by an industrial thief who has obtained the CMO’s credentials, or the CMO may have communicated the information to another person where the CMO knew or ought reasonably to have known that the other person would, or would be likely to, bet on the relevant event.
Chapter 43 deals with post-event impact statements. That is, if anyone is caught contravening this law then certain consequences result, including possible imprisonment. The law does not prevent a crime from occurring; it only deters a contravention, and the stated penalty is what provides that deterrence.
Ideally the organisation operating the athlete management system would like to be in a position to prevent the carrying out of the crime in the first place. That is, use of the CMO’s credentials should be controlled and restricted to legitimate authorised personnel. The CMO’s credentials should be granted a ‘least privilege’ access to the organisation’s system, only to gain access to the information and applications necessary to perform their job.
A flow-on impact of this scenario concerns reputation. Most software-as-a-service providers sell their systems as being secure and trustworthy. However, it is not uncommon for the provider to also sell the expertise of the staff as being highly competent and trustworthy. Thus, if the nefarious activities of the CMO in the scenario were to occur, there would also be substantial damage to the reputation of the provider. Consequently, it is important that senior management, including the board of directors, understand the risk and implement appropriate policies, procedures, and security technology that reduce the risk to correspond with the organisation’s risk appetite.
One technology to assist is the deployment of zero trust networks (ZTN). [3] Least privilege access is a principal security function of a ZTN. A ZTN will only grant access to those functions, applications, and data sets that relate to the end user’s credentials. In essence, an end user may only operate within the micro-segment that corresponds to their least privilege access rights.
The above is one example only. The application of a ZTN also benefits any environment where sensitive data needs to be segmented so that only least privilege access is ever granted. In essence, trust no one and always require proof of who is gaining access, when they are gaining it, and what they are asking to access.
Zero trust networks
Micro-segmentation restricts access only to those persons who have been authenticated and are authorised to gain access to each applicable accredited segment or application within the computing environment.
ZTN technology grants least privilege access to a ‘segment’ within a computing environment and not to the entire environment. Each segment can be defined by an application running on the computer as well as data sets stored on the computer system.
An end user may be granted multiple segments but will only be granted access to such segments if their credentials match the segment authorisation. Consequently, a computing environment may be comprised of many hundreds of segments each being separately classified, and there will be a matching authentication function to ensure that anyone who is granted access is only granted a least privilege access to those segments that match the end user’s credentials.
A central functional principle of a ZTN is that the computing environment operates under a ‘software-defined perimeter’ and not through a ‘hardware-defined perimeter’. A software-defined perimeter defines what access privileges should be granted, no matter where the end user is located.
Even with a ZTN deployed there remains a vulnerability as at least one person must have unlimited access. Usually this would be the Chief Technology Officer, Chief Information Officer, Chief Security Officer, or a combination of these roles. If suspicious access is identified, then one or more of these persons will be designated to investigate and rectify the issue. These trusted executives may be granted super authority and thus have substantial lateral visibility within the company’s computing environment.
Since these persons wield substantial IT authority, they also become natural targets, such as through a social engineering attack. If a hacker is able to surreptitiously obtain access to the credentials of a person who has any of the above roles, then the hacker could move laterally across the entire computing environment. The protection of the credentials concerning these persons becomes a major focus from a security perspective.
Hardware security modules
To counteract a hacker’s access to a corporate officer’s credentials, it is recommended that a ‘hardware security module’ device (HSM) that is physically held by the relevant officer or officers be utilised.
To further increase the trust associated with any commercial computing environment, the organisation should not only deploy HSMs to selected corporate officers but should consider all authorised end users, including employees, contractors and temporary authorised end users.
If third parties are issued with an HSM, then the CSO should be able to remotely disable the device at will. Further, it is not uncommon for the third party to provide a deposit to cover the cost of the HSM and if the HSM is not returned to the issuing organisation within a set period after a demand, then the deposit will be forfeited. It is not a difficult task to ensure contractual obligations are included to cover this possibility.
The HSM should be designed and certified to military-grade security, such as FIPS 140-2 Level 3 certification, and should store all private keys needed to gain access. In addition, depending on the criticality of the information being stored or the computer environment involved, the credentials could involve the use of multiple private keys that could be stored across multiple HSM devices.
Splitting the access keys among a number of people substantially decreases the risk of a single rogue employee taking advantage of the computer system and increases the security framework against infiltration. The split-key environment would require a hacker to obtain each of the split keys to obtain access. This mechanism materially reduces the risk of infiltration.
Key splitting is generally known as Shamir’s secret sharing (SSS). A security environment could rely upon an SSS scheme of three out of five keys: even though the key has been split into five shares, any three shares, when combined, will be capable of gaining access to the relevant section of the computer system. A second major advantage of SSS is that it is quantum-crypto resistant.
Mergers and acquisition transactions
Most information in an M&A transaction is now digitised, and access to the documents is therefore via remote access so as to increase productivity in the process. The digital access might be an anytime-and-anywhere access, provided every party granted access has been properly authenticated and granted a ‘least privilege’ view of the documents. M&A transactions must operate on a need-to-know basis, and this is where a ZTN can greatly enhance the security against leakage of vital information. In such a situation, it may be a requirement that any accessed documents cannot be stored locally on an end user’s machine. This requires not only the end user being authenticated, but also every machine being authenticated.
The combination of ZTN and HSM technology can be utilised to better protect an IT infrastructure. Corporations should consider the deployment of appropriate policies that address their risk environment and which enforce ZTNs and SSS within an HSM environment for their critical business environments. In essence, this is a fundamental corporate risk management structure.
There are a number of reputable providers of ZTNs, as well as HSM providers who have implemented SSS as a security structure. The author is aware of one system presently on the market that combines an HSM device with a ZTN framework to better secure corporate and government information, developed by LOKBLOK, a Silicon Valley secure systems provider, but in all likelihood others will follow suit, especially in the protection of critical commercial information.
This article appears courtesy of the Queensland Law Society Privacy and Data Law Committee. Dr Adrian McCullagh is Deputy Chair of the committee and the founder of ODMOB Lawyers. He is the only practising lawyer in Australia with a PhD in IT security.
[1] Rose, S, Borchert, O, Mitchell, S, and Connelly, S, ‘Zero Trust Architecture’, NIST Special Publication 800-207.
[2] Parallel legislation exists in New South Wales, Victoria, South Australia, the ACT and the Northern Territory.
[3] Op cit note 1.