Who are you? Are you allowed to be here? And what are your intentions? It is an odd way to begin an interaction, and seems rather counterproductive to all things human, but this model of “never trust, always verify” has outlasted the normal lifespan of a buzzword, which lends it a certain legitimacy.
You have probably guessed it by now: I am talking about the stellar rise of the Zero Trust model, a security concept which has become ubiquitous across much of IT and garnered a great deal of attention, spawning its own NIST Special Publication (SP 800-207) and a White House federal memorandum. But what exactly is Zero Trust, and what is its real-world application in the context of file transfer and data exchange solutions?
What is Zero Trust?
A Zero Trust model eliminates the assumption of trust and insists on verifying everything. It takes the principled standpoint that no user, system, device, network or service, whether operating inside or outside the security perimeter, is to be trusted by default.
What Zero Trust means in practice is somewhat subjective and depends on its application. The model laid out in NIST SP 800-207 comes closest to a pure definition: its objective is to improve security posture by assuming no trust and verifying everything. The overarching principle is that no user or device should be given preference or heightened access based on who uses it, whether the device is business-owned or not, or where it is geographically located. Every access attempt is assumed to be high risk and must therefore satisfy the highest level of security available.
Examples can be drawn from the world around us to make this easier to understand. I have seen a few bank heist movies in my time, and there is one technique used in most of them: the characters dress as a delivery driver or maintenance crew to get into a restricted location. They craft fake ID cards, steal uniforms or brand their vehicle to appear legitimate, and are then waved through every entry point, bypassing security and validation on the basis of trust and familiarity.
In this case a zero trust model prohibits the assumption of trust and requires scrutinising the ID, validating the vehicle and perhaps even applying biometric checks to anyone attempting to gain access.
All well and good, but how is this applied to file transfer solutions?
Authentication
This applies to both users and devices. Solutions should re-authenticate user accounts regularly. That need not be something the user actions interactively, but any session cookies or keys should be re-validated on an ongoing basis. In addition, no assumption should be made about the safety of a user account or device, regardless of how familiar it is.
For the world of file transfer, this means no allow-listing of IP addresses or devices, and it means keeping administration accounts separate from those used for business-as-usual (BAU) activity, so that administrative accounts are never used for regular file transfer. Allow-listing by address or device is a hallmark of many well-established file transfer solutions, but it is ultimately not complementary to the security aims of a zero trust model.
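The session handling described above, as an added illustration rather than code from any particular file transfer product: a small gateway that re-validates every request against an absolute session lifetime, an idle timeout, the account's current state and the device the session was issued to, consults no allow-list of source addresses, and keeps administration and transfer roles apart. The account names, timeouts and action names are hypothetical.

```python
"""Session re-validation and admin/BAU separation for a file transfer front end.
Added illustration; names, timeouts and actions are hypothetical."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 600      # absolute lifetime of a session, seconds
IDLE_TIMEOUT = 120     # a session unused for this long is revoked
PBKDF2_ROUNDS = 100_000

# one role, one job: admin accounts never move files, transfer accounts never administer
ROLE_ACTIONS = {
    "admin": {"manage_accounts", "view_audit"},
    "transfer": {"upload", "download"},
}


class AuthError(Exception):
    pass


@dataclass
class Account:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes
    enabled: bool = True


@dataclass
class Session:
    account: str
    device_id: str     # the session is bound to the device that obtained it
    issued_at: float
    last_seen: float


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Gateway:
    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so the timeouts can be exercised
        self._accounts: dict[str, Account] = {}
        self._sessions: dict[str, Session] = {}

    def add_account(self, name: str, password: str, role: str) -> None:
        if role not in ROLE_ACTIONS:
            raise ValueError(f"unknown role {role!r}")
        salt = secrets.token_bytes(16)
        self._accounts[name] = Account(name, role, salt, hash_password(password, salt))

    def disable(self, name: str) -> None:
        self._accounts[name].enabled = False

    def login(self, name: str, password: str, device_id: str) -> str:
        acct = self._accounts.get(name)
        # do the same hashing work for unknown names so timing does not reveal them
        salt = acct.salt if acct else secrets.token_bytes(16)
        expected = acct.pw_hash if acct else b"\x00" * 32
        ok = hmac.compare_digest(hash_password(password, salt), expected)
        if not ok or acct is None or not acct.enabled:
            raise AuthError("bad credentials")
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(name, device_id, now, now)
        return token

    def validate(self, token: str, device_id: str) -> Account:
        """Run on every request. Nothing about the caller's address or history shortcuts this."""
        sess = self._sessions.get(token)
        if sess is None:
            raise AuthError("unknown session")
        now = self._clock()
        acct = self._accounts.get(sess.account)
        expired = now - sess.issued_at > SESSION_TTL or now - sess.last_seen > IDLE_TIMEOUT
        same_device = hmac.compare_digest(sess.device_id.encode(), device_id.encode())
        if expired or not same_device or acct is None or not acct.enabled:
            del self._sessions[token]      # any failure revokes; the client must log in again
            raise AuthError("session rejected")
        sess.last_seen = now
        return acct

    def authorize(self, token: str, device_id: str, action: str) -> Account:
        acct = self.validate(token, device_id)
        if action not in ROLE_ACTIONS[acct.role]:
            raise AuthError(f"{acct.role} account {acct.name!r} may not {action}")
        return acct


if __name__ == "__main__":
    clock = [1000.0]
    gw = Gateway(clock=lambda: clock[0])
    gw.add_account("batch-sftp", "correct horse", "transfer")
    gw.add_account("ops-admin", "battery staple", "admin")
    token = gw.login("batch-sftp", "correct horse", device_id="host-A")
    print("upload ok for", gw.authorize(token, "host-A", "upload").name)
    for device, action in (("host-A", "manage_accounts"), ("host-B", "upload")):
        try:
            gw.authorize(token, device, action)
        except AuthError as err:
            print("denied:", err)
```

A role denial leaves the session intact, but a device mismatch, a timeout or a disabled account revokes it outright, so the only way back in is a fresh login.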
Micro-Segmentation
The principle of micro-segmentation is rooted in ideas which extend well beyond IT. Castle building comes to mind: moats, chambers and walls built to contain, trap or slow down an invading force. It is probably the most interesting way for me to convey the idea that granting access to as small an area as possible helps to contain whatever issues arise from unauthorised access. This is closely related to what is usually called “least privilege”.
With regard to file transfer solutions, this takes two primary forms. The more obvious of the two is not giving an account or device any more permission than it specifically needs for its required tasks, irrespective of the account, the device or its location. We sometimes see customers creating accounts between internal services with administrative or wide-reaching permissions, because of the safety assumed from its being an internal service.
The second is known as access-based enumeration. In layman’s terms, once authenticated, an account or device is placed in a home folder which is its own and contains only the files and folders it requires. It cannot see the folder structure outside its home and it cannot traverse out of it. Even displaying the names of folders, without access into them, can give away information about their contents.
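Both forms described above, as an added illustration that is not code from any product: a per-account home folder onto which client paths are mapped, path confinement that resolves symlinks and `..` before deciding whether the target is still inside the home, and a listing function that only shows entries the account is allowed to see. The directory layout, the partner names and the permission sets are constructed for the example.

```python
"""Per-account home folders, path confinement and access-based enumeration.
Added illustration: the directory layout and permissions are constructed for it."""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


class AccessDenied(Exception):
    pass


@dataclass
class Account:
    name: str
    home: Path
    # first folder below home -> operations allowed there; anything unlisted is invisible
    perms: dict = field(default_factory=dict)


def build_sandbox(root: Path) -> None:
    """Constructed layout: two partner homes and a finance share outside both."""
    (root / "partners/acme/inbound").mkdir(parents=True)
    (root / "partners/acme/outbound").mkdir()
    (root / "partners/acme/outbound/invoice.csv").write_text("id,amount\n1,100\n")
    (root / "partners/globex/inbound").mkdir(parents=True)
    (root / "shared/finance").mkdir(parents=True)
    (root / "shared/finance/payroll.xlsx").write_bytes(b"PK\x03\x04")
    # a link planted inside acme's home that points at the finance share
    os.symlink(root / "shared/finance", root / "partners/acme/reports")


def confine(home: Path, requested: str) -> Path:
    """The client sees its home as '/'. Map its path onto the real tree, resolve
    symlinks and '..', and refuse anything that lands outside the home."""
    home = home.resolve()
    real = (home / requested.lstrip("/")).resolve()
    if real != home and home not in real.parents:
        raise AccessDenied(f"{requested!r} resolves outside the account home")
    return real


def _top(account: Account, real: Path) -> str:
    parts = real.relative_to(account.home.resolve()).parts
    return parts[0] if parts else ""


def check(account: Account, requested: str, op: str) -> Path:
    """Confine, then apply the account's permission for the folder the path falls in."""
    real = confine(account.home, requested)
    top = _top(account, real)
    if top == "":                         # the home root itself: listing only
        if op != "list":
            raise AccessDenied("home root is list-only")
        return real
    if op not in account.perms.get(top, set()):
        raise AccessDenied(f"{account.name} lacks {op!r} on {top!r}")
    return real


def list_visible(account: Account, requested: str = "/") -> list:
    """Access-based enumeration: names the account cannot list are simply not shown."""
    real = check(account, requested, "list")
    return sorted(p.name for p in real.iterdir()
                  if "list" in account.perms.get(_top(account, p), set()))


def read_file(account: Account, requested: str) -> bytes:
    return check(account, requested, "read").read_bytes()


def make_acme(root: Path) -> Account:
    """acme may drop files into inbound and collect files from outbound, nothing else."""
    return Account("acme", root / "partners/acme",
                   {"inbound": {"list", "write"}, "outbound": {"list", "read"}})


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sandbox(root)
        acme = make_acme(root)
        print("visible at /:", list_visible(acme))          # 'reports' is hidden
        print(read_file(acme, "/outbound/invoice.csv").decode().split()[0])
        for attempt in ("/reports/payroll.xlsx", "../globex/inbound", "/inbound/x.csv"):
            try:
                read_file(acme, attempt)
            except AccessDenied as err:
                print("denied:", err)
```

The symlink case is the one worth noting: the planted `reports` link is invisible in a listing because it has no permission entry, and even a direct request for `/reports/payroll.xlsx` is refused because the path is resolved before the home check, not merely string-compared.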
Encryption
Encryption at rest, thankfully, is no longer a debatable topic, and you would be hard-pressed to find a tool or storage technology which does not encrypt at rest. What is sometimes less settled is the use of encrypted transfer protocols, otherwise known as encryption in motion (or in transit).
Following the theme, you will not be surprised to hear that a zero trust model requires the highest level of data confidentiality, and that no reduction of it should be assumed based on user account, device or locality. I would go as far as saying that this should not be a decision at all, given that encryption both at rest and in motion is transparent to the user and has negligible impact on them.
When it comes to file transfer, much as with micro-segmentation, we find relaxed attitudes towards internal device communication. I have personally come across many file transfer implementations in which unencrypted FTP is used for internal transmissions. The problem is that the internal sender or receiver is assumed to be safe based on its location. File transfer protocols should always be protected using TLS 1.3 (for FTPS or HTTPS) or SSH version 2 (for SFTP), irrespective of any condition other than suitability.
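The transport decision described above, as an added illustration using the Python standard library rather than any product's own code: a legacy policy that falls back to plaintext FTP for hosts it believes are internal and accepts any certificate elsewhere, beside a zero trust policy that hands every peer the same hardened TLS 1.3 client context. The `.internal` name suffix is a constructed convention and the host names are made up.

```python
"""Transport policy for a file transfer client: one hardened TLS configuration for
every peer. Added illustration; the 'legacy' policy reproduces the anti-pattern the
text describes and the '.internal' suffix is a constructed naming convention."""
import ipaddress
import ssl


def is_internal(host: str) -> bool:
    """How a 'trusted internal' decision is typically made: private address or internal name."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.endswith(".internal")


def hardened_context() -> ssl.SSLContext:
    """Certificate verification on, hostname checked, nothing below TLS 1.3 accepted."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_transport(host: str):
    """Anti-pattern: plaintext FTP inside the network, permissive TLS outside it."""
    if is_internal(host):
        return "ftp", None                      # credentials and data in the clear
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # accepts any certificate, any TLS version
    ctx.verify_mode = ssl.CERT_NONE
    return "ftps", ctx


def zero_trust_transport(host: str):
    """Location is not consulted: every peer gets the same hardened transport."""
    return "ftps", hardened_context()


def meets_policy(scheme: str, ctx) -> bool:
    """Gate a connection attempt: encrypted, verified, TLS 1.3 or better."""
    return (scheme == "ftps" and ctx is not None
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_3
            and ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED)


if __name__ == "__main__":
    for host in ("10.20.30.40", "files.partner.example"):
        for name, policy in (("legacy", legacy_transport), ("zero trust", zero_trust_transport)):
            scheme, ctx = policy(host)
            print(f"{name:10s} {host:24s} {scheme:5s} policy ok: {meets_policy(scheme, ctx)}")
    # With the standard library client: ftplib.FTP_TLS(host, context=hardened_context())
```

The `meets_policy` check is the part to keep: applied in front of every outbound connection it turns "we only use plaintext internally" from a judgement call into something the code refuses to do, whatever the address.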
Data Leakage Protection (DLP) & Malware
You’ll probably start to notice a pattern here.
My introduction to the world of file transfer came at the fledgling beginning of an information security career, and as such I have been part of a number of DLP projects. In that time I witnessed many implementations which started with blanket policies and, over time, had various exceptions added due to perceived interruptions to the work of teams and individuals who were ultimately deemed trustworthy enough to justify the exemption. Again, this assumption of good standing conflicts with a zero trust model.
While file transfer solutions often do not include DLP and anti-malware technology themselves, they interoperate with or connect to solutions which do, and the temptation to add exemptions remains. It should not be indulged. On the basis that nothing is trusted, every file, in both directions, should be challenged and scanned.
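The scan gate described above, as an added illustration rather than any vendor's integration code: a pipeline that runs a (deliberately minimal) malware check and a (deliberately minimal) DLP check over every file, shown beside the exemption-laden gate the text warns against. The EICAR string is the standard harmless anti-virus test file, the card detector is a Luhn-validated digit-run match, and the account names and sample files are constructed.

```python
"""A scan gate applied to every file in both directions, with no exemptions by
account. Added illustration; the two detectors are deliberately small stand-ins
for a real anti-malware engine and DLP policy, and the account names are made up."""
import re
from dataclasses import dataclass, field

# The EICAR anti-virus test string: harmless, and detected by every AV engine.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# 13 to 19 digits, optionally separated by spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def scan(content: bytes) -> Verdict:
    reasons = []
    if EICAR in content:
        reasons.append("malware: EICAR test signature")
    text = content.decode("utf-8", errors="ignore")
    cards = [m.group(0) for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group(0)))]
    if cards:
        reasons.append(f"dlp: {len(cards)} payment card number(s)")
    return Verdict(not reasons, reasons)


# --- the pattern the text warns against ---------------------------------------
EXEMPT_ACCOUNTS = {"finance-batch"}        # "trusted" accounts accumulated over time

def legacy_gate(account: str, direction: str, content: bytes) -> Verdict:
    if account in EXEMPT_ACCOUNTS or direction == "outbound":   # exemptions creep in
        return Verdict(True, ["skipped: exempt"])
    return scan(content)


# --- zero trust: identity and direction are logged, never used to skip ----------
def gate(account: str, direction: str, content: bytes, log: list) -> Verdict:
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction {direction!r}")
    verdict = scan(content)
    log.append((account, direction, verdict.allowed, verdict.reasons))
    return verdict


if __name__ == "__main__":
    samples = {                                           # constructed sample files
        "clean.csv": b"id,amount\n1,100\n",
        "export.csv": b"customer,card\nJ Smith,4111 1111 1111 1111\n",   # valid Luhn
        "ids.txt": b"ticket 1234567890123456\n",                         # fails Luhn
        "test.com": EICAR + b"\n",
    }
    audit = []
    for name, data in samples.items():
        legacy = legacy_gate("finance-batch", "outbound", data)
        strict = gate("finance-batch", "outbound", data, audit)
        print(f"{name:12s} legacy={legacy.allowed!s:5s} zero-trust={strict.allowed!s:5s} {strict.reasons}")
```

Run against the constructed samples, the legacy gate waves all four files through for the exempt account, while the zero trust gate blocks the card export and the EICAR file and still lets the clean file and the non-card digit run pass; the account and direction end up in the audit log, which is the only thing they should influence.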
Zero Trust in Summary
Having worked in file transfer and information security for almost two decades, I often find myself quoting that there is nothing new under the sun. I believe this is also true of the zero trust model, which on the face of it is simply a grouping of sensible security practices under the mantra of “never trust, always verify”. This should not be taken as cynicism. I welcome the simplification, or bannering, of security into principles which are easier to consume and, more importantly, easier to convince stakeholders of. In each of the areas above we have seen many customers fall into the trap of allowing exceptions, and, backed by the convincing argument of convenience or of avoiding interruption, those exceptions have been hard to combat. A wider model such as zero trust gives security’s cause greater weight and a stronger weapon to wield in that fight.
In the case of file transfer in particular, the principles are fundamental to its existence even when they are not labelled as zero trust. With most file transfer solutions handling personal data, business-sensitive data or intellectual property, a breach or loss of such data could have a wide-reaching impact on a business’s ability to execute on its long-term objectives.
If zero-trust is a model you want to follow in your business, and apply to your file transfer infrastructure but don't know where to start - one of our team can help. We can review your existing deployment and provide recommendations on how to secure your system with zero trust in mind. Visit our contact page today.