Protecting Data in the Event of Breach with Zero Trust

This article is shared from the archTIS blog

New Zealand’s Central Bank File Sharing System Hacked

This weekend New Zealand’s Central Bank announced that its third-party file sharing system was hacked. While details around the incident are scarce at this time, hacking of information technology systems is a chronic cybersecurity issue. The breach, while now contained, is thought to have involved commercially and personally sensitive data; to what extent is under investigation. There are ways to protect your data in the event of a breach like this, because, let’s face it, in today’s cybersecurity landscape it’s just a matter of time before you become a victim. Now is the time to apply a Zero Trust approach to your data access.

Protecting Data in the Event of a Breach

While not much is known about the breach at this time, the reference to the breach of a “third party service” being illegally accessed provides some clues. It is very likely that a cloud-based file sharing system was hacked. Most breaches of this type are caused by a user account compromised via malware, phishing or a weak password, or by “over-sharing”. For example, sharing with “Everyone” or sharing via an anonymous sharing URL (i.e. a sharing URL that contains an authentication token and does not require the individual user to authenticate).

There is a significant flaw with most security software and with many security policies that makes data vulnerable: the login process is not robust enough to guarantee that the logged-in user is who they say they are. So, if someone logs in with stolen credentials, they can use the access and privileges of the compromised account to navigate systems and data, stealing as they go.

Instead, a strong security policy should be based on ‘Zero Trust’ – it should not automatically trust any user inside or outside your perimeter, but instead verify anyone trying to connect to any system, application or individual data file before granting access. Attribute-based access control (ABAC) is a Zero Trust security model that evaluates attributes (characteristics of the data and/or the user), rather than roles, to determine access. It uses a data-centric security approach that evaluates each file’s attributes, including security classification and permissions, as well as user attributes such as security clearance, time of day, location and device, to determine who is able to access, as well as edit and download, files.

This gives organizations granular, real-time control over access to information by deciding, at the moment of the request, whether the user should be given access to the requested information based on all of these parameters. If the user scenario does not match, or appears suspicious, then access is denied or a restricted view of the data is provided. For example, if an authenticated user is trying to access a sensitive file they own, but it is outside of business hours and they are using a BYOD device in another country, file access will be denied – effectively thwarting a hacker using stolen credentials.
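As an added illustration (not code from the article, nor from NC Protect or Kojensi), here is a minimal ABAC decision function in Python for the scenario above: clearance is checked first, then contextual attributes (time of day, device, country) are counted, and the owner of a sensitive file is still denied when two or more of them look wrong. The three-level classification scale, the home country and the business-hours window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"            # open in the normal editor
    RESTRICTED = "restricted"  # read-only view in a secure reader, no download
    DENY = "deny"

@dataclass
class FileAttrs:
    owner: str
    classification: str        # "public", "internal" or "sensitive" (constructed scheme)

@dataclass
class RequestContext:
    user: str
    clearance: str             # same scale as classification
    device: str                # "managed" or "byod"
    country: str               # country code of the connecting client
    when: datetime             # local time of the request

LEVEL = {"public": 0, "internal": 1, "sensitive": 2}
HOME_COUNTRY = "NZ"                          # assumed home jurisdiction
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed working window

def risk_signals(ctx: RequestContext) -> int:
    """Count contextual attributes that deviate from the expected pattern."""
    in_hours = BUSINESS_HOURS[0] <= ctx.when.time() < BUSINESS_HOURS[1]
    return int(not in_hours) + int(ctx.device == "byod") + int(ctx.country != HOME_COUNTRY)

def evaluate(f: FileAttrs, ctx: RequestContext) -> Decision:
    # Clearance is checked first: a valid login never substitutes for it.
    if LEVEL[ctx.clearance] < LEVEL[f.classification]:
        return Decision.DENY
    signals = risk_signals(ctx)
    if f.classification == "sensitive":
        # Ownership does not override context; this is what stops stolen credentials.
        if signals >= 2:
            return Decision.DENY
        return Decision.RESTRICTED if signals == 1 else Decision.ALLOW
    # Less sensitive data tolerates one anomaly before dropping to the secure reader.
    return Decision.RESTRICTED if signals >= 2 else Decision.ALLOW

if __name__ == "__main__":
    report = FileAttrs(owner="alice", classification="sensitive")
    # The article's scenario: the owner, after hours, on BYOD, from another country.
    late_abroad = RequestContext("alice", "sensitive", "byod", "AU", datetime(2021, 1, 11, 23, 30))
    print(evaluate(report, late_abroad).value)   # deny
```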

Benefits of Real Time, Attribute-based Access & Sharing Control

Using a solution leveraging ABAC policies to control access to sensitive data has many benefits and affords granular controls including:

  • User-specific encryption and DLP – Secure information every time a file is opened using security policies that are specific to each user. For example, ensure each user opens their own encrypted copy of the original document. Lock down functions such as print, save as, copy and paste based on the sensitivity of the document.
  • Time-limited access – When a file is provided to a user, a policy of minimal access time should be enforced. For example, if a user opens a file for editing, they should have at most 8 hrs to perform the editing before it should be saved back to its origin. Outside of this window, access should be denied even to the authenticated user.
  • Secure Reader – If a user only requires read access, force viewing in an in-app secure reader rather than the standard editor.
  • Personalized watermarks – Incorporate user attributes such as name, date and time to track the chain of custody of printed materials and to deter photographing, an easy way to bypass security measures.
  • Reduced attack surface – Document proliferation is an unpleasant side effect of many collaboration platforms. When a user adds a file to a chat message, sends an email or uses a cloud-based editor, copies of the document are left lying around – often in locations far less secure than the source document. Robust security protection should prevent this and instead force users back to a single master document.

A Zero Trust Security Model is the Way Forward

Today organizations must assume they will be compromised by a bad actor, disgruntled employee or malicious software. Zero Trust should not just be employed for system and application access; it must also extend to individual file access. Only by using intelligent, real-time data security controls that leverage ABAC policies can you prevent a compromised user account from resulting in data loss.

Learn more about data security solutions using ABAC controls for zero trust data access.

LEARN MORE ABOUT NC PROTECT

NC Protect is both content and context aware to automatically find, classify and secure unstructured data on-premises, in the cloud and in hybrid environments. The platform is fully integrated with Microsoft Office 365, SharePoint, Teams, Yammer, Dropbox and file shares to centrally secure your collaboration tools.

LEARN MORE ABOUT KOJENSI

Kojensi is a highly secure and trusted platform for sharing sensitive and classified files and document collaboration.