Julie Taylor

ZTNA: Zero Trust Network Access…Almost, But Not Quite.

Recently a critical bug was discovered in Fluent Bit, a popular open-source cloud logging tool used by all significant CSPs and several cybersecurity vendors. Like many third-party vulnerabilities, it can lead to cross-tenant data leaks despite customers' internal access controls and security frameworks, including Zero Trust Network Access (ZTNA). Vulnerabilities like these underscore a key issue with access control-based security measures, including ZTNA — they do not protect the data itself. 


The Reality Check: Is Zero Trust Really Achievable?


ZTNA is an acronym for Zero Trust Network Access, but is true zero trust even possible? 


The acronym may have been coined in 2019, but the broader concept of “never trust, always verify” has been around for several decades. With ZTNA, trust is never implicit; it must be earned via credentials and a historically strong security posture and maintained through adherence to acceptable behaviors and authorized actions. 


The concept is promising, but here’s the catch: 94% of ZTNA solutions in the market today fail to deliver the complete security coverage they promise. Most solutions have yet to implement the core ZTNA principle of continuous adaptive trust and instead perform only point-in-time verification. A lot can happen after that initial verification, including abuse of trust.



Zero Trust Network Access Can't Prevent Trust Abuse


The problem with zero trust is that any kind of network access or transaction requires some level of trust. Too much trust can lead to breaches, while too little trust can hinder all business operations and make security impractical. Current ZTNA deployments struggle to strike the right balance — invoking just enough trust to enable authorized and validated network activities without granting the level of control that could be abused. 


To highlight some of ZTNA’s trust issues, consider a few examples of how “authorized” entities can breach ZTNA’s trust: 


  1. Authorized insiders can encrypt and send data to external networks and applications. 

  2. Third-party cloud providers and SaaS applications depend on hundreds of thousands of components and services with undiscovered vulnerabilities that can lead to data loss.

  3. Identity Service Providers’ (IDPs) products enable identity-based access controls, but bad actors can exploit them to compromise credentials, gain trust, and exfiltrate data. 

  4. User devices may already be infected with malware, leading to encryption and theft of locally stored corporate data. 

  5. Authorized system components with higher privileges can be compromised and exploited by bad actors with lower privileges to perform actions on their behalf. Even if all components behave within their scoped privileges, this can lead to data exfiltration.


Client-based ZTNA solutions don’t cover personal or BYOD devices, whereas cloud-based ZTNA struggles to protect data downloaded locally onto devices. A hybrid solution also has its limitations: it doesn’t account for what happens to the data once it leaves ZTNA’s protective zone through one of the “authorized” avenues mentioned above.


Extending Zero Trust to Data via Data-centric, Granular Security Controls


A simple solution to prevent trust abuse would be to lock down data completely. However, such an approach creates a crippling trade-off: absolute zero trust means zero access, zero transactions, zero innovation, and zero business! A more nuanced approach is to apply data-centric security controls at a much more granular level. In simple terms, this means extending ZTNA’s least-privilege access to the data and data fields within applications and documents. 


Selective Encryption to Reinforce ZTNA


To offer advanced data protection, ZTNA must go beyond validating the identity and integrity of users and devices to inspect access requests and actions at the data layer, down to the individual data fields and portions. It means implementing data controls like encryption at a much more granular level, allowing users to access only the parts of information relevant to them and their job roles. Sensitive information, such as PII, financial details, figures, or corporate secrets, should stay encrypted except for users with explicit permissions on a need-to-know basis. 


Granular Controls Beyond Initial Access 


However, data-centric security controls must extend beyond access to other actions like edits, downloads, and sharing. In other words, they must limit what authorized users can do with the data. For instance, these controls could disable the re-encryption of data to prevent bypassing DLP (Data Loss Prevention) solutions. This can prevent established connections from abusing the trust ZTNA must inevitably grant after initial verification. Finally, these advanced data protection controls must be embedded within the data itself so that wherever the data goes, the encryption and other controls follow.  
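One way to realize the field-level, policy-carrying encryption described in the last two sections, as an added example and not Confidencial’s product or code: each field is sealed under the key of the role entitled to it, and the per-role action policy (read, edit, share) travels with the record and is bound into every field’s AES-GCM tag, so a policy that is stripped or edited after sealing fails to decrypt. The role names, role keys and the JSON policy layout are assumptions made for this demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"slices"
)

// Field is one encrypted value; Role names the only key that can open it.
type Field struct{ Role string; Nonce, CT []byte }
// Record carries its policy (role -> allowed actions) with the ciphertexts. The
// policy is bound to every field as AES-GCM additional data, so editing it after
// sealing (e.g. adding "share" to a role) breaks authentication of every field.
type Record struct {
	Policy map[string][]string
	Fields map[string]Field // construct with an empty map before Seal
}

// mustGCM builds AES-GCM for a role key; a bad key length is a programming error.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // only fails for non-standard block sizes
	return g
}
// policyBytes is canonical because json.Marshal sorts map keys.
func (r *Record) policyBytes() []byte { b, _ := json.Marshal(r.Policy); return b }
// Seal encrypts one field under the key of the role permitted to read it.
func (r *Record) Seal(name, role string, key, plaintext []byte) error {
	g := mustGCM(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	r.Fields[name] = Field{role, nonce, g.Seal(nil, nonce, plaintext, r.policyBytes())}
	return nil
}
// Open releases a field only if the role holds its key and the unmodified policy lists the action.
func (r *Record) Open(name, role, action string, key []byte) ([]byte, error) {
	f, ok := r.Fields[name]
	if !ok || f.Role != role || !slices.Contains(r.Policy[role], action) {
		return nil, errors.New("field or action not permitted for role")
	}
	return mustGCM(key).Open(nil, f.Nonce, f.CT, r.policyBytes())
}
```

In practice the role keys would come from a key service that releases them only after the continuous device and identity checks ZTNA already performs; the record itself never stores a key.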


Introducing Shift-up ZT…


At Confidencial, we refer to data-centric ZTNA as “Shift-up” ZT, which overcomes ZTNA’s limitations concerning implicit trust. It does so by implementing zero-trust principles at the data layer itself.


Learn more about the upcoming paradigm shift within ZTNA implementations as data becomes the new perimeter. Download our latest whitepaper, “Data is the New Perimeter: “Shift-up” Zero-Trust to Cover Application Data”, now to get exclusive insights into the future of ZTNA implementations. 


