Zero trust has become ubiquitous in cybersecurity. Walk any vendor hall at a conference (once we are allowed to have them again) and I am willing to bet you won’t make it three booths before seeing a zero trust marketing message—and that’s not necessarily a bad thing. Zero trust is a great methodology that makes a lot of practical sense—always verify the identity of something before granting access rights to resources. However, the challenge with zero trust has always been in the details of the implementation. The fine-grained policies provided by a zero trust approach is great from a security perspective but can quickly become untenable from a management perspective.
Application of Zero Trust
To date, most zero trust solutions have been focused on two main areas: remote access control and internal access control. Zero trust applied to remote access controls has seen the most success in the market because the fine granularity of the policy enforcement is exactly what security teams need and are used to with traditional remote access controls. The only difference is policies now give access to specific applications rather than network segments. The users accessing the applications don’t change all that often relative to the dynamism of modern computing environments which means the management complexity doesn’t increase too much when compared to traditional policies. The users are also relatively easy to identify and classify for security teams which makes policy definition easy. Making a mistake with a policy has limited impact and results in a user being blocked from accessing an application but doesn’t typically impact the application availability for others.
In contrast, zero trust internal access control has struggled to be adopted in the market because there is a noticeable increase in management complexity when compared to traditional network firewall boundary definitions. The goal of controlling what applications in an environment can talk to other applications through network firewalling has proven difficult because a lot of environments are immensely complex and ephemeral, and network primitives like IP and port are woefully inadequate for defining robust policies under these conditions. Defining policies to cover all possible permutations of network connections within the environment in a way that makes the policies adaptable to change usually is an impossible task. The stakes are also high in terms of accuracy because getting a policy wrong can take down an entire application if access to dependencies is accidentally blocked.
Data Access Security Broker
Despite the attempts of multiple companies in the past few years, applications of zero trust to internal access controls has yet to be widely adopted. That is why it was very interesting when the TAG Cyber team sat down with SecureCircle to discuss how they are attempting to solve the problem. SecureCircle is tackling this problem by applying control directly to data rather than the network. The policies are defined in Circles which are a grouping of users, devices, and applications. The bytes of files are encrypted the moment they are written to disk in a transparent manner that doesn’t impact the end user. Only authorized users on allowed devices using allowed applications can access the unencrypted bytes which allows the company to always have complete control of their data. By applying policies to data, SecureCircle creates a zero trust Data Access Security Broker (DASB) that allows data to be migrated from on-premises to the cloud or from cloud to cloud while remaining protected at rest, in transit, and while in use.
The DASB approach removes some of the management complexity that traditional network-based approaches to zero trust internal access control have encountered. DASB policies are not tied to network primitives which makes them more robust and better able to adapt to ephemeral environments. DASB also utilizes principles that are familiar to security teams by treating access to data much the same as remote user access to internal environments. This will be very important as many zero trust internal access control projects struggle to get started simply because security teams don’t have the knowledge required to define which applications should be communicating with other applications in an environment.
By shifting the focus to the data, security teams will have less reliance on application teams to define policy. Continuing to minimize operational overhead will be key to the success of solutions using zero trust for internal access controls, and SecureCircle’s DASB solution removes some of the complexity by applying policies to data.