Trust no one:  A better way to close the security gap?


Agencies are increasingly turning to predictive analytics to root out fraud, but those aren’t the only tools being used to spot and control anomalous behavior. New identity security tools are emerging to help enterprises that might be victimized in fraud schemes enabled by insiders or attackers using insider credentials. Those users have been at the center of several recent high-profile attacks. Their privileges were exploited as the result of sophisticated spear-phishing attacks, including the one on health insurer Anthem earlier this year in which 80 million records were stolen.

“These are privileged users with access to everything in the database — not just their records; they have the ability to go from system to system inside a corporate or government infrastructure,” said Ken Ammon, chief strategy officer at Xceedium.

“What happens is criminals target those individuals because they know their roles or their accounts are extremely powerful in the organization,” Ammon said. “If they can send them an email that they might click on, it installs as a super user who now can download the entire corporate database from network to network.”

To help defend against that vulnerability, Xceedium has embraced a policy of “zero trust,” whereby access is extended only for a specific reason and for a specific amount of time.

“It’s a method in which you are now managing the enablement rather than trying to curtail certain transactions on the network,” Ammon said. It gives network managers “a very small subset of items [that] an individual has credentials and capabilities to do.”

The company’s Xsuite is built around that policy. “A big component that has been missed in authentication — which the government is really in a game-changing position to demonstrate the value of — is around tying a unique identity to the authorization process,” Ammon said. Without that capability, security managers “really have no idea who you are.”

Xsuite denies network access to all systems and applications except those that are expressly allowed. The product also monitors, records and audits privileged access to systems in legacy IT, cloud or hybrid configurations and provides DVR-like recordings of privileged user sessions, which eases continuous monitoring and forensic activities.

“If you have 10,000 people in an organization, you might have 700 people or less that you might consider privileged,” Ammon said. The tool gives those high-level users “the equivalent of a video camera watching their screen for everything that they do. And we will enforce a policy while they’re doing the job.”
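The default-deny, time-bounded access model described above, as an added example that is not part of the original article and not Xceedium's product code: a small Python broker in which every privileged action is refused unless an unexpired grant tied to a specific user, a specific system and a stated reason exists, and every grant, revocation and access decision is appended to an audit trail that a reviewer can later summarise. The class and function names (`PrivilegedAccessBroker`, `denied_systems_by_user`, `run_scenario`) and the "dba-alice" scenario are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Grant:
    """One permission for a named identity on a named system, issued for a stated
    reason and valid only until expires_at. (Constructed data model for this example.)"""
    user: str
    system: str
    reason: str
    expires_at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    why: str


class PrivilegedAccessBroker:
    """Default deny: an action is permitted only while an unexpired grant exists for
    exactly this (user, system) pair. There is no implicit access to anything else.
    Every grant, revocation and decision is recorded so that a reviewer can
    reconstruct what a privileged identity did and where it was refused."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str], Grant] = {}
        self.audit_log: List[dict] = []

    def grant(self, user: str, system: str, reason: str,
              duration: timedelta, now: datetime) -> Grant:
        # A grant must say why it exists and must end; open-ended access is rejected.
        if not reason.strip():
            raise ValueError("every grant must state the reason it was issued")
        if duration <= timedelta(0):
            raise ValueError("grant duration must be positive")
        g = Grant(user, system, reason, now + duration)
        self._grants[(user, system)] = g
        self._record(now, user, system, "grant", True, reason)
        return g

    def revoke(self, user: str, system: str, now: datetime) -> bool:
        removed = self._grants.pop((user, system), None) is not None
        self._record(now, user, system, "revoke", removed,
                     "revoked" if removed else "no grant to revoke")
        return removed

    def authorize(self, user: str, system: str, action: str, now: datetime) -> Decision:
        g = self._grants.get((user, system))
        if g is None:
            d = Decision(False, "default deny: no grant for this user on this system")
        elif now >= g.expires_at:
            del self._grants[(user, system)]  # expired grants are dropped, never renewed silently
            d = Decision(False, "grant expired at " + g.expires_at.isoformat())
        else:
            d = Decision(True, "valid until %s for: %s" % (g.expires_at.isoformat(), g.reason))
        self._record(now, user, system, action, d.allowed, d.why)
        return d

    def _record(self, when: datetime, user: str, system: str,
                action: str, allowed: bool, detail: str) -> None:
        self.audit_log.append({"time": when.isoformat(), "user": user, "system": system,
                               "action": action, "allowed": allowed, "detail": detail})


def denied_systems_by_user(audit_log: List[dict]) -> Dict[str, List[str]]:
    """Summarise the trail: for each user, the distinct systems on which an access
    attempt was refused, in order of first refusal. One privileged identity being
    refused on several systems in a short window is what a reviewer looks at first."""
    out: Dict[str, List[str]] = {}
    for e in audit_log:
        if e["action"] in ("grant", "revoke") or e["allowed"]:
            continue
        systems = out.setdefault(e["user"], [])
        if e["system"] not in systems:
            systems.append(e["system"])
    return out


def run_scenario() -> dict:
    """Constructed scenario: a DBA gets 30 minutes on one database for one ticket,
    then tries other systems, and a second user with no grant tries the database."""
    t0 = datetime(2015, 8, 20, 9, 0, tzinfo=timezone.utc)
    broker = PrivilegedAccessBroker()
    broker.grant("dba-alice", "hr-db", "ticket INC-0042 (constructed): rebuild index",
                 timedelta(minutes=30), t0)
    m = timedelta  # shorthand for offsets below
    return {
        "in_window":    broker.authorize("dba-alice", "hr-db", "SELECT", t0 + m(minutes=5)).allowed,
        "other_system": broker.authorize("dba-alice", "payroll-db", "SELECT", t0 + m(minutes=6)).allowed,
        "file_server":  broker.authorize("dba-alice", "file-srv", "READ", t0 + m(minutes=7)).allowed,
        "no_grant":     broker.authorize("admin-bob", "hr-db", "SELECT", t0 + m(minutes=8)).allowed,
        "after_expiry": broker.authorize("dba-alice", "hr-db", "SELECT", t0 + m(minutes=31)).allowed,
        "denied_on":    denied_systems_by_user(broker.audit_log),
        "events":       len(broker.audit_log),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The grant key is the exact (user, system) pair, so holding a grant on one database gives nothing on a neighbouring one; that is the property that contains a compromised privileged credential to the one system and the one window it was issued for, and the audit summary makes the refused hops visible rather than silently dropping them.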

Identity security is behind another application designed to flag the activities of agency employees who might be involved in or subjected to fraud. InfoZen’s IDentrix continuously monitors personnel data, starting with prehire background checks, to alert organizations to potential internal threats.

The software checks more than 65 public identity attributes, including criminal and court records, to keep employees’ risk profiles continuously updated and correlated through their entire work history.

“The concept of continuous monitoring is what everyone is now waking up to,” InfoZen CEO Raj Ananthanpillai said. An individual whose security status is not updated “can do significant damage in 10 years. If you had alerts set up saying, ‘If anything in these categories happens to that individual,’ you could investigate and take preemptive action.”

However, he added, “I’m not saying this is going to solve problems, but at least you would mitigate a big chunk of the problem.”

Partial fixes to big threats might ultimately cut the fraud problem down to size, but unfortunately anti-fraud developers don’t see fail-safe solutions in the near future.

About the Author

Paul McCloskey is senior editor of GCN. A former editor-in-chief of both GCN and FCW, McCloskey was part of Federal Computer Week's founding editorial staff.


Reader Comments

Mon, Sep 14, 2015 Trent

While zero trust sounds good, if you read the article there's a degree of adapting to user needs that comes out in every example. Adaptive Trust is a message & philosophy that seems to work better for mobile environments here at Aruba/HP.

Tue, Aug 25, 2015 Neil

Oh, default deny? I have pushed this security philosophy every time my opinion has been asked since 1995. CIOs are too scared of the immediate cost and blowback from users. It's kind of stupid since they'd rather lose their jobs when they get hacked, than implement security that really works and get some complaints. Marcus Ranum has always advocated ground up default deny network design. This is not a new idea.

Fri, Aug 21, 2015 Adam Boone, Certes Networks

This article is spot on. I can speak from personal experience based on knowledge of hundreds of security architecture designs that follow this same "No Trust" or "Zero Trust" model. The fundamental flaw in the typical security architecture is the assumption that the internal enterprise networks and IT assets are "trusted" or "safe" because of a perimeter based on firewalls. As we have seen in breach after breach, this notion is completely wrong. In fact, it's dangerous, because it lulls IT managers into a false sense of security. In case after case, hackers targeted a contractor or an employee and, once they had those credentials, the hackers used those credentials to access an application or resource and hop from app to app to app. The problem is especially dire if the attackers succeed in compromising a privileged user like the users Xceedium is talking about. In the "trusted" environment model, nothing restricts lateral movement or enforces access controls to block them. The bottom line is that you are only as safe as your least secure partner or user. And if that user is a super-user, then you face an even graver risk. But the "No Trust" model assumes that any users can and will be compromised, that hackers will make it past the firewall, or are already inside. The architectures I have seen built on this premise use application access controls that are tightly aligned with user roles and identity, and that use segmentation to isolate applications even on internal networks. These two steps ensure that only authorized users have access to the applications they need and, should one be compromised, the attackers are contained and cannot move laterally into the most sensitive applications. Adam Boone
