In fascinating 2018 testimony before a US congressional subcommittee on terrorism and illicit finance, Lillian Ablon provides insights into what threat actors are really after when they carry out cyber-attacks against their enterprise and agency targets. Obviously, different threat actors and groups have different motivations, and the testimony lays all of that out very clearly. What is apparent in the testimony, though, is the fact that an organization’s data is by far the main prize. Whether they gain entry into a data environment through security holes or plain human error (like misconfigurations), or anything in between, threat actors want sensitive information so that they can leverage it, weaponize it, and ultimately monetize it for their own gain. Hopefully most people won’t be shocked by this statement: threat actors aren’t after network resources or application resources for any reason other than to intercept, collect, and exfiltrate information traversing them so that they can use stolen data for their own nefarious purposes. They want your company’s information, not your IT resources or assets!
This blog post is the second in a series focused on the increasingly popular Zero Trust cybersecurity framework and data-centric security.
If you recall from the first post in this series, I summarized some of the principles of Zero Trust, which is a framework for preventing any bad actors from gaining access to an IT environment and doing what Lillian Ablon discusses in that testimony. Some of those ZT precepts include reducing reliance on perimeter-based network protection, granting no trust to any user, device, or application solely based on location within the network, and constantly challenging requests for data or services instead of simplistic “one-and-done” authentication methods. Look at the ways in which most vendors and even governmental agencies describe the principles of Zero Trust, and usually you will see a diagrammatic representation of the different focus areas in implementing ZT emphasizing different “pillars” of the infrastructure, such as the network, the device pool, and the user base. As a matter of fact, the US Department of Defense builds its entire reference architecture around these pillars and uses them to describe the different tools, methods, and best practices within each one that, if implemented correctly, can bring an organization closer to an effective Zero Trust model. These pillars must be the best way to represent a ZT framework, because who’s going to argue with the US DoD?
OK, so while I wouldn’t dare argue with the clarity and utility of the reference architecture the DoD establishes, I might quibble about one important matter: data as a pillar. My argument may be partly a semantic one, but in my opinion data is not a pillar. Bear with me here while I discuss architecture a bit (not IT architecture but, you know, buildings and structural architecture). I’ll even seed your imagination first by asking you to think of something like the Greek Parthenon. Go ahead, close your eyes and think about it (or just scroll back up to the header image if memory fails you). What’s there? Pillars. Lots of them. Big, heavy, stone pillars intended for a single purpose (okay, two if you include aesthetic quality): structurally supporting what’s above them.
Now, I’m not going to get into classical architectural design with references to entablatures and triangular pediments, because that’s a conversation for people who actually know a lot about those things (which admittedly I don’t, other than what my own favorite search engine can provide me), but without the pillars, those fantastic, ornate stone pediments, well, they don’t stay up for very long. In an incredible example of “things just don’t seem to change through the years,” my own porch has columns, with a triangular pediment and roof structure all intended to keep me dry as I sit on my rocking chair while it’s raining. The columns (pillars) are there to support that roof, which is arguably the more important part of any column’s or pillar’s raison d’être (pardon my French).
Get to the point, Morgan (something I’ve heard quite a bit in my life). My ultimate point is, data isn’t a supporting part of the IT infrastructure the way networks and devices and applications are. Data is the point, and those resources support data, from its creation through its evolution and storage all the way through to its final destruction. Now we’re back to the testimony given before Congress—those bad folks are after your data, trying to exploit those supporting pillars to get to it. Data is on top, king of the hill, the crowning glory of your IT infrastructure and your entire organization. We call it information technology for a reason.
Which raises an important question. If we buy my argument that data is not a pillar but is instead the focus of it all, is it more important to guard and protect the supporting infrastructure, or the data itself? I have some thoughts on that, so come back for #3 as I argue for the predominance of data-focused security, what we call data-centric security, within the Zero Trust paradigm.