Data-Centric, Zero-Trust Security

by

Let me start by sharing the foundational and most important aspect of our view of cybersecurity operations and the genesis of why we created JupiterOne. Prior to JupiterOne, I was leading the cybersecurity operations teams as a CISO at LifeOmic, a precision health software company. LifeOmic stored and processed, sensitive and protected health data. During my tenure, we built our security on a Data-Centric Model and Zero-Trust Architecture and built a software platform to support this approach.

We not only invested heavily in automated security from our inception but, based on feedback from other software companies, we productized the security management platform that we created as JupiterOne  – effectively delivering "Precision Security".

Data-Centric Model and Zero-Trust Architecture

There's lots of chatters online and promotions by cybersecurity vendors of the zero-trust model recently. Yet the concept is not new. Back in 2006, IBM published a data-centric security model. Forrester and NIST jointly promoted the concept of zero-trust network security in 2010.

It is actually quite easy to understand. First, get a good grip on your data  – the types of data you have, where they are stored, who needs access, etc.  – and then segregate your networks into smaller, protected segments based on data criticality. Access to each network segment should be independently granted and verified based on the principle of "least-privilege", and all traffic should be inspected and logged. This extends the practice of "trust but verify" to "never trust, always verify".

If this is a model that can significantly improve the security posture of an organization, why hasn't it been more broadly adopted yet? Because it is hard  – implementing a data-centric, zero-trust model using conventional IT systems and traditional operational processes is extremely costly, if not completely infeasible. This is especially true for a large, established enterprise battling against decades of legacy.

Luckily, today we have the opportunity to take advantage of the increasingly mature cloud infrastructure and software defined networks to make this happen.

Let's talk about what this meant for my security team at LifeOmic. Keep in mind I am describing one approach, not the only approach. And while this approach works for us, and hopefully many others, it may not be suitable for everyone.

Bear with me on a little more context ...

Most attacks start by taking advantage of vulnerabilities at a relatively low risk system  – usually an end-user device. This gives attackers "a way in" to the corporate environment. After gaining a foothold, the attacker can now try to escalate privilege and move laterally to compromise other devices on the internal network, until the final targets are reached.

How do you ensure, at any given time and at all times, that none of the user systems on the internal network are compromised and therefore cannot further infect and impact others on the same network?

Regardless of the size of your organization, the probability of someone's system getting compromised at some point is practically guaranteed.

What if we completely take that away? What if we don't have an internal network altogether?

No internal network. (Almost) 100% cloud. Fully segregated.

That's exactly what we chose to do at LifeOmic. Each end-user system is fully independent. They are not on an "internal" network that grants them a level of inherent trust or any access to other systems.

Wait, does that mean LifeOmic's workforce is 100% remote? No. We do have physical office locations. We provide gigabit fiber Internet at the office. There is a guest wireless network separated from employee access. However, the key differences are:

No production access. No domain. Individually secured devices.

Let's not kid ourselves. We've tried for decades to lock down all users and all endpoints. It hasn't worked yet and it probably never will. In a zero-trust model, if a user can never have access to critical data, why waste the energy and resources putting up unnecessary constraints that accomplish nothing but generate noise and complaints? Trust me, it's not worth it. We need to take a more targeted approach.

  • LifeOmic users do not have privileged access to production systems. Unless, of course, in an emergency which follows a defined procedure that grants temporary access to only a very limited number of individuals.
  • The end-user devices are not part of an active directory domain. There are simply no "keys to the kingdom". Those are Christmas gifts to the attackers, nightmares to the security team.
  • Each user's device is individually secured and centrally monitored in JupiterOne with a next-generation endpoint security agent. If suspicious activities are detected or the agent is deactivated, the user's access to critical business systems will be revoked. This provides the flexibility to allow users to be a local administrator of their machines.

To sum up ...

The data-centric, zero-trust architecture gives us greater visibility and more focused controls. It allows us to create virtually air-gapped environments to better protect customer data. At the end of day, we cannot guarantee that none of our systems will ever be compromised. But we are doing everything we can to ensure that the compromise of any user, device, or network means the compromise of that environment itself and it alone.

" ...the compromise of any user, device, or network means the compromise of that environment itself and it alone."

We are "trapping" the attackers within the smallest blast radius possible that is very difficult, if not impossible, to expand. It's not a good place to be for an attacker.

This approach dramatically decreases the chance of a compromise replicating into our mission-critical environments and significantly increases the chance of detection before it is too late  – effectively ensuring the security team can always stay one step ahead of the bad guys. This one step ahead is often all that matters.

You may have more questions than answers at this point. That's okay, we are here to help. We'll get there. So far, I've only described the most foundational layer of our security model. For this to work, we have implemented many other controls to allow the level of flexibility and security mentioned above. They work collectively in one cohesive ecosystem  – the lack of any will significantly weaken the overall design. That's why we developed JupiterOne, putting precision in modern cybersecurity operations. #PrecisionSecurity

This article was originally published on LinkedIn.

Erkang Zheng
Erkang Zheng

I founded JupiterOne because I envision a world where decisions are made on facts, not fear; teams are fulfilled, not frustrated; breaches are improbable, not inevitable. Security is a basic right.

We are building a cloud-native software platform at JupiterOne to deliver knowledge, transparency and confidence to every digital operation in every organization, large or small.

I am the Founder and CEO of JupiterOne, and also a cybersecurity practitioner  with 20+ years experience across IAM, pen testing, IR, data, app, and cloud security. An engineer by trade, entrepreneur at heart, I am passionate about technology and solving real-world challenges. Former CISO, security leader at IBM and Fidelity Investments, I hold five patents and multiple industry certifications.

Keep Reading

‘Type and go’ - New JupiterOne search bar enhancements
October 30, 2023
Blog
‘Type and go’ - New JupiterOne search bar enhancements

JupiterOne aggregates and normalizes data from hundreds of different sources so you can identify and triage security risks easily.

Identify and eliminate endpoint device security gaps using the new JupiterOne Unified Device Matrix
October 6, 2023
Blog
Identify and eliminate endpoint device security gaps using the new JupiterOne Unified Device Matrix

It seems like a simple question. “Are any of our deployed user endpoint devices missing an endpoint detection and response agent?”

Why Better Asset Visibility Matters in Cybersecurity | JupiterOne
August 30, 2023
Blog
Back to basics: Why better asset visibility matters in your security program

At the most basic level of the Incident Response Hierarchy, security teams must know the assets they are defending.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.