
What Can We Learn From The OpenSea Data Breach?

By richard.meeus | August 29, 2022 | Updated: July 4, 2024 | 5 Mins Read
Access has always been a conundrum for security professionals. The level of access privileges you give to your employees exposes you to insider threats. The recent data breach faced by OpenSea exposes another layer of risk: third-party vendors. The web3.0 marketplace’s supplier, customer.io, was found to be responsible for a breach that saw the unauthorised exposure of thousands of users’ and newsletter subscribers’ email addresses. The bad actor was a senior engineer within customer.io with a certain level of clearance, meaning that their access privileges allowed them to download and work with the data. Considering that OpenSea boasts 1.8 million users, the impact was wide-reaching.

Trust is at the heart of access privileges, and companies must consider the risk-benefit trade-off when granting them to any employee: the risk of an employee stealing or misusing data versus the access privileges required for them to effectively fulfil their role. Balancing this risk is not an exact science, but there are some useful security principles to help you decide which access privileges to give, and this philosophy is embedded in the Zero Trust principles. While Zero Trust might not have blocked this insider threat, let’s dig into how it can help you manage access privileges within your workforce. We’ll also review security options that can protect your assets in case an employee with legitimate access goes rogue.

USING ZERO TRUST PRINCIPLES WHEN GIVING ACCESS PRIVILEGES

I talk to lots of people about Zero Trust, and there are misperceptions about its implementation. It is not about locking down systems so strongly that they become difficult to use, but about mitigating risk to protect your business and its end-users. The Zero Trust approach to network security relies on three core principles:

– All networks are untrusted: every machine, user, and server should be treated as untrusted.

– A rule of least privilege access must be enforced: a user has the minimum levels of access or permissions needed to perform their job.

– Continuous monitoring and authentication.

Older security models were flawed because they tightly controlled access at the perimeter but offered no protection against threats that managed to get inside. However, simply connecting from a particular network must not determine which services you can access.

At its core, Zero Trust is an information model that denies access by default. It promotes explicit policies, such as multi-factor authentication that can leverage biometrics and hardware tokens to verify identity. Ultimately, Zero Trust principles lay the foundations to protect your data and resources and mitigate internal risks by withholding access from employees who do not need it to perform their job. They work best when used in addition to functions such as data encryption (at rest and in transit), data classification, data asset classification and sensitivity analysis, data leakage prevention (DLP), and file integrity monitoring (FIM). You already have a lot of these foundational building blocks, so when you execute this programme, you can build on your existing infrastructure.

HOW TO DEFEND YOURSELF AGAINST A ROGUE EMPLOYEE         

You can restrict the data and resources an employee can access, but this shouldn’t prevent them from doing their job. So, what tools do you have at your disposal to defend against insider threats with legitimate access to sensitive data? Data loss prevention allows your organisation to identify and block sensitive or confidential data uploaded from a corporate network and transmitted to the public Internet. A data loss prevention solution can scan and identify personally identifiable information (PII), financial and credit card information, and health-related information. This solution may have prevented the rogue customer.io employee from sharing email addresses with a nefarious third party while still allowing them to have access to the resources needed to perform their duties.
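The kind of outbound content check described above, as an added example that is not from the article or from any DLP product: it counts distinct email addresses and Luhn-validates candidate card numbers before deciding to block. The function names, the `max_emails` threshold and the sample payloads are assumptions constructed for illustration.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: filters out order ids and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def inspect_outbound(payload, max_emails=5):
    """Classify an outbound payload; max_emails is a hypothetical policy threshold."""
    emails = {m.lower() for m in EMAIL_RE.findall(payload)}
    cards = [digits for digits in
             (re.sub(r"\D", "", m) for m in CARD_RE.findall(payload))
             if luhn_ok(digits)]
    reasons = []
    if len(emails) > max_emails:    # a single address is normal work, a list is an export
        reasons.append("bulk_email_addresses")
    if cards:
        reasons.append("payment_card_number")
    return {"action": "block" if reasons else "allow",
            "reasons": reasons, "emails": len(emails), "cards": len(cards)}

# Constructed sample payloads (not real data).
SUPPORT_REPLY = "Hi, please contact alice@example.com about order 1234567890123456."
BULK_EXPORT = "\n".join(f"user{i}@example.com" for i in range(1, 9))
CARD_PASTE = "Customer card on file: 4111 1111 1111 1111, expires next year."

if __name__ == "__main__":
    for name, body in [("reply", SUPPORT_REPLY), ("export", BULK_EXPORT), ("card", CARD_PASTE)]:
        print(name, inspect_outbound(body))
```

The threshold is what lets an employee keep working with individual records while a bulk list of addresses leaving the network is stopped.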

Another way to detect the risk of an insider threat is to apply user and entity behaviour analytics (UEBA), which tracks the behaviour of users and devices over time and identifies suspicious activity. For example, if the regular working hours of a device are daytime business hours, but suddenly it connects in the middle of the night, the system would be able to detect this anomaly and temporarily restrict its access privileges. Rogue employees are likely to conduct their nefarious activities outside of business hours, which is something that behaviour analytics can identify and prevent.
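The working-hours check described above, as an added example that is not from the article or from any UEBA product: it learns each device's usual hours of day from past connections and restricts a connection that falls far outside them. The device names, timestamps, `min_seen` and `tolerance` values are constructed assumptions, as is the choice to restrict devices with no baseline.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history: (device_id, ISO timestamp) of past connections.
HISTORY = [("laptop-17", f"2022-06-{d:02d}T{h:02d}:15:00")
           for d in range(1, 11) for h in (9, 11, 14, 16)]
# A device whose normal activity is nightly, to show the baseline is per device.
HISTORY += [("build-srv", f"2022-06-{d:02d}T02:00:00") for d in range(1, 11)]

def build_baseline(history, min_seen=3):
    """Map each device to the hours of day it was seen in at least min_seen times."""
    counts = defaultdict(Counter)
    for device, ts in history:
        counts[device][datetime.fromisoformat(ts).hour] += 1
    return {dev: {h for h, n in c.items() if n >= min_seen}
            for dev, c in counts.items()}

def hour_distance(hour, usual_hours):
    """Smallest circular distance in hours, so 23:00 is 2 hours from 01:00."""
    return min(min((hour - u) % 24, (u - hour) % 24) for u in usual_hours)

def assess(event, baseline, tolerance=2):
    """Return 'allow' or 'restrict' for one (device_id, timestamp) connection."""
    device, ts = event
    usual = baseline.get(device)
    if not usual:
        return "restrict"   # assumption: no baseline means deny by default
    hour = datetime.fromisoformat(ts).hour
    return "allow" if hour_distance(hour, usual) <= tolerance else "restrict"

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for event in [("laptop-17", "2022-06-20T10:30:00"),
                  ("laptop-17", "2022-06-20T03:05:00"),
                  ("build-srv", "2022-06-20T02:40:00")]:
        print(event, assess(event, baseline))
```

Because the baseline is learned per device, a night-time connection is only flagged for a device that does not normally work at night.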

Looking at Customer.io’s response to the OpenSea data breach, it won’t come as a surprise that they are now implementing stronger security policies, such as preventing employees from exporting customer data. Trust will continue to be a risk factor, due to the intrinsically human element at stake. You can’t celebrate your employees while restricting and monitoring their every move. But you can’t endanger your business operations by blindly entrusting your employees with sensitive data. Insider threats will be around for the foreseeable future. But you already have tools at your disposal to help you grant access in a secure manner to reduce your exposure – from Zero Trust principles to data loss prevention and user and entity behaviour analytics.    

Richard Meeus, Director of Security Technology & Strategy EMEA at Akamai Technologies

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
