In Managing Security in the Age of Zero Trust, BlueAlly introduces Zero Trust as a data-centric approach to security. This involves identifying the data assets and adjusting or creating an Enterprise Information Security Policy (EISP) that protects data and takes a risk-based approach to security.
So, what exactly is a “risk-based” approach from a technological perspective?
Risk-Based Technology
From a security management standpoint, there is a risk-based methodology called the “CIA Triad”: Confidentiality, Integrity, and Availability (CIA). Confidentiality means that only authorized users and processes should be able to access or modify data. Integrity means that data should be maintained in a correct state, and nobody should be able to improperly modify it, either accidentally or maliciously. Finally, Availability means that an authorized user should be able to access data wherever and whenever they need it.
Availability Defined
Availability is often simplified to backups, Disaster Recovery (DR), and system design. But it more accurately means that data should be available to users whenever and wherever it’s needed to support the business.
As a result, there is a substantial crossover with Integrity.
Again, as with Integrity, the ultimate safeguard is immutable storage. This means making copies of the data that cannot be modified. It is emerging as a primary defense against ransomware attacks, where the attacker encrypts the data and holds it hostage to extort money. With one client, we designed a solution for moving the immutable backups to a colocation facility not visible from within their environment. This kind of offsite storage is also a safeguard against many DR scenarios.
The Zero-Trust approach with Integrity is to integrate the approach across all IT silos. This means implementing least privileged access technologies such as role-based access controls (RBAC) and attribute-based access control (ABAC). This emerging technology standard can apply context to the permissions. It also involves coordinating encryption technologies, certificate management, and backups, including immutable storage as needed.
Finally, we need to examine the system from an availability mindset. This means more than simply providing redundancy; it means thinking through what the end user needs from a readiness standpoint.
In reliability engineering, we refer to ‘5 9s’ as a highly available (HA) system. That number was inherited from the Telecommunication Service Provider industry. The literal definition is that the system is 99.999% available, which results in an expectation of no more than 5.26 minutes of downtime per year.
But what if you need continuous availability? And how does one maintain these systems?
Even more challenging, for the user to be able to interact with the data, several discrete systems must all be available:
- Data storage technologies being used
- The database and file storage systems utilizing the physical storage
- The application suites involved
- The network infrastructure between the users and the data
The result is that these 4 systems together have a combined availability of less than 5 9s. To achieve 5 9s for the complete system, each component must be at 6 9s.
This does not even answer the question of continuous availability.
Before we continue, let us consider why so-called HA systems fail (and we have seen this regularly over the years). This often happens through lack of maintenance, resulting in preventable failures. Remember that at 5 9s, they only get 5.26 minutes of downtime annually. Failures in these systems point out that we tend to design to meet minimum requirements within the context of capital or operational budgets in IT. We fail to think about how to design for the real world. This involves thinking about designing for operational environments.
A system that can sustain only a few minutes of downtime per year will likely be in terrible shape from a security and operations standpoint. As a result, designing a system or a system of systems that can operate during maintenance permits the system to remain current and up to date with security and other patches.
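The arithmetic behind the four-layer chain and the maintenance problem above can be worked through in a few functions. This is an added example, not BlueAlly's tooling; the 30-minute patch window, the independence of redundant instances, and all function names are assumptions made for illustration.

```python
import math

MINUTES_PER_YEAR = 365.25 * 24 * 60  # 525,960; yields 5.26 min/year at 5 9s

def nines(n):
    """Availability as a fraction for n nines, e.g. 5 -> 0.99999."""
    return 1 - 10 ** -n

def downtime_minutes(availability):
    """Expected downtime per year, in minutes."""
    return (1 - availability) * MINUTES_PER_YEAR

def series(availabilities):
    """Chain where every layer must be up: storage, database, application, network."""
    return math.prod(availabilities)

def required_per_layer(target, layers):
    """Availability each of `layers` equal layers needs for the chain to meet target."""
    return target ** (1 / layers)

def redundant(availability, instances):
    """Assumption: instances fail independently and any one can carry the load."""
    return 1 - (1 - availability) ** instances

def patch_windows_affordable(target, window_minutes):
    """Whole maintenance outages per year that fit inside the downtime budget."""
    return int(downtime_minutes(target) // window_minutes)

if __name__ == "__main__":
    chain5 = series([nines(5)] * 4)
    chain6 = series([nines(6)] * 4)
    print(f"4 layers at 5 9s: {chain5:.5%} -> {downtime_minutes(chain5):.2f} min/yr")
    print(f"4 layers at 6 9s: {chain6:.5%} -> {downtime_minutes(chain6):.2f} min/yr")
    print(f"needed per layer for a 5 9s chain: {required_per_layer(nines(5), 4):.6%}")
    # Constructed scenario: one 30-minute patch outage on a single-instance system.
    print("30-min patch windows within a 5 9s budget:",
          patch_windows_affordable(nines(5), 30))
    # Two 3 9s instances, one patched at a time, still clear the 5 9s bar.
    print(f"two redundant 3 9s instances: {redundant(nines(3), 2):.5%}")
```

A single-instance system at 5 9s cannot absorb even one 30-minute patch outage, which is why the design has to allow maintenance on one instance while another serves users.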
Availability Examples
Loss of availability is defined as data being unable to be accessed, modified, or added. A public example of a security breach based on Availability is a Distributed Denial of Service (DDoS) attack. This type of attack consumes a firm’s Internet infrastructure, making it difficult to do business.
A more subtle example would be loss of access due to a systemic IT issue, a failed design, or a facility’s loss. Such a loss could be due to power, weather, a cybersecurity incident, or, as with 9/11, a physical attack.
This brings up disaster recovery and business continuity planning. Many organizations fail to plan for the length of the recovery period and the amount of work needed to ensure the plans will deploy successfully. A good example was the Colonial Pipeline hack. News outlets have reported that the ransom was paid, despite backups, because the time to decrypt the data was significantly shorter than that for restoration from backups.
Vendor Choices
In our work, we partner with Cohesity, HPE, and Pure Storage for backups, immutable storage systems, and Disaster Recovery. We also work with traditional vendors such as Cisco, Fortinet, Palo Alto, and Zscaler for identity-based secure access and segmentation.
However, availability analytics, high availability (HA), and non-stop architecture have always been core strengths at BlueAlly. We have been doing this part of the Triad for over 20 years.
Ongoing Call to Action
EISPs and the downstream technological policies need to be living systems and kept up to date as the business evolves and changes. As a result, a governance process needs to be established to tie the senior management team with the technology teams tasked with protecting and managing the firm’s data assets.
For a practical view on including the CIA Triad within your Security Practice, you can read our blog on this subject: Architecting an information security program for the Enterprise.
BlueAlly consultants are always here to assist and guide your journey to a more secure future.
To learn more, contact us about the assessments we can perform to address any concerns and improve your security.