Perspectives On Integrated Security Zero Trust Integrated Security In the Age of Automation & Digitization Whitepaper V0.1 Q4 2020 _________________________________ _________________________________ _________________________________ “ It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it. ” – Stéphane Nappo Global Chief Information Security Officer Société Générale International Banking ____ ______________________________________________________________________________________________ Zero Trust Integrated Security In the Age of Automation & Digitization WhitePaper v0.1 _________________________________ _________________________________ _________________________________ ~ Abstract ~ Business is founded on & maintained through trust. Whenever somebody goes to their local deli, they trust that the deli sourced its produce with quality in mind. Whenever a person deposits their money into a bank account, they trust that the bank will handle the money responsibly as promised. As technology continues to swallow the world and every aspect of human life becomes all more digitized and automated, two systemic, structural primitives become all the more prevalent; Integration & Security. It is no secret that integrating systems brings exponential benefits to a business's operations. It is also not a secret that security vulnerabilities have been the catalyst responsible for a failure rate as high as 33% in startup businesses. These two primitives underpin what Trust is and where to find it; when properly implemented/synthesised, a system is optimized for trust & efficiency. Trust is a binary principle; either trust exists or it does not. However, the implementation of trust is varied across institutions & industries. In relation to Business, trust exists in two paradigms, internally and externally. On the one hand there is the trust that end users have towards the institution/product, known as external trust. On the other hand, we have Internal trust, trust that regards the team/internal operations that the institution has towards itself. At the intersection where security & integration meet, known as integrated security, (internally & externally) the concept of Zero trust is found. ____ ______________________________________________________________________________________________ Zero Trust Integrated Security In the Age of Automation & Digitization WhitePaper v0.1 _________________________________ _________________________________ _________________________________ ~ Integration ~ Integration is synonymous with automation & interoperability. At a high level, it is the symbiosis of separate systems into a single unified solution. Example : Looking to Facebook as an example, we can understand that successful products are not siloed apps, rather they are aggregates of multiple other applications. Facebook has integrated into human life so deeply that it is not uncommon for people who rendezvous physically to ask one another to connect through Facebook. It is colloquially referred to as a social network; but what does that mean & what defines a social network? Facebook is not just a single platform that presents users with the ability to post to a bulletin board. Facebook allows for posting not only messages but also pictures, videos, and audios. Facebook lets its users sign in & register accounts on different platforms (using their Facebook credentials). Facebook even lets developers build applications that run on Facebook’s networks. Taking this a step further, whenever a site is being built and requires some of Facebook’s functionality (such as posting, liking, or selling) it is readily available. Integration brings about exponential adoption. When Facebook acquired Instagram, the platforms had 3 billion & 100 million users respectively. & The key benefit of integration is the streamlining of processes. Streamline Simulation Facebook Activity & Notification Not Streamlined Streamlined -- Post is Liked, Commented, Hashtagged -- Activity is observed by a moderator -- Moderator publishes post in Hashtag -- Moderator goes to email platform -- Moderator manually input activity -- Moderator sends e-mail Total time: 15 minutes -- Post is Liked, Commented, Hashtagged -- Activity is digested by algorithm -- Algorithm publishes Hashtag + sends email Total time: 2 seconds ____ ______________________________________________________________________________________________ Zero Trust Integrated Security In the Age of Automation & Digitization WhitePaper v0.1 _________________________________ _________________________________ _________________________________ Whenever platform operations are streamlined a slew of direct & indirect benefits arise, namely: reduction in friction, scalability, & an enhanced user experience. Friction is the result of delays incurred due to processing. A lapse in continuity. Nowhere is this more prevalent than in commerce, specifically payments. Whenever a payment is made digitally, the buyer should not wait 72 hours in processing time to finalize a purchase. Rather payments must be as easy as possible. Taking Amazon's “one-click buy” as a case study, we can see that the further friction can be removed the easier & more fluidly the customer is to buy. Amazon makes the process so easy that it is almost satisfying to buy from them. The “one-click buy” put together 4 separate point of frictions and streamlines them into a single step; 1) locating card info → 2) inputting a card info → 3) inputting personal info → 4) checkout Scalability is a project's ability to sustainably grow. By making as many functions & processes hands-off as possible directly translates to more processes & functions to include. Scalability through integration can be seen with backends systems. Whenever a new project is launching one of the greatest areas that they struggle with is backend management; storage, security, privacy, computation, etc. While taking the inhouse solution to build new databases is possible, however, integrating with a 3rd party solution that provides all of the necessary backend infrastructure removes the difficulty in maintaining while allowing the project to grow at almost any rate. Making the project more efficient since they can now focus their efforts on growth rather than technical maintenance. User Experience is everything. Any improvement in an application’s/project’s ability to grow & process faster inhibits increased user satisfaction and therefore attraction & retention. ____ ______________________________________________________________________________________________ Zero Trust Integrated Security In the Age of Automation & Digitization WhitePaper v0.1 _________________________________ _________________________________ _________________________________ ~ Security ~ With the exponential influx of Data derived from technological advancements in IOT, DLT, AI Cloud Computing & blockchain it (data) has been heralded as “the new oil”. Becoming an easily accessible, intrinsically valuable commodity Data became the pinnacle of interest for financially incentivized malicious actors. Cybersecurity was at one point not more than some firewalls and anti-virus programs. However, as hackers got more advanced, prior security standards became obsolete & new methods of security compromise (with social engineering) became more prevalent, cybersecurity has become a mathematically complex, computational demanding, moving target. As per the 2017 data breach study funded by IBM & conducted by Ponemon Institute, the global average for the costs of a data breach supersedes $3.5m and is only expected to grow. Coupled with the James A. Clark School of Engineering’s study of cyber attacks which revealed that a cyber attack happens every 39 seconds on average with 20 records compromised per second; the ballooning $6 trillion Industry remains as one of the most critical aspects of any project/business/application’s lifecycle. Cybersecurity exists alongside a spectrum. The security requirements that satisfy the demands of one application/ function does not satisfy another’s. With solutions ranging from version control systems, authenticators, sensitive data storage, protection against internal subversion, video recording, audio recording, and even going so far as implementing remote 3rd party monitoring services & physical security personale; it can become a chaotic mess as well as a tremendous resource consumer. ____ ______________________________________________________________________________________________ Zero Trust Integrated Security In the Age of Automation & Digitization WhitePaper v0.1 _________________________________ _________________________________ _________________________________ ~ Integrated Security ~ In the context of technology & computer science, integrated security is a modularized, customized, end-to-end solution covering every angle of the cybersecurity spectrum. As briefly mentioned in the previous section on security; the spectrum for cybersecurity is broad and cannot be defined within the context of a single universal mold. Rather the security requirements vary depending on their application. Where a gaming application would require a security system heavily focused on intra-game subversion a financial application for a bank would require a radically different system that extends beyond the digital realm. Traditional solutions for security demand a chaotic system of detached applications. Security is layered into systems ad hoc and served by different providers; translating into a sharded model that forces extensive manual hands on involvement (for organizational purposes), which again translates into large overhead expenditures in terms of maintenance via salaries. At the forefront of issues in security is APT (Advanced Persistent Threats). As the name specifies, APT are “advanced” meaning sophisticated & “persistent” meaning constant risks that happen silently and can go on for prolonged periods of time undetected. Attacks that can entirely disintegrate the trust-worthiness of a company. Integrated security looks to bolster trust by circumventing APT’s with constant surveillance across multiple verticals of security. Integrated security takes the best of both worlds (integration & security) and combines them to arrive at a solution that satisfies the privacy & security needs of a business externally & internally. ____ ______________________________________________________________________________________________ Zero Trust Integrated Security In the Age of Automation & Digitization WhitePaper v0.1 _________________________________ _________________________________ _________________________________ ~ Zero Trust ~ So far, cybersecurity has been a reactive process where the goal has been to minimize damage once it occurs. However, under the current dynamic climate of cyber crime proactive processes have been sought, where the goal is to prevent occurrence before it happens. Neither process structure solves for everything, but a hybrid approach that minimizes occurrence on the front end & maximizes recovery on the backend brings about the promise of a First proposed by vice president and principal analyst for Forrester Research, John Kindervag, in 2010, under the premise that traditional security models operate on the outdated assumption that everything within an organization must be trusted; Zero Trust is a framework for security that optimizes a security systems integrity by altering the modality of trust from one that require building it, to one that focuses on the reduction of the surface area points of trust. Typically, an institution bolsters its trust by increasing the trust of the public towards the company. Traditionally this includes methods such as quarterly public documentation & notifications, claims of transparency, and of course enhancements in security (with new protocols or security companies). However, they tend to overlook the trust required within the organization towards itself. Trust (or an illusion of it) is synthetically induced. Under the Zero Trust model, the function of having to trust a central party is minimized by offloading where trust is & how it is established. Palo Alto Network has concisely devised a 5 point implementation guide for Zero trust. 1. 2. 3. 4. 5. Identify the Protect Surface Map the transactions Flow Build a Zero Trust Architecture Create a Zero trust Policy Monitor & Maintain ____ ______________________________________________________________________________________________ Zero Trust Integrated Security In the Age of Automation & Digitization WhitePaper v0.1 _________________________________ _________________________________ _________________________________ Rooted in the “never trust, always verify” philosophy, Zero Trust leverages network segmentation, prevents lateral movements (as encountered through APT’s), granulated access controls, and ultimately provides what is known as Layer 7 protection. Establishing a Zero Trust environment is commonly perceived as being costly, complex, and confusing. This is a misconception. Zero Trust is not a product, it does not deconstruct or disrupt any of the current operations; rather it is an additional interwoven layer to the existing structures. It is an extremely flexible ideology that can be adapted to ever changing environmental demands ad hoc. Zero Trust works by identifying a “protect surface” for a company's DAAS (Data, Assets, Applications & Services); areas that serve the most vital functions. The “protect surface” areas are then mapped against the general infrastructure, ancillary services & the users to identify the interdependencies of the system. These interdependencies are then actuated for the purpose of creating a minimal demand boundary called a “microperimeter” that tracks & constraints access rights moving forward. These nuances are addressed as Layer 7 protection due to the nature of its implementation; it is the outermost layer that establishes a symbiotic feedback between itself and the underlying system. Following this, proper supporting policies are then identified & built, based on the well known Kipling Method ( Who, What, Where, When, Why, & How ). Zero trust can be applied to varying network models for internet & intranet purpose, blending public & private data feeds. With the presence of Zero Trust, security loses its geographic sensitivity & free companies allowing them to focus on mission critical operations such as growth. If you are looking to learn more about Integrated security & Zero trust or are prepared to transition into these more robust models Xentarus is already ready. ____ ______________________________________________________________________________________________ Zero Trust Integrated Security In the Age of Automation & Digitization WhitePaper v0.1 _________________________________ _________________________________ _________________________________ A United Stated based Technology Infrastructure service provider & Technology Consultancy for Enterprise X entaurs 5151 California Ave, Suite 100 Irvine, CA 92617 Trust * Excellence * Camaraderie * Humanity IAC | SDI | Cloud A+ | DevOps | Security+ Phone: +1-949-668-0320 Visit: https://xentaurs.com | Email: info@xentaurs.com A full resource of Xentaur Solutions can be found here General Inquiries and contact form can be found here Introductory videos to Xentaurs can be found here Xentaurs Academy can be found here The Xentaur Blog can be found here ____ ______________________________________________________________________________________________ Zero Trust Integrated Security In the Age of Automation & Digitization WhitePaper v0.1 _________________________________ _________________________________ _________________________________ ~ References & Citations ~ [1] Security Magazine, February 10, 2017, “Hacker Attack Every 39 Seconds”, Security Magazine https://www.securitymagazine.com/articles/87787-hackers-attack-every-39-seconds [2] James A. Clark School of Engineering, February 9, 2007, “Study: Hackers Attack Every 39 Seconds”, University of Maryland https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds [3] Rick Charney, September 18, 2019, “5 Benefits of an Integrated Security System”, Stealth Monitoring https://stealthmonitoring.com/security-blog/5-benefits-of-an-integrated-security-system [4] ScienceDirect Archives, Accessed October 5, 2020, “Integrated Security - An Overview”, Elsevier B.V. https://www.sciencedirect.com/topics/computer-science/integrated-security/pdf [5] Sintrol News Archives, September 10, 2018 “What is an Integrated Security System? And Why Does it Help Me?”, Sintrol Security https://sonitrolde.com/integrated-security-system-help/ [6] Kaspersky Archives, accessed October 4, 2020, “What is an Advanced Persistent Threat (APT)? ”, AO Kaspersky Lab. https://www.kaspersky.com/resource-center/definitions/advanced-persistent-threats [7] Palo Alto Networks Archives, accessed October 5, 2020, “What is Zero Trust?”, Palo Alto Networks INC. https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture [8] Mark K. Pratt , January 16, 2018, “What is Zero Trust? A model for more effective security”, CSOonline, IDG Communication INC. https://www.csoonline.com/article/3247848/what-is-zero-trust-a-model-for-more-effective-securit y.html [9] Joe Galvin, May 7, 2018, “ 60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself ”, INC.com https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber- attack-heres-how-to-protect-yourself.html [12] Micke Ahola, October 18, 2019, “The Role of Human Error in Successful Cyber Security Breaches”, Usecure LTD. https://blog.usecure.io/the-role-of-human-error-in-successful-cyber-security-breaches ____ ______________________________________________________________________________________________ Zero Trust Integrated Security In the Age of Automation & Digitization WhitePaper v0.1