As organizations consider their journey to establishing a strong Zero Trust culture, they must adopt a data-centric approach, and this begins with ensuring database security.
Data, or more specifically, knowing your data, is at the heart of Zero Trust. This means databases must be considered critical assets with the appropriate security considerations applied. IT teams often get this fact wrong, as they may believe employing micro-segmentation or enhanced identity and access governance negates the need for strong database security controls.
Just as security is focused on applications, devices, users, networks, and the cloud, purpose-built security should focus on databases, such as Trustwave's DbProtect. Databases are complex, with their own authentication subsystems, security configurations, and vulnerabilities, and they require database-specific monitoring that still meets the business's performance demands.
The Zero Trust security model eliminates implicit trust in any one element, component, node, or service inside or outside an organization and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.
This definition sounds complicated, and implementing Zero Trust does require a few preliminary steps, but in fact, it is a goal well within the reach of most organizations, either by making some internal changes or reaching out to a trusted security provider for help.
Let's break Zero Trust down into its component parts so it's easier to understand.
The first building block moves the organization to a Zero-Trust Architecture (ZTA). This required shift does not mean one must rip out the current security controls and start over. ZTA is almost more of a state of mind. Once you accept the concept, the rest can come pretty easily.
As defined by NIST, ZTA is, "an enterprise's cybersecurity plan that utilizes Zero Trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a Zero-Trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a Zero-Trust architecture plan."
There are different approaches to implementing a Zero Trust Architecture. Some organizations might implement a micro-segmentation approach, while others pay more attention to enhanced identity and access governance. Organizations should not just adopt the approach that best suits their environment, but one that includes the following core components to address the guiding principles. These components include:
Vulnerability and configuration assessment: This allows organizations to continuously understand the current state of their assets and remediate issues to reduce risk to critical functions and data. It includes:
Identity access management: This provides management of user accounts and drives access control policies.
Data access policies and enforcement: These policies set the business rules for who and what has the right access to critical data. To properly enforce these policies, constant privilege validation is necessary.
Continuous monitoring and visibility: These provide detection capabilities and collect valuable information for later analysis. Visibility is needed on users, applications, devices, networks, the cloud, and especially data.
Threat intelligence feeds: These provide information from internal and external sources to help drive the changes needed to policies and configurations.
As a general recommendation, apply least privilege: grant users access only to the data and applications they need. This principle is among the most important in a solid ZTX IAM practice.
An organization needs an annual attestation/access review process whereby managers and app/data owners review user entitlements and grant or revoke them in an identity management and governance (IMG) platform.
Similarly, you must ensure that privileged users don't have access to system admin functions they don't need to do their jobs. As users move from job to job and project to project, be sure to retire their access to assets. Overprivileged users (employees, contingent workers, business partners, customers) and dated access credentials lead to breaches.
Trustwave DbProtect proactively assesses threats to databases so organizations can gain visibility into the conditions in their on-premises or cloud databases that could lead to a data breach. It automates critical data security by uncovering vulnerabilities that would-be attackers could exploit, limiting user access to the most sensitive data, and alerting on suspicious activities, intrusions, and policy violations.
Security teams are already using DbProtect to adhere to the guiding principles whether or not they are on their journey to Zero Trust.
The principle of least privilege: DbProtect provides a deep analysis of the users, roles, objects, and privileges needed to enforce Zero Trust ideals. Organizations use this information to limit database accounts to the necessary access and adjust and enforce data access policies.
Reducing risk to critical functions and data: DbProtect proactively assesses database security posture, uncovering security weaknesses, such as vulnerabilities and misconfigurations, that attackers can exploit to exfiltrate data.
Comprehensive security monitoring to identify malicious activity: DbProtect continuously monitors database activity based on specific organization-defined policies and will alert on potential suspicious events based on behavior analytics.
Granular and dynamic risk-based access controls: DbProtect provides granular access control privilege analysis to all database accounts. This allows for the constant validation that the administration, application, and service accounts are limited to the critical function and data access required.
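As an added example, not code from the original post or from DbProtect, the following Python check applies the constant privilege validation and access retirement described above to constructed sample data: it flags database grants that an account's approved access policy does not cover and accounts idle past a review threshold. The account names, objects, dates and the 90-day threshold are assumptions.

```python
from datetime import date

# Constructed sample grants, as (account, privilege, object), illustrative only.
GRANTS = [
    ("app_orders", "SELECT", "sales.orders"),
    ("app_orders", "INSERT", "sales.orders"),
    ("app_orders", "DELETE", "sales.orders"),   # beyond the approved policy
    ("report_ro", "SELECT", "sales.orders"),
    ("report_ro", "SELECT", "hr.salaries"),     # beyond the approved policy
    ("svc_backup", "SELECT", "hr.salaries"),    # covered by a wildcard entry
    ("svc_backup", "ALTER SYSTEM", "*"),        # admin function on a service account
    ("j_smith", "SELECT", "sales.orders"),
]

# Approved policy (assumed): the (privilege, object) pairs each account needs
# for its business function; "*" as the object means any object.
POLICY = {
    "app_orders": {("SELECT", "sales.orders"), ("INSERT", "sales.orders")},
    "report_ro": {("SELECT", "sales.orders")},
    "svc_backup": {("SELECT", "*")},
    "j_smith": {("SELECT", "sales.orders")},
}

# Constructed last-login dates; j_smith changed projects and was never retired.
LAST_LOGIN = {
    "app_orders": date(2024, 5, 1),
    "report_ro": date(2024, 4, 28),
    "svc_backup": date(2024, 5, 2),
    "j_smith": date(2023, 9, 15),
}
REVIEW_DATE = date(2024, 5, 3)
MAX_IDLE_DAYS = 90


def excess_privileges(grants, policy):
    """Map each account to the sorted (privilege, object) grants its policy
    does not cover; accounts absent from the policy have no approved access."""
    drift = {}
    for account, priv, obj in grants:
        allowed = policy.get(account, set())
        if (priv, obj) not in allowed and (priv, "*") not in allowed:
            drift.setdefault(account, []).append((priv, obj))
    return {a: sorted(p) for a, p in drift.items()}

def dormant_accounts(last_login, today, max_idle_days=MAX_IDLE_DAYS):
    """Accounts not used within max_idle_days; candidates for revocation."""
    return sorted(a for a, d in last_login.items() if (today - d).days > max_idle_days)

if __name__ == "__main__":
    print("excess privileges:", excess_privileges(GRANTS, POLICY))
    print("dormant accounts:", dormant_accounts(LAST_LOGIN, REVIEW_DATE))
```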
With the focus on data and understanding where it lives and who and what is accessing it, we can see that database security is a critical piece of a Zero-Trust Architecture. It is essential to have the necessary insight into the risk to data in databases, the visibility to know when malicious activity is happening, and the detailed information to constantly validate that user access is limited to the needs of the business.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.