This week another data breach hit the news. Considering that 2020 saw close to 4,000 publicly disclosed data breaches, there’s probably another 75 that didn’t make the headlines. Data breaches are becoming all too commonplace — which is exactly why a Zero Trust approach to information security should be as well.
I’ve written before about how Zero Trust can drive better business outcomes. But this latest breach and its potentially dire consequences are testament to why Zero Trust is imperative to doing business.
Here, let me break it down.
On the breached company’s security page, it states that it has implemented the following security controls: Single Sign-on (SSO), Multi-factor Authentication (MFA), Role-Based Access Control (RBAC) with least privilege, Security Information and Event Management (SIEM) and Virtual Private Networking (VPN). It also claims to maintain information security certification from a third-party firm that specializes in enterprise information security assessment and certification (though no audit information is provided).
Still, with all of these security controls in place, an unauthorized third party obtained credentials to the company’s Amazon Web Services (AWS) cloud storage, which allowed the company's backups to be decrypted.
And this begs the question of how: For an unauthorized third party to gain access with all of these controls in place, it would require either the breach of multiple vendors or a catastrophic failure of monitoring these controls.
Yet it also begs the question of why the disclosure is so short on detail: the lack of transparency screams that there is more to this breach.
Of course, based on what little has been made public about this latest breach, we don’t know the answers. This third party could have been an external threat or come from the inside, perhaps an employee with an axe to grind.
What we do know is that sensitive data could have been compromised and this could also mean a significant General Data Protection Regulation (GDPR) violation. Aside from steep GDPR fines, which can be up to four percent of a company’s annual revenue, the investment in repairing the company’s severely damaged reputation can be equally staggering and possibly never show any returns.
We’re doing what’s necessary to make sure this scenario doesn’t happen to ZenGRC — and to our customers and business partners that would inevitably be impacted. Here are seven security measures we take to ensure Zero Trust security and prevent a similar data breach.
- Build a multi-layered Identity and Access Management (IAM) system.
Access to our AWS environment is RBAC-controlled via SSO with enforced MFA. Least privilege is applied to all users: permissions are elevated and de-elevated as required for the task at hand.
- Restrict IP addresses.
Only specific ZenGRC Site Reliability Engineers (SREs) have access to production infrastructure, and each SRE’s IP address is allowlisted in our network access control. This means that if an SRE changes location or internet connection, their IP address changes and the allowlist has to be updated before access is permitted again. All other IP addresses are blocked.
- Tie AWS access logins to alerts.
Our AWS “root user” account requires a password reset any time it is used (which is only in an emergency), and this triggers alerts in our monitoring applications and is very noisy. An attacker could not do this without our SRE and security teams being notified. In fact, neither our security team nor our SRE team can reset the password without alerting both teams. This is a great example of Zero Trust in action.
- Use separate SSO and MFA vendors.
Separating SSO and MFA vendors mitigates the risk of relying on one vendor for both functions. If our SSO vendor were breached and we also used its MFA, the attacker would hold both the SSO and MFA factors and be able to access our systems. By separating SSO and MFA vendors, both vendors would have to be breached at the same time for an attacker to obtain access.
- Integrate and continuously monitor security and compliance.
While compliance doesn’t inherently reduce risk, it can certainly give you visibility into risk. For instance, if you’re an online retailer and one of your payment systems goes out of PCI compliance, you can make sure security knows about it in real time, reducing this critical business risk while keeping on top of compliance. Implementing continuous monitoring of compliance and security allows for proactive monitoring, not just in the SOC but also from compliance. As they say, two eyes are better than one.
- Conduct and disclose third-party audits.
We publicly state our compliance on our trust center. We also securely share our security documentation with our customers and alert them to any updates or changes, all of which is third-party audited and made publicly available. SOC 2, ISO, PCI, penetration testing and other relevant industry audits and assessments build trust with your customers and validate what you say you do.
- Do not rely on VPN to secure communications.
While some think VPN is a security application, it is not. It operates at the data link/network layer. Instead of relying on a VPN, all ZenGRC communications are protected with industry-standard encryption in transit and at rest.
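As an added illustration of how the IP-allowlist and root-account-alerting measures above can be expressed as detection logic (example code written for this post, not ZenGRC's own tooling), the Python block below evaluates a handful of constructed CloudTrail-shaped sign-in and API records. Any activity by the root identity is flagged, with password-recovery events at critical severity, and any call from an address outside a hypothetical SRE allowlist is flagged regardless of who made it. The allowlist ranges, user names and event records are constructed; the event and field names follow CloudTrail's conventions.

```python
import ipaddress
from collections import Counter

# Constructed SRE egress allowlist (hypothetical documentation ranges, not real ZenGRC addresses).
SRE_ALLOWLIST = [ipaddress.ip_network(n) for n in ("198.51.100.10/32", "203.0.113.0/28")]

# Root-identity event names treated as critical: a password reset on root is the
# emergency-only action described in the post, so it gets the loudest alert.
ROOT_CRITICAL_EVENTS = {"PasswordRecoveryRequested", "PasswordRecoveryCompleted", "PasswordUpdated"}

# Constructed, CloudTrail-shaped sample records (field names follow CloudTrail; values are made up).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventTime": "2021-01-15T09:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "sre-alice"}},
    {"eventID": "e2", "eventTime": "2021-01-15T09:10:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventID": "e3", "eventTime": "2021-01-15T09:11:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "PasswordRecoveryCompleted", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventID": "e4", "eventTime": "2021-01-15T11:45:19Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-bob"}},
    # Service-principal calls carry a hostname, not an IP, in sourceIPAddress.
    {"eventID": "e5", "eventTime": "2021-01-15T12:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"}},
    {"eventID": "e6", "eventTime": "2021-01-15T23:58:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
]


def parse_ip(value):
    """Return an IP address object, or None when the field holds a service hostname."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def in_allowlist(ip):
    """True when the address falls inside any allowlisted SRE range."""
    return any(ip in net for net in SRE_ALLOWLIST)


def evaluate(event):
    """Apply both rules to one record and return the alerts it raises (possibly none)."""
    alerts = []
    identity = event.get("userIdentity", {})
    name = event.get("eventName", "")
    base = {"eventID": event.get("eventID"), "eventTime": event.get("eventTime")}

    # Rule 1: any root-identity activity is alert-worthy; password recovery is critical.
    if identity.get("type") == "Root":
        severity = "critical" if name in ROOT_CRITICAL_EVENTS else "high"
        alerts.append({**base, "rule": "root-activity", "severity": severity,
                       "detail": f"root identity performed {name}"})

    # Rule 2: any call from outside the SRE allowlist, whoever made it.
    # Service principals (hostname in sourceIPAddress) are not subject to the IP check.
    ip = parse_ip(event.get("sourceIPAddress", ""))
    if ip is not None and not in_allowlist(ip):
        actor = identity.get("userName") or identity.get("arn") or identity.get("type")
        alerts.append({**base, "rule": "source-outside-allowlist", "severity": "high",
                       "detail": f"{actor} performed {name} from {ip}"})
    return alerts


def scan(events):
    """Run evaluate() over a batch of records and flatten the alerts."""
    return [alert for event in events for alert in evaluate(event)]


def summarize(alerts):
    """Count alerts per rule, the kind of rollup a SIEM dashboard would show."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']} {alert['eventID']} {alert['eventTime']}: {alert['detail']}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

The two rules are deliberately independent: root activity from an allowlisted address still fires, and a non-root call from an unknown address still fires, so a single misconfiguration in either control does not silence the other.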
At ZenGRC, we get it. As a company, information security is what we do. We’ve walked in our customers’ shoes and know how critical, complex and time-consuming managing risk and compliance can be. That’s why the people who use ZenGRC often say, “The product looks like it was built by the people who use it.”
So while we didn’t coin Zero Trust, we certainly know its value. Our adoption of a Zero Trust approach and the actions our teams have taken — and continue to take — are what keep our systems safe, as well as those of our customers and business partners.