If You Don’t Have Data Sovereignty, You Don’t Have Zero Trust Security
by Andreas Wuchner
Here’s what’s wrong with zero trust when it comes to communication and data sharing platforms: it often doesn’t exist.
Don’t get me wrong: most applications that offer comms and data sharing do have security:
Slack protects their customers by encrypting “data at rest and data in transit for all of our customers,” and other ways like their Enterprise Key Management (Slack EKM) tool.
Telegram has their “multi-data center infrastructure and encryption,” which, according to them, is faster and more secure than WhatsApp.
And Microsoft Teams enforces “team-wide and organization-wide two-factor authentication, single sign-on through Active Directory, and encryption of data in transit and at rest.”
However, everyone witnesses the constant stream of articles about data breaches, stolen account information for sale in hacker forums, ransomware attacks, and so on.
The problem? Data sovereignty.
Data sovereignty is the idea that data are only subject to the laws and governance structures within the nation it is collected. However, Zero trust applications often hold customer data in a place that is ultimately out of their hands. If this is the situation, then you don’t have zero trust. You are trusting platforms and servers not to share sensitive information. And this trust may be misplaced.
The Problem with Teams
In a news report published by The Register, the US House Committee on the Judiciary met to hear testimony regarding the government's apparent practice of secretly subpoenaing cloud service providers.
During the hearing, Microsoft VP of customer security & trust Tom Burt testified that federal law enforcement have been presenting Microsoft with 7-10 subpoenas every day, demanding access to user data they have collected. This, according to his testimony, comprises at least a quarter of all legal demands that the company receives.
"The fact that law enforcement requested, and courts approved, clandestine surveillance of so many Americans represents a sea-change from historical norms,” Burt said in his testimony.
He further clarified that this practice was not only exclusive to one party or the other, but that it’s a rather “ongoing problem since the ascendancy of cloud computing."
The fact that Microsoft is receiving, and actually complying with these information disclosure demands everyday from federal law enforcement renders their “protection” capabilities moot.
We are also now seeing this same reality for other cloud providers around the world, where once it may have been limited to the US.
Application Trust (or Lack, Thereof)
The federal government demanding user data is not the only problem.
The reason why zero trust security is an important concern for enterprises is the fact that without it, organizations are more prone to digital risks like data exfiltration, brand damage, or financial losses.
Some context for those who are unfamiliar: The zero-trust approach to protecting your business has 5 key pillars – device trust, user trust, transport/session trust, data trust, and application trust, which is the topic of my writeup today.
Application trust means enabling your employees to seamlessly and securely access any application instance from any device. Two common ways to do that is to either allow single sign-on (SSO), or to isolate traditional applications (those not designed for zero trust) through a virtual desktop or application environment.
Sadly, most companies don’t bother with this, whether it’s because of a lack of proper tools and platforms to make this possible, or because to them, it’s a “hassle” to constantly go through these protocols just to access one app.
Case in point: 76% of CEOs admit to bypassing or circumventing security protocols to “get something done faster,” exchanging security for speed and convenience.
Expanding Your Attack Surface
Apps also expand an enterprise’s attack surface by simply… being there.
An example: An MS Teams vulnerability was discovered earlier this year. The exploit was revealed to grant attackers access to emails, messages, and personal files.
According to Evan Grant, a staff research engineer at Tenable, the attack relies on a vulnerability in the platform’s Power Apps tab functionality. An unpatched version of Teams enables bad actors to set up a malicious tab which allows them access to the victim’s private documents and communications.
And it’s not just Teams...
Hackers stole billions of dollars worth of source code and data from EA Games. Their mode of entry? Stolen Slack cookies sold for $10 online.
On the other hand, a new remote access trojan (RAT) called “ToxicEye” is putting Telegram users at risk. Not only can this malware steal data or lock up a user’s files ransomware-style, it can also hijack the mic and camera on the victim’s PC.
The other ways that applications can expand your attack surface are as follows:
It only takes at least one click to forward sensitive information outside the organization, whether by hackers compromising an account, insider threats, or even as simple as user error.
Some applications enable users to add external members, and other team members in that channel might make the mistake of sending confidential or proprietary information to those people.
Employees can share anything within these platforms, from office gossip to GIFs of cute puppies or kittens, because users often assume these apps don’t have monitoring or archiving protocols unlike emails.
Once an account is compromised, a hacker can use this to attack the other end-users within the organization or spread malware across the entire enterprise account, whilst being seen as an ordinary member of the team.
Protecting Your Instances
How should one protect their application instances, then?
One of the basic ways would be to educate everyone in the organization on the best practices. Yes, everyone, including the executives. Human Cyber risk is a big topic and still today, 90% of all successful cyber-attacks start with a wrongdoing of a user. Addressing the underlying behaviors of users on why they click on things to create a habit (transform) of staying secure, while accessing their applications can go a long way. Great providers like CybSafe offer all kinds of very useful resources for this, including free courses online, so what have you got to lose?
Keeping your security infrastructure and other traditional security tools updated will work, too. Granted, they won't be enough to cover all your application instances, but they’ll do a good job of protecting your systems from basic exploits and hacking attempts.
Still, an organization will need a dedicated solution to enforce zero-trust security across the board. Here’s what to look for:
Zero trust, military-grade encryption
Find a solution that allows secure sharing through Microsoft Teams. Provable end-to-end encryption means you have complete confidentiality wherever your service provider stores your data. It should also decentralize the risks of your average application instance.
Regulatory compliance by design
Your company produces incredible amounts of data everyday through its communication. By virtue, your solution should retain your peace of mind over your company’s data by protecting your enterprise against unauthorised or unlawful processing from any third party in any jurisdiction.
Data localisation
Your zero-trust solution should keep all your conversations, files and collaboration within your own control. Never expose your company's crucial data to unclear third-party risk.
___________
Because of the sudden spur in the adoption of these applications, many of their issues and vulnerabilities have come to light. Deploying a zero-trust security program and decentralizing your data is only natural if you want to protect your organization from these digital threats and risks.
After all, no one wants the government to pore over their private chats, nor would anyone like to see their data displayed and sold in a hackers’ forum, right?
I’m lucky to be involved with a fantastic company, @Worldr, who have developed a powerful real Zero Trust Teams solution.
Is your data encrypted? Does Microsoft have access to it? Do the admins of that data sit within your control? What about the Microsoft ops people?
If any of these questions remain unanswered, you absolutely need to talk to the Worldr team!
