Zero Trust Beyond IAM

June 27, 2023

As the speed of doing business increases and industries undergo digital transformations, data has become an undeniable asset — yet one that can leave businesses open to hidden threats. Securing data in an organization is just as important as protecting access to it. This is especially true for unstructured data, which is data that does not conform to a specific data model or schema, but travels across and between organizations freely, such as documents and multimedia files.

A classic example of this is a malicious email attachment sent from a trusted but hijacked vendor email account. The 2023 Verizon Data Breach Investigations Report finds that 74% of all breaches involve the human element, including social engineering. Business Email Compromise (BEC) attacks are on the rise, representing more than 50% of all social engineering incidents. Even without the sophistication of a BEC, the Report states that 4% of malicious attachments sent via email will be opened. This is despite awareness campaigns and existing controls.

Unstructured data that contains hidden threats often arrives from a source the recipient trusts: a partner email, a Slack channel, a client, or an image file pulled from Google Images. Because unstructured data crosses trust boundaries just as often as identities do, if not more often, we can approach it through the lens of "Zero Trust".

In this article, I make the case for extending zero trust beyond identities and access – to data – by comparing it to everyone’s favorite thing in the world: airline travel.

Zero Trust overview

Zero Trust is a security model built on not trusting anyone or anything by default, whether inside or outside an organization's network perimeter. It assumes that all users, devices, applications, and network traffic are potentially malicious and must be verified and authorized before access is granted. The model rests on the principle of "never trust, always verify": every access request is treated as if it comes from an untrusted source, is subject to continuous authentication and authorization, and travels over encrypted channels.

Witness Zero Trust in Air Travel

If you think about it, the structure of air travel is the perfect analogy for Zero Trust security principles. Airports have limited access areas that require checking credentials for everyone who wants access. Even when access is granted, it is only given on a limited basis, requiring a re-check of credentials for those wishing to leave and return later.

Zero Trust in Air Travel

For those who want to depart on a plane, there is an additional check to ensure the persons entering the gate onto the aircraft have the right to be on that flight. It typically goes something like this:

  1. Around the perimeter of an airport, access is strictly controlled. Security won’t allow you to linger too long at the curb when dropping off or picking up passengers.
  2. When dropping off your checked luggage, an airline agent will first ask for your boarding pass – and your ID, validating your identity.
  3. Before you enter the security line, there may be another process to check your ticket, making sure you get into the correct line.
  4. In the security line, the TSA (Transportation Security Administration) agent checks your government-issued ID again. As TSA agents verify travelers’ airport credentials, Zero Trust access ensures all users’ credentials are validated.
  5. After successfully passing through the TSA security checkpoint, travelers are granted temporary, low-level (least privilege) access to the airport. Instead of being given free rein to go everywhere, travelers are restricted to a particular area: the terminal. This micro-segmentation approach aligns with the principles of Zero Trust, where initial access is granted but limited to specific areas or actions.
  6. During the boarding process, your ticket is scanned to ensure that you are gaining access to the correct plane.

For a person, this process is analogous to Zero Trust as applied to access and identities. However, airports also take the approach of not trusting the items that people bring with them: luggage, carry-ons, and personal items. Applied to information security, the parallel is digital luggage: files and the content within them.

Zero Trust Content Security scrutinizes the attachments and items accompanying those credentials, much like checking luggage at the airport.

Checking Items (aka Content)

The baggage check goes beyond simply validating credentials. It is the last line of defense in ensuring no hidden threats are carried onto the plane. While hand-searching each bag would be inefficient, X-ray scanners expedite the process, helping TSA agents see what might be hidden deep within bags or other objects. Just as an explosive device could be hidden within another object, files that appear safe, such as documents, may harbor malicious code deep within the layers of the file structure (embedded objects, macros, or content crafted to exploit the parser). This is why additional layers of security are necessary, even beyond the baggage check.

Zero Trust Security at an Airport

By checking everyone and everything they bring with them, regardless of their status or position, the TSA can ensure that no dangerous items or individuals make it past this point. Without this step, a threat could make it into more secure areas, creating more significant damage should an attack occur.

The thorough examination of items and belongings in airport security mirrors the Zero Trust content security approach, which emphasizes the need to scrutinize attachments and files accompanying users’ credentials or delivered via machine, process, or application.

Trusted Identities, Untrusted Content

Taking this analogy one step further, let's consider situations where a traveler brings seemingly benign items that are not allowed, such as a full water bottle in their backpack or carry-on. While the water bottle may not be inherently harmful, it poses a security risk due to airport regulations and the inability to guarantee that the contents are safe. Similarly, a user may unknowingly bring questionable or unsafe files into an organization's network. Just as the water bottle needs to be detected and removed before proceeding, potentially dangerous content must be identified and addressed to maintain the organization's security.

This highlights the importance of verifying and authorizing not only the users and devices but also the data they bring with them.

Zero Trust for Unstructured Data

The Zero Trust approach to security isn't just for network architecture and airports. It’s an essential part of robust data security. Zero Trust Content Security protects your business operations from the unstructured data (and the useful content it contains) that travels freely between trust boundaries: in the emails of vendors and partners, on the endpoints of employees downloading files from the web, and before files are uploaded to applications and cloud storage.

Organizations can apply Zero Trust principles to their data and content, protecting the broader organization from hidden threats through a technology that Gartner calls Content Disarm & Reconstruction (CDR). With CDR in place, inbound files are disarmed regardless of origin: rather than trying to detect known-bad content, the file is rebuilt from its known-good parts and anything that can carry active or hidden content is dropped, so even "safe" file types are sanitized, eliminating hidden threats in documents, images, videos, and more. The reconstructed file remains usable, which keeps the added layer of protection from getting in the way of the business while boosting data security and your overall cybersecurity posture.
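To make the "disarm and reconstruct" idea concrete, here is an added example that is not from the article or from any CDR product: a minimal rebuild of an OOXML package (the zip-based .docm/.xlsm/.pptm formats) that drops the parts carrying active content. The drop policy (VBA projects, embedded OLE objects, ActiveX controls and their relationship entries) is a hypothetical minimum chosen for illustration, the sample document is constructed in-memory rather than taken from a real file, and the helper names are my own. A production CDR engine covers far more (DDE fields, external links, fonts, image re-rendering, and non-Office formats); the point here is the shape of the technique: check the bytes rather than the extension, rebuild from known-good parts, and keep the package consistent so the result still opens.

```python
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET

PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"

# Hypothetical policy for this example (assumption, not any product's rule set):
# OOXML parts and relationship types that carry active or embedded content.
DROP_NAME_SUFFIXES = ("vbaProject.bin", "vbaData.xml")
DROP_DIR_MARKERS = ("/embeddings/", "/activeX/")
DROP_REL_TYPES = ("/relationships/vbaProject", "/relationships/oleObject",
                  "/relationships/control", "/relationships/package")


def _drop_part(name: str) -> bool:
    """True if an archive entry, PartName or rels Target is on the drop list."""
    return name.endswith(DROP_NAME_SUFFIXES) or any(m in "/" + name for m in DROP_DIR_MARKERS)


def _strip_relationships(xml: bytes) -> tuple[bytes, int]:
    """Remove <Relationship> elements pointing at dropped parts or active-content types."""
    ET.register_namespace("", PKG_RELS_NS)  # keep the default namespace on re-serialisation
    root = ET.fromstring(xml)
    dropped = 0
    for rel in list(root):
        if any(m in rel.get("Type", "") for m in DROP_REL_TYPES) or _drop_part(rel.get("Target", "")):
            root.remove(rel)
            dropped += 1
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True), dropped


def _strip_content_types(xml: bytes) -> bytes:
    """Drop <Default>/<Override> entries for removed parts so the package stays consistent."""
    ET.register_namespace("", CT_NS)
    root = ET.fromstring(xml)
    for entry in list(root):
        ctype = entry.get("ContentType", "")
        if _drop_part(entry.get("PartName", "")) or "vbaProject" in ctype or "oleObject" in ctype:
            root.remove(entry)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def disarm_ooxml(data: bytes) -> tuple[bytes, list[str]]:
    """Rebuild an OOXML package without active content. Returns (clean bytes, removed items)."""
    # Trust the bytes, not the file name: every OOXML document is a zip container.
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not a zip-based OOXML container")
    src = zipfile.ZipFile(io.BytesIO(data))
    removed: list[str] = []
    seen: set[str] = set()
    out = io.BytesIO()
    # Reconstruct part by part instead of copying the archive: zip-level oddities
    # (archive comments, extra fields, duplicate entry names) do not survive the rebuild.
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            if name in seen:                       # keep the first copy, drop shadowing duplicates
                removed.append(f"{name} (duplicate entry)")
                continue
            seen.add(name)
            if _drop_part(name):
                removed.append(name)
                continue
            payload = src.read(info)               # read this exact entry, not a same-named one
            if name.endswith(".rels"):
                payload, n = _strip_relationships(payload)
                if n:
                    removed.append(f"{name}: {n} relationship(s)")
            elif name == "[Content_Types].xml":
                payload = _strip_content_types(payload)
            dst.writestr(name, payload)
    return out.getvalue(), removed


def list_parts(data: bytes) -> list[str]:
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def read_part(data: bytes, name: str) -> bytes:
    return zipfile.ZipFile(io.BytesIO(data)).read(name)


def build_sample_docm() -> bytes:
    """Constructed sample (not a real document): a minimal macro-enabled Word package."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml":
            f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>',
        "_rels/.rels":
            f'<Relationships xmlns="{PKG_RELS_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
            'Target="word/document.xml"/></Relationships>',
        "word/document.xml":
            f'<w:document xmlns:w="{w_ns}"><w:body><w:p><w:r><w:t>Invoice 4711</w:t></w:r></w:p>'
            "</w:body></w:document>",
        "word/_rels/document.xml.rels":
            f'<Relationships xmlns="{PKG_RELS_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" '
            'Target="vbaProject.bin"/></Relationships>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 stand-in for a compiled VBA project",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    clean, removed = disarm_ooxml(build_sample_docm())
    print("removed:", removed)
    print("kept   :", list_parts(clean))
```

Two design choices carry the Zero Trust idea. First, nothing is copied through by default: the output archive is written entry by entry from a whitelist of what survived the policy, so anything the policy does not recognise as harmless is simply absent from the result. Second, the package is kept consistent after the removal, because a file that no longer opens is a denial of service rather than a sanitisation; a fuller implementation would also rewrite the macro-enabled content type to its plain equivalent and rename the file accordingly.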

If air travel checks both the traveler and what the traveler carries, shouldn't your security program do the same, verifying the content that arrives with an identity rather than stopping at IAM?