Tag: cyber-resilience

Implenting-Zero-Trust-Eliteparadigm

Implementing Zero Trust

Posted on

The recent Kaseya ransomware attack is yet another reminder of the voracity of the war cybercriminals are waging on the business world. In 2020, scan-and-exploit became the top initial attack vector for surveyed organizations, surpassing phishing, according to the 2021 IBM X-Force Threat Intelligence Index. The report noted manufacturing as the second-most attacked industry in 2020 for respondents. This is an increase from eighth place the year prior, and second only to financial services. 

What’s behind these attacks?

Companies have invested a great deal in building castle-and-moat protections against external threats, focusing on protecting the DMZ or perimeter zone. In a world of known threats and less sophisticated techniques, this protection model worked reasonably well. But times have changed. 

Cybercriminals can be well resourced and tenacious and even backed by nation-states. They can leverage evermore sophisticated tools, such as Ransomware-as-a-Service. These tools can be incentivized by cryptocurrencies with their strong liquidity and poor traceability. As a result, they are well positioned in the arms race against traditional perimeter defenses. Clearly, it is time to consider a zero trust approach to help protect your most valuable resource—your data.

Join us on August 25, to hear how organizations can create a zero trust security in their file transfer environment

The rise of zero trust 

The problem with the castle-and-moat model is the primary focus on external defenses. Once inside, cybercriminals can generally move freely around without much impediment and wreak havoc. This has led to a broadening of the security perspective to encompass internal security, with what is termed the zero trust model. 

The Biden administration in the United States, recently issued an Executive Order calling for advancement towards a zero trust model within the federal government and among federal contractors. Subsequently, in response to multiple high-profile ransomware attacks, the White House also issued a memo to business executives urging them to protect against the threat of the ransomware. Such a model is an “evolving set” of concepts that move beyond “defenses from static, network-based perimeters” according to the National Institute of Standard and Technology (NIST) 

What happens when a cybercriminal or organization has breached a perimeter and has access to your secure environment? Typically, they will start a stealth scan to build a map of your network. They enumerate the server they are on for all its credentials and then try those credentials on your other servers to travel laterally. Most breaches move from computer to computer over standard protocols such as SSH, FTP, SFTP, HTTP, and HTTPS. This means you need to have a strategy for restricting the spread or movement within your organization.  

Zero Trust Protects File Transfers 

At IBM, our Sterling Secure File Transfer (SFT) solution is designed to align with a zero trust approach and harden servers to help reduce the possibility for ransomware or malware to travel laterally. The aim is to protect the inside of the castle – or inside the DMZ. Ultimately safeguarding internal intellectual property and assets. A zero trust approach requires securing and regulating movement between internal computers and servers and we begin by removing untrusted protocols.  

Our SFT solution is designed to include IBM Sterling Connect:Direct which uses a security-hardened protocol. When malware reaches out internally, it will not know how to ‘talk’ to the protocol. It can also check the IP address from the server that has requested access. If that IP address is not on the internal list of trusted servers, which can be consistently updated, the receiving server automatically drops the session.  

Connect:Direct can have additional checkpoints to further help prevent the spread of malware to another server. The malware also needs the correct credentials, which can be increased for additional protection of high-value servers. Also, only files with a specified name may be transferred.  

Each server that uses Connect:Direct becomes a checkpoint – and choke point – for malware. This zero trust approach in Connect:Direct hardens infrastructure. It includes capabilities for zero trust practices for communications that can help mitigate risks of traditional protocols using FTP, SFTP and SSH. SFT can also encrypt data at rest. In transit, it provides multifactor authentication helping implement a zero trust strategy for your file transfers. 

Do you have a traditional castle-and-moat security model? I urge you to consider implementing or expanding your zero trust strategy. It will help protect what is most valuable inside of your organization. You can start small and add more protections over time. The key is to begin now because the war will continue to escalate.  

Watch IBM Secure File Transfer (SFT) in action in this demo

Why Zero Trust

Why Zero Trust?

Posted on

As a security architect within IBM Security Services, I often get asked the question, “What exactly is a Zero Trust architecture?” Well, there is no single or unique answer to that question for two reasons.

First, Zero Trust is not an architectural model but rather a set of guiding principles that should be applied to existing and new designs. With that said, these principles present a number of architectural patterns or use cases that can serve as a starting point for implementation.

Second, the implementation of Zero Trust principles results in very different technical solutions and approaches for different uses cases. For example, applying the same Zero Trust principles for an employee remote access use case would be addressed in a very different way than handling micro-services connectivity in a service mesh running on containers.

So, where does one even start and how would Zero Trust change the way security solutions are designed? To answer these questions, I propose starting at the right architectural entry point: enterprise security architecture (ESA). In this article, I’ll briefly describe how the principles of Zero Trust could be introduced at your organization through the different architectural governance levels and against ESA.

Looking at Zero Trust Architecture Through an ESA Lens

To establish an IT security governance model, most organizations define an ESA as part of a wider enterprise architecture program. In an ESA, all aspects of IT security are defined through the different stages of design. You’ll typically find the following stages: the contextual or business layer, the conceptual layer, the logical layer and the physical layer. Below I provide a summarized overview of the concepts.

Zero Trust Architecture Elite Paradigm LLC

Source: IBM Security

In addition, an ESA should address the governance of how the solutions and artifacts are maintained at the different layers like what is shown above. Security operations will need to manage the day-to-day operational risks while architecture review cycles ensure that the solution’s building blocks are identified and up to date. I’ll come back to this last topic later.

Also, the security controls of an ESA should be designed, implemented and managed at the enterprise level. A security control is typically a solution that combines your people, processes and technology. From a high-level perspective, both the actions required to mitigate identified IT risks and the actions required to ensure regulatory compliance are translated into a set of security policies that are then enforced and implemented through an extended collection of security controls. An ESA helps to define the approach of how to achieve that goal in line with business requirements.

Combining Security Architecture With a Zero Trust Governance Model

If we start applying the Zero Trust principles to security architecture, it is clear that the contextual level does not change. The regulations, risks and business drivers are not changing, but the way an organization would address these requirements might change. Therefore, implementing Zero Trust principles will start at the conceptual layer of your architecture. IBM Security’s four-tenet Zero Trust governance model could be leveraged to structure the approach (see figure below).

IBM Security Zero Trust Governance Model

Source: IBM Security

1. Define Context

Defining context is key for Zero Trust across all security domains. Here, the foundation for your Zero Trust implementation road map has to be defined. New security policies will have to be defined and existing policies might require adaptation. The use cases within the organization should be identified as soon as possible, including what kind of integrations should be established between the controls at the different layers. Integrations will be one of the major changes coming with Zero Trust implementations in the next couple of years.

The vanishing perimeter paradigm will have to result in more integration between the security controls installed at the different layers of defense. The result is consolidated insights that can be used to make the access decisions for your data dynamically (under the principle of “Always Verify”) and access is no longer solely based on static access-control lists (ACLs).

From the ESA point of view, this “Define Context” tenet is where the security policies are set. Moreover, security services are needed to support the organization’s requirements. The capabilities needed to provide the services should be compiled and the high-level solution patterns built on these capabilities will need to address the Zero Trust use cases. The new and adapted capabilities have to be defined at the technical level and then deployed. The ESA should also define how to move from architectural version N to version N+1 through a transformation road map. In the picture below, I map the IBM Zero Trust governance model to the ESA example.

Zero Trust implementation Elite Paradigm LLC

Source: IBM Security

2. Verify and Enforce

The “Verify and Enforce” tenet in the IBM governance model is where most security vendors position their Zero Trust solutions. In an ESA context, this is where the logical architectures define the required security building blocks (SBB).

Next, the logical architecture is worked out into technical designs based on the selected technologies. For example, the implementation of micro-segmentation for infrastructure in the data center will require a detailed technical design at the network layer. The role of ESA is to ensure the overall principles are followed during design and that the design goals like integration are achieved.

3. Resolve Incidents

Next comes everything related to security operations. This third tenet is called “Resolve Incidents” in IBM Security’s Zero Trust governance model. It is here where security operations are defined. This is also where security teams learn how to cope with security incidents impacting trusted connections and speed up both the detection and response for these incidents.

From my perspective, the operational architecture within ESA is the most important concept here. You could have the best security technologies available, but if they’re not properly managed by the security operations team, it won’t meet expectations and can result in failed outcomes. We all know that security maturity can’t be achieved in every layer at the same moment. To overcome this challenge, adequate security monitoring solutions and automated response measures are the best tools to overcome possible gaps in maturity.

4. Analyze and Improve

The tenet of “Analyze & Improve” is a key element of the Zero Trust governance model and it should also be a standard component of every ESA. In a rapidly evolving technology landscape, where there are accelerated product releases thanks to Agile approaches combined with automated CI/CD delivery models, an ESA should focus on the continuous improvement loop.

Implementing Zero Trust principles won’t be achieved overnight. The changes should be tested on a single use case that’s relevant to your business and the effectiveness of that implementation should be consistently measured with improvements applied in an Agile way. Once your initial use case is deemed ready, the same approach can be scaled out to other enterprisewide use cases, meaning that all activities related to “Analyze & Improve” will have to occur at an accelerated pace.

Interested in learning how you can begin your Zero Trust adoption? Learn about the steps you can take with an integrated, multi-disciplinary governance model that advances progress toward maturity.

Access Management | Enterprise Security | Governance | IBM Security | Identity | Identity and Access Management (IAM) | Incident Response (IR) | Security Controls | Security Framework | Security Operations and Response | Security Strategy | Threat Detection | Threat Management
Grounding Cyber Resilience Eliteparadigm LLC

Grounding Cyber-Resilience in the IBM Cloud

Posted on

01

Managing and securing data

The most valuable enterprise asset
is data

Data—the most valuable business asset for enterprises and their customers—must be protected from unauthorized access. Always available and secure data coupled with insightful data analytics drives business innovation, increases client satisfaction and loyalty and, more importantly, gives you a competitive edge in the marketplace.

Managing data throughout its lifecycle in compliance with business, privacy and security regulatory requirements must be the top priority in cloud environments. That is why a trusted business partner with deep expertise in security, privacy and cloud deployments is critical. IBM has successfully helped customers migrate to the cloud by using extensive industry-specific products and services backed by more than 2,500 cloud technology patents granted to IBM.

The nature of global cloud computing means that the physical location of data is very relevant and is becoming more significant every day. Business transactions occur across international borders every second. Big data created in one region gets stored, processed and accessed from other regions across international borders. End users, clients and business partners using your data may be accessing it from all over the globe.

The performance of cloud workloads is proportionate to the user’s distance from the data center where your data is housed.

The performance of cloud workloads is proportionate to the user’s distance from the data center your data is housed. This is also true for cloud providers whom are expected to ensure your data moves efficiently with minimal latency around the globe. Knowing this, IBM has invested heavily in building, maintaining and growing an agile global cloud network backbone that transports public and private traffic around the globe to help ensure an exceptional customer experience.

02

Data location matters

The location of data is often given little attention, but it matters

Organizations often migrate business workloads to the cloud so that data is always available and delivered quickly and reliably to customers around the world. The actual location of data is often given little attention due to lack of clarity about concepts such as universal accessibility, guaranteed uptime service level agreements (SLAs) and high-speed network connectivity. Overlooking your data’s physical location can lead to slow uploads and downloads, unsatisfactory delays in service, a reduction in productivity and loss of customers and business. More importantly, where data resides plays an instrumental role in protecting privacy and meeting the regulatory requirements for data protection.

While the cloud delivers infrastructure as a service (IaaS), data stored on the cloud resides on physical storage devices and data in transit traverses physical networks too. Even data used by your cloud applications—data in use—needs to be secured. IBM Cloud® provides built-in security solutions designed to protect data throughout its lifecycle.

When looking at the potential performance of global networks, it is customary to use the speed of light in fiber to estimate optimal potential response times as measured in return trip time (RTT).

Cloud workloads require an infrastructure that is agile, secure, responsive and has a local presence on a global scale. IBM understands these business cloud needs and as a response has invested in a global network that offers more than 60 data centers, six multizone regions and six continents. IBM’s cloud network keeps application workloads and data secure in data centers that are compliant with regulatory requirements. IBM’s data security addresses data at rest, in transit and in use. IBM Cloud offers IBM Key Protect offering benefits like bring your own keys (BYOK) and IBM Cloud Hyper Protect Crypto Services enabling you to keep your own keys (KYOK) for cloud data encryption.

IBM Key Protect (BYOK)

IBM Key Protect is a multi-tenant key management service (KMS) with key vaulting provided by IBM-controlled FIPS 140-2 Level 3 Hardware Security Modules. With Key Protect, customers bring their own keys (BYOK) to the cloud and manage the keys themselves. IBM values the security and privacy of our customers’ data, so we also provide operational assurance that IBM will not access the keys.

IBM Cloud Hyper Protect Crypto Services (KYOK)

IBM Cloud Hyper Protect Crypto Services offers two-in-one—KMS with built-in Hardware Security Module (HSM). The offer is a single-tenant Key Management Service with key vaulting provided by customer-controlled FIPS 140-2 Level 4 HSMs —the highest available certification. With Hyper Protect Crypto Services, customers KYOKs protected by the HSMs they control and manage. The implementation provides technical assurance that IBM cannot access the keys.

Customer scenario

The ideal situation for enterprises is to deploy cloud workloads in proximity to their customers for optimal response time. Today’s global digital economy means that most enterprises conduct business around the globe and need to ensure that customers, regardless of their location, have pleasant business experiences. For the best experience, the global presence of IBM Cloud affords the opportunity for organizations to deploy their workloads in several locations that are close to their worldwide customer base.

Let’s look at a global business that is based in San Jose, CA with customers in Paris, France and Singapore. The ideal situation for this business is to have workloads deployed as close to these locations—if not directly in these cities—as possible. Alternatively, the business could choose a less optimal solution by deploying workloads in San Jose only; thus giving customers in Paris similar, delayed response times as those in Singapore. With its expansive network, multizone region capabilities and high-speed infrastructure, IBM Cloud is designed to enable businesses to serve global customers in a secure, fast and timely manner.

03

IBM Cloud global data centers

Protect and deliver services to customers worldwide

IBM Cloud data centers and network points of presence (PoPs) are connected to a global network backbone, which carries public, private and management traffic to and from servers. This global network boasts more than 2,600 Gbps of connectivity between data centers and network PoPs with up to 20 TB of no-cost outbound bandwidth (egress traffic). Additionally, the network PoPs have more than 2,500 Gbps of transit and peering connectivity to the Internet. When accessing an IBM Cloud server, the network is designed to bring you onto the IBM global backbone quickly at one of the network PoPs. Clients and end users may experience fewer hops and a more direct route that IBM Cloud controls. When a user requests data from an IBM Cloud server, that data travels to the nearest network PoP where it is handed off to another provider to carry the data the remaining distance.

Global data center locations Elite Paradigm LLC

04

Move data securely and quickly

Move files and data sets of any type and size reliably and at maximum speed

Ensuring your data is secure and protected during a migration and throughout its lifecycle is a critical priority. IBM Cloud uses the same software technology and expertise from on-premises infrastructure making the move to cloud more streamlined and secure. Two examples of this technology are IBM Aspera® on Cloud and IBM Cloud VPC.

IBM Aspera on Cloud

When utilizing IBM Aspera on Cloud, enterprises can move files and data sets of any type and size reliably at maximum speed regardless of network conditions. Aspera on Cloud uses the patented network-optimized proprietary protocol Fast and Secure Protocol (FASP) to securely move data at speeds that often exceed one hundred times the speed delivered by Transmission Control Protocol (TCP). Data transfers using FASP are encrypted for securing your data at rest and in transit. This solution is designed for quick, reliable and secure movement of large files and data sets between clouds and on-premises resources.

IBM Cloud Virtual Private Cloud

Build cloud native 3-tier applications on IBM Cloud Virtual Private Cloud (VPC), which offers a protected space in IBM Cloud with the advanced security of a private cloud and the agility and ease of public cloud. This allows you to control virtual networks in logically isolated segments to quickly deploy and manage compute, storage and networking cloud resources. IBM Cloud VPC adds to the security capabilities of the IBM Cloud and creates more secure environments for application workloads and data through the use of security groups and access control lists.

To ensure enterprise workloads and cloud-native applications are continuously available, IBM Cloud has multi-zone regions (MZR) comprised of three availability zones per MZR with added fault tolerance that can be leveraged by building workloads using multiple subnets within a single VPC. In addition, IBM Cloud Virtual Server for VPC offers an excellent solution for network-intensive applications, simulations or in-memory caching with general purpose profiles that provide up to 80 Gpbs of network performance.

Multi-zone regions and availability zones

IBM Cloud offers a constantly expanding global footprint to help ensure you’re meeting your customers where they are. Our IBM Cloud multizone regions (MZRs) have three or more data centers within six miles of each other. These data centers are located in close proximity to ensure high availability and resiliency. They offer a full and consistent set of services to support your enterprise-class workload needs. MZRs include the full IBM Watson® and cloud stack (IaaS, CaaS, PaaS, cognitive and data) and are connected to two POPs to help provide maximum POP resiliency. High-speed metro-area interconnects allow applications to have less than 2 millisecond latency in cross-zone communications. IBM Cloud services, such as cloud object storage, containers, API and de-identify data under applicable permissions, are regionally aware and take advantage of this solution to ease the burden on the application provider.

Deploy workloads in over 46 data centers across 9 regions and 27 availability zones globally.

IBM Cloud multi-zone region (MZR)

Diagram of IBM Cloud multi-zone region showing connected availability zones and points of presence Elite Paradigm LLC

05

Our responsibility to you

Cloud providers must be committed to the security and privacy of their clients’ data

Data is the most valuable business asset of our time. It’s the world’s new natural resource, growing exponentially not only in quantity but more importantly, form and value. Every action and interaction, every decision and relationship, every event occurring in any of the world’s complex systems, is now expressed as data. This profound shift is compelling enterprises to adopt new technologies and business architectures based on cloud; and new business processes, skills and forms of engagement. In the rush to harness potential business value from data, cloud providers mustn’t lose sight of basic expectations that individuals, enterprises and communities rightly have regarding security, trust, privacy, jobs, skills–and, increasingly–the data they own or that is collected from them.

Data ownership and privacy

IBM believes that the unique insights derived from our clients’ data are their competitive advantage, and we do not share them without clients’ explicit agreement. We employ security practices to help safeguard data, including the use of encryption, access control methodologies and proprietary consent management modules, which allow us to restrict access to authorized users.

We advocate for strong and innovative means to enhance privacy and data protection, and we will continue to invest in privacy enhancing technologies. We were an early adopter to the European Union (EU) Data Protection Code of Conduct for Cloud Service Providers for several IBM Cloud services and offerings—securing certification under the US-EU Privacy Offerings and the APEC Cross-Border Privacy Rules. IBM was the first cloud provider to deliver hyper data protection and commit to the EU’s General Data Protection Regulation (GDPR) compliance. IBM Cloud is GDPR compliant.

Data flows and access

Protecting the privacy of your data, which is fundamental in our data-driven society, is something that IBM appreciates and is fully committed to. We’ve made significant investments in our cloud data centers around the globe to give clients the flexibility to decide where to store and process their data. We believe these decisions generally should be driven by client choice rather than government mandate.

Data security and trust

IBM Cloud employs security practices and technologies to help safeguard workloads and data. On the IBM Cloud, data is protected while at rest, in transit and in use. We’re poised at the forefront of applying artificial intelligence capabilities to stay steps ahead of emerging digital threats. We do not put “backdoors” in our products for any government agency, nor do we provide source code or encryption keys to any government agency. You are the only party that would own your encryption keys and not even IBM would have access to those keys. IBM Cloud security builds on IBM’s heritage of providing proven in-the-field tested security solutions used by thousands of enterprises worldwide.