In a shocking data breach, the personal data of UK Special Forces soldiers slated for promotion was being shared in WhatsApp groups after being leaked from someone inside the Ministry of Defence. The spreadsheet contained personal details, including unique service numbers, of 1,182 British soldiers recently promoted from corporal to sergeant – including those in sensitive units such as the Special Air Service, Special Boat Service, and the Special Reconnaissance Regiment. It was available for download on WhatsApp with no password protection or security markings to identify it as “confidential” or “secret”.
According to reports, a former Army source said the practice of sharing promotions in a password protected spreadsheet on an intranet accessible by the entire 80,000 member British Army is routine.
This data breach highlights the dangers of insider threats caused by negligence and oversharing. According to the 2021 Verizon Data Breach Investigation report privilege abuse and data mishandling, such as mis-delivery (e.g., sending an email to the wrong distribution list), are the top sources of insider related data breaches. Personal data is the most common target / disclosed data type in both scenarios by a wide margin.
Zero Trust is Essential to Modern Security
Trusting users to do the right thing is no longer a viable option for protecting data. Zero Trust Network Access (ZTNA) is quickly gaining popularity to better support today’s distributed workforces and cloud-hosted applications. But what about the data that sits behind the applications as in the case of the UK Army data leak?
ZTNA is designed to address network and application access, not the data behind the applications. Whether the cause is simple negligence or malicious data theft, a proactive data-centric policy-based approach based on ‘Zero Trust’ is a far more effective methodology to ensure data remains secure. This modern approach to data security uses the same principle as ZTNA—do not automatically trust any user inside or outside your perimeters, instead you must verify anyone trying to connect to any systems, applications, or individual data files before granting access to them.
The Who, What, When, Where of Data Access & Handling
When it comes to protecting sensitive and classified information you need that same level of granular control at the data layer that you already require to authenticate users into your systems and applications.
To properly protect information, organizations must be able to control a variety of data access and handling factors including:
- Who should have access to the data?
- What a user can do with it once access is granted? For example, should they be able to edit, download, and/or copy it? Or should it be read only?
- When is access permissible? Business Hours, In the Office, Remote, from company or personal devices?
- Where can they share it? With whom?
- What if they try to circumvent security by snapping a photo of the information?
While this may sound complicated to do, attribute-based access control (ABAC) provides an elegant solution. ABAC is a data-centric Zero Trust security model that evaluates attributes (or characteristics of data and/or users), rather than roles, to determine access.
This data-centric security approach evaluates each file’s attributes including security classification and permissions, as well as user attributes such as nationality, security clearance, and environmental attributes such as time of day, location, and device to determine who is able access, edit/copy/download and share files.
This gives organisations granular control by adjusting security in real-time to determine whether the user should be given access to the requested information based on all of these parameters at that point in time, and what they can do with it if access is granted.
If the user scenario does not match, or appears suspicious, then access is denied, or a restricted view of the data is provided. For example, if an authenticated user is trying to access a sensitive file they own, but it is outside of business hours and they are using a BYOD device in another country, file access will be denied – effectively thwarting a hacker using stolen credentials.
Standing up a Data-centric Zero Trust Model
archTIS solves a range of secure collaboration problems from the compartmentalized classified information sharing needs for government and Defence applications, to securing sensitive information collaborated on, in Microsoft applications – all using secure attribute-based access controls (ABAC) that enforce zero trust at the data layer.
With Zero Trust Network Access (ZTNA) quickly becoming the gold standard for secure access, archTIS products extend the concept of zero trust down to the data layer to not only control who can access information, but what they can do with it and whom they can share it with, uniquely tackling threats from the inside out.
As organizations move to a more distributed workforce and collaborate with external organizations and individuals, archTIS technologies offers a security model that can adapt and meet threats from wherever they might come.