As enterprises evolve towards ever more complex infrastructures and services, Modex BCDB emerges as a zero-trust enabler that distances itself from the traditional reactive approach to data protection, taking instead a proactive stance towards answering the data security challenges posed by the rapidly expanding cybersecurity threat landscape.

Companies now operate several internal networks and multiple satellite offices spread throughout the world, each with its own local infrastructure, accompanied by an increase in remote working and bring your own device (BYOD) practices. This has expanded the cybersecurity threat area as well as the number of potential vulnerabilities that malicious actors can exploit to gain entry to a company’s systems and target its data.

Paired with the trend ushered in by the advent of cloud computing and IaaS offerings, in which control over data assets is handed over to cloud providers in exchange for hosting services, it becomes clear that traditional data security strategies aren’t compatible with the new data management reality. Through its technological layer, Modex BCDB helps the digital industry, tech companies, governmental institutions, and indeed any organization that relies on a database regain control over their most valuable asset: their data.


A brief history of zero-trust

The concept of zero-trust circulated in the cybersecurity space long before the term was coined. The Defense Information Systems Agency (DISA) and the US Department of Defense were the first to publish a work that put forward a more secure enterprise strategy, “black core”, which centered on moving from a perimeter-based security model to a strategy focused on securing individual transactions, an approach similar to what we know today as zero-trust.

The work done by Jericho Forum in 2004 further consolidated the idea of deperimeterization in the public consciousness, highlighting the limitations and potential risks associated with the reliance on a single, static defense over a large network. 

The initial concept of deperimeterization evolved in complexity over the years into what we know today as zero-trust, a term coined by John Kindervag during his tenure as a vice president and principal analyst for Forrester Research. Over time, zero-trust established itself as a concept describing an assortment of cybersecurity solutions that distance security from implied trust based on network location, focusing instead on measuring trust on a per-transaction basis.

The concept of zero-trust

Zero-trust is a type of cybersecurity initiative designed to help prevent data breaches by removing the concept of trust from an organization’s network architecture. A core tenet of zero-trust is the principle of “never trust, always verify”, which stipulates that no device, user, or application that attempts to interact with a company’s architecture should be considered inherently secure. A zero-trust infrastructure treats everything as a potential threat that requires verification. To achieve this level of protection, zero-trust solutions need to leverage network segmentation, prevent lateral movement, and implement granular user-access control mechanisms.

Zero-trust comes in stark contrast to conventional security models that function on the outdated assumption that everything inside an organization’s network should be trusted. As such, the main flaw of traditional security models is their reliance on a broken trust model which assumes that users aren’t compromised and that every member of the network can act responsibly and in a trustworthy manner. Another major flaw of traditional security models is that they are designed to protect a well-defined perimeter, which most of the time leaves threats that penetrate the network undetected and free to access and exfiltrate sensitive corporate data.

Modex BCDB, a zero-trust enabler

By combining traditional database engines with a blockchain backend, Modex BCDB helps organizations build a zero-trust foundation for their applications. Before implementing Modex BCDB an organization needs to identify a “protect surface” that consists of an organization’s most valuable data and assets and secure them in its blockchain environment, rendering them immutable. Each company defines its unique protect surface that is shaped by the business logic that governs it. Because the protect surface is composed only of the most important data assets of a company, it is exponentially smaller than the overall attack surface that is visible to an outside attacker.

Once an organization has delimited its protect surface in the Modex BCDB environment, it is free to make use of highly granular access control mechanisms to identify how traffic moves in relation to the protect surface. Visibility over the entire network gives sysadmins a clear overview of who users are, what their behavior patterns are, and what data they need to access to perform their duties, which enables them to formulate and enforce data access control policies based on the principle of least privilege (users have only the bare minimum privileges necessary to perform their job).

The benefits of a Modex-enabled zero-trust environment

Lateral movement security

Modex BCDB leverages the “never trust, always verify” principle to combat the lateral movement of malicious actors. Lateral movement covers a wide range of techniques employed by attackers to navigate a corporate network in search of valuable data. In the realm of cybersecurity, stopping lateral movement is ranked as a top priority. In most cases, the point of infiltration is not the location targeted by attackers, so an attacker who compromises an endpoint needs to move laterally through the system to reach the target.

By utilizing the inbuilt access control mechanisms of the BCDB solution, users can define movement and access policies that segment the network into multiple micro-perimeters, rendering lateral movement almost impossible. To illustrate the point, an organization that implements Modex BCDB can segment the network by department.

This way, users from the human resources department won’t be able to access financial data or marketing-related information, and users from the finance department will not be able to access assets or CRM systems belonging to the marketing department. This is why it is imperative to segment the network through role-based access privileges. In a Modex BCDB environment, even if an attacker manages to reach the protect surface, they will find it impossible to tamper with the data records stored on the blockchain, as the system is designed to render any unauthorized changes invalid and restore the records to their previous version, registering who attempted the change, when, and what was subjected to unauthorized modification.

Enhanced compliance, audit, and accountability

Modex BCDB facilitates the creation of a zero-trust architecture that offers clear insight into the data flows of an organization. IT audits are designed to expose the technological vulnerabilities present in an organization’s architecture. As such, any data-related issue and the system that manages it are subjected to harsh scrutiny. In a Modex BCDB zero-trust environment, transparency is increased, which allows not only the auditors but also the members of the organization to analyze the internal data flow.

Modex BCDB also eliminates the need for trust between different organizations, whether two governmental organizations, two enterprises, or a governmental organization and an enterprise. This is because the technology grants access to sensitive information based on complex access control policies that cannot be subverted by individual users. For example, if two employees from different governmental agencies need to exchange sensitive information, the system will register who granted permission, who accessed the data, what data was accessed, and when it was accessed. The obvious benefit of this level of transparency is increased accountability, as unauthorized access can no longer be attributed to bureaucratic and administrative procedural errors.
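As an added illustration of the two mechanisms described in the data control and audit passages above, per-department access policies that refuse cross-department writes, and a hash-chained record store whose audit trail registers who attempted what and when, here is a small Python sketch. It is example code, not Modex's implementation or API; the department policy, collection names and users are constructed for the example.

```python
import hashlib, json, time

# Constructed department-to-collection policy for the example (not a Modex policy format).
POLICY = {"hr": {"employees"}, "finance": {"ledger"}, "marketing": {"crm"}}
GENESIS = "0" * 64


class TamperEvidentStore:
    """Append-only record versions chained by SHA-256, plus a who/when/what audit trail."""

    def __init__(self):
        self.chain = []   # each entry carries the hash of the previous entry
        self.audit = []   # every write attempt, authorized or refused

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def write(self, user, dept, collection, key, value):
        """Apply a write only if the user's department may touch the collection."""
        allowed = collection in POLICY.get(dept, set())
        self.audit.append({"who": user, "when": time.time(),
                           "what": (collection, key), "allowed": allowed})
        if not allowed:
            return False
        prev = self.chain[-1]["hash"] if self.chain else GENESIS
        body = {"collection": collection, "key": key, "value": value, "by": user, "prev": prev}
        self.chain.append({**body, "hash": self._digest(body)})
        return True

    def current(self, collection, key):
        """Latest committed value of a record, or None if it was never written."""
        for entry in reversed(self.chain):
            if entry["collection"] == collection and entry["key"] == key:
                return entry["value"]
        return None

    def verify(self):
        """Index of the first entry whose content or link no longer matches, or -1 if intact.

        A direct edit to a stored entry (bypassing write) breaks its digest; a replicated
        deployment would then discard it and refetch an intact copy (not modelled here).
        """
        prev = GENESIS
        for i, entry in enumerate(self.chain):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1
```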

Lower data breach potential

The new levels of transparency, paired with the enhanced monitoring facilitated by the granular access control mechanism and the segmentation of the network, make it easier for security teams to identify and stop malicious data activity. The zero-trust architecture enabled by the Modex BCDB solution provides continuous system inspection, which automatically detects and rejects unauthorized data and workload deviations. Any modification is perceived as untrusted, whether it is the result of lawful or unlawful activity, until it is scrutinized by the policies and control mechanisms set in place. This inherent distrust of any change brought to the data significantly reduces the breach potential and the costs and damages associated with a data breach.

Businesses and enterprises are slowly departing from the traditional modus operandi as sensitive data, applications and even devices are no longer sealed within a well-defined network perimeter. This new shift in the corporate and business mindset signals the need for a departure from the established cybersecurity dogma based on perimeter-based security. In this new context, trust becomes a vulnerability that can be exploited by malicious actors who seek to compromise valuable data. 

Modex BCDB emerges as a zero-trust technology that gives organizations a higher degree of control over their data records. By enabling network segmentation and granular access control mechanisms, Modex BCDB increases data security and enhances compliance, audit, and accountability regarding data access and manipulation, while lowering the data breach potential.