
Implement Data Protection with a Little Creativity


The threat: credential theft allows unauthorized access to high-value assets.

Enterprise network security perimeters are dissolving. In many ways, this is a good thing: the business value gained in open collaboration among a geographically distributed workforce using a variety of computing devices is driving IT innovation. Nevertheless, the need for protecting the most valuable enterprise data is forcing IT professionals to get creative with security defense. Recent internet-based attacks remind us that every computer with access to sensitive data (whether accidental or by design) is a potential vector for compromise. JW Secure is finding that while strong authentication of user accounts remains important, strong authentication of computers is the current weak link in enterprise data security.

The weak link of High-Value Asset networks

Applied to datacenters, the High-Value Asset (HVA) concept refers to IT infrastructure that hosts business-critical data. There needs to be a mechanism to identify the computers that are allowed to access the HVA, and those computers must be known to be secure against attacks aimed at those assets. The methods for collecting those computers into a Stronghold for protection include creating a directory bastion or a network enclave where those machines are maintained. But business interests may require that those machines be located anywhere in the world where they are needed. This paper addresses the problem of ensuring the security of the machines that have access to the HVA, irrespective of the method used to identify them. This is done by releasing sensitive data only to computers that are attested to be secure.

Penetration tests and incident response engagements frequently show that attacks against credentials held by users and services on a corporate network (corpnet) are successful. However, the further challenge is that the HVA network, by its nature, is providing some utility to the business, and hence is likely to be connected to corpnet in some way. That external network connectivity — while it can be designed to be reasonably secure — is the chink in the armor of the HVA. The employees that are authorized to connect to the HVA tend, sooner or later, to leave some breadcrumbs in the corpnet environment that allow a sophisticated remote attacker to piggyback from corpnet into the HVA. Those vulnerable breadcrumbs can come in many forms, ranging from shared passwords to drive-by download of targeted malware.

As usual, we find that there is a tradeoff between security and usability. The good news is that there are opportunities to meaningfully increase security without increasing the burden on end users.

Defending the HVA

To shore up HVA defense, we start by protecting the computers used by those with access to the HVA in a way that is seamless to the user. Provided that the host computer remains compliant with security policy, the additional host protections remain in the background — i.e., not a stumbling block for the user. These protections include the latest hardware-based capabilities of the platform, including Device Guard, Credential Guard, and TPM remote platform attestation. For example, the JW Secure StrongNet solution packages and enforces those policies for HVA-connected DevOps and datacenters.

(Diagram: the HVA network with its Access App, and the User device that requests HVA assets)
In other words, the first step is to implement strict security settings on all host computing platforms (shown in the diagram above as the Access App in the HVA network and the User device that requests those assets) in a way that is enforceable from the HVA. Enforceable is the key word here. Policies established in the HVA network need to be projected outward to authorization servers that can attest to the security of any device before HVA access is granted. There are two benefits to this approach.

The first benefit is that HVA authentication becomes the hard-core authorization pinch point that it should be: if you're not compliant with the latest security policy at the time of each access attempt, then the access request is denied by the HVA itself. Plus, the ability to automate enforcement means that there's minimal ongoing operational cost to the sysadmin. Without enforcement, policy drift is inevitable, and we find policy drift to be a significant tax on the IT organization.

The second benefit is credential theft mitigation. For defense in depth reasons, we assume that some combination of user multi-factor authentication is deployed. However, credential theft mitigations are relevant even with strong user authentication because host software has access to the credential every time it's presented, even if it's only for a brief period of time. Plus, every network security protocol creates session state, and state data is just as susceptible to Pass the Hash attacks as static passwords. In addition, if the attacker can get a rootkit or bogus driver on the host, not only is the HVA exposed, but the compromise is difficult to detect. Finally, offline attacks are a concern, too: if the attacker can steal an unencrypted hard drive from an airport or the back of a taxi, he gets access to the cached security protocol state, not to mention the enterprise data itself.

It is in the area of local computer policy for user and datacenter hosts that we have helped our customers prevent credential misuse. Locking down the host and enforcing an attested boot log check at every chokepoint into the HVA ensures that (a) HVA policy compliance prevents boot-level attacks from spreading and (b) HVA policy compliance prevents unencrypted drives from accumulating sensitive data. Looking at the diagram above, we see that HVA policy needs to be the ultimate determinant of authorization criteria, although for usability and attack surface reduction reasons we recommend that security policy enforcement be as stringent as is practical throughout corpnet.

How can HVA policy enforcement work? Briefly, using either a TPM or a vTPM at the host level, the security state of the host is measured and reported through remote platform attestation backed by a hardware root of trust. The authorization layer in the HVA can then determine cryptographically, in real time, whether a given host is compliant with policy. Whether the computer is for user access or for HVA storage, IT management can assert with confidence that best practice policies are applied and in force at all critical access points.
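The attested boot log check and the real-time authorization decision described above, as an added illustration that is not JW Secure's StrongNet code: a single PCR is replayed from a measured-boot event log with SHA-256 extends, the host presents a quote over that PCR and a server-chosen nonce, and the HVA authorization layer grants access only if the quote is fresh, correctly signed, consistent with the presented log, and matches a policy-approved PCR value. The attestation key is modelled as an HMAC key shared with the authorization server (a simplification of the TPM attestation key signature), and the boot logs are constructed sample data.

```python
import hashlib
import hmac
import os

# Simplification for this example: the TPM attestation key signature is modelled
# as an HMAC under a key known to the authorization server (constructed value).
AK_KEY = b"constructed-attestation-key-not-a-real-secret"

def replay_boot_log(events):
    """Replay measured-boot events into one PCR: pcr = H(pcr || H(event))."""
    pcr = bytes(32)  # PCR starts at all zeros after reset
    for event in events:
        pcr = hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()
    return pcr

def make_quote(events, nonce):
    """Host side: report the PCR bound to the server's nonce, plus the log."""
    pcr = replay_boot_log(events)
    sig = hmac.new(AK_KEY, nonce + pcr, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig, "log": list(events)}

def authorize(quote, expected_nonce, allowed_pcrs):
    """HVA authorization layer: every check must pass before data is released."""
    if not hmac.compare_digest(quote["nonce"], expected_nonce):
        return False, "stale or replayed quote"
    expected_sig = hmac.new(AK_KEY, quote["nonce"] + quote["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(quote["sig"], expected_sig):
        return False, "bad attestation signature"
    if replay_boot_log(quote["log"]) != quote["pcr"]:
        return False, "boot log does not match quoted PCR"
    if quote["pcr"] not in allowed_pcrs:
        return False, "host not compliant with HVA policy"
    return True, "compliant"

# Constructed sample boot logs: a compliant host and one that loaded an
# unapproved driver, which changes the final PCR value.
GOOD_LOG = [b"firmware:v1", b"bootloader:signed", b"kernel:codeintegrity-on", b"drivers:approved-set"]
BAD_LOG = [b"firmware:v1", b"bootloader:signed", b"kernel:codeintegrity-on", b"drivers:unapproved"]

# Policy: the set of PCR values the HVA accepts (golden measurement of GOOD_LOG).
POLICY = {replay_boot_log(GOOD_LOG)}

if __name__ == "__main__":
    nonce = os.urandom(16)
    print(authorize(make_quote(GOOD_LOG, nonce), nonce, POLICY))
    print(authorize(make_quote(BAD_LOG, nonce), nonce, POLICY))
```

A host that swaps in a clean log but keeps its real PCR, or re-sends an old quote, is refused by the consistency and nonce checks rather than by the policy lookup alone.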


Quote of the month

I will love the light for
it shows me the way,
yet I will endure the darkness because it shows me the stars.
- Og Mandino -

Thank you for reading the JW Secure Informer

The JWSecure Informer is a bimonthly newsletter that can be sent directly to your inbox. Please add to your safe sender list. To subscribe, or contact Customer Care, use the links below.
This information has been organized and published by:
JW Secure, Inc.
1752 NW Market St. • Suite 227 • Seattle, WA 98107
© 2016 JW Secure, Inc. All Rights Reserved.