Abstract

This whitepaper presents the guiding principles for how Active Cypher implements a Zero Trust security model with Active Cypher File Security (ACFS). It is our intention with this document to provide sufficient understanding of ACFS that you can imagine your own implementation journey. While every company is different and each journey will be unique, we hope the ACFS product and the Active Cypher (AC) Zero Trust Security Model will expedite your progress.

Introduction

Cloud applications and the mobile workforce have redefined the security perimeter. Employees are bringing their own devices and increasingly working remotely. Data is being accessed outside the corporate network and shared with external collaborators such as partners, consultants, and vendors. Corporate applications and data are moving from on-premises to hybrid and cloud environments. The new perimeter isn’t defined by the physical location(s) of the company; it now extends to every access point that hosts, stores, or links to corporate resources and services. Interactions with corporate resources and services now often bypass on-premises, perimeter-based security models that rely on network firewalls and VPNs.

Presently, companies need a new security model that adapts more effectively to the complexity of the modern environment. Companies that rely solely on on-premises firewalls and VPNs lack the visibility, solution integration, and agility to deliver timely, end-to-end security coverage. The new model also needs to embrace the mobile workforce and protect people, devices, applications, and data wherever they are located. This is the core of Zero Trust.

Today, most companies are unable to retain suitable control over files to prevent them from being improperly emailed, uploaded, synced, stolen, or lost. There was a time when control over files just meant building a strong enough perimeter to keep the bad actors out while letting the good actors keep working, unimpeded by those outside the walls. While this defensive posture seemed logical for its time, we have witnessed how poorly building an ever more defensive primary perimeter plays out over time. The fortress you have been building has become more expensive, complicated, and power hungry than imagined just a few years ago, and the unfortunate results have included bad actors sitting in network systems every day, exfiltrating files and wreaking havoc with data security. It’s time to solve this problem proactively.

There needs to be a new way to view your computer systems and data. We must assume there is no network. There is no firewall. Your company’s files are all on the internet. Your files essentially need to protect themselves. How can you build a fortress around every one of your firm’s files, when there are so many and they can be anywhere in the world?

Active Cypher believes your company’s files should be able to protect themselves against any threat, no matter where the file resides. By first encrypting the contents of the file and then building a perimeter of defensive controls around each file, the defensive perimeter becomes part of the file. It travels with the file when the file is stored with cloud providers such as Google Drive, OneDrive, Dropbox, or Box, and on any laptop, smartphone, USB drive, or other device, anywhere.

 

What does the Active Cypher Zero Trust Security Model mean?

Data is only useful to us when its life cycle includes authorized people accessing and working with it. Instead of believing everything behind the corporate firewall is safe, the AC Zero Trust security model acknowledges that people make mistakes, and that some actions are deliberate and even malicious. The AC Zero Trust model therefore verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify”.

In Active Cypher’s Zero Trust Security Model, every access request is strongly authenticated, authorized within policy constraints, and inspected for anomalies before access is granted. Everything from the user’s identity to the device’s location and trustworthiness is used to prevent breach. We apply file segmentation and shuttering principles to minimize lateral movement. Finally, rich intelligence and analytics help us identify what happened, what was compromised, and how to prevent it from happening again.

 

The Four Tenets of Active Cypher’s Cybersecurity Philosophy

  1. Networks are porous. Data must be protected at the file level.
  2. A holistic and integrated security model is pivotal. Vulnerabilities arise when security options are “bolted” on.
  3. Effective cybersecurity must be seamless, simple to deploy properly, and as close to the network operating system as is practical.
  4. Zero Trust means assuming, by default, that each interaction with a person or an endpoint must be authenticated for that interaction.

 

Zero Trust across the digital estate

In an optimal Zero Trust implementation, your digital estate is connected and able to provide the signal needed to make informed access decisions using automated policy enforcement. Let’s explore how the major components of the Active Cypher (AC) Zero Trust Model and Active Cypher File Security (ACFS) work together to deliver end-to-end coverage.

Once the file’s defensive perimeter has been created, the whereabouts of the file are no longer what your company relies on for protection. It no longer matters which clouds, datacenters, or devices your files end up on: the contents are not readable without passing the perimeter’s checks, so the defensive perimeter keeps the bad actors out wherever the file travels.

Of course, you also need a trustworthy method of allowing or disallowing a person to interact with the deciphered contents of the file. Files protected by ACFS take a Zero Trust position: they rely on verifiable proof of authorization from Microsoft Azure identity and access management services (Azure Active Directory) to determine whether a request to enter the perimeter of the file should be granted or denied.

 

The Solution

Managing a user’s access to sensitive files and data is just as important as managing their access to enterprise applications, yet these two tasks are traditionally separated and handled by different processes. ACFS recognizes that, just as a user’s identity information is the baseline for accessing enterprise applications, that same identity information can be used to extend access control to the file level to ensure that sensitive data is protected.

While the protected files themselves have no direct ability to authenticate or authorize access to their contents, with ACFS present you gain the functionality necessary to perform the authorization check on behalf of the file. ACFS checks Microsoft Azure Active Directory policies for specific security and access control information before granting the user access beyond the file perimeter. Only then are the file contents automatically deciphered and displayed to the user.

ACFS creates an identity-centric file encryption solution that prevents unauthorized access to files no matter where they are stored or taken, ensuring that only users with the proper access privileges can open and view sensitive data. The ACFS solution thereby renders leaked, stolen, or misplaced files useless to the wrong persons. This is essential for the enterprise, as users continue to store sensitive corporate files in many different locations, such as their personal devices, OneDrive, Dropbox, or Google Drive to name a few. ACFS protects a company’s most important digital assets by ensuring that critical files are not accidentally or purposely compromised.

The integration between ACFS and the Windows Server operating system centers on the Active Directory Security Groups & Users organizational structure, which is already the accepted standard for protecting corporate assets stored in the file system.

Working in tandem with Active Directory’s access control and auditing features to encrypt every file shared to users, ACFS operates seamlessly and transparently to both the IT Director and end users. ACFS requires no additional management or programs, nor the knowledge and exchange of keys, certificates, passwords, or secrets. Those limitations imposed by other solutions have always been a roadblock to acceptance by both IT departments and end users alike.

From an end user’s perspective, ACFS is even more transparent and easier to use than it is for the IT Department. The person continues using the corporate assets as they do today, with no additional requirement or burden on them in the encryption and decryption process. When a user attempts to access a protected file, ACFS confirms their identity, membership, and access status via Active Directory Security Groups, and then either allows or denies their ability to access the encrypted corporate files, all without the user’s awareness or effort.

 

The implementation of Active Cypher File Security (ACFS)

Secure Private Cloud – ACFS creates a secure private cloud for the client. All the resources are located in the client’s Azure tenant. As a result, no third party (including Active Cypher) has access to your data.

Key Management – As part of ACFS, we created a multi-layered implementation of AES-256 that is tied to a multi-factor authorization based on device, user identity, and signals gathered from Azure Log Analytics and Microsoft Graph Security data. Together, the ACFS API and user validation challenges form the secrets exchange process. The design goal is that keys are never exposed where they can be stolen or compromised, and that data cannot be accessed by unauthorized persons or systems.

Microsoft Active Directory – ACFS is deeply integrated with your Active Directory Security Groups & Users organizational structure, which already protects your corporate assets stored in the file system. Working in tandem with Active Directory’s access control and auditing features to encrypt each file as it is stored in the shared folders that are shared out to users, ACFS allows IT to govern the protection directly and unambiguously through Active Directory Security Groups. The ACFS rules engine connects via an API to assess risk whenever a file decryption request is presented.
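The access flow described in the Key Management and Active Directory paragraphs above, written out as an added example; this is not Active Cypher’s code, and ACFS’s real API, key hierarchy and risk signals are not documented on this page. Each file is encrypted under its own AES-256-GCM data key, that key is wrapped under a per-group key-encryption key, and the wrapped key is only unwrapped after a policy check on current group membership, device compliance and a risk score. The in-memory group map, the key store, the 0..100 risk scale and the threshold of 70 are constructed stand-ins for the Active Directory groups and Azure telemetry the page names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var ErrNotMember = errors.New("user is not in the security group that governs this file")

// AccessRequest carries the policy signals. RiskScore (0 benign .. 100 hostile) is a hypothetical stand-in for the telemetry the page names.
type AccessRequest struct {
	User            string
	DeviceCompliant bool
	RiskScore       int
}

// ProtectedFile travels with the file: AES-256-GCM ciphertext plus the per-file data key wrapped under the group KEK (both nonce||ct).
type ProtectedFile struct {
	Group                  string
	Ciphertext, WrappedDEK []byte
}

// KeyService makes the release decision. Groups is a constructed stand-in for AD security groups (group -> set of users),
// read live on every request; KEKs holds one 32-byte key per group (the page keeps these inside the customer's Azure tenant).
type KeyService struct {
	Groups map[string]map[string]bool
	KEKs   map[string][]byte // must be non-nil; Protect fills it on first use
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this program is 32 bytes, so this is a bug, not bad input
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return g
}

// seal/unseal handle nonce||ciphertext. aad binds the blob to its group, so a protected file cannot be relabelled to a group the attacker belongs to.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func unseal(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// Protect encrypts under a fresh data key and wraps that key for the group, creating the group KEK on first use.
func (ks *KeyService) Protect(group string, plaintext []byte) *ProtectedFile {
	kek, ok := ks.KEKs[group]
	if !ok {
		kek = randomBytes(32)
		ks.KEKs[group] = kek
	}
	dek := randomBytes(32)
	return &ProtectedFile{group, seal(dek, plaintext, []byte(group)), seal(kek, dek, []byte(group))}
}

// Authorize is the "never trust, always verify" step, evaluated on every request before any key material is touched.
func (ks *KeyService) Authorize(req AccessRequest, f *ProtectedFile) error {
	switch {
	case !ks.Groups[f.Group][req.User]:
		return ErrNotMember
	case ks.KEKs[f.Group] == nil:
		return errors.New("no key-encryption key for this group")
	case !req.DeviceCompliant || req.RiskScore >= 70: // 70 is a constructed policy threshold
		return errors.New("device not compliant or request risk too high")
	}
	return nil
}

// Open releases plaintext only after Authorize succeeds and both GCM tags verify.
func (ks *KeyService) Open(req AccessRequest, f *ProtectedFile) ([]byte, error) {
	if err := ks.Authorize(req, f); err != nil {
		return nil, err
	}
	dek, err := unseal(ks.KEKs[f.Group], f.WrappedDEK, []byte(f.Group))
	if err != nil {
		return nil, err
	}
	return unseal(dek, f.Ciphertext, []byte(f.Group))
}
```

To use it, build a `KeyService` with a populated `Groups` map and an empty `KEKs` map, call `Protect` for each file, and route every read through `Open`. Because membership is consulted on each request rather than cached in the file, removing a user from the group denies the very next `Open`, which is the “shadowing and applying those administrative changes instantly” behaviour the Installation section describes. The group name is passed as GCM additional data on both layers, so rewriting `Group` on a stolen file to a group the attacker does belong to fails at the unwrap step instead of succeeding with a different key.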

Compliance and Governance – AC creates a Secure Private Cloud inside the Azure ecosystem, relying on the governance and compliance certification and verification of Azure Security Center, Azure Sentinel and the Microsoft Graph Security API. This supports compliance requirements for vertical industries such as legal, finance and healthcare, as well as standards such as:

  • NIST 800-173
    • A set of computer security publications from the National Institute of Standards and Technology (NIST) covering NIST-recommended procedures and criteria for assessing and documenting threats and vulnerabilities and for implementing security measures that minimize the risk of adverse events.
  • ISO 27001
    • The information security management system standard of the ISO/IEC 27000 family, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); first published in 2005 and revised in 2013.
  • Azure CIS 1.1.0
    • The CIS Microsoft Azure Foundations Benchmark v1.1.0: consensus-developed recommendations for hardening the configuration of an Azure subscription (identity, logging, networking, storage and compute settings), in the same family as the CIS Benchmarks for operating systems, middleware, applications and network devices.

Coexistence with Windows Virtual Desktop – The design and integration of AC with Microsoft Azure enable the software to deliver a file protection solution within the Windows Virtual Desktop environment.

Windows Virtual Desktop is changing the way virtual desktops are provided by delivering multi-session Windows 10 directly from Azure. Additionally, Windows Virtual Desktop enables IT to provide Windows 7 virtual desktops for users, as well as the option to bring existing Remote Desktop Services and Windows Server desktops and applications, all managed from a unified experience on Azure.

When used with Windows Virtual Desktop, AC provides additional capabilities that enable accessibility and mobility of user data while preventing inadvertent data loss. With AC, existing group security policies and permissions in Azure Information Protection can be leveraged to encrypt user files while using Windows Virtual Desktop. AC works within Azure Information Protection to encrypt the files within established security groups in Active Directory.

Integration with Microsoft Teams – AC surfaces only the files and folders that each user has AD Security Group permission to access. The view is segmented so that each user sees only what is appropriate for their Security Group membership, while retaining their read-only or read/write permission for each file.

 

Installation & Deployment

All too often, encryption as a solution is avoided due to complex installation, deployment and administration. Our goal was to create an encryption solution so easy to deploy that files can be encrypted in minutes. Our solution is the easiest way to protect your data from ending up in the wrong hands.

Software Requirements

  • Windows Server 2008 R2 or newer Active Directory domain controller
  • Windows 7 or newer client (Windows 10 preferred)
  • A Microsoft Azure or Office 365 subscription

Active Cypher’s only requirement of IT is that they continue to perform their regular duties of managing users, groups, file shares, and permissions within Active Directory as they have always done. ACFS works silently in the background, shadowing those administrative changes and applying them instantly, so that decryption of files is limited to the users Active Directory has been configured to allow.

 

To the Cloud and the Zero Trust Security Model

At Active Cypher, we have integrated deeply with the Microsoft technology stack because Microsoft serves individuals, companies, enterprises, organizations, and governments of all sizes.

Referencing Microsoft’s Zero Trust Maturity Model paper, Microsoft recognizes that a so-called “lift-and-shift” approach is not always proper or even necessary; however, they do endorse the timely implementation of Zero Trust security: “The majority of companies will benefit greatly from utilizing hybrid infrastructure that helps you use your existing investments and begin to realize the value of Zero Trust initiatives more quickly.” [1]

With Active Cypher File Security, the benefits of the Zero Trust security model are not an all-or-nothing proposition; it can begin to be realized immediately and in phases.

Like the sides of a cube, Microsoft recommends that a Zero Trust initiative address six factors: Adaptive intelligence, Authentication, Automation, Data protection, Policy support, and Segmentation. You’ll find Active Cypher File Security critical in closing important capability and resource gaps in several of them:

  • Adaptive intelligence: ACFS … with optional risk-assessed intelligence.
  • Authentication: ACFS relies on Azure Active Directory to enforce strong multi-factor authentication.
  • Automation: Event-driven, rules-based, and AI-enhanced risk-based automated alerting and remediation reduce your mean time to respond (MTTR) to attacks.
  • Data protection: File content encryption and a perimeter of defensive controls around each file. This defensive perimeter is part of the file and travels with it, protecting sensitive data against malicious or accidental exfiltration.
  • Policy support:
  • Segmentation: Move beyond a simple, centralized, network-based perimeter to comprehensive and distributed segmentation, using Active Directory Security Groups to maintain software-defined micro-perimeters across the digital estate.

[1] Microsoft Zero Trust Maturity Model – https://aka.ms/Zero-Trust-Vision