Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Articles

12/23/2019
08:00 PM
Curtis Franklin Jr.
Curtis Franklin Jr.
Edge Features
100%
0%

Santa and the Zero-Trust Model: A Christmas Story

How would the world's most generous elf operate in a world of zero-trust security? A group of cybersecurity experts lets us know.

A Segmented Home

Given the importance of the pre-entry authentication, Tripwire's Reguly says processes must be in place to prevent unauthorized intruders from tailgating Santa down the chimney. And once the big man is inside, the security issues are not laid to rest.

"You have to watch internal lateral movements, so it's privileged access to a specific area. It's not really easy access to the entire house," Vectra's Sheu says. "You know, the key is keeping Santa Claus within a specified radius of the designated gift reception area."  

The goal then being is to corral Santa to the tree, the stocking-hanging center, and wherever the cookie-and-milk bribe has been left. And to ensure compliance, Reguly suggests a comprehensive logging regimen taking into account every internal stop Santa makes, along with the activity at each.

Virsec's Leichter takes a comprehensive view of a solution, with better real-time monitoring and forensics of what Santa actually does.

"While some believe he comes and goes too quickly to track — realistically, delivering to billions of households only leaves micro-seconds per visit — more advanced security technology can deliver this kind of split-second detection, threat analysis, and, if required,  automatic protection actions — closing the chimney flue before to prevent him from escaping after misdeeds," Leichter says. "This may sound harsh, but mythical figures who have nothing to hide should not object to visibility and accountability.

"If we don’t enforce zero-trust consistently, good luck cleaning up after the Easter Bunny," he adds.

About Those Gifts
Kiersten Todt, managing director of the Cyber Readiness Institute, points out that the gifts themselves carry risk, especially if they're wrapped — a physical form of encryption that hides the true contents of the package. Sheu says some would suggest an authorized man-in-the-middle attack — unwrapping, verifying, and rewrapping each gift — but he says that technology has provided us with a better approach.

"If you give Santa a public key and you have a private key, he can insert the public key at the time of wrapping, and you can validate it," he says. And keeping track of all the certificates for all the gifts delivered around the world on Christmas Eve? The perfect application, Sheu says, for the distributed ledger of a blockchain.

Naughty and Nice
Once experts began looking at Santa from a zero-trust perspective, every aspect of his "operation" came under scrutiny. One of those aspects is the naughty and nice list (checked twice!) that forms the basis of the delivery schedule.

"Who created that naughty or nice list? Did the parents create it or did some 4-year-old create it and hand it off to Santa Claus?" Sheu asks. In order to make sure that the critical list has been created and stored properly, he says, "you would you need to verify the validity with a blockchain."

Further, if this naughty-and-nice list were to be exposed in a data breach, the impacts would be far-reaching. 

Todt imagines that an up-to-date list might be stored on Santa's smartphone, which leads to a whole new level of security concern. "There is technology that exists that encrypts not just messaging but video, phone, etc., and that's where we have to go," Todt says. "It's also about mobile security."

She continues, "You can no longer absolve yourself of responsibility in the tech space if you're using a phone to do anything. If Santa isn't taking the appropriate precautions, then yes, that would be an issue."

The Risk Profile
Ultimately, experts agreed that Santa's visit could be conducted under a zero-trust model, but said that a risk assessment would be appropriate before investing in the process.

As with any new security scheme, moving to zero trust for Santa should start with a risk assessment. NormShield's Maley says that despite the myriad attack possibilities, existing data shows that the probability of Santa committing theft is virtually nonexistent. So is the risk truly high enough to merit the investment?

If zero trust is enacted, says Maley, we may also need to "tell our kids that, well, Santa is not coming to our house. That's an example of, well, I think we have gone overboard with zero trust, perhaps."

Maley defines "overboard" in stark terms. "And the pain is real because if we tell our kids Santa is not coming ... I wouldn't want to be in that house," he says.

Related Content:

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 1:04:02 PM
Re: Risk
Agreed, I think I would follow that up with even with Santa having diminished access, it still requires scrutiny to a degree. A lot of the time we completely neglect this aspect in lieu of review for more privileged/authoritative access but there is a point where lower level accounts will need to be reviewed.

An escalation vulnerability could turn Santa from the kind hearted low level access into a full blown Krampus and tht is the last thing as Security Practioners we would want.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 1:01:27 PM
Re: Authentication
Definitely agree here. I think one platform that can very much help in these instances are Privileged Access Management (PAM) platforms. Not a silver bullet of course but a step in the right direction.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 1:00:06 PM
Re: zero-trust security
The opposite sentiment of the old KGB addage, "Trust but Verify". As a security professional, I much prefer Zero-Trust and Verify to its Russian counterpart.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 12:58:30 PM
Re: Supply chain
Contractors tend to be the weakest link because their access isn't as heavily regulated typically as full time employees. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 12:57:43 PM
Re: Basics
Background checks are pivotal. It seems now that background checks are very much singling in on financial background checks in lieu of other categories which is somewhat of a paradigm shift for how they use to be performed.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 12:56:01 PM
Re: zero-trust security
Most definitely, I also find it entertaining that many of the articles being written currently are holiday centric. Adds to the enjoyment of these insightful reads.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 2:14:09 PM
Risk
the risk of Santa-inflicted damage is low. Still, that doesn't mean Santa should necessarily be given free rein within the household. Another good point. We can accept some risks but we need to do risk analysis to identify that.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 2:11:46 PM
Authentication
it's about the one-time decision and then long-term follow-up to make sure that the authorization is still appropriate. Agree. Authentication should not be a point in time, it should be as needed process. Authenticate as services being asked.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 2:09:41 PM
Re: zero-trust security
Yes, I like it very much too. Zero-trust and verify is a good approach in security.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 2:08:22 PM
Supply chain
Santa seems to have an extensive supply chain, and that the supply chain and support staff should come under scrutiny, as well. This is another good point. Contractors are tend to be the weakest link.
Page 1 / 2   >   >>
Name That Toon: The Lights Are On ...
Flash Poll