
What Does Zero Trust Architecture Mean for Internal Investigations?

February 23, 2024

Much of the current interest in zero trust architecture as a paradigm for organizational cybersecurity traces back to a January 2022 White House memo (OMB Memorandum M-22-09) titled "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles." The fact of the matter, though, is that many organizations, in both the public and private sectors, have been embracing the principles of zero trust for much longer.

The Rise of Zero Trust

The term "zero trust" is relatively new, and its rapid rise to buzzword status may obscure some of the key ideas involved. Zero trust architecture as a security paradigm has arisen as a response to today's de-perimeterized networks. Historically, organizations secured their IT infrastructure and data by creating and hardening a perimeter. Organizational assets, including networks, software, and data storage, resided inside that perimeter, both physically and logically. Think of ID cards or keys to enter the office, servers stored in secure rooms with limited access, and on-premises data and applications secured behind firewalls. Anything that had made it inside the perimeter was, in effect, trusted.

Zero Trust and Modern Network Architecture

If you think about corporate information architecture today, data is stored on servers, cloud data storage, on personal devices, and in SaaS software solutions. Applications too exist in multiple places: on network servers and smartphones, on laptops and in the cloud. Workers log in from offices, home, through mobile devices, and even from wi-fi networks in a local coffee shop. Threats to security arise from outside the organization—and within—in the form of bad actors, phishing attacks, and malware-infected devices. Securing the perimeter no longer protects an organization from cyberthreats.

Zero trust security, which exists in the form of policies as much as, if not more than, technology, brings a mindset of continual vigilance, validation, and verification to organizations' information infrastructure. Its core idea is that network location confers no trust: every access request, whether from a user, a device, or a piece of software, is authenticated and authorized on its own merits, granted the least privilege the task needs, and treated as though the network it came from may already be compromised. This helps organizations minimize the risk and impact of cybersecurity threats, wherever they may originate.

Conducting Investigations in Zero Trust Environments

In an environment where every user and program must continually prove its identity and its entitlement to each resource, it might seem difficult to deploy digital forensic software for investigators to use. Forensic tooling needs broad, privileged access to endpoints, which looks a lot like the standing, implicit trust that zero trust is meant to remove. Zero trust does not forbid privileged tooling, however; it requires that the tooling's identities (both the console and every endpoint agent) be strongly authenticated, that each action be explicitly authorized and logged, and that access be no wider or longer-lived than the investigation requires. Modern forensic technology like the Exterro FTK® Suite is built to let investigators conduct their business within those constraints rather than around them.

To effectively conduct investigations, a forensic solution must be able to:

  • Obtain the privileged access it needs on endpoints across the network (in a zero trust deployment, scoped to the investigation, time-bound, and audited rather than standing, network-wide admin rights)
  • Deploy agents to remote devices
  • Maintain an inventory of all devices—and the ability to respond to incidents on these devices
  • Operate across platforms including Mac, Windows, and Linux
  • Image and collect data forensically across an encrypted connection
  • Remediate incidents by deleting files, closing ports, or potentially deactivating users
  • Preview endpoints to analyze files in use, programs running, and connected services in real time

The Power of FTK® Enterprise Public Site Server

FTK's public site server lets IT departments respond to security incidents on all devices, whether they are on the local network or remote. It resides in a secured environment on your network, and agents deployed on monitored devices can communicate with the public site server any time they are connected to the internet. Because the server is reachable from the internet and can dispatch collection and remediation jobs to every agent, it should be treated as a high-value asset: agents and server should authenticate each other, the server should be hardened and segmented from the rest of the network, and every job it issues should be logged.

Through instructions deployed on the public site server, remote agents can perform critical incident logging, analysis, and remediation tasks including (but not limited to):

  • Scanning, analyzing, or deleting files
  • Collecting from memory
  • Collecting forensic images
  • Closing ports
  • Deactivating users

Even if devices are not connected to a VPN or the internal network, the FTK public site server allows IT to communicate with them and, in the event of a breach or an incident, perform the actions needed to secure that device, secure the network, and abide by the zero trust mandate. If a device is not online, administrators can queue a job on the server; as soon as the device reconnects to the internet, the server delivers the job to the agent, which performs the necessary actions.
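The queue-and-deliver pattern described above is easiest to reason about in code. What follows is an added illustration written for this page, not Exterro's or FTK's implementation: the class names, the HMAC-signed JSON job envelope, the per-agent enrolment key, the action allow-list and the one-hour job lifetime are all assumptions chosen to show the zero trust point, namely that an agent verifies every instruction it receives (signature, addressee, freshness, replay, permitted action) before acting on it, even though the instruction came from "its own" server.

```python
"""Minimal queued-job channel between a job server and an endpoint agent.

Hypothetical illustration (not Exterro/FTK code). The envelope format, the
allow-list, the TTL and the sample keys are assumptions made for this example.
"""
import hashlib
import hmac
import json
import time
from collections import defaultdict

# Actions an agent will run. Anything else is refused even with a valid
# signature: a compromised server cannot grant itself new powers on the endpoint.
ALLOWED_ACTIONS = {"scan_file", "delete_file", "collect_memory",
                   "collect_image", "close_port", "deactivate_user"}
JOB_TTL_SECONDS = 3600  # assumption: a queued job older than an hour is stale


def _canonical(job):
    """Deterministic encoding so server and agent sign/verify identical bytes."""
    return json.dumps(job, sort_keys=True, separators=(",", ":")).encode()


class JobServer:
    """Keeps one queue per agent and signs each job with that agent's key."""

    def __init__(self, agent_keys):
        self._keys = dict(agent_keys)      # agent_id -> secret agreed at enrolment
        self._queues = defaultdict(list)
        self._next_id = 1

    def enqueue(self, agent_id, action, params, now=None):
        """Queue a job for an agent that may be offline right now."""
        job = {"id": self._next_id, "agent": agent_id, "action": action,
               "params": params, "issued": time.time() if now is None else now}
        self._next_id += 1
        body = _canonical(job)
        sig = hmac.new(self._keys[agent_id], body, hashlib.sha256).hexdigest()
        self._queues[agent_id].append({"body": body, "sig": sig})
        return job["id"]

    def checkin(self, agent_id):
        """Called when an agent reconnects: hand over and clear its pending jobs."""
        pending, self._queues[agent_id] = self._queues[agent_id], []
        return pending


class Agent:
    """Endpoint side: verify every job before running it; never trust the channel."""

    def __init__(self, agent_id, key, handlers):
        self.agent_id = agent_id
        self._key = key
        self._handlers = handlers          # action -> callable(**params)
        self._seen_ids = set()             # replay protection

    def process(self, envelopes, now=None):
        now = time.time() if now is None else now
        results = []                       # (status, job id, detail) per envelope
        for env in envelopes:
            expected = hmac.new(self._key, env["body"], hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, env["sig"]):
                results.append(("rejected", None, "bad signature"))
                continue
            job = json.loads(env["body"])
            if job["agent"] != self.agent_id:
                results.append(("rejected", job["id"], "addressed to another agent"))
            elif job["id"] in self._seen_ids:
                results.append(("rejected", job["id"], "replayed job id"))
            elif now - job["issued"] > JOB_TTL_SECONDS:
                results.append(("rejected", job["id"], "job expired"))
            elif job["action"] not in ALLOWED_ACTIONS or job["action"] not in self._handlers:
                results.append(("rejected", job["id"], "action not permitted"))
            else:
                self._seen_ids.add(job["id"])
                outcome = self._handlers[job["action"]](**job["params"])
                results.append(("executed", job["id"], outcome))
        return results


def demo(now=1_700_000_000.0):
    """Constructed scenario: queue while offline, verify on reconnect, reject abuse."""
    key = b"per-agent-secret-from-enrolment"          # constructed sample key
    server = JobServer({"laptop-42": key, "laptop-99": b"another-constructed-secret"})
    agent = Agent("laptop-42", key, {
        "close_port": lambda port: f"closed {port}",
        "collect_memory": lambda: "memory image queued for upload",
    })
    # Device is offline: jobs accumulate on the server.
    server.enqueue("laptop-42", "close_port", {"port": 4444}, now=now)
    server.enqueue("laptop-42", "collect_memory", {}, now=now)
    server.enqueue("laptop-42", "format_disk", {}, now=now)                       # not allowed
    server.enqueue("laptop-42", "close_port", {"port": 22}, now=now - 2 * JOB_TTL_SECONDS)  # stale
    # Device reconnects and pulls its queue.
    envelopes = server.checkin("laptop-42")
    first = agent.process(envelopes, now=now)
    replayed = agent.process(envelopes, now=now)          # same envelopes again
    forged = dict(envelopes[0])                           # alter a signed body
    forged["body"] = envelopes[0]["body"].replace(b"4444", b"80")
    tampered = agent.process([forged], now=now)
    return first, replayed, tampered
```

Two design choices carry the zero trust weight here. First, the agent's allow-list is enforced on the endpoint, so the set of things a server can do to a device is fixed at enrolment and cannot be widened remotely. Second, the agent tracks job ids and rejects stale or repeated envelopes, so a captured job cannot be replayed later (for example, to re-deactivate a user after an investigation has closed). A production channel would put the envelope inside mutually authenticated TLS and sign with a per-agent asymmetric key rather than a shared HMAC secret, but the verification steps the agent performs stay the same.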

To learn more about how the Exterro FTK Suite lets digital forensic investigators perform key job functions in zero trust environments, download the Exterro whitepaper "Forensic Investigations in Zero Trust Environments."
