Zero Trust File Access Security

Zero-trust file access security is a cybersecurity approach that denies file access by default and grants authenticated users access only to the applications, data, services and systems they need to do their jobs. Zero Trust is a proactive, integrated approach to security across all layers of the digital estate that explicitly and continuously verifies every transaction, asserts least privilege, and relies on intelligence, advanced detection, and real-time response to threats.

Why Zero Trust

Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorized, and encrypted before granting access. Zero trust adoption can offer organizations the following benefits:

  • protecting sensitive data.
  • securing digital transformation.
  • lowering breach risk and detection time.
  • closing security gaps and minimizing the risk of lateral movement.
  • gaining better control in cloud environments.

Zero Trust File Access Principles

  • Verify explicitly

Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.

  • Use least privileged access

Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.

  • Assume breach

Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

Implement Zero trust file access security with EaseFilter

EaseFilter File Control Filter Driver lets you control file I/O operations through filter rule configuration. By setting whitelist and blacklist processes or users, you can allow or block a specific file I/O operation for a specific process or user: you can control who can read your files, allow or block file modification, and prevent your important files from being deleted or renamed.

To implement Zero Trust file access security, set up the filter rule with least privilege access rights as the default. By default, no process or user has the privilege to access the files inside the filter rule; the rule gives zero trust to all processes and users. You can then set up a whitelist for the filter rule that adds specific access rights for specific processes or users, so that only the processes or users in the whitelist have those access rights to the files.

The following code snippet shows how to set up zero trust file access filter rules:

1. Set up the filter rule without encryption enabled, with the least privilege access rights as the default access rights for the filter rule. This means that by default the files can't be accessed; only the processes in the whitelist can access the files.

2. Set up the filter rule with encryption enabled, with the maximum privilege access rights except decryption as the default access rights for the filter rule. This means that by default all files can be accessed but can't be decrypted; only the processes in the whitelist can decrypt the encrypted files.

#include <windows.h>
#include <tchar.h>
#include <stdio.h>
//also include the EaseFilter SDK headers that declare FilterControl and FileFilterRule.

//placeholder: replace with your EaseFilter license key (its type is assumed here).
#define registerKey "<your-license-key>"

int _tmain(int argc, _TCHAR* argv[])
{
    DWORD threadCount = 5;
    DWORD connectionTimeout = 20; //seconds
    ULONG filterType = FILE_SYSTEM_CONTROL|FILE_SYSTEM_ENCRYPTION;
    const WCHAR* fileFilterMask = NULL;

    //create a filter control instance
    FilterControl* filterControl = FilterControl::GetSingleInstance();

    //setup the filter rule for folder 'c:\\secureSandbox1'
    fileFilterMask = L"c:\\secureSandbox1\\*";
    //create this filter rule with the file filter mask.
    FileFilterRule fileFilterRule1(fileFilterMask);
    //setup the least access rights for the filter rule as default access right.
    fileFilterRule1.AccessFlag = LEAST_ACCESS_FLAG;

    //setup whitelist processes, add the maximum access rights to the processes from the Windows system folder.
    fileFilterRule1.AddAccessRightsToProcessName(L"c:\\windows\\*.exe", ALLOW_MAX_RIGHT_ACCESS);

    //setup whitelist processes, add the maximum access rights except rename and delete to your custom trusted process.
    fileFilterRule1.AddAccessRightsToProcessName(L"c:\\mytrustedfolder\\myfile.exe", ALLOW_MAX_RIGHT_ACCESS & (~(ALLOW_FILE_RENAME|ALLOW_FILE_DELETE)));
    //add the filter rule to the filter control.
    filterControl->AddFileFilter(fileFilterRule1);

    //setup whitelist example for the encryption filter rule2.
    //setup the filter rule for folder 'c:\\secureSandbox2'
    fileFilterMask = L"c:\\secureSandbox2\\*";
    //create this filter rule with the file filter mask.
    FileFilterRule fileFilterRule2(fileFilterMask);
    //enable the encryption for this filter rule, by default no process or user can decrypt the file,
    //all processes or users will get the raw encrypted data.
    fileFilterRule2.AccessFlag = (ALLOW_MAX_RIGHT_ACCESS|ENABLE_FILE_ENCRYPTION_RULE) & (~ALLOW_READ_ENCRYPTED_FILES);
    //if you have a master key, you can set it here, or if you want to get the encryption key from the callback function then don't set the key here.
    //256 bit, 32 bytes encryption key (a sample value; keep a production key out of the source code).
    unsigned char key[] = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};
    if(!fileFilterRule2.set_EncryptionKey(key,sizeof(key)))
    {
        goto Exit;
    }

    //setup whitelist processes, allow the trusted processes to read the encrypted files, other processes can't read the decrypted data.
    fileFilterRule2.AddAccessRightsToProcessName(L"c:\\trustedFolder\\whitelistprocess.exe", ALLOW_MAX_RIGHT_ACCESS);
    //this entry names the process without a folder; a full path like the entry above ties the grant to one binary location.
    fileFilterRule2.AddAccessRightsToProcessName(L"notepad.exe", ALLOW_MAX_RIGHT_ACCESS);
    //add the filter rule to the filter control.
    filterControl->AddFileFilter(fileFilterRule2);
    //start the filter driver service.
    filterControl->StartFilter(filterType,threadCount,connectionTimeout,registerKey);

    //keep the filter running until a key is pressed.
    getchar();

Exit:

    filterControl->StopFilter();
    delete filterControl;

    return 0;
}
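
The default-deny rule with a process whitelist that the snippet above configures can be checked on paper before it is deployed. The following is an added stand-alone model, not EaseFilter code or its API: the R_* flags, the glob matcher, the Rule and ProcessGrant types and the first-match evaluation order are all assumptions made for illustration.

```cpp
// Stand-alone model of default-deny rule evaluation with a process whitelist.
// All names and flag values are constructed for this example; they are not the SDK's.
#include <cstdint>
#include <cwctype>
#include <string>
#include <vector>

enum : uint32_t { R_READ = 1, R_WRITE = 2, R_RENAME = 4, R_DELETE = 8,
                  R_LEAST = 0, R_MAX = R_READ | R_WRITE | R_RENAME | R_DELETE };

// Case-insensitive glob match; '*' matches any run of characters (assumed semantics).
static bool globMatch(const wchar_t* p, const wchar_t* s) {
    if (*p == L'\0') return *s == L'\0';
    if (*p == L'*') return globMatch(p + 1, s) || (*s != L'\0' && globMatch(p, s + 1));
    return *s != L'\0' && std::towlower(*p) == std::towlower(*s) && globMatch(p + 1, s + 1);
}

struct ProcessGrant { std::wstring processMask; uint32_t rights; };

struct Rule {
    std::wstring fileMask;                 // files the rule protects
    uint32_t defaultRights;                // rights of every process not in the whitelist
    std::vector<ProcessGrant> whitelist;   // per-process grants
};

// Rights a process holds on a file: the first matching whitelist entry,
// otherwise the rule default. Files outside the rule are not restricted by it.
uint32_t effectiveRights(const Rule& r, const std::wstring& process, const std::wstring& file) {
    if (!globMatch(r.fileMask.c_str(), file.c_str())) return R_MAX;
    for (const ProcessGrant& g : r.whitelist)
        if (globMatch(g.processMask.c_str(), process.c_str())) return g.rights;
    return r.defaultRights;
}

bool isAllowed(const Rule& r, const std::wstring& process, const std::wstring& file, uint32_t op) {
    return (effectiveRights(r, process, file) & op) == op;
}

// Constructed rule mirroring the first sandbox: deny by default, two whitelist entries.
Rule sandboxRule() {
    return Rule{ L"c:\\secureSandbox1\\*", R_LEAST,
        { { L"c:\\windows\\*.exe", R_MAX },
          { L"c:\\mytrustedfolder\\myfile.exe", R_MAX & ~(R_RENAME | R_DELETE) } } };
}

int main() {
    Rule r = sandboxRule();
    // An unlisted process must be denied; the exit code is 0 when that holds.
    return isAllowed(r, L"c:\\temp\\unknown.exe", L"c:\\secureSandbox1\\report.docx", R_READ) ? 1 : 0;
}
```

In this model the wildcard entry also covers executables in subfolders of c:\windows, which is worth confirming against the real driver's matching rules before relying on a broad mask.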