If an adversary has the credentials of a user on the network, then they can access data even if it's encrypted, just as the users on the network have to access data, and that did occur in this case. So encryption in this instance would not have protected this data.
In the next 30 days we know there is a set of things we can do that will fairly dramatically improve our security profile... like two-factor authentication, patching, minimizing the number of system administrators that you have and so on.
Tony Scott’s 30-day Cyber Sprint
(2014) 800-207: Zero Trust Architecture (2019) Zero Trust Architecture (2019)
Connecting from a particular network must not determine which services you can access
All communication is secure regardless of network location
Don’t trust the network, including the local network
Access to services is granted based on what we know about you and your device
Access to resources is determined by policy, including the observable state of user identity and the requesting system, and may include other behavioral attributes
Create a single strong user identity
Create a strong device identity
Know the health of your devices and services
Set policies according to value of the service or data
All access to services must be authenticated, authorized, and encrypted
All data sources and computing services are considered resources
Know your architecture including users, devices, and services
Access to individual enterprise resources is granted on a per-connection basis
Control access to your services and data
Choose services designed for zero trust
User authentication is dynamic and strictly enforced before access is allowed
Authenticate everywhere
The enterprise ensures all owned and associated systems are in the most secure state possible and monitors systems to ensure that they remain in the most secure state possible
Focus your monitoring on devices and services
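An added example, not taken from the slides or from any product they mention: a minimal per-connection policy decision in Python that applies the tenets listed above (default deny, user and device identity, device health, policy set by resource value, network location never used as a grant). The field names, sensitivity tiers and thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy: requirements scale with the value of the resource.
POLICY = {
    "low":  {"mfa": False, "managed": False, "max_patch_age_days": 90},
    "high": {"mfa": True,  "managed": True,  "max_patch_age_days": 30},
}

@dataclass(frozen=True)
class Request:
    user_authenticated: bool   # primary credential accepted
    mfa_verified: bool         # second factor completed for this session
    device_id_verified: bool   # strong device identity, e.g. a device certificate
    device_managed: bool
    patch_age_days: int        # device health signal
    encrypted_channel: bool
    source_network: str        # logged only; never used to grant access
    sensitivity: str           # value tier of the requested resource

def decide(req):
    """Return (allowed, reasons). Run on every connection; default deny."""
    rule = POLICY.get(req.sensitivity)
    if rule is None:
        return False, ["no policy for resource: default deny"]
    checks = [
        (req.user_authenticated, "user not authenticated"),
        (req.device_id_verified, "device identity not verified"),
        (req.encrypted_channel, "channel not encrypted"),
        (req.mfa_verified or not rule["mfa"], "MFA required"),
        (req.device_managed or not rule["managed"], "managed device required"),
        (req.patch_age_days <= rule["max_patch_age_days"],
         "device patch level too old"),
    ]
    reasons = [msg for ok, msg in checks if not ok]
    return (not reasons), reasons

# Constructed requests: a valid password used from the corporate LAN on an
# unknown device, and a legitimate user on a healthy managed laptop at home.
STOLEN = Request(True, False, False, False, 400, True, "corp-lan", "high")
REMOTE = Request(True, True, True, True, 7, True, "home-wifi", "high")

if __name__ == "__main__":
    for name, req in (("stolen", STOLEN), ("remote", REMOTE)):
        print(name, decide(req))
```

The first request is denied although it comes from the internal network with a valid password, and the second is allowed from an untrusted network because identity, device and health checks all pass.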
the enterprise
Workforce: User and device access
Workload: Application and workload access
Workplace: Network access
SaaS & Public cloud
Access happens everywhere – how do you get visibility and ensure secure, trusted access?
and device access
Zero Trust for the Workforce
What to do: Verify users’ identities. How to do it: Multifactor Authentication.
What to do: Enforce access policies for every app. How to do it: Adaptive & role-based access control.
What to do: Gain device visibility and establish trust. How to do it: Endpoint health & security posture.
and workload access
Zero Trust for the Workload
What to do: Gain visibility into what’s running and what’s critical. How to do it: Identify workload dependencies.
What to do: Contain breaches and minimize lateral movement. How to do it: Application segmentation.
What to do: Alert or block communication if policy is violated. How to do it: Continuous monitoring & response.
Trust for the Workplace
Network access
What to do: Discover and classify users, devices and apps on your network. How to do it: Network authentication, profiling authorization.
What to do: Grant the right level of network access based on user and device context. How to do it: Network segmentation.
What to do: Contain infected endpoints and restrict network access. How to do it: Continuous monitoring and responding to threats.
is a leader in Zero Trust
The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019
Tools And Technology: The Zero Trust Security Playbook
October 29, 2019
The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
as a by-product of Zero Trust
Compliance / Details / Where Duo Can Help
CJIS. Details: Criminal Justice Information Services v5.6. Where Duo Can Help: Section: 5.5.2.3, 5.5.6.1, 5.5.6.2, 5.6.2.1, 5.6.2.1.3, 5.6.2.2, 5.6.3.2, 5.10.4.1, 5.10.4.4, 5.13.7.1, 5.13.7.2
FFIEC. Details: Federal Financial Institutions Examination Council Version Sept 2016. Where Duo Can Help: Title: II.C.5, II.C., II.C.7(a), II.C.7(e), II.C.10(d), II.C.13(e), II.C.15(b), II.C.15(c), II.C.15(d), II.D, III.C
GLBA. Details: Gramm-Leach-Bliley Act FIL-22-2001. Where Duo Can Help: Title: V Subtitle A Section 501(3)
GDPR. Details: EU General Data Protection Regulation, Regulation (EU) 2016/679. Where Duo Can Help: Article 5 Section 1(f), 2; Article 24 Section 1; Article 32 Section 1(b), 2
HIPAA. Details: Health Insurance Portability and Accountability Act CFR 45 revised Oct 1, 2007. Where Duo Can Help: Standard: 164.308(a)(1), 164.308(a)(4), 164.312(d)
NIST 800-53. Details: National Institute of Standards and Technology 800-53 r4. Where Duo Can Help: Control: IA-2, IA-3, IA-5, IA-6, SC-7, SC-11
NIST 800-171. Details: National Institute of Standards and Technology 800-171 June 2015, includes updates as of 01-14-2016. Where Duo Can Help: Control: 3.1.1, 3.1.1, 3.1.3, 3.1.7, 3.1.11, 3.1.12, 3.1.14, 3.1.15, 3.1.18, 3.1.20, 3.3.1, 3.3.2, 3.3.8, 3.4.1, 3.4.2, 3.5.2, 3.5.3, 3.7.5
NERC. Details: North American Electric Reliability Corporation v5 Critical Infrastructure Protection Reliability Stds. Where Duo Can Help: CIP-005 Table R2 Part 2.3; CIP-007-6 Table R5 5.1; CIP-010-2 Table R2 2.1
PCI DSS. Details: Payment Card Industry Data Security Standard v3.2. Where Duo Can Help: Requirements: 6.2, 7.1-7.2, 8.3.1, 8.3.2