Lawful Intelligence in a Zero-Trust World

Until recently, most network security systems relied on robust perimeter defenses encircling an environment of trusted users and programs. Like a medieval walled city, this model focused on authenticating and verifying users, applications, and processes at their points of entry. Once inside the network, however, malicious actors or malware can move laterally with relative ease due to a lack of internal monitoring and defenses. The perimeter defense model has also been complicated by ongoing fundamental shifts in network topology. The placement of many computing workloads is shifting from centralized locations to the network edge. The workloads themselves are increasingly cloud-native, container-hosted, and designed to be transient and mobile. In this kind of distributed environment, protecting resources by building fences around them is no longer viable. Instead of measures such as hardware firewalls, software-based security is applied directly to the workload. “Zero trust” network security environments are taking the place of their perimeter-focused predecessors. In this new model, each interaction with data or other resources is individually authenticated. This shift in access authorization carries a number of implications for lawful intelligence operations.

Key Implications of Zero Trust for Lawful Intelligence

As network security engineers work to implement zero-trust architectures, encrypting all connections is a key goal. Therefore, an increasing proportion of communications content goes dark – beyond the reach of lawful interception. This reality contributes to the rising role of metadata in lawful intelligence operations. With the right platforms and expertise, metadata can be just as useful to investigators as the original message contents. At the same time, the zero-trust architecture itself creates new opportunities that lawful intelligence can often capitalize on. Such network topologies require frequent review of policy-enforcement points within the environment to determine if an individual is authorized to access a specific resource. Each such request creates a digital flag that indicates a unique data stream for a specific individual, which can be cross-referenced against active warrants in the system. Zero-trust architecture therefore provides law enforcement new ways of discerning and tracking distinct data paths relevant to an investigation. This visibility into the zero-trust access architecture depends on how robustly the network owners implement logging requirements. Given that log analytics offer insights into everything from network performance and efficiency to cybersecurity, organizations are increasingly capturing, normalizing, and utilizing this data in everyday operations. This naturally benefits lawful intelligence operations by improving the quality of data available.

Mediating Across Multiple Networks with Zero Trust

In addition to more rigorous resource access controls throughout network data flows, zero-trust security alters the flows themselves. Lawful intelligence must account for this, particularly when multiple public cloud or other third-party networks interact in a zero-trust environment, as in the case of an enterprise application on Amazon Web Services (AWS) that requires data residing on Microsoft Azure. In a legacy approach, the AWS application would simply have Azure credentials and pull data as it needed to, without directly involving the enterprise. In zero-trust architecture, the enterprise holds the Azure credentials, and the AWS application must make multiple individual data requests asking it to access the data from Azure. Additional parties to a transaction add complexity to such data flows, which has a similar impact on lawful intelligence as the transition of voice calls to VoIP, in which message data paths can travel anywhere.

Legal Authorization in a Zero Trust Framework

By focusing security on individual entities and resources rather than the network perimeter, zero-trust architecture creates a more nuanced set of considerations when brokering access for lawful intelligence purposes. As the path for conferring access to resources becomes more complex, so does the interaction between technical protocols and legal instruments such as warrants. Investigating an individual of interest in a zero-trust environment might involve serving separate warrants to a communication service provider (CSP) for personal phones, tablets, and/or other devices. If the individual’s company devices must also be analyzed, warrants might also have to be served on his or her employer – unless the investigation needs to be kept secret from it. SS8’s warrant management capabilities govern lawful access to these data streams, and our Intellego XT platform synthesizes them with other data streams to create a composite timeline of communications and online activity that advances the investigation.

Conclusion

In a zero-trust environment, a given communication or data flow requires multiple authorizations, meaning CSPs must implement robust and specialized controls over warrant management, mediation, and data handover. Moreover, law enforcement agencies (LEAs) need powerful, intuitive tools to help guide investigations across multiple information streams and synthesize them into composite insights efficiently and effectively. SS8 lawful intelligence platforms have been developed in lockstep with evolving network technologies for more than two decades, and we continue to deliver robust technical insights from both legacy and zero-trust network architectures within the lawful framework.

About Dr. Eric Burger

SS8 Advisory Council - Eric BurgerDr. Burger was previously the Assistant Director for the White House Office of Science and Technology Policy responsible for the United States policy for telecommunications and cybersecurity portfolios. In this role he reported to the US CTO in the Executive Office of the President. Before that, Dr. Burger was the CTO for the FCC, serving as an advisor to the Chairman and as the senior technology expert in the agency. Other positions include Chairman of the Board for atfCYBER, Advisory Board member for Dexrex LLC, Board Member for Ascension Technology Group and CTO at Neustar. He is currently a Research Professor of Computer Science at Georgetown University. You can learn more about Dr. Burger on his LinkedIn page here.

About SS8 Networks

SS8 provides Lawful Intelligence platforms. They work closely with leading intelligence agencies, communication providers, law enforcement agencies and standards bodies. Their technology incorporates the methodologies discussed in this blog and the  Xcipio®  and Intellego® XT  product portfolios are used worldwide for the capture, analysis, and delivery of data for the purposes of criminal investigations.

Tweet Us @SS8       Follow Us LinkedIn

SS8 Newsletter

LATEST WEBINAR

THE DATA SILO DILEMMA FOR LAW ENFORCEMENT

How to Ingest, Filter and Query 5G Volumes

Webinar Presented by Kevin McTiernan

CLICK HERE to watch!