
Lawful intelligence in a zero-trust world

As network security engineers work to implement zero-trust architectures, encrypting all connections is a key goal

Until recently, most network security systems relied on robust perimeter defenses encircling an environment of trusted users and programs. Like a medieval walled city, this model focused on authenticating and verifying users, applications, and processes at their points of entry. Once inside the network, however, malicious actors or malware can move laterally with relative ease due to a lack of internal monitoring and defenses.

The perimeter defense model has also been complicated by ongoing fundamental shifts in network topology. The placement of many computing workloads is shifting from centralised locations to the network edge. The workloads themselves are increasingly cloud-native, container-hosted, and designed to be transient and mobile. In this kind of distributed environment, protecting resources by building fences around them is no longer viable.

In place of perimeter measures such as hardware firewalls, software-based security is applied directly to the workload. “Zero trust” network security environments are taking the place of their perimeter-focused predecessors. In this new model, each interaction with data or other resources is individually authenticated. This shift in access authorisation carries a number of implications for lawful intelligence operations.

Key implications of zero trust for lawful intelligence

As network security engineers work to implement zero-trust architectures, encrypting all connections is a key goal. Therefore, an increasing proportion of communications content goes dark – beyond the reach of lawful interception. This reality contributes to the rising role of metadata in lawful intelligence operations. With the right platforms and expertise, metadata can be just as useful to investigators as the original message contents.

At the same time, the zero-trust architecture itself creates new opportunities that lawful intelligence can often capitalise on. Such architectures route every access request through policy-enforcement points, which check each time whether an individual is authorised to access a specific resource. Each such request creates a digital flag that indicates a unique data stream for a specific individual, which can be cross-referenced against active warrants in the system. Zero-trust architecture therefore provides law enforcement with new ways of discerning and tracking distinct data paths relevant to an investigation.

This visibility into the zero-trust access architecture depends on how robustly the network owners implement logging requirements. Given that log analytics offer insights into everything from network performance and efficiency to cybersecurity, organisations are increasingly capturing, normalising, and utilising this data in everyday operations. This naturally benefits lawful intelligence operations by improving the quality of data available.

Mediating across multiple networks with zero trust

In addition to more rigorous resource access controls throughout network data flows, zero-trust security alters the flows themselves. Lawful intelligence must account for this, particularly when multiple public cloud or other third-party networks interact in a zero-trust environment, as in the case of an enterprise application on Amazon Web Services (AWS) that requires data residing on Microsoft Azure.

In a legacy approach, the AWS application would simply hold Azure credentials and pull data as it needed to, without directly involving the enterprise. In a zero-trust architecture, the enterprise holds the Azure credentials, and the AWS application must make multiple individual data requests asking the enterprise to retrieve the data from Azure on its behalf. Additional parties to a transaction add complexity to such data flows, with an effect on lawful intelligence similar to that of the transition of voice calls to VoIP, where the data path of a message can travel anywhere.
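The brokered AWS-to-Azure flow above, together with the per-request policy-enforcement-point logging described under "Key implications", as an added illustration that is not from the article or from SS8: the enterprise broker alone holds the Azure credential, authenticates and authorises each request on its own, and emits one structured audit record per decision. Principal names, resource URIs, keys and credential values are hypothetical placeholders, and the Azure fetch is a stand-in.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed example data (hypothetical placeholders, not values from the article).
PRINCIPAL_KEYS = {"aws-app:orders-service": b"placeholder-app-key"}
POLICY = {("aws-app:orders-service", "azure://customer-db/orders"): {"read"}}
AZURE_CREDENTIAL = "placeholder-azure-credential"  # held by the broker only


def _mac(key: bytes, principal: str, resource: str, action: str) -> str:
    msg = f"{principal}|{resource}|{action}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_request(principal: str, resource: str, action: str) -> str:
    """Client side: a fresh proof of identity bound to this one request."""
    return _mac(PRINCIPAL_KEYS[principal], principal, resource, action)


@dataclass
class AccessDecision:
    timestamp: str
    principal: str
    resource: str
    action: str
    allowed: bool
    reason: str


class EnterpriseBroker:
    """Policy-enforcement point: the AWS application never sees AZURE_CREDENTIAL;
    every request is authenticated, authorised and logged individually."""

    def __init__(self):
        self.audit_log = []  # one AccessDecision per request, allowed or not

    def request(self, principal, resource, action, sig):
        key = PRINCIPAL_KEYS.get(principal)
        if key is None or not hmac.compare_digest(sig, _mac(key, principal, resource, action)):
            allowed, reason = False, "authentication-failed"
        elif action in POLICY.get((principal, resource), set()):
            allowed, reason = True, "policy-match"
        else:
            allowed, reason = False, "not-authorised"
        rec = AccessDecision(datetime.now(timezone.utc).isoformat(),
                             principal, resource, action, allowed, reason)
        self.audit_log.append(rec)
        print(json.dumps(asdict(rec)))  # structured log line for the SIEM
        return self._fetch_from_azure(resource) if allowed else None

    def _fetch_from_azure(self, resource):
        # Stand-in for the call the broker makes using AZURE_CREDENTIAL.
        return {"resource": resource, "rows": ["constructed-row-1"]}

    def decisions_for(self, principal):
        """The per-identity data path that the audit log exposes for review."""
        return [r for r in self.audit_log if r.principal == principal]
```

Because denied and failed attempts are recorded alongside successes, the log preserves the full per-identity access path rather than only the requests that returned data.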

Legal authorisation in a zero-trust framework

By focusing security on individual entities and resources rather than the network perimeter, zero-trust architecture creates a more nuanced set of considerations when brokering access for lawful intelligence purposes. As the path for conferring access to resources becomes more complex, so does the interaction between technical protocols and legal instruments such as warrants.

Investigating an individual of interest in a zero-trust environment might involve serving separate warrants to a communication service provider (CSP) for personal phones, tablets, and/or other devices. If the individual’s company devices must also be analysed, warrants might also have to be served on his or her employer – unless the investigation needs to be kept secret from it. SS8’s warrant management capabilities govern lawful access to these data streams, and our Intellego XT platform synthesises them with others to create a composite timeline that advances the investigation.

In a zero-trust environment, a given communication or data flow requires multiple authorisations, meaning CSPs must implement robust and specialised controls over warrant management, mediation, and data handover. Moreover, law enforcement agencies (LEAs) need powerful, intuitive tools to help guide investigations across multiple information streams and synthesise them into composite insights efficiently and effectively.

SS8 lawful intelligence platforms have been developed in lockstep with evolving network technologies for more than two decades, and we continue to deliver robust technical insights from both legacy and zero-trust network architectures within the lawful framework.

Dr Eric Burger, Georgetown Professor and Advisor to Industry and Government