Zero Trust File Access Control Solution

Download: Zero Trust File Access Control Demo Zip File

The zero trust file access security solution is a cybersecurity approach that denies file access by default and grants authenticated users and applications only the data, services and systems they need to do their jobs. Zero Trust is a proactive, integrated approach to security across all layers of the digital estate that explicitly and continuously verifies every transaction, asserts least privilege, and relies on intelligence, advanced detection, and real-time response to threats.

Why Zero Trust


Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorized, and encrypted before granting access. Zero trust adoption can offer organizations the following benefits:

  • protects sensitive data;

  • secures digital transformation;

  • lowers breach risk and shortens detection time;

  • closes security gaps and reduces the risk of lateral movement;

  • gives better control in cloud environments.


Zero Trust Architecture



[Figure: zero trust file access control]


Zero Trust File Access Principles


  • Verify explicitly: always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.

  • Use least privileged access: limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.

  • Assume breach: minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

Implement Zero Trust file access control with EaseFilter


The EaseFilter File Control Filter Driver lets you control file I/O operations through filter rule configuration. A filter rule carries a whitelist and a blacklist of processes or users, so you can allow or block a specific file I/O operation for a specific process or user: control who can read a file, allow or block modification of it, and prevent an important file from being deleted or renamed.

To implement zero trust file access control, create a filter rule whose default access rights are the least privilege: by default no process or user has any right to the files covered by the rule, so every process and user is untrusted. Then add a whitelist to the rule that grants specific access rights to specific processes or users. Only identities on the whitelist can touch the files, and they get only the rights you list for them.

Authenticate a trusted user


With the EaseFilter SDK you can authorize specific users to access the files covered by the zero trust filter rule; the filter checks the requesting user's identity on each file operation and allows or blocks the access accordingly.
//authorize the user with full access rights (verbatim string, so the backslash needs no escaping).
zeroTrustFilter.userAccessRightList.Add(@"domainname or computer\username", FilterAPI.ALLOW_MAX_RIGHT_ACCESS);

Authenticate a trusted process


Authenticating a process by its name or process ID is not reliable: a malicious application can tamper with your binary, or a malicious binary can simply be given the same file name as your trusted executable. How do you assure that a process is the trusted one?

Signing the executable with Microsoft Authenticode solves this problem. Code signing provides both authenticity and integrity, using a digital signature and a hash function: the signature authenticates the publisher, and the hash acts as a checksum that detects any change to the binary. Technically, the signed portions of the executable are hashed and the resulting hash value is signed with the private key of the code signing certificate; the certificate is embedded in the file so the signature can be verified at load time. A signer-based allow list is therefore only as strong as the protection of that private key: anyone who can sign with it can produce a process the rule trusts.
//authorize the processes signed with your digital certificate with full access rights.
zeroTrustFilter.SignedProcessAccessRightList.Add("Certificate name", FilterAPI.ALLOW_MAX_RIGHT_ACCESS);

You can also authenticate the process by the SHA-256 hash of its executable file, as shown below. The hash pins the rule to the exact bytes of the binary, so it must be updated whenever the executable is rebuilt or patched.
//authorize the process whose executable has this SHA-256 hash with full access rights.
byte[] processSha256Hash = new byte[32];
uint hashBytesLength = 0;
bool ret = FilterAPI.Sha256HashFile("your process name file path", processSha256Hash, ref hashBytesLength);
if (ret)
{
    zeroTrustFilter.Sha256ProcessAccessRightList.Add(processSha256Hash, FilterAPI.ALLOW_MAX_RIGHT_ACCESS);
}
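To make the deny-by-default rule and the process identity discussion above concrete, here is an added Python example. It is not EaseFilter code and does not call the SDK; it models a filter rule with least-access defaults and allow lists keyed by image name, by image SHA-256 and by user, then evaluates I/O requests against it. The right names, the rule semantics (grants from the lists are unioned, the first matching rule decides, paths under no rule are left alone) and the byte strings standing in for executables are all constructed assumptions. It shows the failure mode described above: a malicious binary renamed notepad.exe is accepted by a name-based list but rejected by a hash-based one, and a user granted only read access is denied delete. Authenticode signer checks are left out because they need the Windows trust APIs; in the SDK that is the SignedProcessAccessRightList path.

```python
"""Deny-by-default file access policy with per-identity allow lists.

Added example (not EaseFilter code). Models the page's filter rule as data and
shows why a process allow list keyed by image name is weaker than one keyed by
the image's SHA-256. Names, byte strings and rule semantics are assumptions.
"""
import fnmatch
import hashlib
from dataclasses import dataclass, field
from enum import IntFlag


class Right(IntFlag):
    # Assumed right names; the SDK exposes its own constants (ALLOW_MAX_RIGHT_ACCESS etc.).
    NONE = 0
    READ = 1
    WRITE = 2
    DELETE = 4
    RENAME = 8
    MAX = READ | WRITE | DELETE | RENAME


@dataclass(frozen=True)
class Process:
    """What the filter sees on an I/O request: image name, image bytes, requesting user."""
    name: str
    image: bytes
    user: str


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class FilterRule:
    """A watch path with least-access semantics: nothing is granted unless listed."""
    path_mask: str
    by_name: dict[str, Right] = field(default_factory=dict)    # weakest identity
    by_sha256: dict[str, Right] = field(default_factory=dict)  # binds to exact bytes
    by_user: dict[str, Right] = field(default_factory=dict)    # token identity

    def matches(self, path: str) -> bool:
        # Windows paths compare case-insensitively; '*' also spans separators.
        return fnmatch.fnmatchcase(path.lower(), self.path_mask.lower())

    def rights_for(self, proc: Process) -> Right:
        # Assumption: grants from the different lists are unioned.
        rights = Right.NONE
        rights |= self.by_name.get(proc.name.lower(), Right.NONE)
        rights |= self.by_sha256.get(sha256_of(proc.image), Right.NONE)
        rights |= self.by_user.get(proc.user.lower(), Right.NONE)
        return rights


def is_allowed(rules: list[FilterRule], path: str, proc: Process, requested: Right) -> bool:
    """First rule whose mask matches decides; every requested bit must be granted."""
    for rule in rules:
        if rule.matches(path):
            return (rule.rights_for(proc) & requested) == requested
    return True  # assumption: paths under no rule are outside the zero trust scope


# Constructed stand-ins for executable images (not real PE files).
LEGIT_NOTEPAD = b"MZ\x90\x00 constructed stand-in for the genuine notepad.exe"
TROJAN_NOTEPAD = b"MZ\x90\x00 constructed stand-in for malware renamed to notepad.exe"
SECRET = r"c:\zerotrust\payroll.xlsx"


def demo() -> dict[str, bool]:
    legit = Process("notepad.exe", LEGIT_NOTEPAD, r"CORP\alice")
    trojan = Process("notepad.exe", TROJAN_NOTEPAD, r"CORP\alice")
    auditor = Process("excel.exe", b"constructed excel image", r"CORP\bob")

    by_name = [FilterRule(r"c:\zerotrust\*", by_name={"notepad.exe": Right.MAX})]
    by_hash = [FilterRule(r"c:\zerotrust\*",
                          by_sha256={sha256_of(LEGIT_NOTEPAD): Right.MAX},
                          by_user={r"corp\bob": Right.READ})]  # just-enough access for bob
    return {
        "legit_allowed_by_name_list": is_allowed(by_name, SECRET, legit, Right.READ),
        "trojan_allowed_by_name_list": is_allowed(by_name, SECRET, trojan, Right.READ),
        "legit_allowed_by_hash_list": is_allowed(by_hash, SECRET, legit, Right.READ | Right.WRITE),
        "trojan_allowed_by_hash_list": is_allowed(by_hash, SECRET, trojan, Right.READ),
        "bob_read_allowed": is_allowed(by_hash, SECRET, auditor, Right.READ),
        "bob_delete_allowed": is_allowed(by_hash, SECRET, auditor, Right.DELETE),
        "unprotected_path_allowed": is_allowed(by_hash, r"c:\public\readme.txt", trojan, Right.WRITE),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The name-based list accepts both processes because it never looks at the bytes being executed; the hash-based list rejects the renamed binary and still lets the genuine one read and write. Bob, who is only on the user list with READ, can open the file but not delete it, which is the just-enough-access point from the principles above.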

Zero Trust With Encryption


The EaseFilter Encryption Filter Driver (EEFD) encrypts files automatically and transparently. Combined with the File Control Filter Driver and the Process Filter Driver, it lets you implement zero trust file access control with encryption enabled, which strengthens file security: by default every file in the rule is encrypted, and a process or user that is not authorized cannot read the plaintext; it receives only the raw encrypted data. You then authorize specific processes or users to read the encrypted files. The complete console demo below puts these pieces together.

using System;
using EaseFilter.FilterControl;

namespace FileProtectorConsole
{
    class Program
    {
        static FilterControl filterControl = new FilterControl();

        static void PrintUsage()
        {
            Console.WriteLine("Usage: ZeroTrustDemo folderNameMask processName e");
            Console.WriteLine("options:");
            Console.WriteLine(@"folderNameMask --the zero trust folder, i.e. c:\zerotrust\*");
            Console.WriteLine("processName --the process name authorized to access the files, i.e. notepad.exe");
            Console.WriteLine("e or null --if it is e, encryption is enabled for the zero trust folder.");
        }

        static void Main(string[] args)
        {
            string lastError = string.Empty;

            //load the control, process and encryption filters together.
            FilterAPI.FilterType filterType = FilterAPI.FilterType.CONTROL_FILTER | FilterAPI.FilterType.PROCESS_FILTER | FilterAPI.FilterType.ENCRYPTION_FILTER;

            int serviceThreads = 5;
            int connectionTimeOut = 10; //seconds

            try
            {
                //setup the zero trust folder, no one can access the files in this folder by default.
                string zeroTrustFolder = @"c:\ZeroTrust\*";
                //setup the authorized process to access the files in the zero trust folder.
                string authorizedProcess = "notepad.exe";
                //enable encryption for the zero trust folder; if true, all files in the folder will be encrypted.
                bool enableEncryption = false;

                if (args.Length < 2)
                {
                    PrintUsage();
                    return;
                }

                zeroTrustFolder = args[0];
                authorizedProcess = args[1];

                if (args.Length > 2)
                {
                    if (args[2].Equals("e"))
                    {
                        enableEncryption = true;
                    }
                }

                //Purchase a license key with the link: http://www.easefilter.com/Order.htm
                //Email us to request a trial key: [email protected] //free email is not accepted.
                string licenseKey = "******************************";

                if (!filterControl.StartFilter(filterType, serviceThreads, connectionTimeOut, licenseKey, ref lastError))
                {
                    Console.WriteLine("\r\nStart Filter Service failed with error:" + lastError);
                    return;
                }

                //create the zero trust filter rule, every filter rule must have a unique watch path.
                FileFilter zeroTrustFilter = new FileFilter(zeroTrustFolder);
                //setup the zero trust access flag of the filter rule: no right is granted by default.
                zeroTrustFilter.AccessFlags = FilterAPI.AccessFlag.LEAST_ACCESS_FLAG;

                if (enableEncryption)
                {
                    zeroTrustFilter.AccessFlags = (FilterAPI.AccessFlag)FilterAPI.ALLOW_MAX_RIGHT_ACCESS;
                    //enable encryption for this filter rule.
                    zeroTrustFilter.EnableEncryption = true;
                    //no one can read the encrypted file data by default.
                    zeroTrustFilter.EnableReadEncryptedFileData = false;
                    //set up a 32 bytes test encryption key for the filter rule.
                    //This is a well-known published AES-256 test key, not a secret: a production key
                    //must come from a key store and must never be hard coded in the binary.
                    byte[] key = { 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81, 0x1f, 0x35, 0x2c
                                 , 0x07, 0x3b, 0x61, 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4 };

                    zeroTrustFilter.EncryptionKey = key;
                }

                //authorize process notepad.exe with full access rights (name-based trust, the weakest of the three).
                zeroTrustFilter.ProcessNameAccessRightList.Add(authorizedProcess, FilterAPI.ALLOW_MAX_RIGHT_ACCESS);

                //you can authorize the processes signed with your digital certificate with full access rights.
                //zeroTrustFilter.SignedProcessAccessRightList.Add("Certificate name", FilterAPI.ALLOW_MAX_RIGHT_ACCESS);

                //you can also authorize the process whose executable has this SHA-256 hash with full access rights.
                //byte[] processSha256Hash = new byte[32];
                //uint hashBytesLength = 0;
                //bool ret = FilterAPI.Sha256HashFile("your process name file path", processSha256Hash, ref hashBytesLength);
                //zeroTrustFilter.Sha256ProcessAccessRightList.Add(processSha256Hash, FilterAPI.ALLOW_MAX_RIGHT_ACCESS);

                //authorize the user with full access rights.
                //zeroTrustFilter.userAccessRightList.Add(@"domainname or computer\username", FilterAPI.ALLOW_MAX_RIGHT_ACCESS);

                filterControl.AddFilter(zeroTrustFilter);

                if (!filterControl.SendConfigSettingsToFilter(ref lastError))
                {
                    Console.WriteLine("SendConfigSettingsToFilter failed." + lastError);
                    return;
                }

                Console.WriteLine("Start Zero trust demo succeeded, zero trust folder:" + zeroTrustFolder
                    + ",authorized process:" + authorizedProcess + ",enableEncryption:" + enableEncryption.ToString() + "\r\n");

                // Wait for the user to quit the program.
                Console.WriteLine("Press 'q' to quit the sample.");
                while (Console.Read() != 'q') ;

                filterControl.StopFilter();

            }
            catch (Exception ex)
            {
                Console.WriteLine("Zero trust demo failed with error:" + ex.Message);
            }

        }

    }
}
