On 3 June 2021, the US Supreme Court ruled in case of Van Buren v. United States
that interpretation of the United States Computer Frauds and Abuses Act of 1986 (CFAA)
related to anyone who "intentionally accesses a computer without authorization or exceeds authorized access," was too broad and overreaching. Thus, anyone who has authorized access to computers and data cannot be held criminally liable for misuse of those resources or data.
In the case ruled on, police sergeant Nathan Van Buren was convicted of fraud and accepting a bribe for using a work computer to run a license plate search. He was sentenced to 18 months in prison. Van Buren’s lawyers argued during the hearing last November that the Computer Fraud and Abuse Act did not apply because he was authorized to access the database. They warned if the court ruled against him, it could have sweeping consequences making it a federal crime when using a computer for virtually any unauthorized purpose, from “checking sports scores at work to inflating one’s height on a dating website.” The justices agreed and ruled prosecutors had interpreted the federal CFAA too broadly when charging him and overturned the law officer’s conviction.
United States Computer Frauds and Abuses Act of 1986 (CFAA)
The CFAA was passed in 1986 by the US Congress to combat then burgeoning cybercrime in the United States. The CFAA prohibited intentionally accessing a computer without authorization or in excess of authorization but fails to define what “without authorization” and “exceed authorized access” mean. In the 25 years since its passage, the CFAA has been greatly criticized by civil rights organizations for potentially criminalizing legitimate cybersecurity research and general user behavior. Before the ruling, security researchers could be prosecuted for testing software and systems looking for vulnerabilities or a user accessed Facebook at work during a lunchbreak. This decision greatly narrows the scope of the law.
The majority ruling, written by Justice Amy Coney Barrett, was based on direct reading of the law, and clearly recognized how dangerous the interpretation by the US Justice Department was.
"The Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity," Barrett wrote. "If the 'exceeds authorized access' clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals."
Barrett agreed the broader interpretation would "criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook."
Driving the need for Zero Trust Network Access (ZTNA)
How does this ruling relate to ZTNA? The Supreme Court ruling makes clear that, based on the vagueness of the CFAA as written, if a user has authorized access to computers and data, they cannot be prosecuted for the misuse of those resources or data. This means, organizations need to be very strict and accurate in defining and granting “authorized access”. This is where ZTNA comes in.
The Zero Trust model says that organizations should grant users the minimal amount of access needed to do their jobs and no more. Most organizations are very lax granting access because it is just easier to give everyone the same access. If a finance group employee has access to R&D development servers and steals the data to give to a competitor, they cannot be charged under CFAA because they were granted access as part of their job (they can still be charged with industrial espionage but that is a different crime). Implementing ZTNA, the finance user would not have been granted access to the R&D server, so any access or data access is clearly “unauthorized” and criminal.
Implementing ZTNA can be done if organizations use the tools they have on hand. Instead of giving privileges to all users, assign users to specific groups and define the minimal privileges of the group. Assigning and tracking group privileges can be as simple as creating a spreadsheet with assets and resources along the top and user groups down the side, then filling in the matrix with which groups can access which resources. Most organizations using Windows have an Active Directory (AD) controller for user authentication. Users can be assigned to multiple groups in AD and these groups can then be used to enforce authorization by authenticating resources to groups.
Some assets and resources may not be able to authenticate or control access based on groups. Internet Access Gateways (IAG) and Secure Web Gateways (SWG) can use groups to enforce access to on-premise and cloud-based resources ensuring users can only access resources they are authorized to and nothing more. Thus, the finance group will not have access to R&D servers. You can even limit and control VPN user access ensuring that remote attacks are mitigated. More importantly, IAGs, SWGs, and AD log both authentications and access making it easier to look for suspicious behavior that later become threats.
Zero Trust and Sangfor
Sangfor is the choice of many organizations needing to implement ZTNA quickly. Smaller organizations use Sangfor Access as a SASE solution to implement ZTNA with minimal infrastructure, management, and cost. Larger organizations wanting greater control use Sangfor IAG internally to control access to local resources or as a SWG to control access to cloud resources. Sangfor has customers using hybrid ZTNA solutions that are undergoing digital transformation from on-premise to the cloud. IAG easily integrates with AD and other 3rd-party authentication/authorization solutions to quickly deploy ZTNA in any organization big or small. Click on the links to learn about ZTNA solutions using Sangfor Access and IAG.