The attacker in your network right now may not have broken in.
They may have logged in. With a valid username and password. Through the proverbial front door. Looking exactly like every other authorized user in your system. And they may have been there for months.
This is the credentialed attacker problem. It has two forms. The first is the malicious insider: an employee, contractor, or administrator with legitimate access who decides to use it for unauthorized purposes. The second is the external attacker who obtained valid credentials through phishing, credential stuffing, or a supply chain breach and is now operating inside your environment as an authenticated user. Insider threat encryption is the architectural control that addresses both scenarios; not by detecting intent, but by ensuring that authenticated access yields nothing usable regardless of who holds the credentials.
Both scenarios clear every identity control you have in place. Both look identical to your security systems. Both have time on their side.
The Credentialed Attacker: Two Scenarios, One Problem
Identity and access management tells you who authenticated. It does not tell you what they intend to do once they are in. Multi-factor authentication confirms that the person logging in controls a registered device or phone number. It does not confirm that the person is who they claim to be, or that their intentions are legitimate.
An administrator with database access can query records, export results, and exfiltrate data using the same tools they use every day for legitimate work. The activity looks normal because it is normal activity. The intention is the only difference, and intention is not something identity controls can read.
An external attacker operating on stolen credentials faces the same landscape. They have cleared authentication. They move through the network the way legitimate users move. They query the data they need using legitimate application interfaces. Their traffic does not look anomalous because it is not anomalous. It is exactly what an authorized user with those credentials would do.
How Long They Stay
Salt Typhoon entered U.S. telecommunications networks in 2023 and remained undetected for up to two years. The attackers did not use brute force or exploit vulnerabilities continuously. They authenticated with valid credentials, moved carefully through systems, and surveilled communications infrastructure over an extended period. They were patient because the data they found was readable and the access was stable.
The 2024 Verizon Data Breach Investigations Report found that the median time to detection for insider threat incidents was 197 days. Nearly seven months of undetected access. In a standard encrypted environment, seven months of authenticated access to a production database means seven months of access to readable data.
This is what makes the credentialed attacker so dangerous. The dwell time is not a bug in their approach. It is the feature. Long-term access to readable data allows reconnaissance, selective exfiltration, and timing of the final attack for maximum impact. The longer they stay, the more they know. The more they know, the more valuable the access becomes.
What Zero Trust Requires at the Data Layer
Zero Trust is not a perimeter security model. It is a comprehensive security framework that explicitly addresses the data layer. The DoD Zero Trust Strategy identifies seven pillars; one of which is Data. That pillar requires encryption across all three states: at rest, in transit, and during active use. CISA’s Zero Trust Maturity Model similarly addresses data protection during processing as a requirement for maturity.
The framework is correct. The implementation gap is real. Most organizations have made significant progress on the identity and network pillars of Zero Trust. They have deployed MFA, privileged access management, network segmentation, and device compliance controls. Those controls matter. They address the question of who gets access. They do not address what that access yields.
The Data Layer Gap That Makes Surveillance Valuable
An attacker who has cleared identity controls in a standard encrypted environment finds readable data at every processing event. Every query returns readable results. Every analytics run produces readable outputs. Every report generates readable records. The data is encrypted at rest. It decrypts the moment the system moves into active use.
Insider threat encryption changes that calculus entirely. For a credentialed attacker operating over months, that means continuous access to readable intelligence. Patient surveillance becomes enormously valuable because the data reward for staying undetected keeps paying out. Every day of undetected access is another day of readable data. The attack economics favor the attacker as long as the data is readable.
When data stays continuously encrypted, an authenticated session returns ciphertext. A credentialed attacker operating inside a continuously encrypted environment finds nothing usable. Queries return encrypted outputs. Analytics run on encrypted data. Reports generate encrypted results. The surveillance yields nothing. The dwell time produces no intelligence value.
The infiltration is not prevented. The attacker may still be in the network. What changes is the value of staying there. When the data is not readable, the economics of long-term lurking collapse. There is nothing to learn. There is nothing to steal. There is nothing to ransom.
What Zero Trust Looks Like When the Data Layer Is Complete
A mature Zero Trust implementation addresses every pillar including the data layer.
- Identity controls determine who gets authenticated access.
- Network controls limit lateral movement.
- Device controls ensure endpoint compliance.
- Continuous encryption ensures that authenticated access yields nothing usable to an attacker, regardless of legitimate their credentials appear.
This is not a replacement for the other Zero Trust pillars. It is the completion of them. The identity pillar asks who are you. The data pillar asks what do you find when you get there. Both questions need answers for Zero Trust to function as designed.
As we covered in Perimeter Security Is Not Enough, the access layer was never designed to be the last line of defense. The data layer is where Zero Trust achieves its ultimate purpose: ensuring that a successful breach of any other control produces no usable outcome.
Insider Threat Encryption: What Donoma Seshat Delivers
The credentialed attacker problem has one architectural answer: data that stays encrypted during active processing regardless of the legitimacy of the session requesting it. That is what the Zero Trust Data pillar requires. That is what Donoma’s Seshat encryption platform delivers.
Seshat deploys at the application layer without replacing existing infrastructure. It runs on standard CPUs with no specialized hardware requirement. It operates at native speed so authorized workflows run without performance degradation. And it is post-quantum ready; which matters for organizations protecting data against threats that evolve over the same long timeframes that credentialed attackers exploit.
An authenticated session in a Seshat-protected environment returns ciphertext to any user whose intent is to extract and misuse data. The malicious insider gets ciphertext. The external attacker operating on stolen credentials gets ciphertext. The long-term lurker surveilling the network for months gets ciphertext. There is nothing to take. The dwell time has no value.
The Zero Trust data layer is not a future requirement. It is a current one. The technology that delivers it exists today.
If you want to understand what the Zero Trust data layer looks like for your environment and how Donoma Seshat completes it, book a solution briefing with the Donoma team.
Frequently Asked Questions
What is the difference between an insider threat and a credentialed external attacker?
An insider threat is a malicious actor with legitimate organizational credentials: an employee, contractor, or administrator who uses authorized access for unauthorized purposes. A credentialed external attacker is an outside actor who has obtained valid credentials through phishing, credential stuffing, or a supply chain breach and now operates inside the network as an authenticated user. Both scenarios clear identity controls. Both appear to security systems as authorized users. Both have access to the same readable data during active processing. Continuous encryption addresses both, because it does not depend on distinguishing intent; it ensures that all authenticated sessions return encrypted outputs.
Why is dwell time so dangerous in a standard encrypted environment?
Dwell time is the period between an attacker entering a network and being detected. In a standard encrypted environment, every day of undetected authenticated access is another day of access to readable data. Attackers use dwell time to conduct reconnaissance, map the environment, identify high-value targets, and selectively exfiltrate the most valuable data before triggering any visible attack. Salt Typhoon maintained access to U.S. telecommunications networks for up to two years, surveilling communications infrastructure throughout. The longer the dwell time, the more intelligence the attacker accumulates and the more targeted the final attack becomes.
How does continuous encryption address the credentialed attacker problem?
Continuous encryption ensures that authenticated sessions return ciphertext rather than readable data. A credentialed attacker, whether a malicious insider or an external actor operating on stolen credentials, queries the same applications authorized users access but receives encrypted outputs with no operational value. There is nothing to surveil. There is nothing to exfiltrate that has usable intelligence value. The dwell time produces no return. The economics of long-term lurking collapse because the data reward for staying undetected disappears.
What does the Zero Trust Data pillar require for insider threat protection?
The DoD Zero Trust Strategy Data pillar requires encryption across all three data states: at rest, in transit, and during active use. Most Zero Trust implementations address the first two. The third, encryption during active processing, requires continuous encryption capability. Without it, any authenticated session, including one conducted by an insider threat or a credentialed external attacker, returns readable data. The Data pillar is where Zero Trust addresses the credentialed attacker problem directly. Seshat delivers the continuous encryption that pillar requires.
Can Zero Trust identity controls detect a malicious insider?
Identity controls confirm who authenticated. They do not detect malicious intent. An administrator using authorized tools to query and export data for legitimate purposes and the same administrator doing the same thing for unauthorized purposes are indistinguishable to identity controls. Behavioral analytics can flag anomalous patterns over time, but they are not reliable enough to stop a patient, careful attacker who understands the monitoring environment. Continuous encryption addresses this by ensuring that even undetected malicious access yields nothing usable, regardless of how long it continues.
Does Seshat prevent data exfiltration by insiders?
Seshat prevents usable data exfiltration by insiders. An insider who attempts to export data from a Seshat-protected environment extracts ciphertext with no operational value. The extraction attempt may still occur. What changes is what the attacker holds afterward: encrypted data that cannot be read, sold, or used for ransom leverage. Seshat does not prevent all insider activity; it eliminates the data value that makes insider threats economically viable and legally damaging.
Additional Reading:
Perimeter Security Is Not Enough: 5 Steps to Mitigate Risk in a Zero Trust Environment
The Zero Trust Data Layer: What Most CISOs Are Missing
The Encryption At Rest Myth: Why Your Encryption Strategy Fails to Protect Data