Products
By Use Cases By Roles
Data Command Center
View
Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Blog » Data Access & Intelligence Governance

Understanding Zero Trust Data Security in the Spotlight of The National Cybersecurity Strategy

Published March 16, 2023 / Updated November 8, 2023

On March 2, 2023, the Biden-Harris administration announced its National Cybersecurity Strategy¹ to secure the full benefits of a safe and secure digital ecosystem for all Americans. While the focus of this strategy is US-centric, the need, application, and benefits of such a comprehensive plan are felt globally. It’s no surprise that Zero Trust (ZT), specifically Zero Trust Data Security, is a critical component of this strategy, as data is the most critical digital asset that must be secured with full force.

Despite the increasing popularity of Zero Trust security in cybersecurity circles, it's still a confusing concept for most security professionals. A 2022 survey of IT and cybersecurity decision-makers reveals that only one-third (35%) are confident in their understanding of the Zero Trust framework and controls². By understanding the history of Zero Trust security, what it means, and how it applies to data security, organizations can learn how to apply these foundational elements to protect its most sensitive assets.

What is Zero Trust Security? Brief History and Basics

The key goal of Zero Trust security is to prevent data breaches and limit the lateral movement of users across the network. The term “Zero Trust” was first coined by John Kindervag while at Forrester and gained popularity as organizations recognized the inadequacy of traditional perimeter-based security approach in protecting their digital infrastructure.

Historically, organizations have focused security efforts on the network-perimeter boundary, using firewalls to block malicious traffic and authenticating users before giving them access to resources within the network. This approach has limitations as it gives attackers unhindered access to resources once they break into the network. Moreover, with modern enterprises hosting applications and data in multiple clouds and employees working remotely, defining a network boundary becomes increasingly challenging, which makes perimeter security ineffective.

Zero Trust: Core Principles And The Airport Security Analogy

Zero Trust security has three fundamental principles -

Never trust, always verify: An entity requesting access to a resource should never be trusted based on its location on the network. Every request should be authenticated and verified, including those coming from within the corporate network. Also, trust should be granted per transaction and never considered permanent.
Grant Least-privileges: Access to resources should be minimized by limiting permissions to what is needed to perform a transaction. Subsequent requests should be re-verified and re-authenticated and treated as new transactions.
Assume attack: Organizations should presume that an attacker is always on the network. Multiple layers of defense should be implemented to catch an attacker that manages to breach one of those layers.

Consider an airport security analogy. All the passengers, irrespective of their citizenship and visa status, undergo the same security checks, including identity verification and baggage scan, to gain access to boarding gates. If a passenger accidentally exits the security checkpoint, it goes through the entire security process again. This is equivalent to “never trust, always verify”. A passenger who is allowed beyond the checkpoint can only access the shops at that terminal and board the plane for the ticket purchased. This is equivalent to granting least-privileged access. Once inside the security checkpoint, the movements of all passengers are continuously monitored for suspicious activity through CCTV cameras, and the boarding pass is verified again before a passenger is allowed to board. This is equivalent to assuming an attack.

Zero Trust security is not a single technique or a product but a set of guiding principles to help an organization protect its assets. Even if an organization has not formally kicked off a Zero Trust implementation, it may already have basic elements of Zero Trust embedded in its current security architecture. Transitioning to Zero Trust is an incremental journey in which organizations should start with small projects and gradually add new layers of defense over time to strengthen Zero Trust security and block attackers without disrupting business.

Applying Zero Trust Security To Data Assets and Elements

Usually organizations anchor their Zero Trust security architecture on an Identity or a network segmentation approach, starting with their Identity and Access Management (IAM) and network security solutions of choice to set up a mechanism for authenticating and verifying incoming access requests. Common to all approaches is a policy decision and enforcement engine that uses various signals as inputs to a trust algorithm to grant, deny, or revoke access to a resource.

Source: NIST SP 800-207, Zero Trust Architecture³

When securing access to data, the trust algorithm needs data context such as sensitivity, applicable security and privacy laws, consent, behavior, and location in addition to knowing who is requesting access as inputs to decide how the request should be processed.

Think about the airport analogy again. Airports do a great job of implementing least-privilege security to ensure access to sensitive airport infrastructure is limited to people who absolutely need it to perform critical operations. For instance, access to the following airport resources is restricted in many ways -

Cockpit: Pilots, cabin crew, and technical staff
Airplane seats: Passengers based on ticket class
Baggage: Logistics and customs staff
Food: Hospitality teams and cabin crew
Inflight communication: Pilots and cabin crew

Note that access to the aircraft is not a simple yes or no decision. All subjects including pilots, cabin crew, and passengers need aircraft access. However, the airline has to ensure that passengers do not enter the cockpit. This is an example of managing partial access. Similarly, in the digital world, granting data access is not always a black-and-white decision. Sometimes, an analyst needs access to a data set or a file containing sensitive information such as customer PII or financial records to perform a critical analysis. Rather than block access and hurt business, intelligent controls should be applied to allow access while masking sensitive data elements based on security or privacy context.

“Implementing Zero Trust security to protect data requires organizations to complement IAM and network security tools with solutions that can provide intelligent data context and orchestrate partial access across structured and unstructured data objects at scale.”

Operationalizing Zero Trust Data Security With Least Privilege Access

Implementing Zero Trust security to protect data requires organizations to complement IAM and network security tools with solutions that provide intelligent data context and orchestrate partial access across structured and unstructured data objects at scale. Let’s examine the steps an organization needs to follow to improve Zero Trust data security.

Discover All Data Systems: An organization needs to automate the discovery of different structured and unstructured data objects across public clouds, private clouds, SaaS applications, and data streams. The discovery process should ensure visibility into non-cloud-native, dark data assets unknown to IT teams.
Gain Sensitive Data Intelligence: The next step is to accurately classify, label, and tag sensitive data elements in each data store. It's important to identify personal data belonging to individuals, as protecting such data is required by regulation and is the foundation of trust between an organization and its customers.
Identify Sensitive Data Obligations: Data, especially sensitive data, has many obligations as an organization must comply with various data security and privacy laws and internal governance controls. Proactively identifying these obligations is critical to ensure that organizations deny access requests that violate these data obligations.
Segment Identities by Roles and Permissions: An organization needs to identify identities that need data access and segment them by roles. This mapping can be informed based on current access activity and should limit permissions to what is needed to perform critical business functions.
Govern Data Access With Granular Controls: The next step is to orchestrate data access controls, blocking unauthorized requests and granting authorized access while masking sensitive data elements based on tags at scale.
Remediate Data Security Posture Risks: Organizations must assess the data security posture to identify vulnerable systems, especially misconfigured assets containing sensitive data. Access to such systems should be denied and carefully monitored until vulnerabilities have been addressed.

By governing data access dynamically per request and granularly at a data element level, organizations can add a layer of defense to improve Zero Trust data security.

Why Zero Trust Data Security Matters

Data-driven technologies and decision making offers incredible economic opportunities to businesses and conveniences to consumers. However, absence of intelligent Zero Trust data access controls can leave an organization holding the data in a difficult position. Overly strict controls impede innovation by locking down data access whereas loose controls increase the risk of data breaches and consumer privacy violations. Finding the right balance is essential.

The National Cybersecurity Strategy supports increasing legislation around data protection, especially PII data. When implemented effectively, Zero Trust data security enables organizations to harness data by sharing it with internal and external teams while maintaining strictest security controls and honoring the privacy rights of consumers. Zero Trust security can help an organization innovate using data while strengthening consumer trust and competitive differentiation in a digital world.

Managing Response When Zero Trust Fails

No Zero Trust implementation can completely eliminate risk. In Zero Trust, not only should an organization assume an attack but also prepare to handle one. The key step when a breach is suspected is to validate and contain the incident by identifying the affected data assets, the root cause, and remediation measures. Once the breach is confirmed, it's essential to identify the impacted data elements, consumers, and regulatory laws to assess the damage caused.

Accurate and automated impact assessment is critical as it enables the organization to better coordinate with investigating and regulatory authorities, share threat intelligence, and accelerate victim notification. All of these aspects of breach management get significant importance in the National Cybersecurity strategy.

When all eyes are on one company, breach response is more than a regulatory obligation. How an organization mitigates risk and communicates with stakeholders sets the tone for incident recovery and has a long-term impact on its brand reputation.

How Securiti Strengthens Zero Trust Data Security

Securiti can be a critical cog in your Zero Trust security architecture, complementing IAM and network security security solutions with intelligent sensitive data context and automated controls. Security helps organizations to unleash the power of its data and implement a non-disruptive approach to Zero Trust with frictionless data security, privacy, and governance controls.

With Securiti's Data Controls Cloud, an organization can -

Discover structured & unstructured data across clouds, SaaS, and streaming platforms
Accurately identify predefined and business-specific sensitive data elements
Monitor data access activity and eliminate over-privileged roles
Dynamically mask sensitive data at-rest and in-motion
Prioritize and remediate risky misconfigurations of sensitive data objects
Securely share data in compliance with global security and privacy regulations
Proactively plan and automate data breach lifecycle management

Access our Data Access Intelligence & Governance Guide to learn how your organization can operationalize Zero Trust Data Security with granular access controls.

References:

FACT SHEET: Biden-⁠Harris Administration Announces National Cybersecurity Strategy, The White House
Zero Trust Slow to Build Momentum, 2022 CyberRisk Alliance Research Study
NIST Special Publication 800-207, Zero Trust Architecture

Authored by Nikhil Girdhar

Nikhil Girdhar is a Senior Director for Data Security products at Securiti. With over 15 years of experience in the industry, Nikhil is an expert in helping customers tackle their most pressing multi-cloud security and management challenges. In the past, he has held product and technical leadership roles at companies such as VMware, CloudHealth, and Samsung, where he has transformed innovative ideas into profitable, high-growth business ventures.

Understanding Zero Trust Data Security in the Spotlight of The National Cybersecurity Strategy

What is Zero Trust Security? Brief History and Basics

Zero Trust: Core Principles And The Airport Security Analogy

Applying Zero Trust Security To Data Assets and Elements

Operationalizing Zero Trust Data Security With Least Privilege Access

Why Zero Trust Data Security Matters

Managing Response When Zero Trust Fails

How Securiti Strengthens Zero Trust Data Security

Authored by Nikhil Girdhar

More Stories that May Interest You

Newsletter

Company

Resources

Terms

Get in touch

Understanding Zero Trust Data Security in the Spotlight of The National Cybersecurity Strategy

What is Zero Trust Security? Brief History and Basics

Zero Trust: Core Principles And The Airport Security Analogy

Applying Zero Trust Security To Data Assets and Elements

Operationalizing Zero Trust Data Security With Least Privilege Access

Why Zero Trust Data Security Matters

Managing Response When Zero Trust Fails

How Securiti Strengthens Zero Trust Data Security

Authored by Nikhil Girdhar

Join Our Newsletter

Share

More Stories that May Interest You

Securing Your Crown Jewels With Data Security Posture Management (DSPM)

Data Governance Vs. Data Security: What To Know

ITAR Compliance in the Cloud: 6 Data Security Measures

Newsletter

Company

Resources

Terms

Get in touch