On March 2, 2023, the Biden-Harris administration announced its National Cybersecurity Strategy [1] to secure the full benefits of a safe and secure digital ecosystem for all Americans. While the focus of this strategy is US-centric, the need, application, and benefits of such a comprehensive plan are felt globally. It’s no surprise that Zero Trust (ZT), specifically Zero Trust Data Security, is a critical component of this strategy, as data is the most critical digital asset that must be secured with full force.
Despite the increasing popularity of Zero Trust security in cybersecurity circles, it's still a confusing concept for most security professionals. A 2022 survey of IT and cybersecurity decision-makers reveals that only one-third (35%) are confident in their understanding of the Zero Trust framework and controls [2]. By understanding the history of Zero Trust security, what it means, and how it applies to data security, organizations can learn how to apply these foundational elements to protect their most sensitive assets.
The key goal of Zero Trust security is to prevent data breaches and limit the lateral movement of users across the network. The term “Zero Trust” was first coined by John Kindervag while at Forrester and gained popularity as organizations recognized the inadequacy of the traditional perimeter-based security approach in protecting their digital infrastructure.
Historically, organizations have focused security efforts on the network-perimeter boundary, using firewalls to block malicious traffic and authenticating users before giving them access to resources within the network. This approach has limitations as it gives attackers unhindered access to resources once they break into the network. Moreover, with modern enterprises hosting applications and data in multiple clouds and employees working remotely, defining a network boundary becomes increasingly challenging, which makes perimeter security ineffective.
Zero Trust security has three fundamental principles -
Consider an airport security analogy. All passengers, irrespective of their citizenship and visa status, undergo the same security checks, including identity verification and baggage scan, to gain access to boarding gates. If a passenger accidentally exits the security checkpoint, they go through the entire security process again. This is equivalent to “never trust, always verify”. A passenger who is allowed beyond the checkpoint can only access the shops at that terminal and board the plane for the ticket purchased. This is equivalent to granting least-privileged access. Once inside the security checkpoint, the movements of all passengers are continuously monitored for suspicious activity through CCTV cameras, and the boarding pass is verified again before a passenger is allowed to board. This is equivalent to assuming an attack.
Zero Trust security is not a single technique or a product but a set of guiding principles to help an organization protect its assets. Even if an organization has not formally kicked off a Zero Trust implementation, it may already have basic elements of Zero Trust embedded in its current security architecture. Transitioning to Zero Trust is an incremental journey in which organizations should start with small projects and gradually add new layers of defense over time to strengthen Zero Trust security and block attackers without disrupting business.
Usually organizations anchor their Zero Trust security architecture on an Identity or a network segmentation approach, starting with their Identity and Access Management (IAM) and network security solutions of choice to set up a mechanism for authenticating and verifying incoming access requests. Common to all approaches is a policy decision and enforcement engine that uses various signals as inputs to a trust algorithm to grant, deny, or revoke access to a resource.
Source: NIST SP 800-207, Zero Trust Architecture [3]
When securing access to data, the trust algorithm needs data context such as sensitivity, applicable security and privacy laws, consent, behavior, and location in addition to knowing who is requesting access as inputs to decide how the request should be processed.
Think about the airport analogy again. Airports do a great job of implementing least-privilege security to ensure access to sensitive airport infrastructure is limited to people who absolutely need it to perform critical operations. For instance, access to the following airport resources is restricted in many ways -
Note that access to the aircraft is not a simple yes or no decision. All subjects including pilots, cabin crew, and passengers need aircraft access. However, the airline has to ensure that passengers do not enter the cockpit. This is an example of managing partial access. Similarly, in the digital world, granting data access is not always a black-and-white decision. Sometimes, an analyst needs access to a data set or a file containing sensitive information such as customer PII or financial records to perform a critical analysis. Rather than block access and hurt business, intelligent controls should be applied to allow access while masking sensitive data elements based on security or privacy context.
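The trust algorithm with data context and the partial-access decision described above can be sketched as follows. This is an added example, not Securiti's or NIST's code; the labels, roles, policy tables and sample record are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed data context: a sensitivity label per data element.
FIELD_LABELS = {"name": "pii", "email": "pii", "ssn": "restricted",
                "card_number": "financial", "order_total": "internal"}
# Hypothetical policy: labels each role may read unmasked.
CLEAR_LABELS = {"analyst": {"internal"}, "support": {"internal", "pii"}}

@dataclass(frozen=True)
class Request:
    role: str
    authenticated: bool            # identity verified for this request
    device_compliant: bool         # endpoint posture signal
    purpose: str                   # why the data is requested
    consented_purposes: frozenset  # purposes the data subject agreed to

def decide_field(req, label):
    """Trust algorithm for one data element: 'allow', 'mask' or 'deny'."""
    if not (req.authenticated and req.device_compliant):
        return "deny"              # never trust, always verify
    if req.role not in CLEAR_LABELS:
        return "deny"              # unknown roles get nothing
    if label == "restricted":
        return "deny"              # no role in this sample policy reads it
    if label not in CLEAR_LABELS[req.role]:
        return "mask"              # least privilege: partial access
    if label == "pii" and req.purpose not in req.consented_purposes:
        return "mask"              # privacy context overrides the role grant
    return "allow"

def apply_policy(req, record):
    """Evaluate every field on every request; denied fields are left out."""
    view = {}
    for field, value in record.items():
        # Unlabelled fields fail closed: treated as restricted.
        decision = decide_field(req, FIELD_LABELS.get(field, "restricted"))
        if decision == "allow":
            view[field] = value
        elif decision == "mask":
            view[field] = "****"
    return view

# Constructed sample record and request.
RECORD = {"name": "Ada Example", "email": "ada@example.com",
          "ssn": "000-00-0000", "card_number": "4111111111111111",
          "order_total": 129.5, "notes": "unlabelled free text"}
ANALYST = Request("analyst", True, True, "analytics",
                  frozenset({"analytics"}))
```

Calling `apply_policy(ANALYST, RECORD)` gives the analyst the order total in the clear, masked PII and card number, and no SSN or unlabelled field at all.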
Implementing Zero Trust security to protect data requires organizations to complement IAM and network security tools with solutions that provide intelligent data context and orchestrate partial access across structured and unstructured data objects at scale. Let’s examine the steps an organization needs to follow to improve Zero Trust data security.
By governing data access dynamically per request and granularly at a data element level, organizations can add a layer of defense to improve Zero Trust data security.
Data-driven technologies and decision making offer incredible economic opportunities to businesses and conveniences to consumers. However, the absence of intelligent Zero Trust data access controls can leave an organization holding the data in a difficult position. Overly strict controls impede innovation by locking down data access, whereas loose controls increase the risk of data breaches and consumer privacy violations. Finding the right balance is essential.
The National Cybersecurity Strategy supports increasing legislation around data protection, especially PII data. When implemented effectively, Zero Trust data security enables organizations to harness data by sharing it with internal and external teams while maintaining the strictest security controls and honoring the privacy rights of consumers. Zero Trust security can help an organization innovate using data while strengthening consumer trust and competitive differentiation in a digital world.
No Zero Trust implementation can completely eliminate risk. In Zero Trust, not only should an organization assume an attack but also prepare to handle one. The key step when a breach is suspected is to validate and contain the incident by identifying the affected data assets, the root cause, and remediation measures. Once the breach is confirmed, it's essential to identify the impacted data elements, consumers, and regulatory laws to assess the damage caused.
Accurate and automated impact assessment is critical as it enables the organization to better coordinate with investigating and regulatory authorities, share threat intelligence, and accelerate victim notification. All of these aspects of breach management are given significant importance in the National Cybersecurity Strategy.
When all eyes are on one company, breach response is more than a regulatory obligation. How an organization mitigates risk and communicates with stakeholders sets the tone for incident recovery and has a long-term impact on its brand reputation.
Securiti can be a critical cog in your Zero Trust security architecture, complementing IAM and network security solutions with intelligent sensitive data context and automated controls. Securiti helps organizations unleash the power of their data and implement a non-disruptive approach to Zero Trust with frictionless data security, privacy, and governance controls.
With Securiti's Data Controls Cloud, an organization can -
Access our Data Access Intelligence & Governance Guide to learn how your organization can operationalize Zero Trust Data Security with granular access controls.