Just like the identity of access, there is an identity of data. Zero Trust is a security concept centered on the principle that organizations must not implicitly trust any request, whether it originates inside or outside their perimeter. What happens when data moves to cloud or SaaS databases? Today, deciding whether a specific access to data is allowed is mostly a question about the identity of the access: who or what is asking. Still, there is arguably a clear case for an identity of data as well.
Take the following example: in a hospital environment, a nurse or a doctor should be allowed to see a specific patient record. Specific patient records can be associated with a particular doctor or nurse. The record carries semantic information that identifies the patient, and that information may be PHI or PII. So the association runs both ways: just as the nurse or doctor has an identity backed by credentials, the data has an identity defined by the patient attributes it carries. In a cloud or SaaS environment, this data can be copied or shared.
How should this two-way identity, or handshake, control follow data-sharing and governance rules when the data moves? It makes a case for data-centric cloud security, in which the security controls follow the data identity wherever the data goes.
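As an added illustration of controls that follow data identity (example code written for this page, not code from the original article), the sketch below labels each record with a data identity and evaluates every access against both that label and the caller's access identity, deliberately ignoring where the copy is stored. The record and user fields, the role names, the purpose-of-use check and the policy rules are assumptions chosen for illustration; the patients and users are constructed sample data.

```python
"""Data-centric access check: the decision is driven by labels that travel
with the record (data identity) matched against the caller's attributes
(access identity), not by where the record happens to be stored.

Added example, not code from the original article. The record and user
structures, label names and policy rules are assumptions for illustration.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet


@dataclass(frozen=True)
class DataIdentity:
    """Attributes that identify and classify a record; carried with every copy."""
    patient_id: str
    classification: str          # e.g. "PHI"
    care_team: FrozenSet[str]    # user ids with a treatment relationship
    origin: str                  # system the record was created in


@dataclass(frozen=True)
class Record:
    identity: DataIdentity
    body: str
    location: str                # where this particular copy currently lives


@dataclass(frozen=True)
class AccessIdentity:
    user_id: str
    role: str                    # "doctor", "nurse", "billing", ...
    purpose: str                 # declared purpose of use
    authenticated: bool


CLINICAL_ROLES = {"doctor", "nurse"}


def is_allowed(subject: AccessIdentity, record: Record) -> tuple[bool, str]:
    """Bind the access identity to the data identity. record.location is ignored on purpose."""
    d = record.identity
    if not subject.authenticated:
        return False, "no verified access identity"
    if d.classification == "PHI":
        if subject.role not in CLINICAL_ROLES:
            return False, "PHI requires a clinical role"
        if subject.purpose != "treatment":
            return False, "PHI only for treatment purpose"
        if subject.user_id not in d.care_team:
            return False, f"{subject.user_id} has no care relationship with {d.patient_id}"
    return True, "allowed"


def share_copy(record: Record, new_location: str) -> Record:
    """Copying or sharing keeps the data identity intact; only the location changes."""
    return replace(record, location=new_location)


# Constructed sample data (not real patients or users).
RECORD = Record(
    identity=DataIdentity(patient_id="P-1001", classification="PHI",
                          care_team=frozenset({"dr.lee", "nurse.kim"}), origin="ehr-onprem"),
    body="BP 130/85, allergy: penicillin",
    location="ehr-onprem",
)
DR_LEE = AccessIdentity("dr.lee", "doctor", "treatment", True)
NURSE_KIM = AccessIdentity("nurse.kim", "nurse", "treatment", True)
DR_PATEL = AccessIdentity("dr.patel", "doctor", "treatment", True)  # no care relationship
BILLING = AccessIdentity("bob", "billing", "billing", True)


def demo() -> dict[str, bool]:
    """Evaluate the same policy against the on-prem original and a SaaS copy.

    Because the policy reads only the record's identity, the two decisions
    must agree for every caller; the check below enforces that.
    """
    saas_copy = share_copy(RECORD, "saas-analytics-bucket")
    results = {}
    for who in (DR_LEE, NURSE_KIM, DR_PATEL, BILLING):
        onprem, _ = is_allowed(who, RECORD)
        cloud, _ = is_allowed(who, saas_copy)
        if onprem != cloud:
            raise RuntimeError("decision must not depend on where the copy lives")
        results[who.user_id] = onprem
    return results


if __name__ == "__main__":
    for user, ok in demo().items():
        print(f"{user:10s} -> {'ALLOW' if ok else 'DENY'}")
```

The point of the sketch is that `share_copy` cannot strip the label: the patient attributes and care-team association are part of the record's identity, so the same decision is reached whether the caller hits the on-prem system or a copy in a SaaS bucket. In a real deployment the label would be cryptographically bound to the record (for example, carried in signed metadata) so that a copy cannot be relabelled in transit.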