Enterprises small and large that we have partnered with have experienced data security issues despite having deployed multiple "Zero Trust" solutions. This post briefly explores why that is the case. From first principles, the most important asset an enterprise has is its data in the cloud. Zero Trust must deliver on data security, and to provide that protection, one has to start from the data. We detail three principles that drive an effective Zero Trust data security solution.
Zero Trust is a security concept centered on the principle that organizations must not implicitly trust any request, whether it originates inside or outside their perimeter. Instead, they must authenticate and authorize the identity of the accessor with respect to the service. Zero Trust has thus been architected into access management, such as ZTNA (Zero Trust Network Access), SASE (Secure Access Service Edge), and micro-segmentation solutions. However, none of these offerings protect the data itself in the context of that access. If one interprets Zero Trust through a data security lens, it becomes apparent that you have to start from the assumption that all data can be breached and work backward to protect it. Data has an identity and a great deal of context.
Enterprises continue to grapple with questions like:
If one steps back and asks, "we do have Zero Trust solutions in our enterprise, so why do the questions above go unanswered?", the answer leads to what we term Zero Trust Data Security: applying Zero Trust security principles with an accessor-plus-data-centric approach.
Securing data means protecting every attack surface that leads up to the data. Assume that any access, by machine or human, is a potential attack surface. Look at the possible attack surfaces that can spring up for any data that is out there. Data is inherently fluid and exposes a variety of attack surfaces and threats. Knowing what data exists and how critical it is to your business becomes the key ingredient in prioritizing which attack surface or vulnerability to focus on.
Knowing the data context with all the details gives any organization the correct view of data, a first step to securing it.
Cloud data breaches are on the rise. How can you assess your data stores' posture against a data breach? How can you know that your data is not exposed to exfiltration using the same TTPs (Tactics, Techniques, and Procedures) disclosed in a published data breach? Addressing these questions requires an automated way to identify and remediate exposure to new data breaches, vulnerabilities, or ransomware. Building this know-how internally and keeping the knowledge up to date needs automation, tooling, and threat research.
All security teams are busy, over-stretched, and juggle multiple tools to secure the enterprise. If they can prioritize the issues or the next set of fixes based on what is essential to the business, it brings significant efficiency to security operations. Finding that priority in an automated way that factors in the financial liability associated with each enterprise data asset helps security teams focus on the right next step to secure data.
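The following is an added example, not code from the original post, of how the prioritization described above can be automated: each data store's financial liability (record count times a per-record cost for its data class) is combined with a breach likelihood derived from its exposure findings, and stores are ranked by expected loss. The per-record costs, finding weights, and inventory are all constructed for illustration; real figures would come from the organization's own breach-cost modelling.

```python
from dataclasses import dataclass, field

# Constructed per-record liability estimates (USD) by data class; illustrative only.
LIABILITY_PER_RECORD = {"PII": 150.0, "PHI": 400.0, "PCI": 250.0, "internal": 5.0}

# Constructed weights: how much each exposure finding raises breach likelihood.
FINDING_WEIGHT = {
    "public_access": 0.6,
    "no_encryption_at_rest": 0.2,
    "stale_access_keys": 0.3,
    "no_access_logging": 0.1,
}

@dataclass
class DataStore:
    name: str
    data_class: str
    record_count: int
    findings: list = field(default_factory=list)

def breach_likelihood(store: DataStore) -> float:
    # Treat findings as independent: P(breach) = 1 - prod(1 - w_i), floored at a 5% baseline.
    p_safe = 1.0
    for finding in store.findings:
        p_safe *= 1.0 - FINDING_WEIGHT.get(finding, 0.0)
    return max(0.05, 1.0 - p_safe)

def financial_liability(store: DataStore) -> float:
    return store.record_count * LIABILITY_PER_RECORD.get(store.data_class, 0.0)

def expected_loss(store: DataStore) -> float:
    return breach_likelihood(store) * financial_liability(store)

def prioritize(stores: list) -> list:
    """Rank data stores by expected loss, highest first."""
    return sorted(stores, key=expected_loss, reverse=True)

# Constructed sample inventory of cloud data stores with posture findings.
INVENTORY = [
    DataStore("analytics-bucket", "internal", 5_000_000, ["public_access"]),
    DataStore("customer-db", "PII", 200_000, ["no_encryption_at_rest", "stale_access_keys"]),
    DataStore("claims-archive", "PHI", 50_000, ["public_access", "no_access_logging"]),
    DataStore("logs", "internal", 10_000_000, []),
]

if __name__ == "__main__":
    for s in prioritize(INVENTORY):
        print(f"{s.name:18} likelihood={breach_likelihood(s):.2f} "
              f"liability=${financial_liability(s):,.0f} expected_loss=${expected_loss(s):,.0f}")
```

Note that the largest store by record count (logs) ranks last because it has no exposure findings, while the store with the highest raw liability (customer-db) ranks below the publicly readable bucket.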
We see early signs of these principles at work. Customers of ours who follow these three principles have identified data security issues that would create a multi-million dollar liability if the data were leaked or abused. They have thwarted abnormal query access before it could leak data and have avoided ransomware-driven cloud data breaches. Being aware of the financial liability that data breaches cause has helped customers prioritize fixes and remediations and control their data security posture.
Zero Trust is a process, a set of principles that must be followed not just in identity and application micro-segmentation but also in data security. This post has outlined how enterprises benefit by automating and applying the principles of Zero Trust to data security.