Is Zero Trust Data Security Possible?
December 10, 2020
Read the original Forbes article: Is Zero Trust Data Security Possible?
Some enterprises I've worked with that have deployed a zero trust (trust no one) model have still experienced data breaches. With zero trust implemented correctly, data breaches can be eliminated or minimized to small datasets. I believe breaches still occur because organizations do not rely on zero trust data security solutions. After all, most options I've seen are not zero trust compliant.
Data loss prevention (DLP) requires discovery and classification first; it doesn't secure data by default, only data it has already found and labeled. Endpoint DLP typically leaves data on the device unsecured and only locks down egress of data off the device.
Solutions like information rights management (IRM) and file encryption aren't zero trust. Those solutions only secure the initial transfer of data. An employee can encrypt a file and send the data to an external partner. But once the partner has decrypted the file to consume the content, the partner — not the employee or company — has control of the data.
I believe the use of these data security tools has contributed to data breach after data breach and headline after headline. What enterprises need to do is implement zero trust data security principles.
Here are four core principles of zero trust to implement when deploying a zero trust data security solution.
It is challenging to implement zero trust without granular controls. Instead of a carte blanche "allow or deny" permission, permissions should be extremely granular. Identity providers can authenticate on more than username and password: they can also use device, device posture, location, time and other signals as additional authentication factors.
Data security should have similar granular controls. Besides basic authorization for users and devices, your security team should use controls over endpoint applications, networks, SaaS or cloud applications, and data usage such as copy and paste. Make sure these controls don't allow unauthorized or unknown processes to access data; new or unauthorized applications with access to data are how ransomware does its damage. You should also secure data at its centralized sources, whether in the cloud or in the corporate data center.
Enforce Policies Everywhere
Data security has previously focused largely on data access. But once data is accessed, the user typically has broad rights to use and transfer the data without additional security controls.
Some solutions claim to be data-centric; on closer inspection they often turn out to be file-centric. With zero trust, the goal is to be as granular as possible.
Security needs to be persistent. You should secure your data at all times: at rest, in transit and in use. Security needs to apply to any file type and any application. Identify solutions that are not zero trust, such as any tools that publish a list of supported applications. A supported application list implies that there are unsupported applications whose data the tool will not secure.
A widespread use case for zero trust security today is downloading sensitive data from a SaaS or cloud service. Make sure you're securing data exported from SaaS services and that it remains secured throughout its entire life cycle.
The most granular data security approaches apply security to the data itself, not the file. As users create new content, compare that content to previously secured content. If the content is similar, automatically secure the new content with the same permissions as the previously secured data. Make sure to monitor small data segments as they move from file to file and apply permission accordingly.
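The content-level matching described above, as an added example that is not part of the original article or of any SecureCircle product: new content is fingerprinted with hashed word shingles and compared against already-secured content, and where a segment overlaps, the new content inherits the most restrictive matching permissions. The thresholds, the two secured documents, their permissions and the sample email are all constructed for illustration.

```python
# Added example (not from the original article or any vendor product):
# classify new content by comparing it with already-secured content so that
# it inherits the same permissions. The comparison uses hashed word k-gram
# shingles and Jaccard overlap, a common DLP fingerprinting technique.
# Secured documents, permissions and the sample email are all constructed.
import hashlib
import re
from dataclasses import dataclass

SHINGLE_WORDS = 5           # words per shingle; smaller values catch shorter excerpts
JACCARD_THRESHOLD = 0.2     # whole-document similarity at which permissions propagate
MIN_SHARED_SHINGLES = 3     # also propagate when a short verbatim segment moves


def tokenize(text):
    """Lower-case word tokens; punctuation and casing must not defeat matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text, k=SHINGLE_WORDS):
    """Set of hashed k-word shingles. Only hashes are kept, so the store never
    holds the secured text in the clear."""
    words = tokenize(text)
    return {
        hashlib.blake2b(" ".join(words[i:i + k]).encode(), digest_size=8).digest()
        for i in range(max(len(words) - k + 1, 0))
    }


@dataclass
class SecuredRecord:
    name: str
    permissions: frozenset      # actions granted on this data, e.g. {"read"}
    shingles: set


class FingerprintStore:
    def __init__(self):
        self.records = []

    def secure(self, name, text, permissions):
        """Register content that has been secured, together with its permissions."""
        record = SecuredRecord(name, frozenset(permissions), fingerprint(text))
        self.records.append(record)
        return record

    def classify(self, text):
        """Return None if the content resembles nothing secured, otherwise a dict
        with the permissions to apply (intersection over all matches, i.e. the
        most restrictive), the matched record names and the shingle overlap."""
        new = fingerprint(text)
        matches, shared_total = [], 0
        for record in self.records:
            shared = len(new & record.shingles)
            if shared == 0:
                continue
            jaccard = shared / len(new | record.shingles)
            if jaccard >= JACCARD_THRESHOLD or shared >= MIN_SHARED_SHINGLES:
                matches.append(record)
                shared_total += shared
        if not matches:
            return None
        permissions = frozenset.intersection(*(m.permissions for m in matches))
        return {"permissions": permissions,
                "matched": [m.name for m in matches],
                "shared_shingles": shared_total}


# Constructed sample data
BOARD_DECK = ("Project Falcon acquisition target valuation is 42 million with closing "
              "expected in the fourth quarter pending regulatory approval from the commission.")
HANDBOOK = ("Employees may carry over five days of unused leave into the next calendar year "
            "with manager approval recorded in the HR portal before December.")
PASTED_EMAIL = ("Hi team, quick note: the acquisition target valuation is 42 million with "
                "closing expected in the fourth quarter. Let's sync tomorrow.")
LUNCH_MEMO = "Lunch menu for Friday includes pasta salad and lemonade for the whole office."


def build_store():
    store = FingerprintStore()
    store.secure("q3-board-deck", BOARD_DECK, {"read"})
    store.secure("hr-handbook", HANDBOOK, {"read", "copy", "export"})
    return store


if __name__ == "__main__":
    store = build_store()
    print(store.classify(PASTED_EMAIL))   # inherits read-only from the board deck
    print(store.classify(LUNCH_MEMO))     # None: nothing to inherit
```

The email shares nine consecutive five-word shingles with the board deck and none with the handbook, so it inherits the deck's read-only permission even though most of its text is new; the lunch memo matches nothing and stays unclassified. Lowering SHINGLE_WORDS catches shorter excerpts at the cost of more coincidental matches.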
Provide Identity Beyond Identity And Access Management (IAM)
Authorization based on basic credentials such as username and password is not enough. Enable access policies for applications, networks and system tools such as clipboards.
By enforcing application policies, IT can allow only authorized applications to access secured data — no more Word-to-PDF converters downloaded from unknown sources. Enforce application-level network rules, such as only allowing file transfer protocol (FTP) applications to send data to corporate IP addresses. Enforce clipboard policies to block or allow secured data to move between secured and unsecured applications.
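As an added example (not the article's or any vendor's code) tying together the granular controls discussed earlier and the application, network and clipboard policies in this section: a small attribute-based policy check. It narrows the set of permitted actions as it evaluates device enrollment and posture, location and time, the requesting process, the clipboard target and the network destination, so the result is a granular set of permissions rather than a carte blanche allow or deny. The application registry, corporate address ranges, approved countries and hours, and the sample requests are all constructed.

```python
# Added example (not from the original article or any vendor product): a small
# attribute-based policy check that decides what a specific process may do with
# secured data, instead of a single allow/deny. The application registry,
# network ranges, locations, hours and sample requests are all constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Applications authorized to open secured data, and their class. Anything not
# listed (including a converter downloaded from an unknown source) is unauthorized.
AUTHORIZED_APPS = {"winword.exe": "office", "excel.exe": "office", "corp-sftp.exe": "transfer"}
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_COUNTRIES = {"US", "CA"}
BUSINESS_HOURS = range(7, 20)            # local hours in which export is permitted
ALL_ACTIONS = frozenset({"read", "copy", "export", "network_send"})


@dataclass
class Request:
    user: str
    device_managed: bool                 # enrolled in MDM / known to the IdP
    device_compliant: bool               # posture: encrypted, patched, EDR healthy
    location_country: str
    hour: int                            # local hour, 0-23
    process: str                         # process asking for the data
    action: str                          # one of ALL_ACTIONS
    clipboard_target: Optional[str] = None   # process receiving a paste (for "copy")
    dest_ip: Optional[str] = None            # destination address (for "network_send")


@dataclass
class Decision:
    allowed: bool            # is the requested action permitted
    granted: frozenset       # every action this request context would permit
    reason: str


def evaluate(req):
    """Narrow the full action set as each attribute is checked, then decide."""
    app_class = AUTHORIZED_APPS.get(req.process)
    if app_class is None:
        return Decision(False, frozenset(), f"process {req.process} is not authorized for secured data")
    if not req.device_managed:
        return Decision(False, frozenset(), "device is not managed")

    granted = set(ALL_ACTIONS)
    notes = []
    if not req.device_compliant:
        granted &= {"read"}
        notes.append("non-compliant device posture: read only")
    if req.location_country not in ALLOWED_COUNTRIES or req.hour not in BUSINESS_HOURS:
        granted -= {"export", "network_send"}
        notes.append("outside approved location or hours: no export")
    if app_class != "transfer":
        granted.discard("network_send")   # only transfer applications may send data out
    if req.action == "copy" and req.clipboard_target not in AUTHORIZED_APPS:
        granted.discard("copy")
        notes.append(f"clipboard target {req.clipboard_target} is not a secured application")
    if req.action == "network_send":
        inside = req.dest_ip is not None and any(ip_address(req.dest_ip) in net for net in CORPORATE_NETS)
        if not inside:
            granted.discard("network_send")
            notes.append(f"destination {req.dest_ip} is outside corporate address ranges")

    return Decision(req.action in granted, frozenset(granted), "; ".join(notes) or "all checks passed")


if __name__ == "__main__":
    samples = [
        Request("alice", True, True, "US", 10, "winword.exe", "read"),
        Request("alice", True, True, "US", 10, "pdfconv.exe", "read"),
        Request("bob", True, True, "US", 11, "winword.exe", "copy", clipboard_target="chrome.exe"),
        Request("bob", True, True, "US", 11, "corp-sftp.exe", "network_send", dest_ip="203.0.113.9"),
        Request("carol", True, True, "US", 23, "excel.exe", "export"),
    ]
    for s in samples:
        d = evaluate(s)
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{s.user:6} {s.process:14} {s.action:13} -> {verdict} ({d.reason})")
```

Returning the whole granted set alongside the decision matters for the logging principle below: the record shows not only that a paste into the browser was denied, but that the same user on the same device could still read and copy within authorized applications, which makes the policy auditable rather than a black box.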
Introduce Visibility And Automation
Visibility and automation are two of the cross-functional principles of zero trust. Granular logging and reporting should enable orchestration tools to look for anomalies and suspicious behavior. Log all data access attempts, regardless of whether you allow or deny the action. Your log should include user, application, device, location, time and other metadata. Proper logging will allow orchestration tools to detect potential malware and suspicious user behavior while also creating audit and compliance reports.
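An added example (not from the article) of the logging and detection this section calls for: each access attempt, allowed or denied, is logged with user, application, device, location, time and object, and simple orchestration rules run over those records to flag an unknown process touching secured data, a burst of denied attempts from one user, and an export from an unusual location or hour, while a summary supports audit reporting. The log lines, allowlist, location baselines and thresholds are constructed.

```python
# Added example (not from the original article): run simple detection rules
# over structured data-access logs. Every attempt is logged regardless of
# outcome, so denials are as visible as successes. The JSON log lines,
# allowlist, per-user location baselines and thresholds are constructed.
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

AUTHORIZED_APPS = {"winword.exe", "excel.exe", "corp-sftp.exe"}          # constructed allowlist
USER_BASELINE_LOCATIONS = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}  # constructed
DENY_THRESHOLD, DENY_WINDOW = 3, timedelta(seconds=60)
BUSINESS_HOURS = range(7, 20)        # UTC hours treated as normal for exports

# Constructed sample log, one JSON record per access attempt.
SAMPLE_LOG = """
{"ts":"2020-12-09T10:00:00Z","user":"carol","app":"excel.exe","device":"LT-0310","location":"US","action":"read","object":"customer-list.xlsx","outcome":"allow"}
{"ts":"2020-12-10T09:02:11Z","user":"alice","app":"winword.exe","device":"LT-0142","location":"US","action":"read","object":"q3-board-deck.docx","outcome":"allow"}
{"ts":"2020-12-10T09:05:40Z","user":"alice","app":"winword.exe","device":"LT-0142","location":"US","action":"copy","object":"q3-board-deck.docx","outcome":"allow"}
{"ts":"2020-12-10T09:06:02Z","user":"alice","app":"chrome.exe","device":"LT-0142","location":"US","action":"paste","object":"q3-board-deck.docx","outcome":"deny"}
{"ts":"2020-12-10T13:10:00Z","user":"bob","app":"svchost_updater.exe","device":"LT-0077","location":"US","action":"read","object":"customer-list.xlsx","outcome":"deny"}
{"ts":"2020-12-10T13:10:01Z","user":"bob","app":"svchost_updater.exe","device":"LT-0077","location":"US","action":"read","object":"payroll.xlsx","outcome":"deny"}
{"ts":"2020-12-10T13:10:01Z","user":"bob","app":"svchost_updater.exe","device":"LT-0077","location":"US","action":"read","object":"contracts.pdf","outcome":"deny"}
{"ts":"2020-12-10T13:10:02Z","user":"bob","app":"svchost_updater.exe","device":"LT-0077","location":"US","action":"read","object":"roadmap.pptx","outcome":"deny"}
{"ts":"2020-12-10T22:48:30Z","user":"carol","app":"excel.exe","device":"LT-0310","location":"BR","action":"export","object":"customer-list.xlsx","outcome":"allow"}
"""


def parse_log(text):
    """Parse JSON lines into events sorted by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Apply three rules and return a list of alert dicts."""
    alerts = []
    seen_unknown = set()
    denies = defaultdict(list)        # user -> recent denied-attempt timestamps
    burst_reported = set()
    for e in events:
        # Rule 1: a process outside the allowlist touched secured data (any outcome)
        if e["app"] not in AUTHORIZED_APPS and (e["user"], e["app"]) not in seen_unknown:
            seen_unknown.add((e["user"], e["app"]))
            alerts.append({"rule": "unknown_process", "user": e["user"],
                           "app": e["app"], "device": e["device"]})
        # Rule 2: a burst of denials from one user (scripted access or malware enumerating files)
        if e["outcome"] == "deny":
            recent = denies[e["user"]]
            recent.append(e["ts"])
            recent[:] = [t for t in recent if e["ts"] - t <= DENY_WINDOW]
            if len(recent) >= DENY_THRESHOLD and e["user"] not in burst_reported:
                burst_reported.add(e["user"])
                alerts.append({"rule": "deny_burst", "user": e["user"],
                               "count": len(recent), "app": e["app"]})
        # Rule 3: a permitted export from a location or hour unusual for that user
        if e["action"] == "export" and e["outcome"] == "allow":
            unusual = []
            if e["location"] not in USER_BASELINE_LOCATIONS.get(e["user"], set()):
                unusual.append(f"location {e['location']}")
            if e["ts"].hour not in BUSINESS_HOURS:
                unusual.append(f"hour {e['ts'].hour:02d}")
            if unusual:
                alerts.append({"rule": "unusual_export", "user": e["user"],
                               "object": e["object"], "why": ", ".join(unusual)})
    return alerts


def audit_summary(events):
    """Counts per (user, outcome), the raw material for audit and compliance reports."""
    return Counter((e["user"], e["outcome"]) for e in events)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for a in detect(evts):
        print(a)
    print(dict(audit_summary(evts)))
```

Logging the denied attempts is what makes the second and third alerts possible: if only successful access were recorded, the four denials against bob's device would never be seen, and the enumerating process would go unnoticed until it found something it was allowed to read.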
By following these zero trust principles when deploying data security solutions, enterprises can finally start to eliminate data breaches.
If you want to be notified when we post the newest content about mitigating insider threats, data breaches, protecting source code, and DASB, please subscribe to our SecureCircle newsletter.