The Zero Trust Approach to Data Management
Results of a September 2021 Forrester Consulting survey commissioned by Tenable highlight the impact of personal devices, remote access tools, and cloud services on cybersecurity risk. The Forrester survey results indicated that:
- 80% of 1300 business and security leaders believe that their organizations have become more exposed to risk.
- 92% of surveyed executives indicated that their organizations had experienced a cyberattack or compromise within a 12-month period.
- 67% of the respondents reported that the attacks targeted remote workers.
- 62% of surveyed business and security executives indicated that attacks involved cloud assets.
Factors contributing to increased risk include employees using personal devices to access sensitive intellectual property and data outside of the traditional network perimeter, the lack of visibility into employee home networks, supply chain vulnerabilities, and the transfer of business-critical functions to the cloud. The cyberattacks caused a loss of data, interruption of operations, financial loss, theft of intellectual property, and ransomware payouts.
The statistics illustrate how global disruptions have emboldened state-sponsored adversaries, e-Crime syndicates, hacktivist fronts, and individual hackers-for-hire. Ransomware-related data breaches increased by 82% from 2020 to 2021 while big game hunting (BGH) ransomware attacks became more common. As attackers have become more sophisticated and more adaptable, they have abandoned malware in favor of using legitimate credentials and built-in tools for intrusion and exploitation.
‘Never Trust, Always Verify’ Aligns with Business Strategy
The increases in risk — and the variations in attacks — have prompted security executives to rethink the alignment between cybersecurity, business, and workforce strategies. Security leaders recognize that transferring business-critical functions to the cloud increases collaboration and productivity. This recognition dovetails with the realization that the “new” remote/hybrid work environment has become an established part of workforce strategies.
The process of reimagining the cybersecurity landscape has prompted a movement towards zero trust environments that follow the guiding principle of “never trust, always verify”. Role-based and attribute-based controls combine with policy-based access controls for authentication and authorization. Access occurs at the minimum level needed to perform a task or action.
Rather than assume that Trusted Internet Connections and perimeter firewalls have ensured safety, zero trust expects that risk accompanies every network request, that an attacker exists in the environment, and that every request requires verification. Whether the network is enterprise-owned or non-enterprise-owned, zero trust requires continual analysis and constant evaluation of risks. Zero trust decreases access to data, information technology resources, applications, and services.
Attaining the goals of preventing unauthorized access to data and services requires a balancing act between security and business requirements and objectives. Satisfying security requirements depends on authentication, authorization, and minimal implicit trust zones. Business objectives revolve around ease of use, mobility, access to information resources, productivity, agility, and speed.
Zero trust promotes ease of use through access control enforcement granularity. Rather than signing into multiple applications, employees need only use the existing active directory to sign in to applications and resources. Eliminating duplicative authentication technologies lessens the opportunities for data overload and delayed detection. Along with allowing a Security Operations Center (SOC) team to acquire knowledge about devices and user roles, the active directory also shows how the devices and user roles fit within organizational policy. The active directory shows known devices and users, permission levels for access to data and computing services, group memberships, and policy adherence.
Because employees can easily access applications that enable their success, network performance improves through less traffic on subnets. Businesses gain agility, productivity, and speed through the ability to safely employ workers in any global location. The protections obtained through zero trust allow employees to collaborate while accessing high-value information. Dynamic — yet passive — risk evaluation that occurs without interrupting employees’ workflow maintains productivity.
Zero Trust Data Management Strengthens the Alignment Between Security and Business Requirements
Traditional methods for achieving secure data management involve static security policies and often work through policy enforcement, sometimes inflexible, that is designed to protect the perimeter. Attribute configurations and assignments, responses to incidents, and the determination of the appropriate mitigation strategy occur manually. The security surrounding data management may lack consistency and the capability to detect and respond quickly to an intrusion.
In contrast, zero trust data management focuses on a foundational, data-centric approach to cybersecurity rooted in the tenets of zero trust. No matter where the data resides, zero trust provides protection. While this approach encompasses all data sources and computing services, access to individual enterprise resources only occurs on a per-session basis. Dynamic policies protect business processes by controlling access to all data sources. Automated processes and systems combine with dynamic policy enforcement to prevent unauthorized access to data.
Zero trust data management emphasizes enhanced business capabilities for inventory management, visibility, and analytics. The work to attain these capabilities depends on the level of understanding that a business has about its data and the critical nature of the data. A fully implemented zero trust architecture uses tagging and tracking to continuously inventory structured and unstructured data as well as classify the data according to location and value. Metadata contained within tags can enforce policies and establish permissions for access.
Visibility exists through constantly accounting for data and establishing trust zones and access controls matched with location, privileges, application requirements, and behaviors. Predictive analytics constructed around anomaly detection and machine learning within the zero trust architecture log all access attempts and analyze those attempts for any unusual behaviors or suspicious access attempts. Because the system recognizes any inconsistency, automatically denies an access request, and issues an alert, a business can proactively protect against attacks.
Rather than using manual or static analysis for data categorization, zero trust utilizes machine learning to maintain categorization. Enabling automatic categorization allows the system to enforce strict access controls for any high-value data. Regardless of the storage location, the system automatically backs up high-value data and encrypts all data at rest, in use, or in motion.
The combination of dynamic policies and policy enforcement allows a business to determine the level of access given to the network. Along with limiting access, zero trust also maintains continual risk-based evaluations of the need for access. Policies built around zero trust automatically enforce data protections and categorize data and data access. With policies in place, automated processes and systems strictly enforce access controls for high-value data. Zero trust data management supports just-in-time and just-enough access to data and information resources. The just-in-time and just-enough methods eliminate open-ended access to data and allow requests and data access to expire when unneeded.
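The tag-driven, just-in-time and just-enough access described above can be sketched as a small policy decision function. This is an added example, not code from the original article; the asset names, tag keys, `Grant`, `issue_grant` and `decide` are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: classification tags attached to data assets as metadata.
ASSET_TAGS = {
    "s3://finance/payroll.csv": {"value": "high", "location": "cloud"},
    "nfs://wiki/handbook.md": {"value": "low", "location": "on-prem"},
}

@dataclass(frozen=True)
class Grant:
    """Just-in-time grant: one user, one asset, a minimal action set, an expiry."""
    user: str
    asset: str
    actions: frozenset
    expires: datetime

def issue_grant(user, asset, actions, now, ttl_minutes=30):
    return Grant(user, asset, frozenset(actions), now + timedelta(minutes=ttl_minutes))

def decide(grants, user, asset, action, device_compliant, now, audit):
    """Evaluate one request. Default is deny, and every decision is logged."""
    tags = ASSET_TAGS.get(asset)
    if tags is None:
        verdict, reason = "deny", "untagged asset"
    elif tags["value"] == "high" and not device_compliant:
        verdict, reason = "deny", "high-value data requires compliant device"
    else:
        live = [g for g in grants
                if g.user == user and g.asset == asset and g.expires > now]
        if not live:
            verdict, reason = "deny", "no unexpired grant"
        elif not any(action in g.actions for g in live):
            verdict, reason = "deny", "action outside granted scope"
        else:
            verdict, reason = "allow", "grant valid"
    audit.append((now.isoformat(), user, asset, action, verdict, reason))
    return verdict, reason

def demo():
    """Constructed scenario: a 30-minute read-only grant on a high-value asset."""
    t0 = datetime(2022, 1, 1, 9, 0, tzinfo=timezone.utc)
    asset, audit = "s3://finance/payroll.csv", []
    grants = [issue_grant("alice", asset, {"read"}, t0)]
    cases = [("read", True, 5), ("write", True, 5), ("read", False, 5), ("read", True, 45)]
    return [decide(grants, "alice", asset, a, ok, t0 + timedelta(minutes=m), audit)
            for a, ok, m in cases], audit

if __name__ == "__main__":
    print(*demo()[1], sep="\n")
```

Only the first request is allowed: the write falls outside the granted scope, the non-compliant device is refused for high-value data, and the request at 45 minutes arrives after the grant has expired.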
Implementing a Zero Trust Environment Requires Engagement
Because implementing a zero trust environment provokes organizational and individual change, the careful alignment between business and security objectives requires an incremental approach. Planning for zero trust requires that cybersecurity teams understand that business functions depend on information and application access. In turn, business units work with security teams to identify the level and type of access needed by employees. While sponsorship, training, and reinforcement support the change, the desire for zero trust begins with each employee and grows through awareness about long-term value and participation in planning and decision-making processes.