As cyberattacks continue to escalate, companies grow their use of tech services outside of their network perimeters, and the government and other organizations work with ever more sensitive personal, corporate, and government data, there is increasing adoption of zero trust data protection.
So, What Is Zero Trust Data Protection?
Zero trust data protection is a security methodology that includes a framework of technologies and best practices that an organization needs to define and adopt across their IT environments over time, explained Steve Malone, Egress Software vice president of product management.
“Zero trust is a lofty goal,” said Phil Tobia, Sumo Logic director of security product. “It’s the culmination of something that’s been happening in security over the last 20 years, which is the perimeter is not the point of enforcement anymore because of the way that technology works today.”
Operating in a zero trust data protection environment has gained plenty of interest in the last few years, according to Michael Gorelik, Morphisec head of threat intelligence and CTO. “The pandemic and shift to hybrid work is inspiring cybercriminals to increasingly target vulnerable businesses, including state-sponsored actors who are progressively attacking our nation’s critical infrastructure. Unsurprisingly, OMB (the Office of Management and Budget) and CISA (Cybersecurity & Infrastructure Security Agency) made a move to accelerate the government’s shift to a zero trust architecture as a result.”
“Enforcing zero trust at the federal level signals the heightened need for more stringent policies — and it demonstrates the significance of creating a common framework for the country when it comes to data policies,” said Dana Simberkoff, AvePoint chief risk, privacy and information security officer. Today, we have a fragmented, industry and data-type specific approach, which often creates more risk.
With the average cost of a data breach at $3.94 million, according to the International Association of Privacy Professionals (IAPP), it is critical the U.S. government applies this framework, Simberkoff added.
“I’d go as far as to say it’s absolutely critical that every organization takes this step, given they’re operating within a colossal cybersecurity emergency where major companies have not only fallen victim once, but multiple times,” Gorelik added. “Reducing the amount of inherent trust in our systems and processes is one of the most efficient ways of avoiding a breach.”
Securing the perimeter is no longer enough because organizations routinely work with cloud-based and other technologies that originate from outside of their perimeters, Tobia explained. “You can’t have that idea of a moat and a wall and having a trusted environment behind you. Now you’re running applications on someone else’s software and someone else’s hardware, but it’s still your overall system.”
For example, Amazon Web Services (AWS) has very explicit documentation for the security elements the company is responsible for and those security elements that AWS users are responsible for.
To effectively operate in a zero trust data protection environment, an organization needs to understand, at a deeper level, its processes and which services or other elements of its system need to communicate with other services or systems, Tobia said. “Do you have an understanding about what is normal in your environment?”
One of the biggest challenges in cybersecurity for the last 30 years has been understanding what processes are normal, Tobia said. Then it comes down to allowing only approved components to interact with approved protocols and approved functions, even if they are operating in a remote environment.
Therefore, the first step in implementing a zero trust environment is to sweep the network, taking inventory of access and authorization, according to Ryan Davis, NS1 CISO. “Without insight into who is authorized to do what and where on your network, you’re just back-boarding zero trust on top of it to determine what pops up, which isn’t a viable or sustainable strategy.”
Zero Trust Challenges
Some organizations have a difficult time implementing a zero trust strategy, according to Malone. “The biggest mistake I see is security teams misunderstanding what a true ‘zero trust approach’ means. Some organizations believe that zero trust can be achieved using individual security solutions here and there to provide a ‘quick fix’ to the problem. However, zero trust is about more than deploying individual solutions.”
There is a piece of a zero trust architecture most organizations miss with the classic emphasis on the identity layer and the network, according to Gorelik. “It’s vital that every government agency and organization remembers to implement zero trust at the endpoint. This minimizes the attack surface in a way that’s achievable for organizations of all sizes. It ensures they’re secure from the damaging attacks that would have otherwise bypassed traditional security controls and enables them to harden their systems against zero-day attacks, preventing them without the need for prior knowledge.”
People, process, and technology are the three core pillars of a solid zero trust strategy, so it’s critical that organizations properly invest in making sure each one is considered, planned, implemented, and maintained, Malone said.
There is another risk management element of zero trust, Tobia pointed out. “The core of security is managing risk. You do not have infinite time, money and resources to manage everything. So, you need to understand the critical pieces of your environment that need to have [the zero trust] level of security.”
Similarly, organizations need to understand what elements don’t require zero trust protection, Tobia added. “You can spend way too much time going down a rabbit hole trying to secure something that doesn’t necessarily pose a lot of risks to your environment.”
“Although the benefits of zero trust outweigh the drawbacks, a pivot like this forces organizational and process changes, which can potentially slow adoption and implementation. At the same time, change drives action and positive momentum that brings long-awaited improvements,” Davis said. “Since zero trust is a newer approach, finding the right person or team to implement and manage the process can be challenging. Another consideration is that implementing a zero trust approach could require new technology solutions and a different culture and structure. In that case, an organization should be prepared for additional and, perhaps, unexpected costs.”
“Zero trust is not just another buzzword,” Malone said. “It’s the most critical security initiative for security teams to consider this year.”
AWS is a sponsor of The New Stack.