4 best practices for a data-centric approach to zero trust
In a fairly short time, we’ve gone from the old standard “trust, but verify” to “never trust, always verify.” That’s the hallmark of zero trust, a best-practice security framework that many organizations are implementing today — and for good reason.
The importance of zero trust was underscored by the Biden Administration’s executive order mandating federal agencies implement a zero-trust security architecture, as well as the 28-page strategy memo from the Office of Management and Budget (OMB) providing guidance for implementing zero-trust cybersecurity.
As outlined in the OMB document, data control is a key yet often overlooked pillar of zero-trust security. Implementing security at the data level is far more effective at protecting information than, for example, a traditional firewall, and gives you complete control of your data at all times. By protecting the data itself, you can gain confidence that even if your network is breached, your most important assets will remain secure.
Here are four best practices for implementing zero-trust data control for better data protection wherever your data resides.
Learn how to build, scale, and govern low-code programs in a straightforward way that creates success for all this November 9. Register for your free pass today.
Apply policy control directly to data projects
We live in a perimeter-less environment, and data isn’t static. It’s constantly flowing in and out of your organization at high velocity.
That’s why it’s critically important to apply policy control directly to data objects themselves. Essentially, this means putting a protective wrapper around each data object. This approach allows you to continue to control your data wherever it resides, inside or outside your organization, and ensure it’s protected even as it passes beyond your virtual walls. It also allows you to assign role-based access controls directly to individual data objects, ensuring that information shared externally is accessed only by intended parties, and no one else.
Use TDF to support your zero-trust initiatives
An ideal way to apply policy control to data objects is through the Trusted Data Format (TDF) standard. Those data objects could be files, videos or other forms of information. TDF protects them all by encrypting the objects and then verifying whether the recipient has the authorization to access the data.
TDF is a well-established open standard for protecting sensitive data. It’s been used by the United States government since 2012 and is currently an open specification hosted by the Office of the Director of National Intelligence (ODNI). Now, its time has come to help organizations of all types secure information at a very granular level and support their zero-trust initiatives.
TDF applies military-grade encryption to wrap each data object in a layer of security and privacy that stays with the data. With TDF, you can:
- Easily implement data-centric policy controls without creating friction for your administrators. TDF allows you to create simple and intuitive controls that can be easily used by a variety of users, regardless of their skill levels. The lack of friction means that organizations can achieve greater security postures without security getting in the way of mission or business objectives.
- Attach attribute-based access controls (ABAC) to data. Traditional role-based access controls can result in over-granting of data access, resulting in the wrong people being able to get their hands on information. TDF allows you to assign granular ABAC tags to data so that only users who genuinely need access, get access.
- Revoke access when circumstances change. People work on short-term projects, get reassigned, change jobs and so on. TDF provides the ability to easily revoke data access at any time instantly so that users do not have rights to data in perpetuity.
- Secure data across multicloud environments. On average, organizations use about five cloud providers, including AWS, Microsoft Azure and Google Cloud. In these multicloud environments, it’s essential to use cloud-agnostic data protection technology. TDF protects data regardless of which cloud service it resides on, as well as whenever it passes between clouds.
Focus less on ‘attack surface’ and more on ‘protect surface’
We’re so used to focusing on the attack surface, but that’s quickly becoming an outdated way of thinking. Yes, you need to do the basics to protect your attack surface with policy controls aimed at identities, endpoints and networks. But the attack surface of every organization is constantly expanding; if you’re not careful, attempting to govern it can consume all of your time and attention.
A better and more efficient approach is to focus on the protect surface. The protect surface houses the data that’s most valuable to your organization. Focusing on the protect surface allows you to direct your security efforts toward the things that matter most without investing all of your energy trying to defend an ever-broadening attack surface.
Zero-trust: Shift to ‘micro policy’ control to protect data itself
Of course, you should implement multi-factor authentication and contextually authorize who is permitted access to data that you possess internally. And, yes, you must do your level best to protect endpoints, networks and such. But it’s also wise to tighten your scope of security control down to the data itself. By shifting just a small portion of your overall security investment toward data-centric controls, you’ll be able to enforce granular policies that protect data flowing in and out of your business via emails, files, applications and more, regardless of where the data resides.
When it comes to implementation, start small and work your way up. For example, consider first protecting your email and files, and then move on to Software as a Service (SaaS) applications and the cloud. Build your security program from the ground up, beginning at the base level with granular policy controls applied to unstructured data in email and files, and expand from there without losing focus on protecting what’s truly important: your data.
Mike Morper is senior vice president of product market at Virtru.
Welcome to the VentureBeat community!
DataDecisionMakers is where experts, including the technical people doing data work, can share data-related insights and innovation.
If you want to read about cutting-edge ideas and up-to-date information, best practices, and the future of data and data tech, join us at DataDecisionMakers.
You might even consider contributing an article of your own!