Zero Trust: it’s about the data, not the network

Before Zero Trust, the castle-and-moat model was the standard for securing data: harden the castle wall (the network perimeter) and the kingdom (the data) is safe, because everything already inside the wall is assumed to be trustworthy.

The industry encountered a revolutionary idea in 2010, when John Kindervag first proposed Zero Trust: a methodology for protecting data in which no user, device or network segment is trusted by default, whether it sits inside or outside the organisation. ‘Never trust, always verify,’ was the motto – and, with this framework, the castle wall could no longer be the sole protector of the kingdom.

Fast forward to the present day. In a world rocked by a pandemic, remote work surged, and IT operations shifted almost overnight from on-premises infrastructure into the cloud.

With the transformation of the modern workday comes another metamorphosis of Zero Trust. In an environment where the network perimeter has all but vanished, security leaders need to think differently about how they secure their most important asset, their data. As a result, they must turn their focus from securing the castle to securing the kingdom itself.

The current state of zero trust

Collecting large amounts of data undoubtedly increases a company’s value through its improved ability to compete, serve, and grow. With that data comes a responsibility to keep it secure from attackers.

This responsibility quickly becomes a burden, because current Zero Trust programmes spend their money and labour on securing the digital attack surface – making sure the bad guys can’t get in. That is necessary, but it does not protect the data itself in any deliberate way, and it does not account for what data actually needs to do: move.

Ultimately, data is generated by people. And like people, data is a dynamic force that gains value through movement. With an increased need for international collaboration, whether business or political, it’s especially vital to adopt data-sharing strategies that are compatible with Zero Trust. With this fact comes a sobering contradiction: you can’t lock data away, but you can’t risk losing control of it either.

Many security solutions for internal and external data sharing are cumbersome. They introduce barriers to collaboration: separate passwords on top of network logins, multiple devices and endpoints per user, and further complexity once compliance regulations or other specific security needs are factored in. This disrupts workflows and complicates or prevents the use of industry-standard tools like Google Workspace, Salesforce, or Microsoft’s collaboration suite.

It’s about the data, not the network

Circling back to the original intent of the Zero Trust methodology: the first principle of Zero Trust security is to protect the data. Zero Trust wasn’t created to protect networks and verify identities – those are simply means of executing a Zero Trust strategy. Networks, apps, endpoints, devices, and users all need to be secured, but the purpose of securing them is to protect the data.

There’s a real need for teams and leaders in cybersecurity to examine the way data is secured in a world that also demands it be shared. While networks, applications, devices and endpoints are protected with so much intensity, the data itself is chronically underserved. This conundrum is in desperate need of an unconventional solution.

Data-centric Zero Trust with control and intention

Centring data in a Zero Trust strategy means zooming in and controlling data at a granular level. Instead of building the castle wall higher, we need to better equip and safeguard the valuables inside the kingdom, so they can move safely. Here are three emerging methods for centring data in Zero Trust:

Attribute-based access controls

Unlike Role-Based Access Control (RBAC), which grants permissions according to a user’s position in the org chart, Attribute-Based Access Control (ABAC) lets the data owner express access rules in terms of attributes of the requester, the data, the requested action and the environment, none of which need map to an internal company role. Not every analyst, software engineer, or sales director needs access to the same datasets. ABAC allows you to grant and revoke access to data based on the user’s identity, specific responsibilities, temporary project membership, a bounded access period, and more. Each rule is evaluated at the moment of access, so access ends as soon as an attribute stops holding. This prevents the over-extension of access to sensitive information, ensuring that data can only be seen and used by those with a genuine need to know.

End-to-end encryption

Per-object end-to-end encryption is another way to centre data in Zero Trust. Take file sharing or email, for example. When you encrypt a single email or a single file under its own key, external sharing becomes safer: instead of granting access to an entire encrypted share, folder, or cloud tenant, you wrap that one piece of data with its own policy controls and give the recipient the key for that single slice of data only. A compromised or over-privileged account then exposes one object rather than everything it can reach.

The key to usable end-to-end encryption, however, is ensuring the intended recipient can easily and securely access the information that’s been shared with them. If that recipient has to use a clunky portal, or create a new set of credentials, it introduces hurdles to the secure data-sharing process, and employees will be more likely to find less-secure workarounds.

Trusted Data Format (TDF)

TDF is an open standard for data protection that combines encryption with ABAC so that the data owner retains control over their data wherever it travels – inside or outside the organisation. An encrypted payload is packaged together with its access policy, and the policy is cryptographically bound to the key that protects the payload, so it cannot be altered after the fact; every attempt to open the object goes through a policy check at a key access service before the key is released. Because that check happens on each access, the owner can grant or revoke access at any time without fear of oversharing, whether to employees or to external parties. One caveat applies to any such scheme: revocation stops future decryptions, but it cannot recall plaintext a recipient has already opened or copied, so clients should not cache released keys.
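As an added example (not code from this page, and not an implementation of the actual TDF specification), the following Python models the three pieces described above under attribute-based access control, end-to-end encryption and TDF: a file is sealed under its own data key, that key is wrapped by a key access service, and the service releases the key only when the requester’s attributes satisfy the policy that is cryptographically bound to the object. The class and function names (KeyAccessService, protect, access), the policy layout, the sample file contents and the attribute values are all hypothetical; the cipher is an HMAC-based counter-mode construction used as a stand-in for AES-GCM because the standard library has no AES.

```python
import hashlib
import hmac
import json
import secrets


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific sub-key from `key` (HMAC used as a PRF)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stand-in for AES-CTR."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC one blob under `key`; returns a JSON-friendly dict."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key: bytes, blob: dict) -> bytes:
    """Verify the tag before decrypting; reject any altered ciphertext."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expect = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("payload or nonce altered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_derive(key, b"enc"), nonce, len(ct))))


def canonical(policy: dict) -> bytes:
    """Stable serialisation so the policy binding covers exactly one byte string."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def policy_allows(policy: dict, subject: dict, now: int) -> bool:
    """ABAC check: every listed attribute must match (ANY-of per attribute)
    and the environment condition (access window) must still hold."""
    if now > policy.get("not_after", float("inf")):
        return False
    return all(subject.get(attr) in allowed for attr, allowed in policy["attributes"].items())


class KeyAccessService:
    """Holds the key-encryption key; the only place a data key is unwrapped.
    The policy is re-evaluated on every request, which is what makes
    revocation and expiry effective for future accesses."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)  # constructed: fresh per service instance
        self._revoked: set = set()

    def wrap(self, dek: bytes) -> dict:
        return seal(self._kek, dek)

    def revoke(self, object_id: str) -> None:
        self._revoked.add(object_id)

    def rewrap(self, manifest: dict, subject: dict, now: int) -> bytes:
        if manifest["id"] in self._revoked:
            raise PermissionError("revoked by owner")
        dek = unseal(self._kek, manifest["wrapped_key"])
        # The binding is keyed with the data key, so nobody without that key
        # can widen the policy in the manifest and still get the key released.
        binding = hmac.new(dek, canonical(manifest["policy"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(binding, manifest["policy_binding"]):
            raise PermissionError("policy was tampered with after sealing")
        if not policy_allows(manifest["policy"], subject, now):
            raise PermissionError("policy not satisfied")
        return dek


def protect(kas: KeyAccessService, object_id: str, plaintext: bytes, policy: dict) -> dict:
    """Owner side: one fresh key per object, policy bound to that key."""
    dek = secrets.token_bytes(32)
    return {
        "id": object_id,
        "policy": policy,
        "policy_binding": hmac.new(dek, canonical(policy), hashlib.sha256).hexdigest(),
        "wrapped_key": kas.wrap(dek),
        "payload": seal(dek, plaintext),
    }


def access(kas: KeyAccessService, manifest: dict, subject: dict, now: int) -> bytes:
    """Recipient side: ask the service for the key, then decrypt locally."""
    return unseal(kas.rewrap(manifest, subject, now), manifest["payload"])


def demo() -> dict:
    """Walk through grant, mismatch, expiry, tampering and revocation."""
    kas = KeyAccessService()
    policy = {"attributes": {"dept": ["finance"], "clearance": ["secret", "top-secret"]},
              "not_after": 1_700_000_000}
    m = protect(kas, "q3-forecast.xlsx", b"constructed sample: Q3 revenue forecast", policy)

    def attempt(manifest, subject, now):
        try:
            return access(kas, manifest, subject, now)
        except PermissionError as e:
            return f"denied: {e}"

    finance = {"dept": "finance", "clearance": "secret"}
    results = {
        "finance_secret": attempt(m, finance, 1_699_000_000),
        "sales_secret": attempt(m, {"dept": "sales", "clearance": "secret"}, 1_699_000_000),
        "expired": attempt(m, finance, 1_800_000_000),
    }
    tampered = json.loads(json.dumps(m))          # attacker edits the manifest
    tampered["policy"]["attributes"]["dept"].append("sales")
    results["tampered"] = attempt(tampered, {"dept": "sales", "clearance": "secret"}, 1_699_000_000)
    kas.revoke(m["id"])                            # owner pulls access later
    results["revoked"] = attempt(m, finance, 1_699_000_000)
    return results
```

Run `demo()` to see the five outcomes: the finance analyst opens the file, the sales user is refused, the same analyst is refused after the window closes, a manifest whose policy was widened without the data key is refused before the policy is even evaluated, and revocation stops further key releases. Note what the model does not do: once `access` has returned plaintext, revoking the object cannot take it back, which is why the client decrypts on demand rather than caching the released key.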

The landscape for Zero Trust is constantly and rapidly evolving. We need to evolve with it. By shifting your Zero Trust strategy to focus on the data first, you can create a flexible security framework that will stand the test of time.
