Contextualizing Zero Trust for Data Security

Zero Trust is often used to codify an approach to security. What it means for each individual aspect of security depends on the function of that specific component or context. I suggested in my previous blog that vendors must identify the context in which they provide a zero trust solution. For us, a solution that claims to provide zero trust data security must have the following three critical components.

Three pieces of zero trust data security

  1. Provides context-based data and application access

    Effective data security starts with limiting data and application access to authenticated and authorized users. Granting broad network access has been replaced by granting access to specific applications and data within applications. This translates to the need for granular controls that determine who, with what devices, gets access to which data and what they can do with it.

    Applications serve as the gateway to data, and applying least-privilege access improves security posture. To achieve this goal, organizations need controls that are granular enough to determine infrastructure and application access and to control data access and operations.

    These granular controls must also manage the operations that can be performed on data: viewing, manipulating, deleting, uploading, and downloading. It is noteworthy that context-based access to applications provides an additional layer of control, and the application itself serves as context for access to data.

    Granular controls over the types and levels of access are essential to deliver data security in organizations that share data across silos, which describes practically every modern organization. The context-based controls must be applied in real time. They should also be flexible enough to be modified and applied immediately for real-time data access control.

    Put differently, principles of least-privilege access must include robust authentication and context-based authorization. This requires strong authentication (such as Multi-Factor Authentication, or MFA) or integration with existing solutions that provide it. Note that MFA is part of the context used to determine the type and level of data access permitted.

  2. Delivers continuous monitoring, visibility and logging

    An effective data security solution must provide complete data visibility. That means it must continuously monitor data access and evaluate the context associated with each access. The evaluation must be done in real time to determine the level of permissible data access. Should any of the original context change, a new policy may need to be enforced.

    Continuous monitoring is critical to the application of real-time controls to data access. The visibility must include the context of data access: the who, what, when, where and how of every data access transaction. Logging this granular data is critical for compliance, incident analysis, analytics and incident resolution.

    Providing uniform and granular information on data access across environments is a key element of data-centric zero trust. Doing so consistently across cloud environments and services, SaaS applications, and the wide array of devices is essential. These capabilities meet the "trust but verify" element of zero trust.

  3. Implementation is agnostic to the specific application, infrastructure and devices

    Over 75% of employees use more than one device for work. According to McAfee, an average enterprise has over 450 applications, and 57% of them were meant for internal use. The point is that organizations have applications deployed in data centers, in the cloud, and as SaaS. While cloud-first organizations deploy new applications in the cloud, they do not normally retire legacy applications at the same rate.

    In addition to the proliferation of applications and devices, the exponential growth in remote work requires robust data security. The security controls must work whether the applications are accessed on premises, from a remote office or from an unmanaged network.

    The proliferation of devices, growth in applications and the increasing diversity of platforms and endpoints elevate the need for consistency. A key tenet of data-centric zero trust is the ability to apply access policy, have visibility into every interaction and ensure compliance. That can only be achieved if the zero trust solution works across your diverse infrastructure.

    If organizations choose solutions that vary by silo, they lose the visibility required to discover, secure and manage data. Siloed solutions also prevent organizations from creating a policy framework that can be applied uniformly to all data. A siloed policy framework is not just suboptimal; it results in security gaps, which goes against the principles of zero trust.
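The following is an added example, not Appaegis code, that shows in working form what components 1 and 2 above describe: a per-dataset policy evaluated against the full access context (role, MFA state, device posture, network), with a default-deny gateway that logs the who, what, when, where and how of every decision and re-evaluates when the context changes mid-session. The application, dataset, role and network labels are constructed for the demonstration.

```python
"""Context-based data access control with per-decision audit logging.

Added example, not Appaegis code. Policies, contexts, operations and the
network trust labels below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Tuple
import json

# Operations a policy can govern (the five named in the post).
OPERATIONS = frozenset({"view", "modify", "delete", "upload", "download"})

# Constructed network classes; a real solution would derive these from the
# connecting address, VPN state or similar. Higher value = more trusted.
NETWORK_TRUST = {"office": 2, "remote_office": 1, "unmanaged": 0}


@dataclass(frozen=True)
class AccessContext:
    """Everything the policy engine knows about one access request."""
    user: str
    roles: frozenset
    mfa_verified: bool
    device_managed: bool
    network: str


@dataclass(frozen=True)
class DataPolicy:
    """Granular policy for one dataset inside one application."""
    application: str
    dataset: str
    allowed_roles: frozenset
    mfa_required_ops: frozenset    # operations for which MFA is part of the context
    managed_device_ops: frozenset  # operations permitted only from a managed device
    min_network_trust: int         # smallest NETWORK_TRUST value accepted


def evaluate(policy: DataPolicy, ctx: AccessContext, operation: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every branch that denies states why, so the
    audit record is useful for incident analysis, not just a yes/no."""
    if operation not in OPERATIONS:
        return False, f"unknown operation '{operation}'"
    if not ctx.roles & policy.allowed_roles:
        return False, "role not authorized for dataset"
    if NETWORK_TRUST.get(ctx.network, 0) < policy.min_network_trust:
        return False, f"network '{ctx.network}' below required trust"
    if operation in policy.mfa_required_ops and not ctx.mfa_verified:
        return False, f"'{operation}' requires MFA"
    if operation in policy.managed_device_ops and not ctx.device_managed:
        return False, f"'{operation}' requires a managed device"
    return True, "allowed"


class DataAccessGateway:
    """Application-level gateway: authorizes each data operation against the
    current context and records who/what/when/where/how for each decision."""

    def __init__(self, policies: List[DataPolicy]):
        self._policies = {(p.application, p.dataset): p for p in policies}
        self.audit_log: List[dict] = []

    def request(self, ctx: AccessContext, application: str, dataset: str, operation: str) -> bool:
        policy = self._policies.get((application, dataset))
        if policy is None:
            allowed, reason = False, "no policy: default deny"   # nothing implicit is trusted
        else:
            allowed, reason = evaluate(policy, ctx, operation)
        self.audit_log.append({
            "who": ctx.user,
            "what": {"application": application, "dataset": dataset, "operation": operation},
            "when": datetime.now(timezone.utc).isoformat(),
            "where": {"network": ctx.network, "device_managed": ctx.device_managed},
            "how": {"mfa": ctx.mfa_verified, "roles": sorted(ctx.roles)},
            "decision": "allow" if allowed else "deny",
            "reason": reason,
        })
        return allowed


def demo() -> Tuple[List[bool], List[dict]]:
    """Constructed session: the same user keeps 'view' but loses 'download'
    once the context changes to an unmanaged device and network."""
    policy = DataPolicy("crm", "customer_records", allowed_roles=frozenset({"sales"}),
                        mfa_required_ops=frozenset({"download", "delete"}),
                        managed_device_ops=frozenset({"download"}),
                        min_network_trust=0)
    gw = DataAccessGateway([policy])
    ctx = AccessContext("alice", frozenset({"sales"}), mfa_verified=True,
                        device_managed=True, network="office")
    results = [gw.request(ctx, "crm", "customer_records", "view"),
               gw.request(ctx, "crm", "customer_records", "download")]
    # Context change mid-session: policy is re-evaluated, not cached.
    ctx2 = replace(ctx, device_managed=False, network="unmanaged")
    results.append(gw.request(ctx2, "crm", "customer_records", "view"))
    results.append(gw.request(ctx2, "crm", "customer_records", "download"))
    # Unknown dataset: no policy exists, so the gateway denies by default.
    results.append(gw.request(ctx2, "hr", "payroll", "view"))
    return results, gw.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    print(json.dumps(log, indent=2))
```

The design point is that the decision and the audit record are produced in the same place: every operation on data passes through one gateway that owns both the policy evaluation and the log, so the visibility described in component 2 is a by-product of enforcing component 1 rather than a separate system that might see a different set of events.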

Functionality Determines Applicability, Ease of Implementation Defines Success

The three elements discussed above determine whether a solution meets the definition of data-centric zero trust. However, capabilities are only part of the puzzle. Delivering capabilities that are difficult to use just drives users to bypass security controls. We have stated many times before that security and user experience do not need to be at odds with each other.

For a solution to be efficacious, it must not only have the core capabilities, but it must also be easy to deploy. Ease of deployment includes the ability to deploy quickly without having to redesign or develop a trust architecture from scratch. It means providing a solution that can easily integrate with existing infrastructure: network infrastructure, security infrastructure and computing environments. A solution that is cost effective to procure but cost prohibitive to deploy is doomed to become shelfware.

A zero trust solution that provides data security must protect data. It must prevent data breaches, provide authorized access, prevent unauthorized access, and also be easy and quick to implement.

We would like to hear what you think about our approach and how you incorporate zero trust into your security apparatus. 

Share your thoughts! Reach out to us and let us know what you think. Especially if you disagree, we want to hear from you! Send an email to info@appaegis.com or submit your comments by clicking here. You can also learn more about Appaegis' approach to data-centric zero trust by clicking here.
