Zero Trust is often used to codify an approach to security. What it means for any individual aspect of security depends on the function of that specific component or context. I suggested in my previous blog that vendors must identify the context in which they provide a zero trust solution. For us, a solution that claims to provide zero trust data security must have the following three critical components.
Effective data security starts with limiting data and application access to authenticated and authorized users. Granting broad network access is being replaced by granting access to specific applications, and to specific data within those applications. This translates into a need for granular controls that determine who, from which devices, gets access to which data, and what they can do with it.
Applications serve as the gateway to data, and applying least privilege at that gateway improves security posture. To achieve this, organizations need controls granular enough to govern access to infrastructure and applications, and to control both access to data and the operations performed on it.
These granular controls must also manage the operations that can be performed on data: viewing, modifying, deleting, uploading and downloading. Context-based access to applications provides an additional layer of control, and the application itself serves as part of the context for access to the data behind it.
Granular control over the types and levels of access is essential to deliver data security in organizations that share data across silos, which describes pretty much every modern organization. Context-based controls must be applied in real time, and they must be flexible enough that a policy change takes effect immediately rather than at the next login.
Put differently, least privilege access rests on strong authentication and context-based authorization. The solution must either provide strong authentication itself (for example Multi-Factor Authentication, or MFA) or integrate with an existing identity provider that does. Note that whether MFA was performed is itself part of the context used to determine the type and level of data access permitted.
An effective data security solution must provide complete data visibility. That means it must continuously monitor data access and evaluate the context associated with each access. The evaluation must be done in real time to determine the level of data access that is permissible right now, not at the start of the session. Should any element of the original context change (for example, the device falls out of compliance or the user moves off the corporate network), the access must be re-evaluated and a different policy may need to be enforced.
Continuous monitoring is what makes real-time control of data access possible. Visibility must include the context of each access: the who, what, when, where and how of every data access transaction. Logging at this granularity is critical for compliance, incident analysis and resolution, and analytics, and the log must be kept in a store that the users whose activity it records cannot alter.
Providing uniform, granular records of data access across all environments is a key element of data-centric zero trust. Doing so consistently across cloud environments and services, SaaS applications, and the wide array of user devices is essential. Together these capabilities satisfy the "never trust, always verify" requirement of zero trust.
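As an added illustration (example code written for this page, not Appaegis code and not part of the original post), here is a small context-aware policy decision point in Python that applies the principles above. Operations (view, modify, delete, upload, download) are first granted from roles and then only ever narrowed by context: MFA status, device posture, network location and data classification. Every decision is computed from the current context, so re-evaluating after a change in device posture produces a different answer, and each transaction is recorded with its who, what, when, where and how. The roles, the specific rules and the classification labels are assumptions chosen for the example.

```python
"""Context-aware data access decisions with an audit trail (added example)."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from typing import Dict, List, Set

ALL_OPERATIONS = {"view", "modify", "delete", "upload", "download"}

# Assumed role-to-operation mapping; a real deployment would pull this from policy.
ROLE_OPERATIONS: Dict[str, Set[str]] = {
    "analyst": {"view", "download"},
    "editor": {"view", "modify", "upload", "download"},
    "admin": set(ALL_OPERATIONS),
}


@dataclass(frozen=True)
class Context:
    """Everything the policy needs to know about one access attempt."""
    user: str
    roles: frozenset
    mfa_verified: bool
    device_managed: bool
    device_compliant: bool
    location: str        # assumed values: "corp-network" or "internet"
    application: str
    dataset: str
    classification: str  # assumed values: "public", "internal", "restricted"


@dataclass
class Decision:
    allowed_ops: Set[str]
    reasons: List[str] = field(default_factory=list)


def evaluate(ctx: Context) -> Decision:
    """Derive the operations permitted for this context.

    Roles grant a starting set; each context rule can only remove operations,
    so the result is the least privilege that every rule agrees on.
    """
    allowed: Set[str] = set()
    for role in ctx.roles:
        allowed |= ROLE_OPERATIONS.get(role, set())
    reasons = [f"roles {sorted(ctx.roles)} grant {sorted(allowed)}"]

    # Sessions without MFA are read-only and never reach restricted data.
    if not ctx.mfa_verified:
        if ctx.classification == "restricted":
            return Decision(set(), reasons + ["restricted data requires MFA"])
        allowed &= {"view"}
        reasons.append("no MFA: read-only")

    # Unmanaged or non-compliant devices cannot move data in or out.
    if not (ctx.device_managed and ctx.device_compliant):
        if ctx.classification == "restricted":
            return Decision(set(), reasons + ["restricted data requires a compliant device"])
        allowed -= {"download", "upload"}
        reasons.append("device not managed/compliant: no upload/download")

    # Destructive operations are limited to the corporate network.
    if ctx.location != "corp-network":
        allowed -= {"delete"}
        reasons.append("off-network: no delete")

    return Decision(allowed, reasons)


# In-memory audit trail for the example; production writes to an append-only store.
AUDIT_LOG: List[Dict[str, str]] = []


def authorize(ctx: Context, operation: str, when: datetime) -> bool:
    """Decide one operation from the current context and log the transaction."""
    decision = evaluate(ctx)
    permitted = operation in decision.allowed_ops
    device = "managed" if ctx.device_managed else "unmanaged"
    AUDIT_LOG.append({
        "who": ctx.user,
        "what": f"{operation} {ctx.dataset} ({ctx.classification})",
        "when": when.isoformat(),
        "where": f"{ctx.location}/{device}-device",
        "how": f"{ctx.application} via {'mfa' if ctx.mfa_verified else 'no-mfa'}",
        "result": "allow" if permitted else "deny",
        "reason": "; ".join(decision.reasons),
    })
    return permitted


if __name__ == "__main__":
    # Constructed session: same user and data, device posture changes mid-session.
    start = Context("alice", frozenset({"analyst"}), True, True, True,
                    "internet", "reports", "q3-sales", "internal")
    now = datetime.now(timezone.utc)
    print("download at start:", authorize(start, "download", now))            # True
    later = replace(start, device_compliant=False)
    print("download after drift:", authorize(later, "download", now))         # False
    for entry in AUDIT_LOG:
        print(entry)
```

The point of `replace(start, device_compliant=False)` is that nothing is cached from the first decision: the second call re-derives the permitted operations from the new context, which is what "real-time" evaluation means in practice. The `reason` field in each log entry records which rules narrowed the result, which is what an analyst needs when a denied access turns into a ticket.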
Functionality Determines Applicability, Ease of Implementation Defines Success
The three elements discussed above determine whether a solution meets the definition of data-centric zero trust. However, capabilities are only part of the puzzle. Delivering capabilities that are difficult to use just drives users to bypass security controls. We have stated many times before that security and user experience do not need to be at odds with each other.
For a solution to be effective, it must not only have the core capabilities, it must also be easy to deploy. Ease of deployment includes the ability to deploy quickly without having to redesign or develop a trust architecture from scratch. It means providing a solution that integrates easily with existing infrastructure: network infrastructure, security infrastructure and computing environments. A solution that is cost-effective to procure but cost-prohibitive to deploy is doomed to become shelfware.
A zero trust solution that provides data security must protect data: it must prevent data breaches by granting authorized access and blocking unauthorized access, and it must be easy and quick to implement.
We would like to hear what you think about our approach and how you incorporate zero trust into your security apparatus.
Share your thoughts! Reach out to us and let us know what you think - especially if you disagree, we want to hear from you! Send an email to firstname.lastname@example.org or submit your comments by clicking here. You can also learn more about Appaegis' approach to data centric zero trust by clicking here.