Zero Trust can improve your security posture

Download

How do you implement it?

Zero Trust is on a lot of peoples’ minds these days. You might be tempted to think it’s just a buzz phrase, but at the core is a really important concept that can help your defensive posture where data is concerned: assume that your IT environment is already compromised and apply a healthy level of mistrust to any user or device attempting to access data or services. Zero Trust isn’t really an industry standard, but it is the following:

  • The US Department of Defense (US DoD) points out that Zero Trust is a philosophical shift in the way that we secure our IT resources and data environment.
  • Zero Trust is not a codified industry standard but rather a framework that has been captured in reference architectures (such as the US DoD) and other explanatory documents (NIST, analyst papers).
  • Businesses are driven to consider and implement a Zero Trust approach to cybersecurity because of a number of factors, including increased user mobility, distributed remote work forces, cloud architectures, and legacy perimeter security tools that are easy for threat actors to attack and overcome.
case study

Cybersecurity is as much a business decision as it is a technical one.

Understanding these facts is the first part of your Zero Trust journey.

Border and perimeter security isn’t enough

Many enterprises still rely heavily on protecting the borders and perimeters around their IT environment. The thought is that keeping threat actors and hackers on the other side of your virtual wall ultimately keeps your environment and resources safe. That’s simply not true.

Assume you’re already sustaining a breach

This is one of the prime tenets of Zero Trust. It hits at the detrimental outcome of complacency and a false sense of security, which encourages lax protections and plenty of weaknesses for threat actors to exploit.

Zero Trust is comprehensive

Zero Trust is many things. Implementing it affects everything from your corporate culture to your network, the devices and resources connected to your network, and the users who depend on this entire infrastructure to get work done. No platform can provide you with total coverage of Zero Trust protection across all these different aspects of the IT infrastructure.

You can’t implement everything at once

Because Zero Trust affects so many different parts of the infrastructure, often referred to as “pillars” of Zero Trust, you have to decide where to start your Zero Trust journey. Different vendors suggest different stepping off points, which usually centers on their offers. Let’s walk through the reasons we feel that data security is an ideal starting point.

This isn’t wishful thinking—you can actually achieve these accomplishments very quickly, all while adopting a Zero Trust approach to cybersecurity:

  • Protect private and sensitive information even if it falls into the wrong hands.
  • Implement data security that greatly exceeds regulatory demands.
  • Work with sensitive data without having to de-protect or compromise that information.

 

Have you ever considered what these bad actors really want when they carry out attacks on your business? They’re actually targeting very specific things, but sometimes we confuse what they’re after with the stepping stones they use to get to their ultimate goal.

In testimony before a US Congressional subcommittee in 2018 about terrorism and illicit finance, participants explained very clearly what hackers really want. Their goals inevitably are to:

  • Breach defenses to get into a data environment, leveraging stepping stones such as the network and other IT resources along the way.
  • Steal highly valuable data, whether that data may be peoples’ sensitive PII or the company’s IP.
  • Leverage, monetize, and potentially even weaponize stolen information for financial gain and to assist in further compromising people and businesses.

As the US NIST agency explains in their special publication about Zero Trust (SP 800-207), a main focus of Zero Trust is the protection of data and the IT services that house that data.

Zero Trust forces you to rethink cybersecurity so that ultimately your data and resources are better protected. Data-centric security methods such as tokenization are the best way to protect data. It is highly granular (you can protect down to a specific data element), easier to implement (turning months of implementation time into days or weeks), and ultimately more cost effective.

We’ve helped customers cut their expenditures significantly while achieving a stronger and more granular level of data security simply by starting with data protection. Costs can go up precipitously when trying to achieve ZT with strategies like micro-segmentation of the network across very large enterprises. Costs for data-centric security don’t follow that exponential curve. The following illustration shows the cost-to-benefit reality of datacentric security.

zero trust

Data-centric security means protecting your data—applying the protection methods direction to the data itself—rather than the borders and environment around that data. If data is what threat actors are really after, then the logical starting place for any Zero Trust implementation would be your enterprise data, which could be compromised, monetized, and weaponized in a way that would negatively affect your organization. But what can you do with data that would thwart bad actors who get their hands on it?

Let’s look at an analogy to show the power of protecting the thing of value instead of the environment around it. Think of a castle. Medieval castles had multiple layers of security implemented around them.

Just as with your IT infrastructure, castles had borders and guarded perimeters to try to keep unwanted people out, from walls and moats to drawbridges and inner keeps and towers. If attackers could get through all the defenses and to the throne room to capture the king and queen, then it was game over, right? But what if the king and queen escaped through a secret passage? The attackers wouldn’t get the ultimate prize, and so the attack wasn’t a success. This is what data-centric security does to your data—turning the sensitive data elements into innocuous representational elements that make the data incomprehensible, so threat actors can’t leverage it for nefarious purposes. Yes, hackers get to the data, but that information is of no use to them.

The ultimate point of Zero Trust is to assume an attack is underway and to negate any detrimental effects of threat actors getting to your enterprise data. Like whisking the king and queen away, data-centric security helps you achieve Zero Trust by making any sensitive information incomprehensible (and uncompromised) unless a very specific, validated request for that information exists.

"Cybersecurity architecture will become data-centric"

– US department of Defense Reference Architecture