The Data-Centric Approach to Zero Trust
With the growth of remote access (particularly during the COVID-19 pandemic), the proliferation of SaaS applications, shadow IT, migration toward cloud-based infrastructure, and adoption of bring your own device (BYOD), there is no longer a clearly defined network boundary to defend, and our users expect to access their information from any location, on any device. Against sophisticated cyberattacks it is now virtually impossible to protect the network, and hence the data, with a perimeter-based approach. A different approach is needed to solve this problem, and that is Zero Trust ("never trust, always verify").
Discussion Points
- The different journey options for Zero Trust
- How technology helps with the Zero Trust transition and migration
- How to continue the journey to reach the Zero Trust target state
There are many journeys to Zero Trust and many different ways to approach it.
There are a few competing approaches to implementing a zero trust architecture, but the three most widely used ways to accomplish a Zero Trust security model are:
- User identities are checked, and credibility is established, for all of the following access types:
  - Applications and operating systems
  - Compute infrastructure
  - Networking infrastructure
- Device identities are challenged and verified through an identity proxy
- Applications and APIs requesting access are substantiated through micro-segmentation
Zero trust alone says little about how organizations should think about data once it is inside their segmented, access-controlled environments.
- Hence a fourth approach has emerged, one I hear (and promote) more and more: "data is the new perimeter" and "data-centric security is the foundation." It makes perfect sense to me, since data is at the core of business value creation.
- Without data-centric security in place, it is extremely difficult or impossible to keep data properly segmented within a zero trust environment.
How does your technology help people migrate to a Zero-Trust system?
To gain full control over its sensitive data and get maximum value from its investment in zero trust architecture, my organization has adopted a data-centric security approach, backed by technology, during the implementation.
- Forrester recommends classifying data and building perimeters around data types with similar sensitivity levels. Those are good first steps, but classification on its own will not protect data from misuse when someone gets inside one of those network segments.
- Data should be protected by (i) authenticating and authorizing every access to the data, and (ii) encrypting the data, both at rest and in transit. Enforcing these data-centric zero trust policies consistently requires automation, using Data Access Governance and encryption solutions rather than manual controls.
- The zero-trust model provides a clear framework for redesigning networks so that intruders can’t move around freely once they make it inside. By segmenting networks into smaller perimeters, using strong identity validation technology, and controlling access to network resources, organizations can limit the amount of sensitive data that’s available to unauthorized parties who get inside.
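As an added illustration of points (i) and (ii) above (example code added here, not code from the author or from any Wipro product), the following Go program binds a classification label to each encrypted record and checks a role's clearance before any decryption is attempted. The labels, roles, clearance table, in-memory key and sample record are all assumptions for the example; a real deployment would hold the key in a KMS or HSM and the policy in the Data Access Governance system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Classification labels and the rank order between them (assumed for the example).
const (
	Public       = "PUBLIC"
	Confidential = "CONFIDENTIAL"
	Restricted   = "RESTRICTED"
)

var rank = map[string]int{Public: 0, Confidential: 1, Restricted: 2}

// clearance is the hypothetical policy table: the highest rank each role may read.
var clearance = map[string]int{"intern": 0, "analyst": 1, "auditor": 2}

// authorized is the policy decision point: both role and label must be known,
// and the role's clearance must reach the label's rank.
func authorized(role, label string) bool {
	c, okRole := clearance[role]
	r, okLabel := rank[label]
	return okRole && okLabel && c >= r
}

// Record is a classified value encrypted at rest. Label is stored in the clear
// because the governance layer needs it, so it must be tamper-evident.
type Record struct {
	Label      string
	Nonce      []byte
	Ciphertext []byte
}

// Vault wraps one AES-256-GCM data key (an in-memory stand-in for a KMS-held key).
type Vault struct{ aead cipher.AEAD }

func NewVault() (*Vault, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: g}, nil
}

// Seal encrypts plaintext and passes the label as additional authenticated data,
// so the label is covered by the GCM tag without being encrypted itself.
func (v *Vault) Seal(label string, plaintext []byte) (Record, error) {
	if _, ok := rank[label]; !ok {
		return Record{}, errors.New("unknown classification label")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	ct := v.aead.Seal(nil, nonce, plaintext, []byte(label))
	return Record{Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the policy enforcement point: authorize first, decrypt second. A record
// whose label was edited to a lower classification fails the AAD check here.
func (v *Vault) Open(role string, r Record) ([]byte, error) {
	if !authorized(role, r.Label) {
		return nil, fmt.Errorf("role %q is not cleared for %s data", role, r.Label)
	}
	pt, err := v.aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.Label))
	if err != nil {
		return nil, fmt.Errorf("record labelled %s failed authentication: %w", r.Label, err)
	}
	return pt, nil
}

func main() {
	vault, err := NewVault()
	if err != nil {
		panic(err)
	}
	rec, _ := vault.Seal(Restricted, []byte("salary=120000")) // constructed sample value
	if _, err := vault.Open("intern", rec); err != nil {
		fmt.Println("denied:", err)
	}
	pt, _ := vault.Open("auditor", rec)
	fmt.Println("auditor reads:", string(pt))
	rec.Label = Public // someone downgrades the metadata to slip past the policy check
	if _, err := vault.Open("intern", rec); err != nil {
		fmt.Println("tampered:", err)
	}
}
```

The design point is the last case in main: because the classification label is part of the authenticated data, an intruder who is already inside the segment and can edit the stored metadata still cannot turn a RESTRICTED record into a PUBLIC one; the policy check passes but the ciphertext fails authentication, so the data is never released.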
How do you intend to continue your journey to a Zero-Trust system?
The Data-Centric Approach
- Data-centric security gives us control over sensitive data from the point of creation through the entire data lifecycle. Files containing sensitive information are detected as soon as they appear, and their access permissions are managed through Data Access Governance so that they are always in compliance with the organization's security policies.
- Cryptography lies at the core of modern cybersecurity and is critical to implementing a zero trust architecture. Cryptographic algorithms enable data to be encrypted (for confidentiality) and signed (for integrity and authenticity). In particular, public key cryptography enables users and endpoints to be identified and authenticated with digital certificates before they are granted access to the data.
- Tokenization of data at rest is another useful technique in the zero trust arsenal. Tokenization replaces the original value with a surrogate token that keeps the same format (same length and character set), so applications, schemas and validation rules keep working while the real value is held elsewhere. Vault-based tokenization generates a random token and stores the mapping in a protected vault; vaultless tokenization uses format-preserving encryption (for example NIST FF1, specified in SP 800-38G), in which the token is the ciphertext and can be reversed only with the key.
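To make the format-preserving idea concrete, here is a toy tokenizer added as an example (it is not FF1, and it is not code from the author or from any Wipro product): a Feistel network over decimal strings whose round function is HMAC-SHA256, so a 16-digit value becomes a different 16-digit value and only the key holder can reverse it. The key, the card-like sample number and the 10-round structure are assumptions for illustration; a production system should use a vetted implementation of NIST FF1 with proper tweaks and key management.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
)

const rounds = 10 // even, so the two halves return to their original lengths

// Tokenizer is a toy format-preserving cipher over decimal strings. It shows the
// Feistel structure behind NIST FF1 but is NOT FF1 (assumed example, not for production).
type Tokenizer struct{ key []byte }

func NewTokenizer(key []byte) *Tokenizer { return &Tokenizer{key: key} }

// pow10 returns 10^m for the small m used here (m <= 9).
func pow10(m int) uint64 {
	p := uint64(1)
	for i := 0; i < m; i++ {
		p *= 10
	}
	return p
}

// round is the keyed round function: HMAC(key, i || half) reduced modulo 10^m.
func (t *Tokenizer) round(i int, half string, m int) uint64 {
	mac := hmac.New(sha256.New, t.key)
	mac.Write([]byte{byte(i)})
	mac.Write([]byte(half))
	sum := mac.Sum(nil)
	return binary.BigEndian.Uint64(sum[:8]) % pow10(m)
}

// split validates the input (digits only, 2..18 long) and cuts it into two halves.
func split(s string) (string, string, error) {
	n := len(s)
	if n < 2 || n > 18 {
		return "", "", errors.New("length must be between 2 and 18 digits")
	}
	for _, c := range s {
		if c < '0' || c > '9' {
			return "", "", errors.New("input must contain digits only")
		}
	}
	u := n / 2
	return s[:u], s[u:], nil
}

func num(s string) uint64        { v, _ := strconv.ParseUint(s, 10, 64); return v }
func str(v uint64, m int) string { return fmt.Sprintf("%0*d", m, v) }

// Tokenize encrypts a digit string into another digit string of the same length.
func (t *Tokenizer) Tokenize(plain string) (string, error) {
	a, b, err := split(plain)
	if err != nil {
		return "", err
	}
	u, v := len(a), len(b)
	for i := 0; i < rounds; i++ {
		m := v
		if i%2 == 0 {
			m = u
		}
		c := (num(a) + t.round(i, b, m)) % pow10(m)
		a, b = b, str(c, m)
	}
	return a + b, nil
}

// Detokenize runs the rounds in reverse: same key, same length, original value.
func (t *Tokenizer) Detokenize(token string) (string, error) {
	a, b, err := split(token)
	if err != nil {
		return "", err
	}
	u, v := len(a), len(b)
	for i := rounds - 1; i >= 0; i-- {
		m := v
		if i%2 == 0 {
			m = u
		}
		mod := pow10(m)
		c := b
		b = a
		a = str((num(c)+mod-t.round(i, b, m))%mod, m)
	}
	return a + b, nil
}

func main() {
	tk := NewTokenizer([]byte("example-key-do-not-use-in-production")) // assumed key
	pan := "4111111111111111"                                         // constructed sample, not a real account
	tok, err := tk.Tokenize(pan)
	if err != nil {
		panic(err)
	}
	back, _ := tk.Detokenize(tok)
	fmt.Printf("plain=%s token=%s recovered=%s\n", pan, tok, back)
}
```

Because the token has the same length and character set as the input, it can sit in the same database column and pass the same input validation as the original, which is exactly why tokenization lets sensitive values leave the protected zone without taking the secret with them; the key, and so the ability to detokenize, stays inside the governed perimeter.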
Deepak Mishra is Wipro’s Global Head for Data Security Governance with 19+ years of varied experience in cybersecurity