My previous post in this series ended with a pretty definite statement: if data is all-important to hackers and other threat actors and is the crowning piece of the entire pillared structure that is the IT infrastructure, then that’s where you need to start you Zero Trust initiative. That’s what needs to be protected early on—your data. Once people grasp and then embrace the concept of Zero Trust—which at its core encourages removing all implicit trust based on network location or a single challenge—they quickly move on to thinking about implementing it. Naturally, excitement in implementing a new security paradigm that could greatly reduce an organization’s risk and mitigate the serious consequences of a data incident is going to trigger the next obvious question: where should we start?
Let me be honest here. If you go to a car dealership to look at a new sports car and inquire where to start searching for the perfect sports car, the dealership representative will of course say, “let’s go out and look at what we have!” The same situation will occur with technology vendors and Zero Trust. Referring to the US DoD reference architecture (and other assets discussing ZT), you will find numerous pillars from which to choose, including the big three: network, devices, and users. So go to a network security vendor and ask where to start, and you’ll get the expected answer, which is to look at what their solutions are. Therefore, as a representative of a technology vendor myself, I am painfully aware of the hypocrisy in stating that the starting point should be to look into comforte’s own data protection platform. I won’t do that—yet. What I will do is pick back up on that notion that threat actors only want your data (meaning, they don’t want your enterprise Wi-Fi router, because it’s just a stepping stone to your data).
If threat actors are so intently focused on getting to your data, then the logical starting point should be data security with the security method applied directly to the data. OK, so how to do that? Again, various reference architectures might suggest data encryption, but even there you’re talking about a very broad solution area with lots of different flavors and variations. On top of that, I can note several problems, though, with data encryption as the ideal starting point for protecting the data itself:
- Weaker encryption algorithms can be cracked
- Encryption doesn’t preserve data format, which can cause headaches with your business applications
- Encryption depends on keys, and key management is a pretty onerous task
Remember, the ultimate objective is to protect the data itself by rendering it useless in the wrong hands. Another point to recall is that one of the basic premises of Zero Trust is to assume that a breach has already occurred, meaning that perimeter defenses have already failed and that a bad actor is actively working within your IT environment. When we protect the data itself, we assume that it will fall into the wrong hands eventually, but the outcome will not be severe because sensitive knowledge is in some way made incomprehensible.
This brings to mind an analogy to show the power of protecting the thing of value instead of the environment around it. Think of any castle structure you’ve ever seen either in person, in books, in movies, or just in your imagination. I will picture Dover Castle in the UK, as it perfectly exemplifies the multiple layers of security applied to the structure. Just as with your IT infrastructure, castles had borders and guarded perimeters to try to keep unwanted people out. Whether body of water, outer stone walls, or entrenchments, castles were ringed with ways to isolate what was important (the people and assets being protected, meaning royalty and nobility usually) from any attacker on the outside.
If an attacker could get through all of these outer perimeters, over a moat, across a drawbridge, and keep going all the way to the inner keep, then the prize was near, whether it was the Duke and Duchess or the King and Queen. Up winding stairs and into a throne room, and suddenly, nobody’s there! Maybe the castle you imagine has secret passageways allowing the Duke and Duchess or King and Queen to evacuate and get far from the castle before the invaders discovered the trick. Well, without the ultimate prize, the attack really wasn’t all that successful, was it? This is what data-centric security does to your data—turning the sensitive data elements into innocuous representational elements that make the data incomprehensible, so threat actors can’t leverage it for nefarious purposes.
What kind of data-centric security can do this while also avoiding some of the pitfalls that come with data encryption? Well, tokenization comes to mind. A strong data protection platform with robust tokenization can ensure that your data itself is guarded, all while preserving data format and avoiding any need for key management. A tokenization solution like comforte’s can help you address that first step in your Zero Trust journey, which is to start protecting your enterprise data from falling into the wrong hands. If it does, it will be the same outcome as the castle invaders hoping to catch the King and Queen up in the castle keep when they’ve escaped out the back way: complete inability to leverage the successful attack through the perimeter defenses because the sensitive target has already been whisked away.
More questions probably arise in your head, such as can we prove that starting with and investing into data protection first gets you a good way down the road toward Zero Trust? Come back for #4 as I talk about costs and benefits of different starting points, and the expected return on investment.