The modern enterprise is fluid, dynamic and distributed. The old network perimeter is gone. And threat actors bypass corporate defenses with ease, often simply by using stolen or cracked credentials. This is the world that Zero Trust was designed for. A cybersecurity approach with a history dating back over a decade, it’s now finding favor among global organizations thanks to US government mandates. At its heart, it’s about protecting critical systems, and the data flowing through them, from compromise.
Yet initiatives can be expensive, complex and time consuming. That’s why a new US government guide should be welcomed by cybersecurity leaders. It focuses on the “foundational” Zero Trust pillar of data security, with clear recommendations and best practices.
A long time coming
Zero Trust is not a standard. It’s more of a philosophy: a new approach to security which moves away from the old perimeter-based model (where everything ‘inside’ is trusted) to a new environment where no networks are trusted, and attackers are everywhere. In this context, there’s no default access to data or workloads. All users and devices must be continuously authenticated and verified, and risk is constantly monitored.
Although the concept has been around for years, it was 2021’s Executive Order 14028 and the subsequent memo, OMB M-22-09, Moving the U.S. Government Towards Zero Trust Cybersecurity Principles, which really began to drive take-up. The latest document, the Federal Zero Trust Data Security Guide, is part of these government-led efforts. It may have been designed primarily for federal agencies, but the best practices it contains are certainly relevant for all types of organization.
“The data domain of Zero Trust is hard. It is foundational. It is also the domain where Forrester sees organizations dedicating greater focus to as they progress to an intermediate level of Zero Trust maturity,” says Forrester Principal Analyst, Heidi Shey.
Getting started
If the traditional idea of a network perimeter is no longer relevant in an era of remote working, mobility and cloud computing, then data should be thought of as the new perimeter, the report argues. Broadly speaking, it urges organizations to follow three steps when embarking on Zero Trust projects:
- Define the data: This means locating all data, wherever it resides, before accurately categorizing it, and defining its sensitivity and criticality. This is so that the appropriate security controls can then be applied.
- Secure the data: The next step is to manage common threats and/or vulnerabilities that could compromise the confidentiality, integrity and availability of an organization’s most sensitive data. Risks could include internal and external actors, trusted third parties, human/machine errors and even natural disasters. It also helps to bring security and data management teams together at this stage.
The report highlights multiple protection methods that could be used to protect sensitive information and prevent its inadvertent disclosure, including strong encryption and tokenization. Identity, credential and access management (ICAM), secure logging/audit and continuous monitoring are also cited as crucial.
- Manage the data: Finally, ensure data security practices are aligned with and embedded in data lifecycle management (DLM). This chapter of the guide is still incomplete, hinting at the complexity of the task ahead.
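To make the first two steps concrete, here is an added example (not code from the guide or from comforte) that walks one constructed customer record through them: it classifies each field by sensitivity, tokenizes the fields labelled PCI or PII in a vault so the clear value is held in exactly one place, and gates every detokenization behind a role-based least-privilege check that is written to an audit trail. The classification rules (a Luhn-validated card-number pattern and an email pattern), the role policy in ROLE_ACCESS, the record layout and the vault design are all assumptions made for the example; a real deployment would use a hardened token vault or a format-preserving scheme rather than this in-memory dictionary.

```python
import re
import secrets
from datetime import datetime, timezone

# Constructed sample records; the account ids, addresses and card numbers are test values, not real data.
SAMPLE_RECORDS = [
    {"account": "acct-1001", "email": "ada@example.com",
     "card": "4111111111111111", "note": "prefers email contact"},
    {"account": "acct-1002", "email": "bob@example.org",
     "card": "5500000000000004", "note": "callback Monday"},
]

# Hypothetical role-to-label policy: which sensitivity labels each role may detokenize.
ROLE_ACCESS = {
    "payments": {"PCI", "PII"},
    "marketing": {"PII"},
    "analyst": set(),
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a card number from some other long digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str) -> str:
    """Step 1 (define the data): label a single field value by its sensitivity."""
    if CARD_RE.match(value) and luhn_ok(value):
        return "PCI"
    if EMAIL_RE.match(value):
        return "PII"
    return "INTERNAL"  # matched no rule; deliberately not treated as public


class TokenVault:
    """Step 2 (secure the data): vault tokenization with access checks and an audit trail."""

    def __init__(self):
        self._store = {}     # token -> (label, clear value); the only copy of the clear value
        self.audit_log = []  # every detokenize attempt, allowed or denied

    def tokenize(self, label: str, value: str) -> str:
        while True:
            if label == "PCI":
                # Keep the last four digits so the token still works for display and matching
                token = "".join(secrets.choice("0123456789") for _ in range(len(value) - 4)) + value[-4:]
            else:
                token = "tok_" + secrets.token_hex(8)
            if token != value and token not in self._store:
                self._store[token] = (label, value)
                return token

    def detokenize(self, token: str, principal: dict) -> str:
        label, value = self._store[token]
        allowed = label in ROLE_ACCESS.get(principal["role"], set())
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "principal": principal["user"], "role": principal["role"],
            "token": token, "label": label,
            "decision": "allow" if allowed else "deny",
        })
        if not allowed:
            raise PermissionError(f"{principal['user']} may not read {label} data")
        return value


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Classify every field, tokenize the sensitive ones, leave the rest untouched."""
    out = {}
    for name, value in record.items():
        label = classify_value(value)
        out[name] = vault.tokenize(label, value) if label in ("PCI", "PII") else value
    return out


if __name__ == "__main__":
    vault = TokenVault()
    protected = [protect_record(r, vault) for r in SAMPLE_RECORDS]
    for row in protected:
        print(row)
    try:
        vault.detokenize(protected[0]["card"], {"user": "alice", "role": "analyst"})
    except PermissionError as err:
        print("denied:", err)
    print(vault.detokenize(protected[0]["card"], {"user": "bob", "role": "payments"}))
    print(vault.audit_log)
```

Two design points are worth noting. A tokenized record is useless to anyone who reaches it without also reaching the vault, which is the property the guide is after; and because the classifier only covers two patterns, anything it does not recognise is labelled INTERNAL rather than public, so an unrecognised sensitive field is a classification gap to close rather than a silent disclosure.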
Where comforte comes in
Much of this advice chimes with the comforte approach to Zero Trust, which puts data-centric security at the heart of everything. In fact, we’d argue that data isn’t just a foundational pillar of Zero Trust, but is even more important than that. That’s because all of the other pillars (e.g. users, devices, apps) are used by threat actors as stepping stones to reach corporate data.
By building a perimeter around the data in the form of strong encryption or tokenization, we can ensure that, even if threat actors managed to reach it, they would find the information of no use to them. We also provide continuous, intelligent data discovery and classification to help with Step 1, ensuring no stone is left unturned.
When combined with other elements of Zero Trust—such as network segmentation, continuous threat monitoring, and strong, risk-based access controls along least privilege lines—such an approach can provide a useful place to start these efforts.