The modern enterprise is fluid, dynamic and distributed. The old network perimeter is gone. And threat actors bypass corporate defenses with ease—often simply using stolen or cracked credentials. This is the world that Zero Trust was designed for. A cybersecurity approach with a history dating back over a decade, it’s now finding favor among global organizations thanks to US government mandates. At its heart, it’s about protecting critical systems, and the data flowing through them, from compromise.
Yet initiatives can be expensive, complex and time-consuming. That’s why a new US government guide should be welcomed by cybersecurity leaders. It focuses on the “foundational” Zero Trust pillar of data security, with clear recommendations and best practices.
Zero Trust is not a standard. It’s more of a philosophy: a new approach to security which moves away from the old perimeter-based model (where everything ‘inside’ is trusted) to a new environment where no networks are trusted, and attackers are everywhere. In this context, there’s no default access to data or workloads. All users and devices must be continuously authenticated and verified, and risk is constantly monitored.
Although the concept has been around for years, it was 2021’s Executive Order 14028 and the subsequent memo (OMB M-22-09) Moving the U.S. Government Towards Zero Trust Cybersecurity Principles, which really began to drive take-up. The latest document, Federal Zero Trust Data Security Guide, is a part of these government-led efforts. They may have been designed primarily for federal agencies, but the best practices contained within are certainly relevant for all types of organization.
“The data domain of Zero Trust is hard. It is foundational. It is also the domain where Forrester sees organizations dedicating greater focus to as they progress to an intermediate level of Zero Trust maturity,” says Forrester Principal Analyst, Heidi Shey.
If the traditional idea of a network perimeter is no longer relevant in an era of remote working, mobility and cloud computing, then data should be thought of as the new perimeter, the report argues. Broadly speaking, it urges organizations to follow three steps when embarking on Zero Trust projects:
The report highlights multiple methods that could be used to protect sensitive information and prevent its inadvertent disclosure, including strong encryption and tokenization. Identity, credential and access management (ICAM), secure logging/audit and continuous monitoring are also cited as crucial.
Much of this advice chimes with the comforte approach to Zero Trust, which puts data-centric security at the heart of everything. In fact, we’d argue that data isn’t just a foundational pillar of Zero Trust, but is even more important than that. That’s because all of the other pillars (e.g. users, devices, apps) are used by threat actors as stepping stones to reach corporate data.
By building a perimeter around the data in the form of strong encryption or tokenization, we can ensure that, even if threat actors manage to reach it, they will find the information of no use to them. We also provide continuous, intelligent data discovery and classification to help with Step 1, ensuring no stone is left unturned.
When combined with other elements of Zero Trust—such as network segmentation, continuous threat monitoring, and strong, risk-based access controls along least privilege lines—such an approach can provide a useful place to start these efforts.