For many of us, children are our most critical assets. In order to protect what is important to us, we work hard to know where they are and what they are doing at all times — particularly during those pesky teen years. We also take steps to protect the places where they spend their time. We install cameras, locks and alarm systems to monitor activity and secure the perimeter, helping to ensure our most precious “insiders” can’t exfiltrate themselves from the secure location. These concepts aren’t new; they are simply a product of the world we live in.
It’s no different for organizations trying to protect mission-critical data. Customer information, trade secrets and health records are some of the most sensitive information an organization holds, but too often they are not treated with the same diligence we practice with our families.
Enter Zero Trust
A rise in significant data breaches and an increase in global regulations have the potential to cost these organizations millions in lost business and/or fines. In response, enterprises are starting to implement frameworks that can help mitigate these potential risks with the clear goal of securing their sensitive data. One of these frameworks is Zero Trust.
Zero Trust is a flexible security framework based on the notion of not trusting anyone. Previous security models focused on the IT perimeter, but with the transition to hybrid multicloud environments, the increase in bring-your-own-device (BYOD) models, and the co-mingling of employees and contractors, the perimeter is no longer sufficient. Instead, organizations that use Zero Trust strategies can protect people who need the correct access, secure devices that need to be managed, and implement analytics and response mechanisms to ensure security analysts have full visibility into their environments.
Rethinking the Perimeter for Better Data Security
Data is the foundation of nearly everything in an IT environment, yet it is often overlooked in favor of securing outward-facing areas such as endpoints, networks and applications. Using traditional security methods, organizations have built walls around the network and inspected everyone coming in and out, which is not a viable option in today’s enterprise.
Conversely, a Zero Trust framework and architectural approach is characterized by microperimeters (e.g., locking the door to your house then shutting the door to your child’s bedroom) and microsegmentation (e.g., only grandparents and trusted neighbors have keys to the house and the alarm code; the plumber can only enter when you are home). By implementing these two principles, an organization is able to control who has access to what data from what device and on what network.
With a Zero Trust approach, the security architecture needs to start from the bottom and work its way up the IT stack (i.e., applying microsegmentation and microperimeters at the data layer), and then use that information as context as you move to the outward areas of the framework. You can’t build a sturdy, beautiful house without a strong foundation.
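The "who has access to what data from what device and on what network" decision can be written as a default-deny check at the data layer. This is an added example, not code from the article; the roles, dataset names, network segments and the `supervised` flag (the "plumber only when you are home" condition) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Request:
    role: str              # who
    dataset: str           # what data
    device_managed: bool   # from what device
    network: str           # on what network segment
    supervised: bool = False  # context signal used by conditional rules

@dataclass(frozen=True)
class Rule:
    role: str
    dataset: str
    networks: frozenset
    managed_device_only: bool = True
    condition: Optional[Callable[[Request], bool]] = None

# Constructed policy. Anything not listed here is denied.
POLICY = (
    Rule("dba", "customer_pii", frozenset({"db-segment"})),
    Rule("analyst", "sales_reports", frozenset({"corp-lan", "vpn"})),
    # Conditional grant: the contractor gets in only while supervised.
    Rule("contractor", "sales_reports", frozenset({"corp-lan"}),
         managed_device_only=False, condition=lambda r: r.supervised),
)

def decide(req, policy=POLICY):
    """Return (allowed, reason). Every attribute must pass; no match means deny."""
    reasons = []
    for rule in policy:
        if (rule.role, rule.dataset) != (req.role, req.dataset):
            continue
        if req.network not in rule.networks:
            reasons.append("network segment not permitted")
        elif rule.managed_device_only and not req.device_managed:
            reasons.append("unmanaged device")
        elif rule.condition is not None and not rule.condition(req):
            reasons.append("rule condition not met")
        else:
            return True, "allowed"
    return False, "; ".join(reasons) or "no rule grants this role access to this dataset"
```

The same role gets different answers as device or network context changes, which a perimeter-only control cannot express.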
4 Steps to Achieve Zero Trust Success
1. Define Trust
The first step in creating your strong framework is creating an inventory of what sensitive data your organization houses and where it resides. Once you know what you have, then you can put rules in place to secure it (e.g., I have two young kids, so I need safety gates by my stairs; I have a teenager, so I need to lock the liquor cabinet).
To further secure the data, an organization should adopt strong encryption to harden the environment. This is akin to having your child ride a bike with a helmet (always!), knee pads and elbow guards.
2. Enforce Trust
Next, to fully understand your data landscape, there needs to be activity monitoring to see who is trying to access all of that data (e.g., using parental controls to track who a child is texting or going on a bike ride with to ensure their safety). Having a clear view of users and behavior as it relates to your most sensitive data is of the utmost importance for any organization.
3. Rebuild Trust
No matter what rules you have in place, a changing business environment means that incidents will still occur that violate those policies. The same is true with parenting! When that happens, it’s important to quickly respond and take precise action to remedy the problem. In the enterprise world, this could mean adjusting the segmentation of the network or wiping a user device.
4. Improve Trust
Protecting your data is a constant process that stretches across all disciplines of security. Robust analytics and machine learning allow for deep visibility into the data environment and filter out the noise from false positives. These analytics should feed an automation engine so that, if an anomaly is detected, infected users are blocked from accessing sensitive data.
Knowing where your data is and applying identity and access management (IAM) allows the organization to understand who has access to that data and whether they should. Layering in a unified endpoint management (UEM) solution gives organizations full visibility and context into the data, the user accessing the data and the device they’re using, creating an end-to-end secure framework.
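The four steps chained together, as an added example that is not from the article: a data inventory decides which activity-log events matter, a per-user baseline flags anomalous access, and the result is a block list for the automation engine. The inventory, log records and thresholds are constructed, and a simple mean-plus-standard-deviation baseline stands in for the analytics and machine learning the article mentions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Step 1 (constructed inventory): data store -> holds sensitive data?
INVENTORY = {"crm.customers": True, "hr.health_records": True, "wiki.pages": False}

# Step 2 (constructed activity log): (day, user, store, rows_read)
EVENTS = [
    (1, "alice", "crm.customers", 40), (2, "alice", "crm.customers", 55),
    (3, "alice", "crm.customers", 45), (4, "alice", "crm.customers", 50),
    (5, "alice", "crm.customers", 48),
    (1, "bob", "crm.customers", 30), (2, "bob", "crm.customers", 35),
    (3, "bob", "crm.customers", 28), (4, "bob", "crm.customers", 32),
    (5, "bob", "hr.health_records", 20), (5, "bob", "crm.customers", 5000),
    (5, "carol", "wiki.pages", 90000),  # large, but not sensitive data
]

def daily_sensitive_reads(events, inventory):
    """Rows read per user per day, counting only sensitive stores."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, store, rows in events:
        # A store missing from the inventory is treated as sensitive.
        if inventory.get(store, True):
            totals[user][day] += rows
    return totals

def users_to_block(events, inventory, today, sigmas=3.0, min_history=3):
    """Steps 3 and 4: return {user: (observed, threshold)} for anomalous users."""
    blocked = {}
    for user, per_day in daily_sensitive_reads(events, inventory).items():
        history = [n for d, n in per_day.items() if d < today]
        if len(history) < min_history:
            continue  # no baseline yet; access policy alone governs this user
        # Floor the deviation at 1 row so a flat history does not flag noise.
        threshold = mean(history) + sigmas * max(pstdev(history), 1.0)
        observed = per_day.get(today, 0)
        if observed > threshold:
            blocked[user] = (observed, round(threshold, 1))
    return blocked
```

Filtering on the inventory first is what keeps carol's bulk read of non-sensitive pages from becoming a false positive.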
Face the Challenges of a Hybrid Multicloud World With Zero Trust
In today’s environments, where sensitive data is everywhere — flying instantly from an on-premises database to a cloud file share, being accessed via a virtual private network (VPN) on a tablet while out to sea on a yacht — organizations need strong, flexible frameworks to ensure business continuity, compliance and customer trust. Taking a data-centric approach to your Zero Trust initiatives will enable your organization to be ready for the challenges of the hybrid multicloud world we live in today.
So, when you tuck your kids in, set the alarm, hit the lights, and close and lock the door, remember that this is the same approach you should be taking to protect your organization’s sensitive data. Oh, and don’t forget to hide the liquor cabinet key!
Watch the Think Digital session to learn more about the importance of Zero Trust security for your business.
Data Security Offering Manager, IBM Security
Jesse Sedler is an Offering Manager on the IBM Security Data Security team. He joined IBM Security in 2018, starting his cyber security career in the mobile ...