How can you create data-centric zero trust?
Security researchers recently discovered the information of up to a billion Chinese citizens for sale on the dark web. The sheer number is staggering, but it's more shocking that these records may have been available for at least a year! Not only did someone lose a billion people's details, they failed even to notice the theft.
Some data incidents are spotted sooner, yet still after data has bolted from the barn. Most famously, a Meta whistleblower downloaded thousands of sensitive documents, and vehicle manufacturer Tesla has suffered numerous cases of employees stealing data, some as whistleblowers and others for industrial espionage.
We can blame cyber crime for some of these problems. But the issue relates directly to poor data-centric security, says Irena Mroz, Chief Marketing Officer at Archtis: "No employee should be able to download 26 000 files without setting off alarm bells. But they do, and then companies react after the fact with new controls. The damage is done, though. What companies need to do is turn that around. That's why they should take it back to zero trust. You need to validate and verify every time any user tries to access a document."
Dialling in on zero trust
Zero trust security states that you should treat every activity on your systems with suspicion. Never trust, always verify. Zero trust typically focuses on context and behaviour, integrating numerous security, identity and monitoring services that reference contextual policies. The goal is to spot aberrations and unusual behaviour, e.g., the COO's account downloading financial records at 3am using an IP address from the Maldives – and block the activity before it causes damage.
Many organisations implement the concept at some level. But they often neglect doing so at the data layer, Mroz notes: "Everybody thinks about zero trust, but people forget about the data. They assume: 'Hey, I've authenticated the person into my network. I've authenticated them into my application. We're good.' But as we saw with Frances Haugen at Meta, she was an authorised user and she was able to have access to the systems – and all the data. But she had too much access. You can't just stop at who is a trusted person. You also have to ask what is this trusted person allowed to access on a need-to-know basis? What do they need to know to do their job?"
Several principles can define a zero trust environment. Microsoft narrows it to three: verify explicitly, use least-privileged access and assume a breach will occur. These principles then apply to the six major areas of company technology, namely identities, devices, applications, networks, infrastructure and data.
Zero trust data security
Of the six, data frequently ends up as the least secured because we often assume that securing all the other elements will naturally secure data. But that is risky. Companies must contend with large volumes of data, dark data, data moving beyond the company perimeter and data management for privacy and other legislative reasons. They must account for where certain types of data sit and care about the value of different data to the business.
Mroz explains: "There's so much data that really needs to be restricted. Most companies don't even know where it is, or how valuable it is – that is a huge problem. It's not just knowing where it exists. How sensitive is it? Is it properly classified and tagged? Are you properly limiting access to only those who need to access the data for their job?"
To create data-centric zero trust security, Mroz proposes four principles:
- Data-centric security (DCS): DCS is when you place controls on the data itself. Many organisations focus on security elsewhere and assume their data is also covered. DCS emphasises appropriate data access, monitoring for abnormal behaviour around data, and control of user actions at the data layer.
- Context drives relevance: Knowing where, how and why data can be accessed is essential. A person or application may have rights to access data, but do they have the right to access that data while in a public location, in transit across borders, or at 3am? This context also covers where data is stored – a vital consideration for cloud storage, supply chain integration, mergers and acquisitions and data sovereignty.
- Access through attributes: Attributes help define the how and why of data (for example, 'personal information'). A set of policies determines the appropriate use of data and can block any role from accessing the data outside that context (a methodology called attribute-based access control, or ABAC).
- Dynamic policy enforcement: Dynamic policy enforcement adapts to constantly changing access and security conditions. Data is the most stable element for dynamic enforcement: users might change locations and devices, but the data they access is more consistent. Policy that follows data based on context and behaviour is often the most effective.
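As an added illustration (example code, not Archtis's product or any code from the article), here is a minimal ABAC evaluator that puts the four principles together: each policy is a predicate over the subject's attributes, the document's tags and the request context, and every policy must pass (default deny). The attribute names, the business-hours window and the bulk-download threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed attribute vocabulary for this example (assumed, not a product's model).
LEVELS = {"public": 0, "internal": 1, "restricted": 2}
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 local time (assumed window)
BULK_DOWNLOAD_LIMIT = 100          # files per hour before access is cut off (assumed)


@dataclass
class Request:
    """One access attempt: subject attributes, resource attributes and context."""
    user: str
    clearance: str             # highest classification the role may read
    need_to_know: frozenset    # data tags the user's job requires
    classification: str        # classification label on the document
    resource_tags: frozenset   # content tags on the document, e.g. "personal information"
    location: str              # "office", "home" or "public"
    hour: int                  # local hour of the access attempt
    recent_downloads: int      # files this user fetched in the last hour


# Each policy is a small predicate over the request; all must pass (default deny).
def clearance_ok(r: Request) -> bool:
    return LEVELS[r.clearance] >= LEVELS[r.classification]

def need_to_know_ok(r: Request) -> bool:
    # Every tag on the document must be one the role actually needs.
    return r.resource_tags <= r.need_to_know

def context_ok(r: Request) -> bool:
    # Restricted data: never from a public place, never outside business hours.
    if r.classification == "restricted":
        return r.location != "public" and r.hour in BUSINESS_HOURS
    return True

def rate_ok(r: Request) -> bool:
    # Bulk-download check: the "26 000 files" case trips this rule.
    return r.recent_downloads < BULK_DOWNLOAD_LIMIT

POLICIES = [("clearance", clearance_ok), ("need-to-know", need_to_know_ok),
            ("context", context_ok), ("download-rate", rate_ok)]


def evaluate(r: Request) -> tuple[bool, list[str]]:
    """Return (allowed, names of the failed policies) so the decision can be audited."""
    failed = [name for name, rule in POLICIES if not rule(r)]
    return (not failed, failed)


if __name__ == "__main__":
    coo_3am = Request("coo", "restricted", frozenset({"financial"}), "restricted",
                      frozenset({"financial"}), "public", 3, 1)
    print(evaluate(coo_3am))   # (False, ['context'])
```

A handful of such predicates covers many situations because the decision is driven by attributes and context rather than by per-user or per-file rules.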
These principles are not just good for security. They also create a healthy way to manage your data and extract long-term value with minimum overheads, says Mroz: "Even if you are never hacked, you still have a lot of data moving all over the place. If you use zero trust correctly, you can enforce wide-ranging behaviour from a small set of policies. One of our clients, a major defence institution, only uses around a dozen policies. Because the policies use context and attributes, the system dynamically determines if someone can access the data and how they can use it accordingly. Data-centric zero trust is a very effective and efficient way to control and manage data. It should be fundamental to data environments."