Putting data at the heart of zero trust
By Patrick Assheton-Smith, Founder and CEO of Symbiosys IT, and Stephen Cavey, Co-Founder and Chief Evangelist of Ground Labs
Organisations today manage increasingly fragmented environments, distributed across on-premises, third-party hosted and cloud-based systems and services. These diverse networks mean organisations can no longer depend on a hardened perimeter to protect them from cyber attack.
Zero trust architectures provide an alternative approach to cyber security by focusing on identifying and protecting critical resources – data, applications, assets and services (DAAS) – through situationally dynamic authentication and verification controls.
Data is the heart of zero trust since, without a clear understanding of their data, organisations cannot identify these critical resources.
Businesses looking to implement zero trust must start by identifying their data, then evaluating and classifying it based on its sensitivity and criticality. From there, they can identify the supporting resources that store, process and transmit critical and sensitive data assets.
“If you know what data you need to protect, and where that data is, you’re going to be that much more successful in implementing a zero trust environment,” explains Patrick Assheton-Smith, founder and CEO of Symbiosys IT.
This process defines the scope of the zero trust architecture and identifies the resources to which authentication and verification mechanisms will be applied, controlling and monitoring who has access to what, when and how.
As organisations develop maturity in their zero trust environments, they’ll need to continuously identify and classify data assets within a resource inventory using automated discovery and tracking. CISA’s Zero Trust Maturity Model explains that this inventory needs to include all structured and unstructured files and data fragments across all system types and locations, as well as their associated metadata.
Organisations that successfully deliver zero trust are those that invest in accurate, evidence-based discovery to identify and classify their data assets, and do so repeatedly to inform and maintain their resource inventory effectively.
“It should be about putting data at the centre of zero trust. And, in order to do that, it’s about understanding what data you have, where it is and who has access to it,” concludes Assheton-Smith.