The concept of zero trust (ZT) is one that has been widely touted recently in technology news and vendor communications, as more companies embrace remote work, sophisticated cloud architectures, and other conveniences which actually expand attack surfaces. No single universally acknowledged and codified technical standard currently exists, because ZT is a mindset and a collection of design and implementation principles that may differ from one organization to another. Indeed, its very nature may be construed as subjective and predicated on each unique IT environment, because at its core is the premise of denying implicit trust to any request for data or resources, and each business might define this differently. The fact that we cannot rely on a common technical standard for ZT should not deter security teams, because many organizational authorities such as the U.S. NIST and the U.S. Department of Defense have published special papers on the topic. In those resources, you can see that ZT as a methodology can provide significant returns on security for those who implement it accordingly.
While unfortunately, no silver bullet for cybersecurity exists when it comes to protecting sensitive data, ZT is an invaluable piece of the overall security architecture puzzle that can tie disparate pieces together. Each cybersecurity vendor ultimately defines what ZT means to them and their solution(s) depending on the industry vertical or niche that they occupy. Even though ZT can undoubtedly be a complex and complicated facet of cybersecurity, it is one that simply should not be overlooked when it comes to securing enterprise data.
When it comes to modern business, in which data is the “new gold” and fuels most decision making, the most important thing that you can protect is your enterprise data directly, not simply the IT environments that you operate in which data moves and rests. In the past several years, cybercriminals have increased their attempts to exfiltrate sensitive data to sell on the dark web. Keep in mind that many threat actors deploy initial payloads of malware simply as a steppingstone to targeting more valuable sensitive data, so malware is just the starting point, not the end game. We must remember that data is their end goal, and everything that threat actors and hackers do is geared toward getting to that data, which is the reason that effective data-focused security must be your end goal, even when it comes to ZT.
This process is known as data-centric security, which includes protection methods applied directly to your data instead of the surrounding borders and perimeters. You may have heard of diverse types of data-centric security methods, including data encryption and tokenization. Tokenization, for example, replaces sensitive data in plain text with a substitute ‘token’ meaning that the information can still be utilized for business purposes (due to data format preservation) but never reveals the actual sensitive data element, making it useless for the run-of-the-mill threat actor who gets ahold of it.
Data-centric security is the most logical starting point for a ZT initiative, given that data is threat actors’ ultimate target (not the networks or any other IT assets).
What is Stopping People From Assuming a Zero Trust Framework?
No innovative idea exists without pushback, and the concept that a ZT implementation should start with data-centric protection does generate resistance from some quarters. Here are some of the myths surrounding ZT:
Myth #1: Too expensive
The goal of a ZT initiative is to eliminate implicit trust across the IT infrastructure by using tools and processes to control, challenge, and authenticate data and resource requests. The more granular you wish to be, the more expensive this proposition becomes. For example, segmenting the network into smaller and smaller micro-zones so that a level of detailed control can be achieved means an enormous expenditure in network equipment and monitoring capabilities and a corresponding increase in operational complexity, too. For a sizeable enterprise infrastructure, this type of effort can cost many millions just in the initial investment, not to mention the operational cost increases which would equate to many millions more. By comparison, data-centric security solutions such as tokenization cost a fraction of that and provide a level of control down to the data element (obfuscating even small portions of sensitive data). Given the circumstances, starting with data-centric security achieves a lot of what ZT proposes applied directly to the thing that threat actors are after data.
Myth #2: Too difficult to implement
One of the earlier claims against data-centric security such as tokenization is that it can be exceedingly difficult to implement. Depending on the data security platform and how it folds into an IT ecosystem, this may or may not still be true. However, implementations of tokenization are usually completed in weeks, not months to years as can be the case with other data security platforms in large-scale enterprise environments. This time-saving factor could mean the difference between a threat actor breaching your sensitive data and being able to leverage it…or not.
Data-centric security as the foundation for a ZT approach brings several major differentiators to the table. Transparent integration means that data can be secured on the fly for file and batch processes, regardless of the format that the data manifests in. Additionally, it can integrate with business applications without the need to change the record format of the original data, which is especially helpful for running workloads and analytics on production data. Third, it supports modern micro-service architectures for applications running in modern cloud environments, container workload ecosystems, or private cloud/Kubernetes platforms. And finally, finding an easy-to-use API that integrates with any common language or script means that implementation does not have to give security teams a headache
Myth #3: Too difficult to operate and maintain
Enterprises typically deliver tokenization as a core service within the business with extremely high service levels internally to support aggressive service levels with the enterprises’ partners and third-party data processors. Downtime is simply not an option in these environments, nor is the inability to scale to emerging market requirements on a rapid, agile, and automation-driven basis. More modern architectures permit cost and performance scaling dynamically in real-time, with robotic and increasingly intelligent automation strategies. Look for a data security platform that follows a modern ‘Infrastructure as code’ model with a modern fault-tolerant, cloud-ready architecture enabling process automation, robotic management, and machine-readable input configuration and outputs.
Myth #4: Data-centric security is not comprehensive enough
Data protection methods such as tokenization are just part of the overall workflow. Other data security platforms may not help you upstream in the entire process to discover and understand data within your environment, which leads to protection that is not comprehensive across all your sensitive enterprise data. Therefore, seek a platform that provides data discovery and data classification capabilities so your organization can first find sensitive data, understand its lineage (who accesses it, who uses it), and then apply the right controls based on that increased knowledge. You can’t protect what you don’t know exists!
Most things worth doing cannot be accomplished all at once. This is the reason that software companies use the term journey to describe what their customers are experiencing as they engage in long-term technology initiatives.
In truth, the ZT process is really a journey, not just an initiative, and it is a journey that many organizations have yet to consider. Just know that it is not a journey you must travel alone without a clear map showing the way forward. You should establish an open and honest discussion about where you are in that journey—if you have even started it—and whether it makes sense to start with data-centric security. Only then will you be able to start benefitting from ZT and gain the edge against cybercriminals who are seeking to separate you from your hard-earned data.
