Zero Trust is the new bellwether for many security initiatives. As organizations evolve this strategy, they need to determine how to connect the dots to data security policies to ensure the highest levels of data protection. These days, with everyone working from home, it is more critical than ever to create and nurture a culture of security anchored by a foundation of trust in steps taken to safeguard data.
While the concept of Zero Trust is familiar to most organizations, successfully implementing an impactful strategy remains an aspirational goal. In reality, formulating and executing a Zero Trust strategy can be difficult, especially if initiatives lack sufficient top-down support and a well-coordinated plan for achieving measured, appropriate steps—and not a giant leap.
Gaining the necessary trust of all involved security stakeholders can take a long time, so focusing on small wins as you roll out the pieces of a Zero Trust strategy brings incremental value to the organization while adding up to big gains in data protection.
Here are five key considerations for developing a winning Zero Trust strategy.
The Time Value of Data
When starting out on putting in place a Zero trust framework, the best place to begin typically is where the biggest risk resides. For most organizations, regardless of size or type, that is data being created today. Typically, data-at-creation has more value—and risk—than information that is years old and/or archived. This data, however, represents a higher degree of difficulty than older data has the potential to disrupt users is much greater. It’s imperative to balance the value/risk equation with that of potentially agitating users.
Some of the biggest risks to unwanted data exposure in the current work-from-home environment could occur during the heightened use of applications such as Zoom, WebEx, Skype, or MS Teams. Nefarious tales of “Zoom bombings” have become commonplace. It’s no wonder because these popular enterprise conference tools don’t stop participants from sharing classified, confidential or restricted information on screen. Therefore, it’s necessary to install guardrails to ensure sensitive data is not being shared unnecessarily.
How Data Will be Handled in the Protection/Governance Lifecycle
What does the experience look like for users once there’s metadata? What needs to be triggered from a policy point of view? Policy informs people, process and technology. What are the top use cases? How should they be handled? Only after gaining an understanding of the data and where it’s located is it then possible to determine its worth. Then the proper controls can be applied at the right place and time.
Identify Where Your Highest Value Data Resides and Start There
What is the best place for the business to start? If it’s nearly impossible to get in front of users, analyzing data at rest is the reality. Inventorying the data will determine risk and help manage redundant, outdated and trivial (ROT) information. This also is a highly necessary step for any organizations that are readying their data for a move to the cloud. For highly regulated businesses that cannot risk their data, start by being distributed across the entire user community in order to create awareness. Then a series of plug-ins can be added with the rest of the ecosystem.
In the time of COVID-19, many companies’ biggest risk may be associated with data that is contained in email. As digital communications seem to be favored over phone conversations, all companies need to be sure they have a policy in place that ensures confidential data is being protected whether it’s shared from corporate laptops or personal devices that have been called into duty due to remote working conditions.
The Appropriate Data Taxonomy
The terms used for data classification, data categorization and data identification, along with various sub-categories, are changing very quickly these days. Therefore, be careful about pre-conceived notions when it comes to the right taxonomy for the organization. For example, what might have been right (and proven) for a government or military application probably is not a perfect fit in commercial scenarios. Enterprises typically require diving much deeper than labeling data as confidential or non-confidential.
Zero Trust Ecosystem Enablement
Once the data types have been defined along with the types of data being looked at and the lifecycle, what remains is the glue to enable the rest of the Zero Trust environment. This includes automation and orchestration, device and workload security, visualizing and analyzing threats as well as user authentication. Then as the data travels, the rest of the ecosystem will be enlightened.
During a time when everyone is working and exchanging data beyond the parameters of the traditional corporate perimeter, implementing a security framework based on Zero Trust is essential. Now more than ever, Zero Trust gives corporations much-needed control with visibility to survive these turbulent times while deploying a strategic security plan for the future.
About the Author: Mark Cassetta is SVP, Strategy for Titus, a leader in empowering organizations to discover, classify, protect, analyze and share information.
