Five Steps to Data-Centric Zero Trust Architecture That Works
By Terry Ray, SVP Data Security GTM, Field CTO and Imperva Fellow, Imperva
A bank wouldn’t implicitly trust any individual who strolls through the front door with the codes to their vault – so why would a company do the same with their data? The explosion of data brought about by companies’ cloud-first digital transformation initiatives has awakened a new era of cybersecurity. And in this new era, Zero Trust is considered the gold standard, with 76% of surveyed security decision makers saying they are in the process of implementing Zero Trust architecture as a guiding cybersecurity strategy.
Data security is a key pillar of Zero Trust: it calls for data security controls under which all users, both inside and outside a company’s digital perimeter, are rigorously authenticated; their access to data is continuously monitored; data usage activity is tracked; and unusual behavior is immediately detected and blocked.
But without adopting the right foundation for this type of control in today’s cloud-first world, Zero Trust is just another buzzword. It’s not too late to shift focus from perimeter security to implementing frictionless data security within a modern hybrid environment in accordance with Zero Trust principles.
With the right approach, company leaders can quickly deliver visibility and control of data no matter where it resides with standards-based functionality that fosters Zero Trust success.
- Implement a data security fabric to reduce risk of breach & data loss
Still an emerging technology, data fabrics are rapidly becoming the engine behind Zero Trust. These data-centric solutions allow organizations’ security and compliance teams to monitor and protect data wherever it may reside – internal, external, or at the edge – through a proactive, flexible, and integrated approach.
Leveraging predictive analytics and a broad ecosystem of solutions, data fabric can act as the last line of defense in a Zero Trust strategy, providing the visibility and response needed to deliver comprehensive protection against breaches. Data fabrics’ analytic capabilities can also analyze user behavior around the clock to determine an activity baseline, allowing the solutions to rapidly identify suspicious and anomalous behavior while eliminating false negatives. Data security fabrics give security teams the automated insights they need to recognize and respond to unwanted behavior wherever it occurs.
- Identify and classify sensitive and private data
No two scraps of data are the same, meaning how they are protected should differ as well. Understanding which datasets should be prioritized due to their level of sensitivity and vulnerability is critical to enacting an organized and thorough zero trust approach. By taking the time to identify and then classify data into risk categories like regulated, unregulated, sensitive, and others, organizations can align their Zero Trust architecture with these rankings accordingly. As a result, data security efforts are streamlined to save valuable time and resources.
- Perform vulnerability and risk assessments
Routine vulnerability testing and risk assessments empower compliance teams to minimize their organization’s threat surface by identifying configuration errors before they open the door to both external and internal attacks. These testing processes systematically analyze digital infrastructure for potential vulnerabilities, classify them by severity, and – when solutions employ prescriptive analytic capabilities – can even recommend steps to mitigation.
While organization-wide data hygiene education programs can make a world of difference in Zero Trust architecture, they cannot replace routine penetration testing. Automatic assessments are more likely to catch poor insider security practices, such as weak or questionable login passwords, than human-led efforts, making them indispensable.
- Minimize data access privileges and user rights
Deploying multi-factor authentication (MFA) is a vital component of any Zero Trust architecture, enabling organizations to automatically double- or even triple-verify the identity of users over a secure channel. Any suspicious behavior is immediately reported for investigation, and user access can be monitored on the back end. But MFA is only the beginning.
When it comes to user access in a Zero Trust architecture, the phrase “too many cooks spoil the broth” rings true. Often too many individuals are needlessly granted user privileges, broadening threat surfaces to provide additional opportunities for cyber criminals to attack. Compliance teams should use data fabrics to automate the analysis of employee responsibilities to understand who in the organization actually requires the use of certain digital tools or platforms and minimize privileges wherever possible. The stricter the access policies, the fewer attack vectors available to hackers.
- De-identify/mask non-production data for testing and development
There are some scenarios where a more lenient use of data is necessary, but organizations must still take steps to protect classified data when necessary, especially under a Zero Trust policy. De-identifying data, also known as masking, involves duplicating a set of data while removing any private information. This provides a functional and realistic alternative to data that can be deployed in scenarios like sales training, product demos, or software testing. The format and structure of the data remain the same, but any sensitive values are removed. These processes allow organizations to maintain their Zero Trust policies while granting employees, customers, or partners access to necessary data.
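As an added illustration of the de-identification just described (example code written for this page, not Imperva's product code), the sketch below copies a record and replaces each sensitive value with a same-shaped substitute: digits for digits, letters for same-case letters, separators kept, so test code that validates an SSN or email still passes. It masks deterministically with an HMAC so related tables still join after masking; the field names, the key and the sample row are assumptions.

```python
import hashlib
import hmac
import string

# Constructed key; in practice a per-environment secret kept out of the masked copy.
MASK_KEY = b"example-masking-key-not-for-production"
SENSITIVE_FIELDS = ("name", "ssn", "phone", "email")  # constructed schema

def _keystream(value: str, field: str, n: int) -> bytes:
    # HMAC over the value: identical inputs mask identically (one-way), so
    # joins between masked tables still line up.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(MASK_KEY, f"{field}:{counter}:{value}".encode(),
                        hashlib.sha256).digest()
        counter += 1
    return out[:n]

def mask_preserving_format(value: str, field: str) -> str:
    """Digits become digits, letters become same-case letters; separators,
    length and case are kept, so downstream validation still passes."""
    out = []
    for ch, b in zip(value, _keystream(value, field, len(value))):
        if ch.isdigit():
            out.append(string.digits[b % 10])
        elif ch.isupper():
            out.append(string.ascii_uppercase[b % 26])
        elif ch.islower():
            out.append(string.ascii_lowercase[b % 26])
        else:
            out.append(ch)  # '-', '.', ' ' and other separators stay put
    return "".join(out)

def mask_email(value: str) -> str:
    # Mask the local part only; the domain is kept so routing behaves as in production.
    local, _, domain = value.partition("@")
    return f"{mask_preserving_format(local, 'email')}@{domain}"

def mask_record(rec: dict) -> dict:
    """Copy one row, masking sensitive fields and leaving the rest untouched."""
    masked = dict(rec)
    for field in SENSITIVE_FIELDS:
        if field in masked:
            masked[field] = (mask_email(masked[field]) if field == "email"
                             else mask_preserving_format(masked[field], field))
    return masked

# Constructed sample row, shaped like a production extract.
SAMPLE_ROW = {"id": 1, "name": "Jane Doe", "ssn": "123-45-6789",
              "phone": "555-0101", "email": "jane.doe@example.com", "plan": "gold"}
```

Keeping the format is not the same as removing re-identification risk: columns left untouched (dates of birth, postal codes, rare plan names) can still single a person out, so the classification step decides which fields are masked. The key must never travel with the masked copy, since anyone holding it can confirm guesses against the masked values.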
Zero Trust architecture begins with data-centric security
As the modern workplace moves to the edge and the cloud, the need for comprehensive data security grows exponentially. Organizations cannot afford to take shortcuts; before any architecture can be considered Zero Trust, it must have a rock-solid foundation. With the right competencies in place, a data-centric approach to Zero Trust can be set up for scalable success.
About the Author
Terry Ray is the SVP and Imperva Fellow for Imperva Inc. As a technology fellow, Terry supports all of Imperva’s business functions with his years of industry experience and expertise. Previously he served as Chief Technology Officer, where he was responsible for developing and articulating the company’s technical vision and strategy, as well as maintaining a deep knowledge of the application and data security solution and threat landscape. Earlier in his tenure at Imperva, he held the role of Chief Product Strategist, where he consulted directly with Imperva’s strategic global customers on industry best practices, the threat landscape, application and data security implementation, and industry regulations. Terry can be reached online at https://www.linkedin.com/in/terry-ray/ and at our company website https://www.imperva.com/