What is Zero Trust Data Security?
The limitations of traditional perimeter-based IT security defenses have exposed organizations to new forms of cyber threats. The proliferation of endpoints, including desktop and laptop PCs, smartphones and tablets, and Internet of Things (IoT) devices, together with the rapid adoption of work from home (WFH) and work from anywhere (WFA) models in the wake of the COVID-19 pandemic, has compounded the problem, resulting in threat actors bypassing endpoint protection and breaching network security controls.
The recent threat landscape is driving many organizations to adopt a Zero Trust approach to cybersecurity. The Zero Trust security model is based on the principle of “never trust, always verify”: no user, device or resource (applications, services, databases and so on) is trusted simply because it is “on the network”. Instead, the identity of every user, device and resource must be positively verified each time it connects to the network, and it is granted only the minimum level of permission necessary to perform an authorized function, for a limited period.
Although Zero Trust is not a new concept, numerous organizations are now beginning to adopt it because of its effectiveness against modern threats. Vendors, in turn, have adapted their offerings in response to the Zero Trust trend to fit their existing product portfolios.
As defined by the U.S. National Institute of Standards and Technology (NIST) in Special Publication (SP) 800-207, Zero Trust Architecture, Zero Trust comprises “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeter to focus on users, assets and resource”. In the NIST view, a Zero Trust architecture applies Zero Trust principles to the design of enterprise infrastructure and workflows, and the focus is on protecting users, devices and resources rather than an arbitrary network perimeter. According to NIST, a Zero Trust architecture adheres to the following seven tenets:
All devices and services that connect to the network and send, receive, or process data should be treated as resources to be verified and protected.
Regardless of the location and ownership of a resource (that is, “on” or “off” the network, and enterprise-, personally or third-party-owned), all communication is protected using the most secure means available.
Least-privilege access to individual enterprise resources is granted on a per-session basis after trust is verified and is not transferable to other enterprise resources.
Dynamic policies determine whether access to a resource is granted, based on behavioral and environmental attributes such as software version, network location, date and time of the request, and others.
All resources that connect to the enterprise network are continuously monitored and evaluated to ensure the enterprise network security posture is not compromised.
Resource authentication and authorization (including re-authentication and re-authorization) are dynamic and strictly enforced – using technologies such as multi-factor authentication (MFA) and continuous monitoring – before access is granted.
As much data as possible is collected about the current state of resources, network infrastructure and communications to improve the enterprise network security posture.
The logical components that make up an enterprise Zero Trust architecture
The diagram above represents the logical components of a Zero Trust architecture. (Source: NIST SP 800-207, Zero Trust Architecture)
Control plane
Policy decision point (PDP), consisting of a policy engine responsible for deciding whether to grant access to a resource, and a policy administrator responsible for generating any session-specific authentication and authorization token (or credential) that the policy enforcement point uses to allow communication between users/devices and enterprise resources.
Data plane
Policy enforcement point (PEP), responsible for enabling, monitoring and terminating connections between users/devices and enterprise resources.
Supporting components
Continuous diagnostics and mitigation (CDM) system, responsible for collecting information about the current state of an enterprise resource and for updating its configuration and software components.
Industry compliance engine, responsible for the enterprise's policy rules that help ensure compliance with any applicable regulatory regime.
Threat intelligence consisting of live feeds from internal and/or external sources.
Activity logs, including network and system logs, which provide real-time or near real-time feedback on security posture.
Data access policy including attributes, rules and policies used by the policy engine to manage access.
Public key infrastructure (PKI), responsible for managing the certificates the enterprise issues to resources, subjects, services and applications.
Identity management system that provides identity and access management services for the enterprise.
Security information and event management (SIEM) system, which collects and aggregates security events from numerous enterprise data sources and generates alerts.
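To make the tenets and the control-plane/data-plane split concrete, the following is an added example (not from the page, from NIST or from Rubrik) that models a policy engine, a policy administrator and a policy enforcement point in Python: access is decided per request from attributes, the credential the PA mints is bound to one subject/resource pair with a short lifetime, and the PEP refuses it for any other resource or after expiry. The subject names, access rules, patch-level threshold and signing key are constructed assumptions.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Constructed example: the key, subjects, resources and thresholds are assumptions.
SIGNING_KEY = b"placeholder-key"   # a real PA would use a PKI/KMS-backed key
MIN_PATCH_LEVEL = 3                # CDM-reported posture threshold (assumed)
DATA_ACCESS_POLICY = {"alice": {"hr-db"}, "bob": {"wiki"}}   # assumed rules

@dataclass
class AccessRequest:
    subject: str
    mfa_verified: bool        # identity management / MFA result
    device_patch_level: int   # software version reported by the CDM system
    on_corp_network: bool     # recorded, but never a trust signal on its own
    resource: str

def policy_engine(req: AccessRequest) -> tuple[bool, str]:
    """Policy engine: attribute-based decision made afresh for every request."""
    if not req.mfa_verified:
        return False, "mfa required"
    if req.device_patch_level < MIN_PATCH_LEVEL:
        return False, "device posture below policy"
    if req.resource not in DATA_ACCESS_POLICY.get(req.subject, set()):
        return False, "not permitted for this resource"
    return True, "ok"   # on_corp_network is deliberately not consulted

def policy_administrator(req: AccessRequest, ttl: int = 300, now=None):
    """Policy administrator: mint a short-lived credential bound to one subject/resource pair."""
    allowed, _reason = policy_engine(req)
    if not allowed:
        return None
    exp = int((time.time() if now is None else now) + ttl)
    body = f"{req.subject}|{req.resource}|{exp}"
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def enforcement_point(token, subject: str, resource: str, now=None) -> bool:
    """PEP: admit only an authentic, unexpired credential issued for exactly this subject and resource."""
    try:
        sub, res, exp, tag = token.split("|")
    except (AttributeError, ValueError):
        return False
    body = f"{sub}|{res}|{exp}"
    expect = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, tag):
        return False
    return sub == subject and res == resource and int(exp) > (time.time() if now is None else now)
```

A request from the corporate network with a stale device or without MFA is refused exactly like one from outside, which is the point of tenets 2 and 4.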
Benefits of Zero Trust Data Security
The benefits of a Zero Trust Data Security architecture include the following:
IT teams can protect critical data from ransomware attacks, giving their organizations the ability to recover data and applications quickly – without paying a ransom.
Security teams can confidently leverage secured backup data to perform attack forensics and initiate recovery operations directly from their security operations center (SOC).
Application owners can rest easy knowing that business data is protected and that if a ransomware attack were to occur, applications can be restored quickly to maintain business continuity.
Chief Information Officers (CIOs) and Chief Financial Officers (CFOs) can be assured that ransomware recovery plans are supported by a Zero Trust architecture that enables the organization to minimize cyber insurance costs and avoid the reputational damage resulting from ransomware attacks.
We wish to acknowledge an amazing book called Zero Trust Data Security for Dummies (A Wiley Brand) by Lawrence Miller (Rubrik Special Edition), without which this article would not have been written.