4 best practices for a data-centric approach to zero trust


In a relatively short time, we have moved from the old “trust, but verify” standard to “never trust, always verify.” That’s the hallmark of zero trust, a best-practice security framework that many organizations are implementing today, and for good reason.

The importance of zero trust was underlined by the Biden administration executive order mandating that federal agencies implement a zero-trust security architecture, as well as the 28-page strategy memo from the Office of Management and Budget (OMB) with guidelines for implementing zero-trust cybersecurity.

As outlined in the OMB document, data governance is an important but often overlooked pillar of zero-trust security. Implementing data-level security is much more effective at protecting information than, say, a traditional firewall, and gives you complete control over your data at all times. By protecting the data itself, you can rest assured that even if your network is compromised, your most important assets will remain safe.

Here are four best practices for implementing zero-trust data management for better data protection wherever your data resides.

Apply policy control directly to data objects

We live in an environment with no perimeter and data is not static. It constantly flows in and out of your organization at high speed.

Therefore, it is critical to apply policy control directly to data objects themselves. This essentially means that a protective wrap is placed around each data object. With this approach, you can continue to manage your data wherever it resides, inside or outside your organization, and make sure it’s protected even if it moves outside your virtual walls. It also allows you to assign role-based access controls directly to individual data objects so that externally shared information is accessible only to intended parties and no one else.

Use TDF to support your zero-trust initiatives

An ideal way to apply policy control to data objects is through the Trusted Data Format (TDF) standard. Those data objects can be files, videos or other forms of information. TDF protects them all by encrypting the objects and then checking that the recipient has the authorization to access the data.

TDF is an established open standard for protecting sensitive data. It has been used by the United States government since 2012 and is currently an open specification hosted by the Office of the Director of National Intelligence (ODNI). Now is the time to help organizations of all kinds secure information at a very granular level and support their zero-trust initiatives.

TDF applies military-grade encryption to wrap each data object in a layer of security and privacy that stays with the data. With TDF you can:

  • Easily implement data-centric policy controls without friction for your administrators. TDF allows you to create simple and intuitive controls that can be easily used by a variety of users regardless of their skill level. The lack of friction means organizations can achieve greater security posture without security getting in the way of mission or business goals.
  • Link attribute-based access controls (ABAC) to data. Traditional role-based access controls can lead to too much data access being granted, allowing the wrong people to get their hands on information. TDF allows you to assign detailed ABAC tags to data so that only users who really need access can access it.
  • Revoke access when circumstances change. People work on short-term projects, get transferred, change jobs, and so on. TDF lets you revoke access to data at any time, so that users do not keep rights to data forever.
  • Secure data in multicloud environments. On average, organizations use about five cloud providers, including AWS, Microsoft Azure and Google Cloud. In these multi-cloud environments, it is essential to use cloud-independent data protection technology. TDF protects data regardless of which cloud service it resides on, as well as when it is passed between clouds.
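
The controls listed above (attributes bound to the data, revocation after sharing) can be modelled in a few lines. This is an added illustration, not code from the article, Virtru or the TDF specification: `KeyService`, the manifest fields and the attribute names are hypothetical, and payload encryption is left out so the block needs only the Python standard library.

```python
import hashlib
import hmac
import json
import secrets

def bind(policy, key):
    """HMAC over the canonical policy, keyed with the object's data key."""
    canon = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

class KeyService:
    """Hypothetical key-release service; holds keys and revocations centrally."""
    def __init__(self):
        self._keys = {}        # object_id -> data key (never leaves without a check)
        self._revoked = set()  # (object_id, user) pairs

    def protect(self, object_id, policy):
        key = secrets.token_bytes(32)  # would encrypt the payload in a real system
        self._keys[object_id] = key
        # The manifest travels with the object; the binding makes edits detectable.
        return {"id": object_id, "policy": policy, "binding": bind(policy, key)}

    def revoke(self, object_id, user):
        self._revoked.add((object_id, user))

    def release_key(self, manifest, user, attrs):
        key = self._keys.get(manifest["id"])
        if key is None:
            return None, "unknown object"
        if not hmac.compare_digest(bind(manifest["policy"], key), manifest["binding"]):
            return None, "policy tampered"
        if (manifest["id"], user) in self._revoked:
            return None, "revoked"
        missing = sorted(set(manifest["policy"]["require_all"]) - set(attrs))
        if missing:
            return None, "missing attributes: " + ", ".join(missing)
        return key, "granted"

def demo():
    """Constructed scenario: one shared object, two users, one forged manifest."""
    ks = KeyService()
    need = ["clearance:confidential", "project:apollo"]
    m = ks.protect("report-001", {"require_all": need})
    out = [ks.release_key(m, "alice", set(need))[1],
           ks.release_key(m, "bob", {"project:apollo"})[1]]
    forged = dict(m, policy={"require_all": []})  # recipient strips the policy
    out.append(ks.release_key(forged, "bob", {"project:apollo"})[1])
    ks.revoke("report-001", "alice")              # access withdrawn after sharing
    out.append(ks.release_key(m, "alice", set(need))[1])
    return out
```

Because the key is released per request rather than shipped with the object, the revocation and the attribute check still apply to copies that have already left the organization.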

Focus less on ‘attack surface’ and more on ‘protection surface’

We’re so used to focusing on the attack surface, but that is quickly becoming an outdated way of thinking. Yes, you need to do the basics to protect your attack surface with policy controls focused on identities, endpoints, and networks. But the attack surface of any organization is constantly expanding; if you’re not careful, trying to manage it can take up all your time and attention.

A better and more efficient approach is to focus on the protection surface. The protection surface contains the data that is most valuable to your organization. By focusing on it, you can concentrate your security efforts on the things that matter most, without expending all your energy defending an ever-expanding attack surface.

Zero-trust: shifting to control over ‘micropolicies’ to protect data itself

Of course, you need to implement multi-factor authentication and contextually authorize who can access data you own internally. And yes, you have to do your very best to protect endpoints, networks and the like. But it’s also wise to narrow the scope of security control down to the data itself. By shifting only a small portion of your overall security investment to data-centric controls, you can enforce granular policies that protect data that enters and exits your business through emails, files, applications, and more, no matter where the data resides.

When it comes to implementation, start small and work your way up. For example, consider protecting your email and files first, then moving to Software as a Service (SaaS) applications and the cloud. Build your security program from the ground up, starting at the grassroots level with detailed policy controls applied to unstructured data in email and files, and expand from there without losing focus on protecting what matters most: your data.

Mike Morper is Senior Vice President of Product Market at Virtru.
