Zero Trust and Data Security: Guiding Principles for CISOs
The concept of Zero Trust security has evolved over the years. It was initially rooted in network micro-segmentation, blocking an adversary's lateral movement, and that approach struggled to keep pace with the rapid expansion of cloud services. As a result, the focus has shifted towards safeguarding the sensitive data itself through a more comprehensive approach.
However, CISOs often find themselves overwhelmed by the array of data security features vendors offer, such as Data Security Posture Management (DSPM), Database Activity Monitoring (DAM), data masking, Attribute-Based Access Control (ABAC), and encryption. Each additional tool not only raises the Total Cost of Ownership (TCO) but also demands scarce talent to master it, while the critical task of protecting data from both careless insiders and malicious attackers remains unfulfilled.
This is where the Zero Trust model steps in to bring clarity to the chaos.
Zero Trust introduces three key elements that are crucial for a robust data security strategy:
1. Explicitly Verify: Zero Trust emphasizes the principle of never trust, always verify. For data security this means continuously monitoring all access to sensitive data: tagging and risk-scoring each access request, especially those that return large sets of sensitive records.
2. Limit User Access: Zero Trust follows the principle of least privilege. Access is restricted based on attributes such as location, device, purpose, consent, client assignment, and type, and Attribute-Based Access Control (ABAC) is the mechanism that enforces these attribute checks.
3. Assume Breach: Zero Trust assumes the environment is already compromised. For data this means de-identifying sensitive data at rest through methods such as Format-Preserving Encryption (FPE) and tokenization, so that even if a breach occurs and the data is stolen, the most sensitive columns remain protected, provided the encryption keys or token vault are held in a separate trust zone and are not taken along with the data.
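The three elements above fit together as a single data-access path, and the following Python module shows that path in miniature. It is an added example written for this article, not code from the page or from any vendor product, and every name in it (TokenVault, abac_decide, risk_score, access, the POLICY attributes, the sample table and requests) is an assumption made for the demo. It uses random-token tokenization with a separate vault rather than FPE; FPE (for example NIST FF1) is a keyed cipher and is not implemented here. The sample records and requests are constructed, not real data.

```python
"""Zero Trust data path in miniature: ABAC gate, tokenized storage, risk-scored audit.

Added example for this article, not the page's or any vendor's code.  TokenVault,
abac_decide, risk_score, access and the POLICY attributes are assumed names for the demo.
"""
import secrets

SENSITIVE_COLUMNS = {"ssn", "card_number"}
BULK_THRESHOLD = 1000  # rows; a read at or above this is tagged as bulk

# Limit user access: attribute-based policy, deny by default ---------------------
POLICY = {
    "allowed_countries": {"US", "CA"},
    "require_managed_device": True,
    "purposes_needing_consent": {"marketing"},
    "roles_allowed_clear_text": {"fraud_analyst"},  # everyone else sees tokens only
}


def abac_decide(request: dict, policy: dict = POLICY) -> tuple[bool, str]:
    """Check the attributes the article lists (location, device, purpose, consent,
    client assignment); the first failing attribute denies the request."""
    if request["country"] not in policy["allowed_countries"]:
        return False, "location"
    if policy["require_managed_device"] and not request["managed_device"]:
        return False, "device"
    if request["purpose"] in policy["purposes_needing_consent"] and not request["consent"]:
        return False, "consent"
    if request["client"] not in request["assigned_clients"]:
        return False, "client_assignment"
    return True, "allowed"


# Assume breach: tokenize sensitive columns at rest ------------------------------
class TokenVault:
    """Random-token vault (tokenization rather than FPE).  Keep it in a separate
    trust zone: a dump of the table alone yields only unrelated random strings."""

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:
            token = secrets.token_hex(8)  # no mathematical link to the value
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def store_record(vault: TokenVault, record: dict) -> dict:
    """What actually lands on disk: sensitive columns replaced by vault tokens."""
    return {k: vault.tokenize(v) if k in SENSITIVE_COLUMNS else v
            for k, v in record.items()}


# Explicitly verify: tag and risk-score every access -----------------------------
def risk_score(event: dict) -> tuple[int, list[str]]:
    """Score rises with sensitivity, volume and whether clear text was returned."""
    sensitive = bool(SENSITIVE_COLUMNS & set(event["columns"]))
    bulk = event["rows"] >= BULK_THRESHOLD
    checks = [
        (sensitive, "sensitive-columns", 30),
        (bulk, "bulk-read", 30),
        (event["clear_text"], "clear-text", 20),
        (sensitive and bulk and event["clear_text"], "mass-exposure", 20),  # worst case
    ]
    tags = [tag for hit, tag, _ in checks if hit]
    return sum(pts for hit, _, pts in checks if hit), tags


def access(vault: TokenVault, table: list[dict], request: dict, columns: list[str]) -> dict:
    """Single chokepoint: ABAC gate -> selective detokenization -> audit event."""
    allowed, reason = abac_decide(request)
    if not allowed:
        return {"allowed": False, "reason": reason, "rows": [], "risk": 0, "tags": ["denied"]}
    clear = request["role"] in POLICY["roles_allowed_clear_text"]
    rows = [{c: vault.detokenize(rec[c]) if clear and c in SENSITIVE_COLUMNS else rec[c]
             for c in columns} for rec in table]
    event = {"user": request["user"], "columns": columns, "rows": len(rows), "clear_text": clear}
    score, tags = risk_score(event)
    return {"allowed": True, "reason": reason, "rows": rows, "risk": score, "tags": tags}


# Constructed sample data and requests (not real records) ------------------------
VAULT = TokenVault()
TABLE = [store_record(VAULT, {"name": f"user{i}", "ssn": f"000-00-{i:04d}", "client": "acme"})
         for i in range(1200)]
ANALYST = {"user": "alice", "role": "fraud_analyst", "country": "US", "managed_device": True,
           "purpose": "fraud_review", "consent": False, "client": "acme",
           "assigned_clients": {"acme"}}
MARKETER = dict(ANALYST, user="bob", role="marketing", purpose="marketing")

if __name__ == "__main__":
    print(TABLE[0]["ssn"])  # a random token, not an SSN
    r = access(VAULT, TABLE, ANALYST, ["name", "ssn"])
    print(r["allowed"], r["risk"], r["tags"])
    print(access(VAULT, TABLE, MARKETER, ["name", "ssn"])["reason"])
```

Two design points matter here. First, access goes through one chokepoint, so the same call that enforces the attribute policy also produces the audit event that gets scored; the analyst pulling 1,200 clear-text SSNs is tagged as a mass exposure even though the request was legitimately allowed, which is exactly the kind of access the "explicitly verify" element wants surfaced. Second, the table itself holds only vault tokens, so the "assume breach" property depends entirely on the vault (or, with FPE, the key) living somewhere the stolen table copy does not.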
When implementing a Zero Trust approach, it is crucial to select tooling that covers at least three core capabilities: monitoring and tagging of access, Attribute-Based Access Control, and the ability to encrypt or de-identify selected columns or data sets at rest. Integrating these functions in a single platform lets you achieve Zero Trust while streamlining implementation, reducing cost, and strengthening data security.