Altaz Valani
The Data-Centric Path to Zero Trust

Data is an organization's most valuable asset, so a data-centric approach would provide the best value for organizations, now and in the future.

Few people would seriously dispute the advantages of a zero-trust security model, particularly in a fast-changing cloud environment with business being conducted by a dispersed workforce using a wide variety of devices. The question is how best to approach zero trust. While there is still no specific definition or standard for a zero-trust model, two primary approaches have emerged: one taking a network-centric approach, the other a data-centric approach. The latter is the better choice.


Zero trust has gained a lot of ground since the term was coined by a Forrester Research analyst in 2010 (though its foundations go further back to ideas that percolated out of the Open Group's Jericho Forum). Google helped popularize the approach with its BeyondCorp framework, but it's still mostly a goal for CISOs rather than a widespread practice. No organization has completely implemented a zero-trust model, though organizations clearly recognize the need for it.

With the prevalence of cloud computing and an ever-increasing number of remote workers as well as mobile and Internet of Things devices, enterprises have long since outgrown their network perimeter. Employees work anytime, from anywhere. Organizations share information, sometimes in situations where they must cooperate with their competition. And even if an organization stores its data with a third party in the cloud, that organization is still responsible for securing that data. Add to that a dynamic threat landscape that is constantly growing in speed, scale, and complexity, and the traditional notion of focusing security on the perimeter doesn't hold.

Perimeter security is still important, of course, but organizations need to extend security out to where business is being conducted. Zero trust replaces the perimeter-centric mindset with one of continuously authenticating and verifying users, devices, and applications, since that's where data — the lifeblood of any organization — is being exchanged. Zero trust is more evolutionary than revolutionary, reflecting how computing has changed and how security needs to evolve toward the data layer.

Fork in the Road
Despite agreement on the need for zero trust, however, the industry is at a fork in the road on how best to implement it — whether by focusing on the network or the data. As an example, take a look at the National Institute of Standards and Technology (NIST) Zero Trust Architecture framework and the Open Group. Both approaches focus on the two most fundamentally important questions: how to provide security that enables organizations to conduct operations, and how to manage risk. But for a number of reasons, I believe focusing on the data level is the better long-term option.

The reasons for zero trust inevitably lead us into a data-centric approach. From an atomic level — the data level — a data-centric approach affords organizations the flexibility to, for example, establish and enforce policies on top of their security. If someone has access to certain data but moves to another job where they should not have it, it can be difficult to go in and manually undo some of the controls that exist around user authentication. But if your policy is to authenticate every time a person tries to access that data, each request goes to a policy engine that confirms who they are, where they are, what device they're using, or whatever rules the policy establishes. If something isn't right, that person doesn't get in. A data-centric approach abstracts the complexity out and puts it into a policy enforcement engine, which gives organizations the assurance they need in real time.
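To make the policy-engine idea concrete, here is an added example (not code from the article or from Security Compass) of a minimal data-centric access check. Every request for a data object is evaluated fresh against the requester's current role, device posture, network location and the data's classification; nothing is remembered from an earlier grant. The user directory, classification levels, role names and data objects are all constructed for the example, and the directory dictionary stands in for a live identity-provider lookup. The job-change scenario from the paragraph above is played out directly: the directory entry changes, and the very next request to the same data is denied with no other control touched.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Data classification levels, least to most sensitive (constructed for this example).
LEVELS = ("public", "internal", "restricted")


@dataclass(frozen=True)
class DataObject:
    name: str
    classification: str         # one of LEVELS
    allowed_roles: FrozenSet[str]


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)   # empty when allowed


class PolicyEngine:
    """Evaluates each data access at request time and never caches a prior grant."""

    def __init__(self, directory: Dict[str, str]):
        # user -> current role; an assumed stand-in for a live directory/IdP query.
        self.directory = directory
        # Every decision is recorded so denials can be reviewed or alerted on.
        self.audit: List[dict] = []

    def evaluate(self, user: str, data: DataObject, *, device_managed: bool,
                 network: str, mfa_verified: bool) -> Decision:
        reasons: List[str] = []

        # Who they are: the role is looked up now, not taken from an old session.
        role = self.directory.get(user)
        if role is None:
            reasons.append("unknown identity")
        elif role not in data.allowed_roles:
            reasons.append(f"role '{role}' not permitted for {data.name}")

        # What device and where from: requirements scale with data sensitivity.
        level = LEVELS.index(data.classification)
        if level >= LEVELS.index("internal") and not device_managed:
            reasons.append("unmanaged device")
        if level >= LEVELS.index("restricted"):
            if not mfa_verified:
                reasons.append("MFA not verified")
            if network == "public":
                reasons.append("restricted data not served to public networks")

        decision = Decision(allowed=not reasons, reasons=reasons)
        self.audit.append({"user": user, "data": data.name,
                           "allowed": decision.allowed, "reasons": list(reasons)})
        return decision


def demo() -> Tuple[PolicyEngine, Decision, Decision, Decision, Decision]:
    """Walks through the role-change scenario; returns the engine and each decision."""
    payroll = DataObject("payroll", "restricted", frozenset({"finance"}))
    handbook = DataObject("employee-handbook", "public", frozenset({"finance", "marketing"}))
    engine = PolicyEngine({"alice": "finance", "bob": "finance"})

    # Alice in finance, managed device, VPN, MFA done: allowed.
    d1 = engine.evaluate("alice", payroll, device_managed=True, network="vpn", mfa_verified=True)

    # Alice changes jobs. Only the directory is updated; no access list is edited.
    engine.directory["alice"] = "marketing"
    d2 = engine.evaluate("alice", payroll, device_managed=True, network="vpn", mfa_verified=True)

    # Bob is in finance, but the device and context are wrong for restricted data.
    d3 = engine.evaluate("bob", payroll, device_managed=False, network="public", mfa_verified=False)

    # Public data has no posture requirement, so Alice's new role still reads the handbook.
    d4 = engine.evaluate("alice", handbook, device_managed=False, network="public", mfa_verified=False)
    return engine, d1, d2, d3, d4


if __name__ == "__main__":
    engine, *decisions = demo()
    for entry in engine.audit:
        print(entry)
```

The point of the structure is that the decision is made at the data object, from attributes fetched at request time, so revocation is a side effect of keeping the directory current rather than a separate cleanup task. The audit list is where a detection team would look: a burst of denials for a single user or device is a signal worth alerting on.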

Even organizations that rely on legacy infrastructure, such as industrial control systems, have to face IT/OT integration head-on. Network vendors offer zero trust based on "shrinking the network perimeter" through microsegmentation, or dividing the network into small logical segments with security and access controls defined for each. This may be an adequate interim solution but does not address the IT perspective strongly enough. It doesn't go directly to the data. It's still focused on the network.

In today's computing environments, security is more than just the network — it's the applications, the devices, the users, and other levels that need to be secured and monitored for anomalous conditions. A data-centric approach is better able to support the security of a remote workforce, counter potential insider threats, and enable the kind of operations that organizations are aiming for. The network perimeter, while useful, doesn't support the kind of agility that businesses need today.

Common Ground
Zero trust shouldn't be perceived as a purely technical solution, nor will it eliminate all threats. But it is the best model for securing today's fast-evolving computing environments while simultaneously managing security risk. Getting there requires a cultural change in how organizations think of security, which would be best served by embracing a data-centric approach.

At the moment, the industry is faced with reconciling the two dominant approaches. Proponents of a data-centric approach don't want to do away with network-centric security — it's still important. Standards groups are working together in hopes of coming to a consensus on the best option, in terms of costs (such as training and retooling) and providing business value. Because data is an organization's most valuable asset, a data-centric approach would provide the best value for organizations, now and in the future.

Altaz Valani, Director of Insights Research at Security Compass, manages the overall research vision and team. He is a regular conference speaker who conducts ongoing research in the software security domain. Prior to joining Security Compass, Valani was a Senior Research ...

2/5/2021 | 4:04:10 PM
Data-Centric Approach
I like your view and perspective of a Data-Centric approach to Zero Trust. This is very similar to the approach by Forrester and the ZTX model they represent.

I would only challenge the missing element of an Identity-Centric Approach to Zero Trust that encompasses business resources/assets as opposed to just data. In my mind Data becomes a business resource or asset to be protected.

Would love to hear your feedback.