Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

1/13/2021
10:00 AM
Altaz Valani
Altaz Valani
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The Data-Centric Path to Zero Trust

Data is an organization's most valuable asset, so a data-centric approach would provide the best value for organizations, now and in the future.

Few people would seriously dispute the advantages of a zero-trust security model, particularly in a fast-changing cloud environment with business being conducted by a dispersed workforce using a wide variety of devices. The question is how best to approach zero trust. While there is still no specific definition or standard for a zero-trust model, two primary approaches have emerged: one taking a network-centric approach, the other a data-centric approach. The latter is the better choice.

Related Content:

Zero-Trust Security 101

How Data Breaches Affect the Enterprise

5 Email Threat Predictions for 2021

Zero trust has gained a lot of ground since the term was coined by a Forrester Research analyst in 2010 (though its foundations go further back to ideas that percolated out of the Open Group's Jericho Forum). Google helped popularize the approach with its BeyondCorp framework, but it's still mostly a goal for CISOs rather than a widespread practice. No organization has completely implemented a zero-trust model, though organizations clearly recognize the need for it.

With the prevalence of cloud computing and an ever-increasing number of remote workers as well as mobile and Internet of Things devices, enterprises have long since outgrown their network perimeter. Employees work anytime, from anywhere. Organizations share information, sometimes in situations where they must cooperate with their competition. And even if an organization stores its data with a third party in the cloud, that organization is still responsible for securing that data. Add to that a dynamic threat landscape that is constantly growing in speed, scale, and complexity, and the traditional notion of focusing security on the perimeter doesn't hold.

Perimeter security is still important, of course, but organizations need to extend security out to where business is being conducted. Zero trust replaces the perimeter-centric mindset with one of continuously authenticating and verifying users, devices, and applications, since that's where data — the lifeblood of any organization — is being exchanged. Zero trust is more evolutionary than revolutionary, reflecting how computing has changed and how security needs to evolve toward the data layer.

Fork in the Road
Despite agreement on the need for zero trust, however, the industry is at a fork in the road on how best to implement it — whether by focusing on the network or the data. As an example, take a look at the National Institute of Standards and Technology (NIST) Zero Trust Architecture framework and the Open Group. Both approaches focus on the two most fundamentally important questions: how to provide security that enables organizations to conduct operations, and how to manage risk. But for a number of reasons, I believe focusing on the data level is the better long-term option.

The reasons for zero trust inevitably lead us into a data-centric approach. From an atomic level — the data level — a data-centric approach affords organizations the flexibility to, for example, establish and enforce policies on top of their security. If someone who has access to certain data but moves to another job where they should not, it can be difficult to go in and manually undo some of the controls that exist around user authentication. But if your policy is to authenticate every time a person tries to access that data, it goes to a policy engine that confirms who they are, where they are, what device they're using, or whatever rules the policy establishes. If something isn't right, that person doesn't get in. A data-centric approach abstracts the complexity out and puts it into a policy enforcement engine, which gives organizations the assurance they need in real time.

Even organizations that rely on legacy infrastructure, such as industrial control systems, have to face the IT/OT integration head on. Network vendors offer zero trust based on "shrinking the network perimeter" through microsegmentation, or dividing the network into small logical segments with security and access controls defined for each. This may be an adequate interim solution but does not address the IT perspective strongly enough. It doesn't go directly to the data. It's still focused on the network.

In today's computing environments, security is more than just the network — it's the applications, the devices, the users, and other levels that need to be secured and monitored for anomalous conditions. A data-centric approach is better able to support the security of a remote workforce, counter potential insider threats, and enable the kind of operations that organizations are aiming for. The network perimeter, while useful, doesn't support the kind of agility that businesses need today.

Common Ground
Zero trust shouldn't be perceived as a purely technical solution, nor will it eliminate all threats. But it is the best model for securing today's fast-evolving computing environments while simultaneously managing security risk. Getting there requires a cultural change in how organizations think of security, which would be best served by embracing a data-centric approach.

At the moment, the industry is faced with reconciling the two dominant approaches. Proponents of a data-centric approach don't want to do away with network-centric security—it's still important. Standards groups are working together in hopes of coming to a consensus on the best option, in terms of costs (such as training and retooling) and providing business value. Because data is an organization's most valuable asset, a data-centric approach would provide the best value for organizations, now and in the future.

Altaz Valani, Director of Insights Research at Security Compass, manages the overall research vision and team. He is a regular conference speaker who conducts ongoing research in the software security domain. Prior to joining Security Compass, Valani was a Senior Research ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
jwchapman101
50%
50%
jwchapman101,
User Rank: Author
2/5/2021 | 4:04:10 PM
Data - Centric Approach
I like your view and perspective of a Data-Centric approach to Zero Trust.  This is very similar to the approach by Forrester and the ZTX model they represent.

 

I would only challenge the missing element of Identity Centric Approach to Zero Trust that encompass Business resoures/assests as opposed to just data.  In my mind Data becomes a business resource or asset to be protected.  

 

Would love to hear your feedback.

 

-jwc
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...