
Cloud | Commentary
1/13/2021 10:00 AM
Altaz Valani

The Data-Centric Path to Zero Trust

Data is an organization's most valuable asset, so a data-centric approach would provide the best value for organizations, now and in the future.

Few people would seriously dispute the advantages of a zero-trust security model, particularly in a fast-changing cloud environment with business being conducted by a dispersed workforce using a wide variety of devices. The question is how best to approach zero trust. While there is still no specific definition or standard for a zero-trust model, two primary approaches have emerged: one taking a network-centric approach, the other a data-centric approach. The latter is the better choice.


Zero trust has gained a lot of ground since the term was coined by a Forrester Research analyst in 2010 (though its foundations go further back to ideas that percolated out of the Open Group's Jericho Forum). Google helped popularize the approach with its BeyondCorp framework, but it's still mostly a goal for CISOs rather than a widespread practice. No organization has completely implemented a zero-trust model, though organizations clearly recognize the need for it.

With the prevalence of cloud computing and an ever-increasing number of remote workers as well as mobile and Internet of Things devices, enterprises have long since outgrown their network perimeter. Employees work anytime, from anywhere. Organizations share information, sometimes in situations where they must cooperate with their competition. And even if an organization stores its data with a third party in the cloud, that organization is still responsible for securing that data. Add to that a dynamic threat landscape that is constantly growing in speed, scale, and complexity, and the traditional notion of focusing security on the perimeter doesn't hold.

Perimeter security is still important, of course, but organizations need to extend security out to where business is being conducted. Zero trust replaces the perimeter-centric mindset with one of continuously authenticating and verifying users, devices, and applications, since that's where data — the lifeblood of any organization — is being exchanged. Zero trust is more evolutionary than revolutionary, reflecting how computing has changed and how security needs to evolve toward the data layer.

Fork in the Road
Despite agreement on the need for zero trust, however, the industry is at a fork in the road on how best to implement it — whether by focusing on the network or the data. As an example, compare the National Institute of Standards and Technology (NIST) Zero Trust Architecture framework with the Open Group's approach. Both focus on the two most fundamentally important questions: how to provide security that enables organizations to conduct operations, and how to manage risk. But for a number of reasons, I believe focusing on the data level is the better long-term option.

The reasons for zero trust inevitably lead us into a data-centric approach. At the atomic level — the data level — a data-centric approach gives organizations the flexibility to, for example, establish and enforce access policies on top of their existing security controls. If someone has access to certain data and then moves to another job where they should not, it can be difficult to go in and manually undo the controls that were built around that user's authentication. But if your policy is to authenticate every time a person tries to access that data, each request goes to a policy engine that confirms who they are, where they are, what device they're using, or whatever other rules the policy establishes. If something isn't right, that person doesn't get in. A data-centric approach abstracts the complexity out of individual systems and puts it into a policy enforcement engine, which gives organizations the assurance they need in real time.
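As an added illustration of the per-access policy engine described above (this is example code written for this page, not a product or framework the article mentions), the Python below evaluates every data access against the dataset's policy and the authoritative directory; the dataset name, roles, locations and user names are constructed sample values. Because nothing is cached, a job change in the directory is enforced on the very next request without any per-user cleanup.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    dataset: str
    location: str        # country code reported by the access path
    device_managed: bool # device posture signal
    mfa_verified: bool   # strong-authentication signal for this session

@dataclass
class DataPolicy:
    allowed_roles: set
    allowed_locations: set
    require_managed_device: bool = True
    require_mfa: bool = True

class PolicyEngine:
    """Policy decision point consulted on every access to a dataset."""

    def __init__(self, policies, directory):
        self.policies = policies    # dataset -> DataPolicy
        self.directory = directory  # user -> current role (authoritative source, e.g. HR/IdP)

    def decide(self, req):
        """Re-evaluate every condition for this request; return (allowed, reason)."""
        policy = self.policies.get(req.dataset)
        if policy is None:
            return False, "no policy for dataset: default deny"
        role = self.directory.get(req.user)
        if role not in policy.allowed_roles:
            return False, f"role {role!r} not permitted"
        if req.location not in policy.allowed_locations:
            return False, f"location {req.location!r} not permitted"
        if policy.require_managed_device and not req.device_managed:
            return False, "unmanaged device"
        if policy.require_mfa and not req.mfa_verified:
            return False, "MFA not verified"
        return True, "all checks passed"

def demo():
    # Constructed sample data: one dataset, one user, then a job change.
    policies = {"payroll": DataPolicy({"hr-analyst"}, {"CA", "US"})}
    directory = {"alice": "hr-analyst"}
    engine = PolicyEngine(policies, directory)
    req = AccessRequest("alice", "payroll", "CA", device_managed=True, mfa_verified=True)
    before = engine.decide(req)        # hr-analyst from CA on a managed device: allowed
    directory["alice"] = "sales-rep"   # role changes in the directory, nothing else is touched
    after = engine.decide(req)         # identical request is now denied
    return before, after
```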

Even organizations that rely on legacy infrastructure, such as industrial control systems, have to face the IT/OT integration head on. Network vendors offer zero trust based on "shrinking the network perimeter" through microsegmentation, or dividing the network into small logical segments with security and access controls defined for each. This may be an adequate interim solution but does not address the IT perspective strongly enough. It doesn't go directly to the data. It's still focused on the network.

In today's computing environments, security is more than just the network — it's the applications, the devices, the users, and other levels that need to be secured and monitored for anomalous conditions. A data-centric approach is better able to support the security of a remote workforce, counter potential insider threats, and enable the kind of operations that organizations are aiming for. The network perimeter, while useful, doesn't support the kind of agility that businesses need today.

Common Ground
Zero trust shouldn't be perceived as a purely technical solution, nor will it eliminate all threats. But it is the best model for securing today's fast-evolving computing environments while simultaneously managing security risk. Getting there requires a cultural change in how organizations think of security, which would be best served by embracing a data-centric approach.

At the moment, the industry is faced with reconciling the two dominant approaches. Proponents of a data-centric approach don't want to do away with network-centric security — it's still important. Standards groups are working together in hopes of coming to a consensus on the best option, in terms of costs (such as training and retooling) and providing business value. Because data is an organization's most valuable asset, a data-centric approach would provide the best value for organizations, now and in the future.

Altaz Valani, Director of Insights Research at Security Compass, manages the overall research vision and team. He is a regular conference speaker who conducts ongoing research in the software security domain. Prior to joining Security Compass, Valani was a Senior Research ...