Dark Reading is part of the Informa Tech Division of Informa PLC

Cloud | Commentary
1/13/2021, 10:00 AM
Altaz Valani

The Data-Centric Path to Zero Trust

Data is an organization's most valuable asset, so a data-centric approach would provide the best value for organizations, now and in the future.

Few people would seriously dispute the advantages of a zero-trust security model, particularly in a fast-changing cloud environment where business is conducted by a dispersed workforce using a wide variety of devices. The question is how best to approach zero trust. While there is still no single agreed definition or standard for a zero-trust model, two primary approaches have emerged: one network-centric, the other data-centric. The latter is the better choice.

Zero trust has gained a lot of ground since the term was coined by a Forrester Research analyst in 2010 (though its foundations go further back, to ideas that percolated out of the Open Group's Jericho Forum). Google helped popularize the approach with its BeyondCorp framework, but it is still mostly a goal for CISOs rather than a widespread practice. Few, if any, organizations have completely implemented a zero-trust model, though organizations clearly recognize the need for it.

With the prevalence of cloud computing and an ever-increasing number of remote workers as well as mobile and Internet of Things devices, enterprises have long since outgrown their network perimeter. Employees work anytime, from anywhere. Organizations share information, sometimes in situations where they must cooperate with their competition. And even if an organization stores its data with a third party in the cloud, that organization is still responsible for securing that data. Add to that a dynamic threat landscape that is constantly growing in speed, scale, and complexity, and the traditional notion of focusing security on the perimeter doesn't hold.

Perimeter security is still important, of course, but organizations need to extend security out to where business is being conducted. Zero trust replaces the perimeter-centric mindset with one of continuously authenticating and verifying users, devices, and applications, since that's where data — the lifeblood of any organization — is being exchanged. Zero trust is more evolutionary than revolutionary, reflecting how computing has changed and how security needs to evolve toward the data layer.

Fork in the Road
Despite agreement on the need for zero trust, however, the industry is at a fork in the road on how best to implement it: by focusing on the network or on the data. As an example, compare the National Institute of Standards and Technology (NIST) Zero Trust Architecture (SP 800-207) with the Open Group's zero-trust work. Both focus on the two most fundamentally important questions: how to provide security that enables organizations to conduct operations, and how to manage risk. But for a number of reasons, I believe focusing on the data level is the better long-term option.

The reasons for zero trust inevitably lead us to a data-centric approach. At the atomic level, the data level, a data-centric approach gives organizations the flexibility to define access policy once and enforce it on every access. Consider someone who has access to certain data and then moves to another job where they should not. Under a traditional model, it can be difficult to go in and manually undo the individual controls that were granted around that user. But if the policy is to authenticate and authorize every time a person tries to access that data, each request goes to a policy engine that confirms who they are, where they are, what device they are using, or whatever other attributes the policy requires, using the current state of those attributes. If something isn't right, that person doesn't get in. A data-centric approach abstracts that complexity out of individual systems and puts it into a policy decision and enforcement engine, which gives organizations the assurance they need in real time.
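To make the policy-engine behaviour concrete, here is an added example (not code from the article or from the author's employer) of a minimal data-centric policy decision point and enforcement point. Every read of a data object is evaluated against the subject's current role, MFA state, device posture and location; the data classifications, rule set, allowed-country list and sample subjects are all constructed for illustration. The `demo()` function plays out the job-change scenario from the paragraph above: access works while the user is in HR, and is denied on the very next request after the role changes, with nothing to revoke by hand.

```python
"""Added example: a minimal data-centric policy engine (constructed, not from the article)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DataObject:
    name: str
    classification: str       # "public", "internal" or "restricted" (assumed scheme)
    allowed_roles: frozenset  # roles permitted to read this object


@dataclass
class Subject:
    user: str
    role: str                 # current role as held by the system of record (HR/IdP)
    mfa_verified: bool
    device_managed: bool      # device posture: enrolled and compliant
    country: str


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # why access was denied, if it was


# Each rule returns a denial reason, or None when it has no objection.
def rule_role(subj, obj):
    if subj.role not in obj.allowed_roles:
        return f"role {subj.role!r} not permitted for {obj.name}"
    return None


def rule_mfa(subj, obj):
    if obj.classification != "public" and not subj.mfa_verified:
        return "MFA required for non-public data"
    return None


def rule_device(subj, obj):
    if obj.classification == "restricted" and not subj.device_managed:
        return "restricted data requires a managed device"
    return None


ALLOWED_COUNTRIES = {"US", "CA", "GB"}  # hypothetical geo policy for restricted data


def rule_location(subj, obj):
    if obj.classification == "restricted" and subj.country not in ALLOWED_COUNTRIES:
        return f"restricted data not accessible from {subj.country}"
    return None


RULES = [rule_role, rule_mfa, rule_device, rule_location]


def evaluate(subj: Subject, obj: DataObject) -> Decision:
    """Policy decision point: default deny; any objecting rule denies the request."""
    reasons = []
    for rule in RULES:
        reason = rule(subj, obj)
        if reason is not None:
            reasons.append(reason)
    return Decision(allow=not reasons, reasons=reasons)


class DataStore:
    """Policy enforcement point: the only path to the content goes through evaluate()."""

    def __init__(self):
        self._objects = {}

    def put(self, obj: DataObject, content: str):
        self._objects[obj.name] = (obj, content)

    def read(self, subj: Subject, name: str) -> str:
        obj, content = self._objects[name]
        decision = evaluate(subj, obj)  # re-evaluated on every access, never cached
        if not decision.allow:
            raise PermissionError("; ".join(decision.reasons))
        return content


def demo():
    """Job-change scenario: returns (content on first read, denial reason after the role change)."""
    store = DataStore()
    payroll = DataObject("payroll.csv", "restricted", frozenset({"hr"}))
    store.put(payroll, "salary data")  # constructed content
    alice = Subject("alice", "hr", mfa_verified=True, device_managed=True, country="US")
    first = store.read(alice, "payroll.csv")   # allowed while alice is in HR
    alice.role = "marketing"                    # role changes in the system of record
    try:
        store.read(alice, "payroll.csv")
        second = None
    except PermissionError as exc:
        second = str(exc)                       # denied on the next request, no revocation step
    return first, second


if __name__ == "__main__":
    print(demo())
```

The point to notice is that no access list was edited when Alice changed jobs: the engine reads her current attributes on each request, so the decision changes as soon as the system of record does. The same shape extends to device posture or location changes mid-session, which a one-time perimeter check would never see.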

Even organizations that rely on legacy infrastructure, such as industrial control systems, have to face IT/OT integration head on. Network vendors offer zero trust based on "shrinking the network perimeter" through microsegmentation: dividing the network into small logical segments, each with its own security and access controls. This may be an adequate interim solution, but it does not address the data perspective strongly enough. It doesn't go directly to the data; it's still focused on the network.

In today's computing environments, security is more than just the network — it's the applications, the devices, the users, and other levels that need to be secured and monitored for anomalous conditions. A data-centric approach is better able to support the security of a remote workforce, counter potential insider threats, and enable the kind of operations that organizations are aiming for. The network perimeter, while useful, doesn't support the kind of agility that businesses need today.

Common Ground
Zero trust shouldn't be perceived as a purely technical solution, nor will it eliminate all threats. But it is the best model for securing today's fast-evolving computing environments while simultaneously managing security risk. Getting there requires a cultural change in how organizations think of security, which would be best served by embracing a data-centric approach.

At the moment, the industry is faced with reconciling the two dominant approaches. Proponents of a data-centric approach don't want to do away with network-centric security—it's still important. Standards groups are working together in hopes of coming to a consensus on the best option, in terms of costs (such as training and retooling) and providing business value. Because data is an organization's most valuable asset, a data-centric approach would provide the best value for organizations, now and in the future.

Altaz Valani, Director of Insights Research at Security Compass, manages the overall research vision and team. He is a regular conference speaker who conducts ongoing research in the software security domain. Prior to joining Security Compass, Valani was a Senior Research ...
Comments

jwchapman101, User Rank: Author, 2/5/2021 | 4:04:10 PM
Data-Centric Approach

I like your view and perspective of a Data-Centric approach to Zero Trust. This is very similar to the approach by Forrester and the ZTX model they represent.

I would only challenge the missing element of an Identity-Centric Approach to Zero Trust that encompasses business resources/assets as opposed to just data. In my mind, Data becomes a business resource or asset to be protected.

Would love to hear your feedback.

-jwc