Data-directed security: How zero trust fits into enterprise data security

September 13, 2023
John Bruggeman
Consulting CISO

If you are looking to build stronger cybersecurity into your business network, where does enterprise data security rank on your to-do list? Zero trust can help with that. It is one of the most fundamental yet most crucial steps you can take to protect your enterprise.

When I think about cybersecurity, I try to keep it simple and focus on the key items that are crucial to a successful cybersecurity strategy. A key component of any strategy is to figure out where to focus your efforts. For cybersecurity, you start by focusing your efforts on what you are trying to secure. Do you need to secure a system, a person, a device, a process, or just the data?

As I talked about zero trust last year at conferences and CIO roundtables, it helped people understand how to get started when I had them focus on the basics—namely, keep access to your confidential data restricted and keep your data secure from modification or destruction.

Enterprise data security protects your most valuable asset

The biggest current risk to your data is cybercriminals or malicious insiders who attempt to steal or encrypt it. Zero trust data security emphasizes a shift from “trusted networks” to the least-privilege principle: no network or device may be implicitly considered secure, and all traffic on the network or device must be encrypted and authenticated at the earliest opportunity.

Those of us in the information security field—CISOs and BISOs—implement technologies to keep laptops, desktops, and servers free from viruses and malware, but we do that to protect the data on those devices or systems. We secure the device to make sure that only authorized individuals can access the data that device can view.

We secure the device, but what we really care about is the data. We do not really care about the device because it is effectively disposable.

Where does zero trust fit into a data-directed security focus?

If you start with a data-directed security focus, you can leverage the power of zero trust solutions to reduce your risk of a data breach. The news is full of reports about companies and organizations that failed to put appropriate controls in place to mitigate the risk of a cybersecurity incident. I have listed four steps you can follow to simplify the problem of enterprise data security. These steps follow the NIST 800-207 Zero Trust Architecture model that the federal government is implementing with the assistance of CISA.


First, you need to discover, classify, and label your sensitive or confidential data. You can’t secure your critical data if you don’t know where it is, how it is used, and who has access to it. By classifying and labeling your sensitive and confidential data, you can see where it is and how it moves, and then implement appropriate access controls using zero trust principles.

Second, now that you know where the data is, you want to implement data resiliency. For your data to be resilient you need to have it encrypted and have immutable copies of the data so that you can quickly recover from an attack. AES-based encryption will preserve the confidentiality of that data, both at rest (like your backups) and in transit (from the application to the end user). If the data is encrypted at rest, someone can still steal the ciphertext, but without the key it doesn’t harm you or your customers. With the data encrypted appropriately and with a good 3-2-1 backup strategy, threat actors and criminals can’t exploit you by encrypting the data or extort your customers by disclosing the data.

Third, with the data identified, encrypted, and backed up, you want to grant access only to those individuals who are authorized to view the data. To do that you need appropriate access controls using the principle of least privilege, which is a key component of zero trust. Access will require at least two forms of authentication to protect against compromised credentials, so you will implement multifactor authentication (MFA). Zero trust emphasizes user-centric authentication, where MFA is essential. MFA adds an extra layer of protection by requiring users to provide multiple forms of verification before accessing systems or data. This could include something they know (password), something they have (smartphone token), and something they are (biometric scan).

The fourth and final item from the zero trust model is continuous authentication, where user activity and behavior are constantly monitored to detect anomalies. Many zero trust solutions on the market leverage machine learning algorithms that can identify suspicious activities such as unfamiliar login times or access from unusual locations. These tools can be configured to respond immediately, either by requesting further authentication or by blocking access.
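As an added illustration (not code from the article or any product it mentions), the following Python puts steps one, three and four into one access-decision function: unclassified data is never served, access is denied unless explicitly granted, two different factor classes are required, and a request that deviates from the user's baseline triggers step-up authentication or a block. The inventory, grants, baselines and factor table are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime

# Step 1 (constructed inventory): every path carries a classification label.
DATA_LABELS = {"/finance/payroll.csv": "confidential", "/marketing/brochure.pdf": "public"}
# Step 3 (constructed grants): least privilege, so a missing entry means no access.
GRANTS = {"alice": {"/finance/payroll.csv"}, "bob": set()}
# Step 4 (constructed baselines): each user's normal working hours and countries.
BASELINES = {"alice": {"hours": range(8, 19), "countries": {"US"}}}
# Map each credential to the factor class it proves: know / have / are.
FACTOR_CLASS = {"password": "know", "totp": "have", "fingerprint": "are"}


@dataclass
class AccessRequest:
    user: str
    path: str
    factors: tuple       # credentials presented, e.g. ("password", "totp")
    when: str            # ISO-8601 timestamp taken from the access log
    country: str         # geolocated source of the request


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step-up: <reason>' or 'deny: <reason>'."""
    label = DATA_LABELS.get(req.path)
    if label is None:                      # unclassified data is never served
        return "deny: unclassified data"
    if label == "public":
        return "allow"
    if req.path not in GRANTS.get(req.user, set()):
        return "deny: no grant"            # least privilege: deny by default
    # MFA means two *different* factor classes; two passwords still count as one.
    classes = {FACTOR_CLASS[f] for f in req.factors if f in FACTOR_CLASS}
    if len(classes) < 2:
        return "step-up: MFA required"
    # Continuous authentication: compare this request against the user's baseline.
    base = BASELINES.get(req.user, {"hours": range(0), "countries": set()})
    anomalies = []
    if datetime.fromisoformat(req.when).hour not in base["hours"]:
        anomalies.append("unfamiliar login time")
    if req.country not in base["countries"]:
        anomalies.append("unfamiliar location")
    if len(anomalies) > 1:                 # several anomalies at once: block
        return "deny: " + ", ".join(anomalies)
    if anomalies:                          # a single anomaly: ask for more proof
        return "step-up: " + anomalies[0]
    return "allow"
```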

Protecting data can mitigate complex and dynamic attacks

Clearly, protecting your sensitive and confidential data is no longer just an option but a necessity for companies and organizations to survive and thrive in the face of relentless cyberattacks. A data-directed strategy—using zero trust solutions built on the principle of least privilege—offers a robust defense against the dynamic and complex nature of modern-day cyberattacks.

I highly recommend that you identify your sensitive and confidential data, implement strong AES encryption at rest and in transit, with a 3-2-1 backup strategy, and adopt user-centric authentication that is continuously monitored. These four keys will help you build a resilient security posture that continuously verifies users and devices while safeguarding your most valuable asset—your data.

If you need guidance for building zero trust into your enterprise data security, contact our security team.
