Why Zero Trust is key to data protection [Q&A]
Since the idea of Zero Trust was first proposed back in 2010, it has sparked interest from organizations of all sizes.
But why is Zero Trust seen as a game changer when it comes to protecting organizations and data? We spoke to Jason Clark, chief security and strategy officer at Netskope to find out.
BN: What are the basic principles behind Zero Trust?
JC: If there is trust, it must be verified -- constantly. Zero Trust principles for security are based on the idea that no one should be blindly trusted inside the network or allowed to access anything until they have been validated as legitimate and authorized, and that validation must be continuous. Zero Trust supports the implementation of 'least privilege access', which is designed to selectively grant access to only the resources that users or groups of users require, nothing more. With an increasingly remote workforce and mobile flexibility, access has to be controlled, limited, and based on the context of who the user is, what the user is intending to do, and a host of other important criteria.
Almost every organization has a Zero Trust project these days, but at Netskope we believe Zero Trust has to go well beyond solving problems of access and identity. So, taking this one step further, Zero Trust Data Protection is a term our team has coined to represent a new approach to protecting data that resides everywhere and moves across applications without ever touching the corporate network or endpoints. Zero Trust Data Protection provides continuous, real-time access and policy control based on users, devices, apps, threats, and data context. It focuses on the data, and it's a must in this era of digital transformation when data is no longer on a CPU that the enterprise owns.
BN: Why is Zero Trust the best way to prevent data breaches?
JC: Zero Trust principles, when judiciously applied, are believed by many to be the best protection against data breaches in today’s widening threat landscape. This is because of its ability to verify users and context before granting users access to data. It ensures the protection of systems and data no matter where they are hosted, and no matter what users or devices are attempting to access them.
Implementing Zero Trust core values might have helped in recent, headline-grabbing cases such as the Verkada hack, where tighter control over super admin credentials would likely have avoided the attack. These types of attacks are becoming more common as more organizations move to the cloud, but don't have the policies or measures in place to properly secure a cloud-first environment.
BN: Visibility and control of data are important; how does Zero Trust help?
JC: Most enterprise organizations are adopting a Zero Trust model to provide both full visibility and control over users and devices that have access to a growing number of cloud applications and data services. This includes both managed applications within an enterprise’s ecosystem as well as unmanaged applications used by lines of business and individuals within the enterprise.
Here's the important thing to remember about Zero Trust. We all need to ensure Zero Trust principles are applied everywhere data needs protection. As mentioned above, we at Netskope describe this as Zero Trust Data Protection. Today there are many isolated Zero Trust projects focused on networks, users, devices, or isolating servers. The main miss on most of these projects, like deploying only Zero Trust Network Access (ZTNA), is that they are not focused on the data.
Data is the grand strategy for security teams protecting the core digital assets of any organization. It's the only effective way to dynamically manage risk across a mix of third-party applications and a remote-first workforce that needs always-on access to cloud apps and data to stay productive.
Again, data protection is ultimately about context. By monitoring traffic between the user and the apps, including API traffic, we can exert granular control. We can both allow and prevent data access based on a deep understanding of who the user is, what they are trying to do, and why. That is the context that Zero Trust Data Protection leverages to deliver security. Knowledge of the interplay between user, device, app, and data enables security teams to define and enforce conditional access controls based on data sensitivity, app risk, user behavior risk, and other factors. The result is more effective security via continuous risk management.
BN: What do businesses need to do to pave the way for deploying ZTDP?
JC: The first step to deploying ZTDP at your company is to ensure you have buy-in from senior leadership. You'll have a higher success rate if internal stakeholders beyond the security and IT departments are involved and aligned with your approach. Also, be sure that you treat your Zero Trust model as a security transformation strategy, not just a project.
In terms of technical next steps, you need to have a good foundation. Make sure you understand which critical assets you need to protect. Then follow with these four principles:
- Identify your sensitive data at rest and in motion. Be sure to segment the network based on data.
- Map out your data routes and workflows. You have to know who is talking to whom and when. This can be automated, but you must map out your workflows.
- Define zones. Microsegmentation is critical for Zero Trust to function accordingly. Be sure to define most trusted versus not trusted and which application data will go in each zone.
- Log, audit, monitor and tweak. Adjust your authentication model based on new information that
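As an added example (this is not Netskope's code and is not part of the original interview), the Python sketch below ties together the conditional-access logic described earlier in the answer on visibility (decisions driven by user, device, app, data sensitivity and user-behaviour risk) with the four steps above: classified data, zones that bound where each classification may flow, a flow map derived from observed access, and an audit log of every decision that can be re-evaluated when context changes. The zone names, group entitlements, 0-10 risk scales and sample requests are assumptions made up for illustration.

```python
from dataclasses import dataclass, replace
from enum import IntEnum

# Added example, not a vendor's product code. Zone names, groups, risk
# scales and the sample requests below are constructed for illustration.

class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

class Decision(IntEnum):            # higher value = more restrictive
    ALLOW = 0
    ALLOW_NO_DOWNLOAD = 1           # view only: no download or share
    STEP_UP = 2                     # re-authenticate before continuing
    DENY = 3

@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset
    device_managed: bool
    device_compliant: bool
    app: str
    app_risk: int                   # assumed 0 (low) .. 10 (high) app risk score
    user_risk: int                  # assumed 0..10 behaviour-based risk score
    sensitivity: Sensitivity        # classification of the data being touched
    action: str                     # "view", "download" or "share"

# Step 3 (zones): apps in each zone and the highest classification that may
# live there. Apps not listed anywhere fall into the "unmanaged" zone.
ZONES = {
    "trusted":      ({"hr-payroll", "finance-erp"}, Sensitivity.RESTRICTED),
    "managed-saas": ({"corp-drive", "crm"},         Sensitivity.CONFIDENTIAL),
    "unmanaged":    (set(),                          Sensitivity.INTERNAL),
}

# Least privilege: groups entitled to each classification (assumed).
ENTITLED = {
    Sensitivity.RESTRICTED:   {"finance", "hr"},
    Sensitivity.CONFIDENTIAL: {"finance", "hr", "engineering"},
    Sensitivity.INTERNAL:     {"employees"},
    Sensitivity.PUBLIC:       {"employees", "contractors"},
}

AUDIT_LOG = []                      # step 4: every decision is recorded here

def zone_for(app):
    for name, (apps, _) in ZONES.items():
        if app in apps:
            return name
    return "unmanaged"

def evaluate(ctx):
    """Return (Decision, reasons). The most restrictive applicable rule wins."""
    zone = zone_for(ctx.app)
    verdicts = []
    # Data may not flow into a zone that is not cleared for its classification.
    if ctx.sensitivity > ZONES[zone][1]:
        verdicts.append((Decision.DENY, f"{ctx.sensitivity.name} data not allowed in zone {zone}"))
    # Least privilege: the user needs an entitled group for this classification.
    if not ctx.groups & ENTITLED[ctx.sensitivity]:
        verdicts.append((Decision.DENY, "no entitlement for this classification"))
    # Risky app with sensitive data is denied; risky user is stepped up or denied.
    if ctx.app_risk >= 7 and ctx.sensitivity >= Sensitivity.CONFIDENTIAL:
        verdicts.append((Decision.DENY, f"app risk {ctx.app_risk} too high"))
    if ctx.user_risk >= 9:
        verdicts.append((Decision.DENY, f"user risk {ctx.user_risk}"))
    elif ctx.user_risk >= 6:
        verdicts.append((Decision.STEP_UP, f"user risk {ctx.user_risk}"))
    # Device posture: unmanaged or non-compliant devices may only view sensitive data.
    if (not ctx.device_managed or not ctx.device_compliant) and ctx.sensitivity >= Sensitivity.CONFIDENTIAL:
        if ctx.action == "view":
            verdicts.append((Decision.ALLOW_NO_DOWNLOAD, "device posture: view only"))
        else:
            verdicts.append((Decision.DENY, f"device posture forbids {ctx.action}"))
    decision = max((d for d, _ in verdicts), default=Decision.ALLOW)
    reasons = [r for d, r in verdicts if d == decision]
    AUDIT_LOG.append((ctx.user, ctx.app, ctx.action, ctx.sensitivity.name, decision.name, reasons))
    return decision, reasons

def revalidate(ctx, **changes):
    """Continuous verification: re-decide an existing session when its context changes."""
    return evaluate(replace(ctx, **changes))

def flow_map():
    """Step 2: who talks to which app with which data, derived from the audit log."""
    flows = {}
    for user, app, action, sens, decision, _ in AUDIT_LOG:
        flows.setdefault((user, app), set()).add((sens, action, decision))
    return flows

# Constructed sample requests.
ALICE = Context("alice", frozenset({"employees", "finance"}), True, True,
                "finance-erp", 2, 1, Sensitivity.RESTRICTED, "download")
BOB = Context("bob", frozenset({"employees", "engineering"}), True, True,
              "corp-drive", 3, 2, Sensitivity.CONFIDENTIAL, "view")

if __name__ == "__main__":
    print(evaluate(ALICE))                                   # allowed
    print(revalidate(ALICE, app="personal-drive", action="share"))  # denied
    print(revalidate(BOB, device_compliant=False))           # view only
    print(flow_map())
```

The ordering of `Decision` is what makes "most restrictive wins" a one-line `max()`; adding a new signal (for example a new threat score) means appending one more verdict rather than rewriting branches, and every outcome, including the re-evaluations, lands in the same audit log that the flow map is built from.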
BN: How does this tie in with other security approaches?
JC: When the challenge is finding the means to follow the data wherever it goes and make sure it is always safe whether it is stored, in use, or in motion, we have to take full advantage of the fact that the flexibility cloud infrastructure provides also allows us to do a better job of protecting data.
With new systems built to create the kind of security cloud described by analysts in various ways -- Secure Access Service Edge (SASE), Zero Trust Edge (ZTE), CSG -- and implemented with critical building blocks such as Next-Gen Secure Web Gateway, we can now not only grant access to data but also monitor its use in real time. Moving the policy and inspection point from the data center to the cloud makes enforcement possible regardless of the paths between user and data.
Ever since Gartner coined the SASE term, there's been healthy debate in the industry over what that really means, but Zero Trust is always a key component of a SASE architecture. With that in mind, here is the practical take we're hearing from forward-thinking CIOs and CISOs and their teams:
- SASE, when implemented properly, offers a number of benefits, including:
a. Protecting the use of data, so sharing of data, downloading data, and other potentially harmful uses of data can be controlled.
b. Allowing different levels of protection for company and personal data.
c. Involving users and advising them of dangerous behavior.
d. Eliminating the backhaul and hairpinning that restricts productivity and prevents users from using the best and most effective tools to drive business growth.
- Whether in a traditional, on-premises architecture, a SASE architecture, or across architectures that are transitioning from traditional to SASE, Zero Trust principles must be applied.
- Where Zero Trust Data Protection comes in -- and why it goes well beyond the more specific uses of Zero Trust Network Access and other Zero Trust constructs -- is that it offers real-time, conditional application, data access, and protection enforcement for data on-premises or in public or private cloud applications.