In the past, IT security was relatively straightforward. Organizations relied on perimeter-centric security controls like firewalls, intrusion detection systems, and virtual private networks (VPNs) to govern access to networks and data. However, with the broad scale shift to cloud computing, the traditional IT perimeter has vanished, and the security game has fundamentally changed.
The benefits of cloud computing are numerous, including increased scalability, flexibility, and cost-effectiveness. However, the cloud has also introduced new security challenges: data is now stored in various locations across different cloud platforms, accessed from multiple devices, and commonly shared externally with third-party collaborators.
The result is a complex security conundrum for companies in every industry: Either err on the side of “risk management” and strictly curtail employees’ ability to share sensitive data – or err on the side of “productivity” and enable employees to share information more freely to get work done.
The solution to this conundrum is transitioning information governance to a combination of Zero Trust and data-centric security (DCS) controls.
Zero Trust security assumes that no device, user, or network should be automatically trusted and that each must be verified before being granted access to resources. This approach helps to minimize the risk of insider threats and unauthorized access to data. Data-centric security, on the other hand, prioritizes protecting the data itself rather than just the perimeter of the network. This approach involves encrypting sensitive data, controlling access to it, and monitoring its usage to detect any suspicious activity.
Combining these two security approaches creates a more resilient system that allows us to protect both the data we hold internally and the data we routinely share externally.
To date, the vast majority of Zero Trust security transformations have focused exclusively on governing identities, endpoints, networks, and applications that are essential components of protecting access to data that we possess internally. Unfortunately, embracing Zero Trust security practices alone is not sufficient to solve the information-sharing conundrum defined above. Why? Because protecting sensitive information that we possess internally is very different from protecting sensitive data that we share externally.
For this reason, DCS with Attribute-Based Access Controls (ABAC) is an elegant complement to Zero Trust security. Specifically, DCS prevents data leakage and fosters collaboration by enabling real-time control of sensitive data, even after it's been shared externally.
Furthermore, adopting open standards such as the Trusted Data Format (TDF) can further enhance DCS capabilities. TDF, an open standard for secure encapsulation of sensitive data, allows organizations to maintain control over access and usage while ensuring the integrity and confidentiality of their information. Together, DCS, ABAC, and TDF offer a granular yet dynamic approach to information sharing, fostering collaboration without compromising security.
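The three ideas above (Zero Trust verification of the requester, data-centric policy that travels with the object, and attribute-based decisions that can be re-evaluated after sharing) can be illustrated with a small access-control check. The following is an added example written for this page, not code from the article or from any TDF or DCS product, and it does not implement the real Trusted Data Format wire format. The attribute names, the clearance labels, the `PolicyService` class and the sample object IDs are all constructed for illustration.

```python
"""
Added example: a minimal attribute-based access control (ABAC) decision of
the kind a data-centric security (DCS) platform makes each time a shared
object is opened. The policy is bound to the data, the requester's
attributes are checked against it on every access, and the owner can
revoke access after the file has already been shared externally.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Ordered sensitivity labels (constructed for this example). A subject's
# clearance must rank at or above the data's classification.
CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class DataPolicy:
    """Attributes bound to one piece of data; they travel with the object."""
    classification: str
    allowed_orgs: Set[str]
    allowed_purposes: Set[str]
    managed_device_required: bool = True   # Zero Trust device posture check
    revoked: bool = False


@dataclass
class Subject:
    """Attributes of the requester, as an identity provider would assert them."""
    user: str
    org: str
    clearance: str
    purpose: str
    device_managed: bool


class PolicyService:
    """Hypothetical policy decision point consulted before content is released."""

    def __init__(self) -> None:
        self._policies: Dict[str, DataPolicy] = {}
        # (object_id, user, allowed, reason): the usage trail the text calls monitoring
        self.audit_log: List[Tuple[str, str, bool, str]] = []

    def register(self, object_id: str, policy: DataPolicy) -> None:
        self._policies[object_id] = policy

    def revoke(self, object_id: str) -> None:
        # The data owner withdraws access after sharing; later requests are denied.
        self._policies[object_id].revoked = True

    def decide(self, object_id: str, subject: Subject) -> Tuple[bool, str]:
        allowed, reason = self._evaluate(object_id, subject)
        self.audit_log.append((object_id, subject.user, allowed, reason))
        return allowed, reason

    def _evaluate(self, object_id: str, subject: Subject) -> Tuple[bool, str]:
        policy = self._policies.get(object_id)
        if policy is None:
            return False, "unknown object"
        if policy.revoked:
            return False, "access revoked by data owner"
        if subject.org not in policy.allowed_orgs:
            return False, f"org {subject.org!r} not in allowed set"
        if CLEARANCE_RANK.get(subject.clearance, -1) < CLEARANCE_RANK[policy.classification]:
            return False, "clearance below data classification"
        if subject.purpose not in policy.allowed_purposes:
            return False, f"purpose {subject.purpose!r} not permitted"
        if policy.managed_device_required and not subject.device_managed:
            return False, "unmanaged device"
        return True, "all attributes satisfied"


def demo() -> List[Tuple[str, bool]]:
    """Walk a shared contract through typical access scenarios (constructed data)."""
    svc = PolicyService()
    svc.register("contract-2024-q3", DataPolicy(
        classification="confidential",
        allowed_orgs={"acme", "partner-inc"},
        allowed_purposes={"contract-review"},
    ))
    reviewer = Subject("dana@partner-inc.example", "partner-inc", "confidential",
                       "contract-review", device_managed=True)
    forwarded = Subject("lee@other-co.example", "other-co", "restricted",
                        "contract-review", device_managed=True)
    byod = Subject("dana@partner-inc.example", "partner-inc", "confidential",
                   "contract-review", device_managed=False)

    results = [
        ("external reviewer", svc.decide("contract-2024-q3", reviewer)[0]),
        ("forwarded to third party", svc.decide("contract-2024-q3", forwarded)[0]),
        ("reviewer on unmanaged device", svc.decide("contract-2024-q3", byod)[0]),
    ]
    svc.revoke("contract-2024-q3")   # owner pulls access after the share
    results.append(("reviewer after revocation", svc.decide("contract-2024-q3", reviewer)[0]))
    return results


if __name__ == "__main__":
    for label, allowed in demo():
        print(f"{label:32s} -> {'ALLOW' if allowed else 'DENY'}")
```

The point the example makes is structural: because the decision is taken at open time against attributes rather than at send time against a recipient list, forwarding the object to an outside party, opening it from an unmanaged device, or opening it after the owner has revoked the policy all fail closed, and every attempt lands in the audit trail.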
At this point, you’re likely thinking to yourself: “Combining zero trust and DCS sounds great, but it also sounds complicated and expensive.” But here’s the truth, as demonstrated every day by organizations like AFWERX (a Technology Directorate of the Air Force Research Laboratory), Zwift, Platte Valley Bank, and Omada Health: combining Zero Trust and data-centric security controls is much easier than you think.
How is this possible? Because data-centric security controls have now been elegantly integrated directly into tools like Microsoft Outlook, Google Gmail, Google Drive, and a wide variety of SaaS applications that the vast majority of people use every day to do their jobs. This level of integration into everyday tools enables large-scale adoption of DCS hygiene. The result is that you can embrace DCS as a complement to Zero Trust security initiatives.