Building a Zero Trust framework today is a constant search for balance: the balance that’s right for your organization’s industry, capacity, and workflow. As a result, every organization must ask itself where data fits into the equation.
“Everyone agrees it’s the world’s most valuable resource nowadays. It’s the thing we all leverage to grow our companies and create value,” says Matt Howard, SVP and CMO of Virtru.
In a Zero Trust climate so focused on identities, networks, devices, and apps, what happens when we center data, the primary object that Zero Trust aims to protect?
Howard and Virtru CTO and Co-Founder Will Ackerly explore this question as panelists in the Information Security Media Group (ISMG)’s Virtual Cyber Security Summit. Guided by Anna Delaney, the webinar begins by acknowledging data itself as a commonly neglected pillar of Zero Trust.
Howard begins by stating that within Zero Trust, data is often overshadowed by a focus on secure identities, networks, devices, endpoints, and apps.
Ackerly agrees: “While it’s important to invest in those things, a lot of that can be a proxy for protecting the data itself. You may not care as much about the device, as you are concerned about the data that lives in it.”
An emphasis on protecting the data within a series of secure perimeters could stem from a simple risk assessment.
“Traditionally with a lot of organizations, like the NSA, data sharing outside the organization was acknowledged to be a big risk,” Ackerly continues. “You had to make risk-based decisions. I had control over this data, whether it was in my devices, on my network, or in my apps, but I have to make a risk-based decision based on the assumption that it’s going to be a dramatically higher threat and out of your control.”
The panel notes that a data-centric approach has gained traction in recent years among leaders in tech and cybersecurity. Forrester, the United States Department of Defense, and IBM agree that data should be a crucial pillar of Zero Trust architecture going forward.
“Data moves,” suggested Howard. “If it’s static, it’s not doing you much good. So if you’re trapping it in with all of these handcuffs and networks and everything, then it’s a self-defeating system. The best protections allow data to do what it does: move and be shared.”
Here’s where the central challenge of data as a Zero Trust pillar arises.
“You can’t afford to lock [data] in the closet and protect it at all cost,” Howard said, “but if you’re compelled to share it, you can’t afford to lose control of it either.”
Ackerly and Howard both agreed: a mature identity framework demands portability. At a time when data needs to be shared more than ever, we have to be innovative about how we protect data while allowing it the flexibility to travel and gain value.
At Virtru, that’s accomplished through the Trusted Data Format (TDF), an open and growing industry standard that wraps each individual data object in comprehensive, customizable policy controls. The data owner can maintain control of the data, wherever it goes, whenever they choose, and for its entire lifecycle. Even if that data has already been shared with someone else, the data owner can revoke access at any time.
“It takes, in an open, unencumbered way, a very flexible approach to saying, ‘Here’s my policy for [data] and I can protect it through encryption,’” explained Ackerly. “And on a distributed, decentralized basis, you can determine how you want the keys managed, and the conditions for access.”
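As an added illustration (not code from the webinar, from Virtru, or from the TDF specification), the following Python models the data-centric pattern described above: each object carries its own encrypted payload plus a policy, the policy is cryptographically bound to the object's key so it cannot be edited in transit, a key access service releases the key only when the policy is satisfied, and the owner can revoke access after the object has already been shared. The key access service, the policy fields (`owner`, `dissem`), the HMAC-based policy binding and the HMAC-derived stream cipher (a stand-in for AES-GCM so the block runs with only the standard library) are all assumptions of this example, not TDF's actual format.

```python
import hashlib
import hmac
import json
import secrets

# --- Payload encryption (constructed stand-in for AES-GCM, standard library only) ---
def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive one key per purpose so keystream and MAC inputs never overlap."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(dek: bytes, plaintext: bytes) -> tuple[bytes, bytes, bytes]:
    """Encrypt-then-MAC; returns (nonce, ciphertext, tag)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(dek, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(dek, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag

def decrypt(dek: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    expected = hmac.new(_subkey(dek, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("payload tampered")
    stream = _keystream(_subkey(dek, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))

# --- Policy binding: ties the policy to the object's key so any edit is detectable ---
def bind_policy(dek: bytes, policy: dict) -> str:
    canonical = json.dumps(policy, sort_keys=True).encode()
    return hmac.new(dek, canonical, hashlib.sha256).hexdigest()

class KeyAccessService:
    """Hypothetical key access service: the one place access is decided and logged."""
    def __init__(self):
        self._keys = {}        # object id -> data encryption key (DEK)
        self._revoked = set()  # object ids the owner has pulled back
        self.audit = []        # single telemetry stream for every object

    def register(self, object_id: str, dek: bytes) -> None:
        self._keys[object_id] = dek

    def revoke(self, object_id: str) -> None:
        self._revoked.add(object_id)

    def request_key(self, obj: dict, requester: str) -> bytes:
        dek = self._keys.get(obj["id"])
        if dek is None:
            reason = "unknown object"
        elif not hmac.compare_digest(bind_policy(dek, obj["policy"]), obj["policy_binding"]):
            reason = "policy tampered"
        elif obj["id"] in self._revoked:
            reason = "revoked by owner"
        elif requester not in obj["policy"]["dissem"]:
            reason = "not in dissemination list"
        else:
            reason = "policy satisfied"
        decision = "allow" if reason == "policy satisfied" else "deny"
        self.audit.append({"object": obj["id"], "requester": requester,
                           "decision": decision, "reason": reason})
        if decision == "deny":
            raise PermissionError(reason)
        return dek

def protect(kas: KeyAccessService, owner: str, plaintext: bytes, dissem: list[str]) -> dict:
    """Wrap one data object: encrypted payload + policy + binding; only the KAS holds the DEK."""
    dek = secrets.token_bytes(32)
    object_id = secrets.token_hex(8)
    policy = {"owner": owner, "dissem": sorted(dissem)}
    nonce, ciphertext, tag = encrypt(dek, plaintext)
    kas.register(object_id, dek)
    return {"id": object_id, "policy": policy, "policy_binding": bind_policy(dek, policy),
            "nonce": nonce, "ciphertext": ciphertext, "tag": tag}

def open_object(kas: KeyAccessService, obj: dict, requester: str) -> bytes:
    """Recipient side: obtain the key from the KAS, then decrypt locally."""
    dek = kas.request_key(obj, requester)
    return decrypt(dek, obj["nonce"], obj["ciphertext"], obj["tag"])

def run_demo() -> dict:
    """Walk through sharing, an unauthorised request, policy tampering and revocation."""
    kas = KeyAccessService()
    secret = b"Q3 revenue forecast (constructed sample)"
    obj = protect(kas, "alice@example.com", secret, ["bob@example.com"])
    results = {"bob_first": open_object(kas, obj, "bob@example.com")}

    def denied(o: dict, who: str) -> str:
        try:
            open_object(kas, o, who)
        except PermissionError as e:
            return str(e)
        return "unexpectedly allowed"

    results["mallory"] = denied(obj, "mallory@example.com")
    # A copy of the object with the dissemination list edited no longer matches its binding.
    tampered = {**obj, "policy": {**obj["policy"],
                                  "dissem": obj["policy"]["dissem"] + ["mallory@example.com"]}}
    results["tampered"] = denied(tampered, "mallory@example.com")
    # The owner pulls the data back even though Bob already holds the ciphertext.
    kas.revoke(obj["id"])
    results["bob_after_revoke"] = denied(obj, "bob@example.com")
    results["audit"] = kas.audit
    return results

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The point the code makes is that possession of the ciphertext is not possession of the data: every read goes through the policy decision point, so a shared object can be pulled back, an edited policy is rejected, and all four decisions land in one audit stream regardless of where the object travelled.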
Delaney asks the panel: Given the opportunities presented in the realm of Zero Trust, “What mindset do organization security leaders need to adopt?”
Ackerly and Howard emphasize that the data-centric opportunity isn’t just a fiscal move; it can relieve the burden on security leaders internationally, too. Ackerly paints the current landscape of fragmented network- and device-focused security.
“Network segmentation has gone to the extreme,” says Ackerly. “Nineteen separate networks where each network is for a different permutation of collaborators. And that network boundary is the principal security mechanism. That means they have to purchase the same thing over and over again and they don’t have global insight across these different fabrics. The telemetry is constrained.”
On a practical level, protecting the data itself with data-centric policy controls is a framework that unifies businesses both internally and externally.
“Data-centric security is unifying. If you go data-centric, you can unify to a single fabric over time, practically speaking … What was 19 networks, [now] the telemetry can go to a single point.”
Data that used to be impossible to remove from its cage can now travel with individual policies that put total control in the hands of the owner. This control and respect for the data itself not only unifies organizations under one roof or network, but also enables open collaboration across businesses and even borders.
Data is only one pillar of the massive ecosystem that makes up Zero Trust data security. When data-centric protections bear a load equal to the rest of your Zero Trust pillars, you strengthen your practice of Zero Trust as a whole.
“It’s incredibly hard work to enact Zero Trust,” Howard stated. “We know how important it is to get all the pillars right, from identities to endpoints to networks [to] apps. We think it’s important for people to have the opportunity to visualize an additional capability around policy controls that [is] protecting the data itself … We welcome the opportunity, the chance to share with people how we leverage TDF, an open standard, and how we present open TDF as an SDK (software development kit).”
You can learn even more about this topic by watching the Virtual Data Security Summit Webinar for free here.
If your team is looking to level up its current Zero Trust data strategy, Virtru can help you get there. Contact our team today for a demo.