Zero Trust beckons a new age of cybersecurity. Gartner projects that industry spending on Zero Trust will more than double by 2025, to a staggering $1.674 billion. At the start of his tenure, U.S. President Joe Biden issued a directive for the U.S. Government to adopt a Zero Trust security posture by 2024. The Biden administration has followed up on this directive, most recently releasing the National Cybersecurity Strategy on March 2, 2023, which calls upon technology providers to internalize and prioritize cybersecurity or expect to face legal consequences.
Both in the public and private sectors, this outcome-based cybersecurity paradigm shift is a tidal wave - will your company sink, swim, or surf?
Let’s start by unpacking what these directives mean.
The concept of Zero Trust is straightforward: Don't trust, verify. In traditional cybersecurity paradigms, there’s a strong reliance on the perimeter: Actors on the inside can be trusted, while actors on the outside are perceived as potential threats. Insider threats have always existed, but for many, a perimeter-focused posture was “good enough.” However, we no longer live in a world where this is so.
During 2021, 47% of organizations saw a significant increase in the number of employees and extended workforce using their own devices due to the shift to remote work. No longer do we have the safe space of the company building’s network: VPNs are extremely expensive, and they are still only a virtual perimeter, subject to the same shortcomings as any security system that relies on a boundary, physical or virtual, for protection.
If we decide that every single interaction, every communication, and every piece of data that’s shared is subject to scrutiny, how will we ever be able to do business efficiently? The answer is to create a system that performs these checks for you, not just when the data enters your network, or when it leaves — but every time it is accessed. We’re not just talking files here. We’re talking about messages, video streams, and any bytes of data you want to protect.
But won’t that get cumbersome? There are certain things that aren't easily automated, like adding new hires to an access control list and removing people from it when they leave. Access control becomes difficult to manage when every interaction must be verified, and when access is so inextricably linked to a person’s identity.
Let’s question the inextricable nature of identity and access control. Today, most access control is governed by roles (administrator, user, developer), and access is determined by whether or not an individual IS an administrator, or user, and so on. This makes sense, but only at the right distance. What if the relationship between the thing being accessed and the person accessing it is more generic?
Enter Attribute-Based Access Control (ABAC), an alternative to Role-Based Access Control (RBAC). ABAC is already used extensively by the United States government, and the Association for Computing Machinery (ACM) has published three workshops focused on the topic.
ABAC allows you to assign attributes to both the data itself and the entities trying to access it. When an entity attempts to access the data, the decision is made by comparing the attributes of the requester against the attributes of the data. This means no more deleting Bob from the developers group when he leaves the organization: once Bob is gone, there is no longer an entity that can authenticate as Bob and present the attributes the data requires.
In practice, an organization likely has an access control paradigm that can be modeled with both ABAC and RBAC. For example, it may be useful to keep some roles and user groups defined, granting or denying access based on membership, but also applying finer-grained access control based on document attributes, or tags. Another benefit of this abstraction is the ability to determine attribute values “on the fly,” something which is unachievable (or, at least, unaccommodating by design) with RBAC. A user being assigned a role is a static relationship: Their role is not computed or derived. This static relationship could be modeled in ABAC, but more interestingly, access can be determined by something of ephemeral value, like the location of the user trying to access the data, or the time of day.
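As an added illustration of the hybrid model described above (example code written for this edit, not Virtru's or the Trusted Data Format's implementation), the policy decision function below layers a coarse RBAC membership check with ABAC comparisons of tags on the data against attributes asserted about the requester, and then applies ephemeral context (country of origin, time of day). The tag names, the sensitivity scale, the business-hours window and the sample subjects are all assumptions; the "Bob has left" case shows that access lapses once the identity provider stops asserting his attributes, with nothing to delete.

```python
from dataclasses import dataclass, field
from datetime import time

LEVELS = {"low": 0, "medium": 1, "high": 2}  # assumed ordered sensitivity/clearance scale

@dataclass
class Subject:
    attrs: dict                       # asserted by the identity provider at request time
    roles: set = field(default_factory=set)

@dataclass
class Resource:
    tags: dict                        # attributes bound to the data object itself

@dataclass
class Context:
    country: str                      # ephemeral: where the request originates
    local_time: time                  # ephemeral: when the request is made

def decide(subject: Subject, resource: Resource, ctx: Context) -> tuple[bool, list[str]]:
    """Evaluate every rule; deny if any fails. Reasons are returned for audit logging."""
    reasons = []
    # RBAC layer: some objects still gate on coarse group membership.
    role = resource.tags.get("required_role")
    if role and role not in subject.roles:
        reasons.append(f"missing role {role}")
    # ABAC layer: compare tags on the data with attributes of the requester.
    if subject.attrs.get("department") != resource.tags.get("department"):
        reasons.append("department mismatch")
    need = LEVELS[resource.tags.get("sensitivity", "low")]
    have = LEVELS.get(subject.attrs.get("clearance", "none"), -1)  # no clearance -> -1
    if have < need:
        reasons.append("insufficient clearance")
    # Ephemeral attributes: high-sensitivity data only from allowed countries, in business hours.
    if need == LEVELS["high"]:
        if ctx.country not in resource.tags.get("allowed_countries", ()):
            reasons.append(f"country {ctx.country} not allowed")
        if not time(8, 0) <= ctx.local_time <= time(18, 0):
            reasons.append("outside business hours")
    return (not reasons, reasons)

# Constructed sample data (assumed tags and attributes).
REPORT = Resource({"department": "finance", "sensitivity": "high",
                   "allowed_countries": {"US"}, "required_role": "analyst"})
ALICE = Subject({"department": "finance", "clearance": "high"}, {"analyst"})
BOB = Subject({}, set())  # Bob has left: the identity provider asserts nothing for him
CTX_OK, CTX_LATE, CTX_ABROAD = Context("US", time(10, 30)), Context("US", time(23, 0)), Context("FR", time(10, 30))

if __name__ == "__main__":
    for who, ctx in ((ALICE, CTX_OK), (ALICE, CTX_LATE), (ALICE, CTX_ABROAD), (BOB, CTX_OK)):
        print(decide(who, REPORT, ctx))
```

The returned reasons list is what a defender would want shipped to the audit log: a denial states exactly which attribute comparison failed rather than just "access denied".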
The new age of technology has provided us the luxury of information and collaboration at our fingertips, a luxury that has transformed into an essential right. With that comes a responsibility for technologists to protect those we seek to enable. Protection doesn’t imply prohibition: Users still need to (and will) exchange information at all costs. Scrutiny doesn’t imply stagnation: Work needs to be done, missions need to be completed, and features need to be delivered, and that agility should not be a trade-off when thinking about Zero Trust data security. One paradigm shift often beckons others; to meet our responsibility to all those who share information, we must answer the call to change our way of thinking about security beyond the perimeter.
Just as data is the load-bearing pillar for the Zero Trust model, ABAC puts data at the center of the access model. Instead of relying on the security of the perimeter, arming the data itself is a way to enable Zero Trust without devolving into castle-and-moat.
When it comes to acting on the U.S. government’s Zero Trust directive, start with the data. At Virtru, we protect the sensitive data in your emails, files, SaaS applications, and more, and even use AI to implement DLP rules to automatically encrypt data when humans fail to.
Using the Trusted Data Format, Virtru encrypts data at the object level, then uses ABAC to enable granular but complete control over your emails, files, and other data floating around your organization. It’s easy to deploy, and even easier for users to adopt. Want to see how it works?