It Isn’t All About You – 5 Takeaways from Forrester’s “Zero Trust Approach” Report
Where can you find a good framework for designing and implementing data-centric security?
Forrester Research’s report, The Future of Data Security: A Zero Trust Approach, is a good place to start. The report outlines Forrester’s official Zero Trust Model and includes logical arguments for looking beyond traditional perimeter security. You need to realize that sensitive data is mobile, changing, and at risk both inside and outside your perimeter, so your security needs to focus on the data. Here are my 5 takeaways.
1. It isn’t all about you
“Almost every enterprise, from an online retailer to a hospital to a government agency, rarely works in isolation and can rarely confine data to within the four walls of the organization.”
Years of perimeter security efforts can lead security professionals to be inward focused. This model doesn’t work in a perimeter-less world. We need to share sensitive information with customers, partners, and contractors to make our business models work. Unless you are taking an approach that assumes data will leave your organization – and still needs protection beyond a non-disclosure agreement – you aren’t doing enough. You need to take steps to ensure your data is protected when it travels.
2. It’s not about your infrastructure either
“On average, 15% of employees are accessing sensitive data such as customer information, nonpublic financial data, intellectual property, and corporate strategy from devices other than work laptops and desktops. So it’s now far less important to focus on protecting individual devices the organization no longer owns, or attempting to lock down the devices that connect to the network, and far more important to protect the organization’s sensitive data regardless of device type or location.”
BYOD is a fact of life. Organizations can’t be responsible for managing (or controlling) users’ personal devices. What you can do, however, is ensure that sensitive data isn’t moved to those devices, or is encrypted when it is moved. Rules governing automatic encryption based on the data’s sensitivity are simple to manage. Better still, decryption keys can be restricted to those devices where closer control is possible.
3. You need to know which data to protect, and where it is
“Defining the data simplifies its control. We break the problem of controlling and securing data down into three areas: 1) defining the data; 2) dissecting and analyzing the data; and 3) defending and protecting the data.”
This can seem like a formidable task, but it need not be. It’s also the foundation of a data-centric approach to security. Organizations require policies to classify data, and technology to do so automatically and continuously. A simple starting point is to classify data contextually, where data is classified based on the application or user creating the data (e.g., CAD files are automatically classified as sensitive data), or the storage location of the data. Classifying the data on the endpoint, continuously, is critical because…
4. The value of data isn’t static
“The classification of data (e.g., individual files, emails, database fields, etc.) can change as the value of the data changes over time.”
The sensitivity of information changes over time. A file containing credit card numbers should be classified as sensitive. If those numbers are deleted, the file’s classification should reflect this. Similarly, a Word document may not be sensitive, until those credit card numbers are copied into it. A data-centric approach provides the intelligence to understand the value of data as it is modified or used.
5. Trust isn’t static
“’Trust’ is continuously assessed through a risk-based analysis of all available information.”
This, I believe, is Forrester’s most important argument: trust is based on situational awareness. While organizations like to think of their users, contractors, and partners as trustworthy, there are different levels of trust depending on the circumstances. You may trust a class of users to access data inside your network, but not want them to move the data outside your network. You may want to allow users to have Internet access when viewing sensitive documents, but only through your VPN. In other words, trust has contextual parameters based on the user, the information, the location, and the action.
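Takeaways 3, 4 and 5 describe one mechanism from three angles: classify data by context (creating application or storage location) and by content, re-run that classification every time the content changes, and then make the access decision from the user, the data’s current label, the location and the action together. The following is an added illustration written for this post, not code from Forrester or from any product. Every rule in it (the SENSITIVE_APPS and SENSITIVE_PATH_PREFIXES sets, the role names, the action names, and the decision outcomes) is a constructed assumption chosen to mirror the examples in the text; the credit-card detector uses a Luhn checksum so that arbitrary digit runs are not labelled sensitive.

```python
import re
from dataclasses import dataclass

# Constructed contextual rules (hypothetical): files created by these applications
# or stored under these paths are sensitive regardless of their content.
SENSITIVE_APPS = {"cad-tool", "hr-system"}
SENSITIVE_PATH_PREFIXES = ("/finance/", "/hr/")

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or dashes, not embedded inside a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn checksum over a string of digits; rejects most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_card_numbers(text: str) -> bool:
    """Content inspection: any Luhn-valid candidate makes the content sensitive."""
    for match in CARD_CANDIDATE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", match.group())):
            return True
    return False


@dataclass
class Document:
    path: str
    created_by: str            # application or user that created the file
    content: str
    classification: str = "public"


def classify(doc: Document) -> str:
    """Context first (creating app, storage location), then content.
    Runs on every change so the label follows the data's current value."""
    if doc.created_by in SENSITIVE_APPS or doc.path.startswith(SENSITIVE_PATH_PREFIXES):
        doc.classification = "sensitive"
    elif contains_card_numbers(doc.content):
        doc.classification = "sensitive"
    else:
        doc.classification = "public"
    return doc.classification


def update_content(doc: Document, new_content: str) -> str:
    """Simulates the endpoint agent re-classifying a file after it is modified."""
    doc.content = new_content
    return classify(doc)


def decide(doc: Document, user_role: str, location: str, action: str,
           via_vpn: bool = False) -> str:
    """Contextual trust decision over user, information, location and action.
    Returns 'allow', 'allow-encrypted' or 'deny' (constructed outcome names)."""
    classify(doc)                              # never trust a stale label
    if doc.classification == "public":
        return "allow"
    if user_role not in {"employee", "contractor"}:
        return "deny"                          # unknown principal, sensitive data
    if action == "read":
        if location == "internal":
            return "allow"                     # trusted inside the network
        return "allow" if via_vpn else "deny"  # outside only through the VPN
    if action == "copy-to-device":
        return "allow-encrypted"               # may leave, but only encrypted
    if action == "move-external" and user_role == "employee":
        return "allow-encrypted"
    return "deny"                              # contractors may not move it out


if __name__ == "__main__":
    # Constructed sample: a plain Word file that later receives card numbers.
    memo = Document("/shared/memo.docx", "word", "meeting notes")
    print(classify(memo))                                     # public
    print(update_content(memo, "refund card 4111 1111 1111 1111"))  # sensitive
    print(decide(memo, "contractor", "external", "read"))      # deny
    print(decide(memo, "contractor", "external", "read", via_vpn=True))  # allow
    print(update_content(memo, "refund processed"))           # public
```

The point of `decide` calling `classify` first is takeaway 4: the decision must be made against the data’s value at the moment of use, not against a label applied when the file was created.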
Forrester builds a strong argument that organizations need to focus on protecting sensitive data directly, wherever the data is located, rather than on building fortresses. Protection that travels with the data allows us to make and enforce decisions based on the context of the use case. Moving protection to the data makes sense in a world with disappearing perimeters.
You can download a copy of the full Forrester report here.