Digital Security in a Zero Trust World

When it comes to enterprise security, the times have radically changed, leaving companies vulnerable in ways that they never were before.

• By Jeff Capone
• Apr 01, 2018

We’re hearing about security breaches every day in the news. From retailers like Target and TJ Maxx, to financial services firms like Equifax and J P Morgan Chase, and government agencies like the Securities & Exchange Commission (SEC), it seems like no organization is safe. There are also generalized attacks that affect everyone like WannaCry, Notpetya and ransomware. Unfortunately, there are no signs of this letting up. A recent survey conducted by Enterprise Strategy Group (ESG) found that more than two-thirds of respondents were subjected to ransomware last year, and 22 percent of them were attacked on a daily or weekly basis.

Besides data hacks, enterprises are dealing with more compliance regulations, which impose additional security requirements across sectors, covering financial institutions, public companies, government partners, healthcare, consumer privacy, credit card transactions and more. Examples include: Sarbanes-Oxley Act, Basel II (International Standards for Banking), COBIT (Control Objectives for Information and related Technology), FISMA (Federal Information Security Management Act of 2002), GAAP (Generally Accepted Accounting Principles), HIPAA (Health Insurance Portability and Accounting Act), IFRS (International Financial Reporting Standards), ITIL (Information Technology Infrastructure Library), PCI DSS (Payment Card Industry Data Security Standard), and TQM (Total Quality Management).

In the past, companies could count on isolating confidential and sensitive files and protecting them through firewalls and access control technology. In a time when they had one point of egress, they could create a perimeter that could be secured around their enterprise. But now, in today’s cloud-first environment where there are multiple paths for data to flow in and out of the organization, all bets are off. The data is accessible, anywhere, anytime and from any device. Today, employees are collaborating and sharing data in a free-flowing manner inside and outside the organization, bringing multiple BYOD devices into their companies and using mobile apps in unsecure locations–all creating greater vulnerabilities for the data and making the security professional’s job seem near impossible. The reality is that we are living in a “zero trust” world, as coined by Forrester Research. It’s a world where we can’t count on the security of our internal or external networks and instead need to change our mindset about how we think about safeguarding data. We need to come up with very new, innovative ways to keep it safe.

Unstructured Data Presents Added Problems

One of the most problematic data types to secure is unstructured data, which does not have a defined data format, such as a database. While the most common type of unstructured data is text, it can also include pictures, audio, video, website, network and application logs, social media, medical records, financial transactions, and sensor data from Internet-of-Things (IoT) devices, among other data types.

Unstructured data comprises about 80 percent of an organization’s data. It is the fastest growing, least controlled type of data–and it’s a highly valued asset within the enterprise. The dilemma for security professionals is how they can effectively manage the huge volumes of unstructured data that are shared across all types of documents and formats and spread internally and externally.

Six Strategies for Securing Your Data

Security professionals need to take a radically different security approach to safeguard unstructured data and address the realities of data sharing in today’s enterprise. Following are six key strategies:

Expand your coverage protection. To prevent security breaches before sensitive information becomes exposed, you have to make sure that you’re covering what’s important. But that is often easier said than done in today’s cloud-first environment. The best way to tackle that challenge is to take the zero trust approach and protect all data by default, instead of relying on users to accurately identify what’s important. Zero trust is also a much easier approach, allowing security professionals to simply release specific files that don’t need protection.

Consider the context. You can use contextual information, such as the requestor’s location, device or content of the data to determine the level of security that is needed. For example, it is more likely that confidential information will be created by an organization’s executives rather than those on the front lines. By using context-based security, the most sensitive and timely data, such as financial reports from an ERP system, can be classified and protected automatically.

Don’t overlook internal threats. It was easier when security professionals knew that breaches were only coming from external sources. Now, that’s no longer the case. Up to 43 percent of data breaches are caused by insiders. Disgruntled employees, collaboration, and inadvertent sharing can lead to security breaches and the spread of confidential information. Internal threats also include events such as phishing, malware on devices, using devices in unsecured public networks, downloading unauthorized applications, and more. To be effective, today’s security procedures must treat internal threats with the same level of importance as external threats.

Don’t depend on people. Given the realities of human behavior, security measures that depend on people to do things typically fail. This is especially true for security since it’s usually not in the best interest of the user to make data harder to access. Whether people forget, are too busy, make a mistake, or it’s just an oversight, it’s too easy for confidential information to go unprotected. Automate security in a way that is seamless to end-users, so they don’t try to circumvent it. Look for solutions that automatically protect data regardless of how it moves from place to place. Agnostic solutions should not care if the data is sent or stored in email, a messaging app, a public cloud, or a file server.

Use encryption. Security solutions encrypt data so users without permission cannot access it. Today’s encryption standards are very effective. AES256, for example, meets the requirements for “Top Secret” classified information. Encryption should be automatic and the process invisible to users. Don’t force them to enter passwords or to manually apply encryption before sharing files because it becomes too difficult and often fails. Make sure the encryption protects the data at all phases: at rest, in transit, and in use.

Follow the content – derivative works. Because enterprise users typically re-use and share information, security professionals need to make sure that they are protecting derivative works no matter what form the data takes throughout its lifecycle. For example, if a user copies sensitive information exported from a financial ERP system from a spreadsheet into a presentation, it should still be protected. This requires that data be tracked and followed throughout its lifecycle because it’s content that is really the important asset, not a particular file.

When it comes to security, we’ve entered a brave new world. The old rules of depending on the perimeter and focusing on external breaches no longer apply. Those companies that take a zero trust data-centric approach and adopt the cloud-first mindset of securing their data everywhere and at all times, will be in compliance, be more productive and effectively protect one of their most valuable assets–the proprietary data that lies at the heart of their competitive advantage.

This article originally appeared in the April 2018 issue of Security Today.