Digital Security in a Zero Trust World

Digital Security in a Zero Trust World

When it comes to enterprise security, the times have radically changed, leaving companies vulnerable in ways that they never were before.

We’re hearing about security breaches every day in the news. From retailers like Target and TJ Maxx, to financial services firms like Equifax and J P Morgan Chase, and government agencies like the Securities & Exchange Commission (SEC), it seems like no organization is safe. There are also generalized attacks that affect everyone like WannaCry, Notpetya and ransomware. Unfortunately, there are no signs of this letting up. A recent survey conducted by Enterprise Strategy Group (ESG) found that more than two-thirds of respondents were subjected to ransomware last year, and 22 percent of them were attacked on a daily or weekly basis.

Besides data hacks, enterprises are dealing with more compliance regulations, which impose additional security requirements across sectors, covering financial institutions, public companies, government partners, healthcare, consumer privacy, credit card transactions and more. Examples include: Sarbanes-Oxley Act, Basel II (International Standards for Banking), COBIT (Control Objectives for Information and related Technology), FISMA (Federal Information Security Management Act of 2002), GAAP (Generally Accepted Accounting Principles), HIPAA (Health Insurance Portability and Accounting Act), IFRS (International Financial Reporting Standards), ITIL (Information Technology Infrastructure Library), PCI DSS (Payment Card Industry Data Security Standard), and TQM (Total Quality Management).

In the past, companies could count on isolating confidential and sensitive files and protecting them through firewalls and access control technology. In a time when they had one point of egress, they could create a perimeter that could be secured around their enterprise. But now, in today’s cloud-first environment where there are multiple paths for data to flow in and out of the organization, all bets are off. The data is accessible, anywhere, anytime and from any device. Today, employees are collaborating and sharing data in a free-flowing manner inside and outside the organization, bringing multiple BYOD devices into their companies and using mobile apps in unsecure locations–all creating greater vulnerabilities for the data and making the security professional’s job seem near impossible. The reality is that we are living in a “zero trust” world, as coined by Forrester Research. It’s a world where we can’t count on the security of our internal or external networks and instead need to change our mindset about how we think about safeguarding data. We need to come up with very new, innovative ways to keep it safe.

Unstructured Data Presents Added Problems

One of the most problematic data types to secure is unstructured data, which does not have a defined data format, such as a database. While the most common type of unstructured data is text, it can also include pictures, audio, video, website, network and application logs, social media, medical records, financial transactions, and sensor data from Internet-of-Things (IoT) devices, among other data types.

Unstructured data comprises about 80 percent of an organization’s data. It is the fastest growing, least controlled type of data–and it’s a highly valued asset within the enterprise. The dilemma for security professionals is how they can effectively manage the huge volumes of unstructured data that are shared across all types of documents and formats and spread internally and externally.

Six Strategies for Securing Your Data

Security professionals need to take a radically different security approach to safeguard unstructured data and address the realities of data sharing in today’s enterprise. Following are six key strategies:

Expand your coverage protection. To prevent security breaches before sensitive information becomes exposed, you have to make sure that you’re covering what’s important. But that is often easier said than done in today’s cloud-first environment. The best way to tackle that challenge is to take the zero trust approach and protect all data by default, instead of relying on users to accurately identify what’s important. Zero trust is also a much easier approach, allowing security professionals to simply release specific files that don’t need protection.

Consider the context. You can use contextual information, such as the requestor’s location, device or content of the data to determine the level of security that is needed. For example, it is more likely that confidential information will be created by an organization’s executives rather than those on the front lines. By using context-based security, the most sensitive and timely data, such as financial reports from an ERP system, can be classified and protected automatically.

Don’t overlook internal threats. It was easier when security professionals knew that breaches were only coming from external sources. Now, that’s no longer the case. Up to 43 percent of data breaches are caused by insiders. Disgruntled employees, collaboration, and inadvertent sharing can lead to security breaches and the spread of confidential information. Internal threats also include events such as phishing, malware on devices, using devices in unsecured public networks, downloading unauthorized applications, and more. To be effective, today’s security procedures must treat internal threats with the same level of importance as external threats.

Don’t depend on people. Given the realities of human behavior, security measures that depend on people to do things typically fail. This is especially true for security since it’s usually not in the best interest of the user to make data harder to access. Whether people forget, are too busy, make a mistake, or it’s just an oversight, it’s too easy for confidential information to go unprotected. Automate security in a way that is seamless to end-users, so they don’t try to circumvent it. Look for solutions that automatically protect data regardless of how it moves from place to place. Agnostic solutions should not care if the data is sent or stored in email, a messaging app, a public cloud, or a file server.

Use encryption. Security solutions encrypt data so users without permission cannot access it. Today’s encryption standards are very effective. AES256, for example, meets the requirements for “Top Secret” classified information. Encryption should be automatic and the process invisible to users. Don’t force them to enter passwords or to manually apply encryption before sharing files because it becomes too difficult and often fails. Make sure the encryption protects the data at all phases: at rest, in transit, and in use.

Follow the content – derivative works. Because enterprise users typically re-use and share information, security professionals need to make sure that they are protecting derivative works no matter what form the data takes throughout its lifecycle. For example, if a user copies sensitive information exported from a financial ERP system from a spreadsheet into a presentation, it should still be protected. This requires that data be tracked and followed throughout its lifecycle because it’s content that is really the important asset, not a particular file.

When it comes to security, we’ve entered a brave new world. The old rules of depending on the perimeter and focusing on external breaches no longer apply. Those companies that take a zero trust data-centric approach and adopt the cloud-first mindset of securing their data everywhere and at all times, will be in compliance, be more productive and effectively protect one of their most valuable assets–the proprietary data that lies at the heart of their competitive advantage.

This article originally appeared in the April 2018 issue of Security Today.

Featured

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services
  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

  • Report: Nearly 1 in 5 Healthcare Leaders Say Cyberattacks Have Impacted Patient Care

    Omega Systems, a provider of managed IT and security services, today released new research that reveals the growing impact of cybersecurity challenges on leading healthcare organizations and patient safety. According to the 2025 Healthcare IT Landscape Report, 19% of healthcare leaders say a cyberattack has already disrupted patient care, and more than half (52%) believe a fatal cyber-related incident is inevitable within the next five years. Read Now

New Products

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises.

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.