Digital Security in a Zero Trust World

Digital Security in a Zero Trust World

When it comes to enterprise security, the times have radically changed, leaving companies vulnerable in ways that they never were before.

We’re hearing about security breaches every day in the news. From retailers like Target and TJ Maxx, to financial services firms like Equifax and J P Morgan Chase, and government agencies like the Securities & Exchange Commission (SEC), it seems like no organization is safe. There are also generalized attacks that affect everyone like WannaCry, Notpetya and ransomware. Unfortunately, there are no signs of this letting up. A recent survey conducted by Enterprise Strategy Group (ESG) found that more than two-thirds of respondents were subjected to ransomware last year, and 22 percent of them were attacked on a daily or weekly basis.

Besides data hacks, enterprises are dealing with more compliance regulations, which impose additional security requirements across sectors, covering financial institutions, public companies, government partners, healthcare, consumer privacy, credit card transactions and more. Examples include: Sarbanes-Oxley Act, Basel II (International Standards for Banking), COBIT (Control Objectives for Information and related Technology), FISMA (Federal Information Security Management Act of 2002), GAAP (Generally Accepted Accounting Principles), HIPAA (Health Insurance Portability and Accounting Act), IFRS (International Financial Reporting Standards), ITIL (Information Technology Infrastructure Library), PCI DSS (Payment Card Industry Data Security Standard), and TQM (Total Quality Management).

In the past, companies could count on isolating confidential and sensitive files and protecting them through firewalls and access control technology. In a time when they had one point of egress, they could create a perimeter that could be secured around their enterprise. But now, in today’s cloud-first environment where there are multiple paths for data to flow in and out of the organization, all bets are off. The data is accessible, anywhere, anytime and from any device. Today, employees are collaborating and sharing data in a free-flowing manner inside and outside the organization, bringing multiple BYOD devices into their companies and using mobile apps in unsecure locations–all creating greater vulnerabilities for the data and making the security professional’s job seem near impossible. The reality is that we are living in a “zero trust” world, as coined by Forrester Research. It’s a world where we can’t count on the security of our internal or external networks and instead need to change our mindset about how we think about safeguarding data. We need to come up with very new, innovative ways to keep it safe.

Unstructured Data Presents Added Problems

One of the most problematic data types to secure is unstructured data, which does not have a defined data format, such as a database. While the most common type of unstructured data is text, it can also include pictures, audio, video, website, network and application logs, social media, medical records, financial transactions, and sensor data from Internet-of-Things (IoT) devices, among other data types.

Unstructured data comprises about 80 percent of an organization’s data. It is the fastest growing, least controlled type of data–and it’s a highly valued asset within the enterprise. The dilemma for security professionals is how they can effectively manage the huge volumes of unstructured data that are shared across all types of documents and formats and spread internally and externally.

Six Strategies for Securing Your Data

Security professionals need to take a radically different security approach to safeguard unstructured data and address the realities of data sharing in today’s enterprise. Following are six key strategies:

Expand your coverage protection. To prevent security breaches before sensitive information becomes exposed, you have to make sure that you’re covering what’s important. But that is often easier said than done in today’s cloud-first environment. The best way to tackle that challenge is to take the zero trust approach and protect all data by default, instead of relying on users to accurately identify what’s important. Zero trust is also a much easier approach, allowing security professionals to simply release specific files that don’t need protection.

Consider the context. You can use contextual information, such as the requestor’s location, device or content of the data to determine the level of security that is needed. For example, it is more likely that confidential information will be created by an organization’s executives rather than those on the front lines. By using context-based security, the most sensitive and timely data, such as financial reports from an ERP system, can be classified and protected automatically.

Don’t overlook internal threats. It was easier when security professionals knew that breaches were only coming from external sources. Now, that’s no longer the case. Up to 43 percent of data breaches are caused by insiders. Disgruntled employees, collaboration, and inadvertent sharing can lead to security breaches and the spread of confidential information. Internal threats also include events such as phishing, malware on devices, using devices in unsecured public networks, downloading unauthorized applications, and more. To be effective, today’s security procedures must treat internal threats with the same level of importance as external threats.

Don’t depend on people. Given the realities of human behavior, security measures that depend on people to do things typically fail. This is especially true for security since it’s usually not in the best interest of the user to make data harder to access. Whether people forget, are too busy, make a mistake, or it’s just an oversight, it’s too easy for confidential information to go unprotected. Automate security in a way that is seamless to end-users, so they don’t try to circumvent it. Look for solutions that automatically protect data regardless of how it moves from place to place. Agnostic solutions should not care if the data is sent or stored in email, a messaging app, a public cloud, or a file server.

Use encryption. Security solutions encrypt data so users without permission cannot access it. Today’s encryption standards are very effective. AES256, for example, meets the requirements for “Top Secret” classified information. Encryption should be automatic and the process invisible to users. Don’t force them to enter passwords or to manually apply encryption before sharing files because it becomes too difficult and often fails. Make sure the encryption protects the data at all phases: at rest, in transit, and in use.

Follow the content – derivative works. Because enterprise users typically re-use and share information, security professionals need to make sure that they are protecting derivative works no matter what form the data takes throughout its lifecycle. For example, if a user copies sensitive information exported from a financial ERP system from a spreadsheet into a presentation, it should still be protected. This requires that data be tracked and followed throughout its lifecycle because it’s content that is really the important asset, not a particular file.

When it comes to security, we’ve entered a brave new world. The old rules of depending on the perimeter and focusing on external breaches no longer apply. Those companies that take a zero trust data-centric approach and adopt the cloud-first mindset of securing their data everywhere and at all times, will be in compliance, be more productive and effectively protect one of their most valuable assets–the proprietary data that lies at the heart of their competitive advantage.

This article originally appeared in the April 2018 issue of Security Today.

Featured

  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

  • Report: Nearly 1 in 5 Healthcare Leaders Say Cyberattacks Have Impacted Patient Care

    Omega Systems, a provider of managed IT and security services, today released new research that reveals the growing impact of cybersecurity challenges on leading healthcare organizations and patient safety. According to the 2025 Healthcare IT Landscape Report, 19% of healthcare leaders say a cyberattack has already disrupted patient care, and more than half (52%) believe a fatal cyber-related incident is inevitable within the next five years. Read Now

  • AI Is Now the Leading Cybersecurity Concern for Security, IT Leaders

    Arctic Wolf recently published findings from its State of Cybersecurity: 2025 Trends Report, offering insights from a global survey of more than 1,200 senior IT and cybersecurity decision-makers across 15 countries. Conducted by Sapio Research, the report captures the realities, risks, and readiness strategies shaping the modern security landscape. Read Now

  • Analysis of AI Tools Shows 85 Percent Have Been Breached

    AI tools are becoming essential to modern work, but their fast, unmonitored adoption is creating a new kind of security risk. Recent surveys reveal a clear trend – employees are rapidly adopting consumer-facing AI tools without employer approval, IT oversight, or any clear security policies. According to Cybernews Business Digital Index, nearly 90% of analyzed AI tools have been exposed to data breaches, putting businesses at severe risk. Read Now

  • Software Vulnerabilities Surged 61 Percent in 2024, According to New Report

    Action1, a provider of autonomous endpoint management (AEM) solutions, today released its 2025 Software Vulnerability Ratings Report, revealing a 61% year-over-year surge in discovered software vulnerabilities and a 96% spike in exploited vulnerabilities throughout 2024, amid an increasingly aggressive threat landscape. Read Now

New Products

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.