Building Trust 101: Why a Modern Approach to Data Protection Is Key


Visibility, control, and trust are pivotal for maintaining advanced data security. Thanks to the growing threat landscape, organizations simply cannot leverage the true power of data without ensuring its security beforehand. Tim Reilly, CEO at Zettaset, discusses the need for rethinking the approach to data protection in building trust.

Enterprise environments have grown increasingly complex and have created numerous challenges for organizations to address to secure their data. One of the most critical difficulties is sharing data while maintaining data ownership – without this, organizations cannot share data securely.

Further, mounting regulations make maintaining compliance with privacy laws a top priority for all businesses. The transition to DevOps has highlighted a slew of new data security gaps that organizations must prioritize and fill.

So how do we build trust within an organization and enable seamless data sharing?


Introducing Zero Trust

Traditionally, once an entity passed the authentication and authorization points and its credentials were confirmed to be valid, it could access resources based on its roles and permissions.

Today, zero trust architecture changes that. It asserts that there is no implicit trust granted to assets or users based solely on their physical location within a network. This new zero-trust security model removes the concept of trusted or untrusted entities and replaces it with confidence levels based on multiple attributes. It defines authentication and authorization policies based on the concept of least privilege access.

According to a recent PwC survey of 3,600 global executives, 52% said they have started implementing zero trust or are planning to do so – but only 11% have begun realizing benefits from zero trust, and only 28% have implemented it at scale.

In February of 2021, the Zero Trust Reference Architecture version 1.0, collectively authored by the Joint Defense Information Systems Agency (DISA) and National Security Agency (NSA), was approved. This reference architecture introduced a fundamental shift in thinking and design principles. The idea was to move away from the perimeter and location-based authorization to continuous verification and confirmation of access based on resources that are being accessed and the context in which users, applications, and services are accessing these resources.

The White House recently mandated a Federal zero trust architecture (ZTA) strategy, which requires agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year 2024. The goal is to reinforce the Government’s defenses against the increasingly sophisticated and persistent threat landscape.

It’s proving true that implementing zero trust can help improve the nation’s cybersecurity posture. But addressing zero trust security principles, such as those in the government’s new zero trust architecture, will require a modern approach to current data protection strategies.

Incorporating Zero Trust Within Your Data Protection Strategy

Zero trust is a reference framework for implementing modern data protection systems that no longer rely on perimeter authentication and “tokens of trust” authorization methods. It means that every access to the data by an entity or a service goes through an authentication and authorization process. This process is sensitive both to the data being accessed and the context in which the access is performed. By adopting zero trust security principles – identify, protect, detect, respond, and recover – organizations can improve their security posture wherever data is stored.

Introducing data protection after an application has been designed and deployed will result in insufficient security measures that impede operations and slow the application down. These security measures will likely provide marginal protection at a high cost in the form of maintenance and their impact on business processes. Data protection must be built into the application from inception throughout the design cycle.

Data protection should be transparent and non-intrusive; it should not impact performance or require users and administrators to change how they operate. This is critical in edge and microservices environments, especially those operating under zero trust guidelines.

As such, zero-trust environments are highly dynamic in handling access and policies. This requires making real-time adjustments – and data protection systems must be able to handle that without introducing performance or administrative hurdles.

Data protection should be granular at the level of the objects it is protecting. For example, if Kubernetes persistent volumes are protected, the protection keys should be unique for each persistent volume. If Linux OS partitions are protected, the protection keys should be unique for each partition. This means that data protection cannot be entrusted to the underlying infrastructure.
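One way to get a unique key per protected object is to derive each key from a master key with HKDF, binding the object's type and identifier into the derivation. The sketch below is an added example, not code from the article or from any product it mentions; the article does not prescribe a mechanism, and the object names, salt, versioning scheme and master key are constructed for illustration.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a PRK from the input key, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _field(value: str) -> bytes:
    """Length-prefix a field so ("ab", "c") and ("a", "bc") cannot collide."""
    raw = value.encode()
    return len(raw).to_bytes(2, "big") + raw

def object_key(master_key: bytes, kind: str, object_id: str, version: int = 1) -> bytes:
    """Derive the key for exactly one protected object (hypothetical scheme)."""
    info = _field(kind) + _field(object_id) + version.to_bytes(4, "big")
    return hkdf_sha256(master_key, b"per-object-demo-salt", info)

def derive_all(master_key, objects, versions=None):
    """Map each (kind, id) to its own key; `versions` holds per-object rotations."""
    versions = versions or {}
    return {obj: object_key(master_key, *obj, versions.get(obj, 1)) for obj in objects}

# Constructed demo values. A real master key stays in a KMS or HSM that the
# cluster nodes and storage layer cannot read.
MASTER_KEY = bytes(range(32))
OBJECTS = [
    ("k8s-pv", "pvc-orders-db"),
    ("k8s-pv", "pvc-audit-log"),
    ("linux-partition", "/dev/sda2"),
    ("linux-partition", "/dev/sdb1"),
]

if __name__ == "__main__":
    before = derive_all(MASTER_KEY, OBJECTS)
    # Rotate only one volume, e.g. after suspected exposure of its key.
    after = derive_all(MASTER_KEY, OBJECTS, {("k8s-pv", "pvc-orders-db"): 2})
    for obj in OBJECTS:
        state = "rotated" if before[obj] != after[obj] else "unchanged"
        print(obj, hashlib.sha256(after[obj]).hexdigest()[:12], state)
```

Because each key depends on the object's identity, exposure of one volume's key reveals nothing about the others, and a single object can be rotated without re-encrypting the rest.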


Building Trust

DevSecOps establishes the foundation for securing microservices environments, and zero trust architecture defines approaches for implementing comprehensive data security systems that protect, detect, and respond to security compromises in a timely manner without compromising mission-critical systems.

Overall, zero trust architecture is highly beneficial to traditional data centers but requires a careful approach to be implemented in a way that is not intrusive to business processes and will not compromise performance.
