It’s been nearly ten years since John Kindervag first published a paper recommending what he called the “zero trust” model of information security. The time had come, he announced, to abandon the idea of unbreakable network perimeters, and to deal with the reality that intruders will inevitably find their way into protected networks.
In the years since, the zero trust model has fundamentally changed the way many organizations design and operate their networks. However, in order to live up to its full potential, zero trust network architecture must be paired with a new approach to monitoring and protecting the thing hackers are really after: sensitive data itself.
What’s inside those perimeters?
The zero trust model provides a clear framework for redesigning networks so that intruders can’t move around freely once they get inside. By segmenting networks into smaller perimeters, enforcing strong identity verification, and controlling access to each resource, organizations limit how much sensitive data a threat actor can reach after getting past the outer defenses.
Zero trust says much less about how organizations should approach the sensitive data that’s contained in their segmented, access-controlled environments. Descriptions of the model typically include recommendations for classifying data and using encryption where necessary, but provide little guidance as to how these technologies should be implemented.
To gain full control over sensitive data and get maximum value from their investments in zero trust architecture, organizations need to adopt a new way of thinking about data protection. A data-centric security strategy, implemented across the entire organization, will make zero trust architecture more effective, and address risks that continue to exist even in a well-designed zero trust environment.
The data-centric approach
The underlying concept of data-centric security is that files and database records need to be protected based on what they contain, rather than where they are located.
When implemented correctly, data-centric security gives the organization control over sensitive data from the point of creation through the entire data lifecycle. Files containing sensitive information are identified as soon as they appear and managed so that they are never left in a state the organization’s security policy forbids: unlabeled, unencrypted, or stored somewhere they should not be.
In practical terms, data-centric security involves three ongoing processes:
- Data discovery: scanning new and modified files to determine whether they contain sensitive data.
- Data classification: applying visual labels and metadata to indicate a file’s contents and appropriate handling.
- Data protection: using encryption, masking, quarantine, or other methods to prevent inappropriate exposure of a file’s contents.
These processes are handled by software agents installed everywhere that sensitive data can be acquired, created, or stored: on servers, desktops and laptops, mobile devices, and other IT assets. Each agent monitors file activity in real time and checks file contents against the organization’s definition of sensitive data (patterns such as payment card numbers or national identifiers, and keywords or labels that mark a document as sensitive). Depending on what a new or modified file contains, the agent can classify it, encrypt it, move it to a different location, or take whatever other action company policy requires. Coverage matters here: any host without an agent is a place where sensitive files can accumulate unseen.
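The three processes above, as an added example that is not part of the original post and not PKWARE’s code. It is a minimal Python model of one agent pass over a constructed in-memory “file system”: discovery finds card numbers (with a Luhn check, so that random digit runs are not flagged) and US SSNs, classification assigns the highest label any finding implies, and protection masks or quarantines according to a policy table. The file contents, the regexes, the label names and the policy table are all assumptions made for the illustration; a real agent would be driven by file-system events and would encrypt rather than only mask.

```python
import re
from dataclasses import dataclass

# Constructed sample "file system": name -> contents. A real agent would read
# these from disk in response to file-system events rather than from a dict.
SAMPLE_FILES = {
    "notes.txt": "Lunch at noon, bring the slides.",
    "invoices.csv": "acct,card\nalice,4111 1111 1111 1111\nbob,4012888888881881\n",
    "hr.txt": "Employee SSN: 123-45-6789\nOn-call phone 555-0100\n",
}

# Assumed policy tables (illustrative, not PKWARE's): the label ranking, which
# label each kind of finding implies, and the protective action per label.
LABEL_RANK = ["Internal", "Confidential", "Restricted"]
KIND_LABEL = {"pan": "Confidential", "ssn": "Restricted"}
LABEL_ACTION = {"Internal": "none", "Confidential": "mask", "Restricted": "quarantine"}
QUARANTINE_DIR = "quarantine/"

# Candidate card numbers: 13-19 digits with optional space/hyphen separators.
# US SSNs with the invalid area/group/serial ranges excluded.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Finding:
    kind: str   # "pan" or "ssn"
    start: int  # offset of the match within the file text
    end: int
    value: str  # matched text exactly as it appears in the file


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


def discover(text: str) -> list[Finding]:
    """Discovery: locate sensitive values in the text of one file."""
    found = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.append(Finding("pan", m.start(), m.end(), m.group()))
    for m in SSN_RE.finditer(text):
        found.append(Finding("ssn", m.start(), m.end(), m.group()))
    return sorted(found, key=lambda f: f.start)


def classify(findings: list[Finding]) -> str:
    """Classification: the highest-ranked label that any finding implies."""
    label = LABEL_RANK[0]
    for f in findings:
        candidate = KIND_LABEL[f.kind]
        if LABEL_RANK.index(candidate) > LABEL_RANK.index(label):
            label = candidate
    return label


def mask_value(value: str, keep: int = 4) -> str:
    """Replace all but the last `keep` digits with '*', preserving separators."""
    out, seen = [], 0
    for ch in reversed(value):
        if ch.isdigit():
            out.append(ch if seen < keep else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(reversed(out))


def protect(name: str, text: str, label: str, findings: list[Finding]):
    """Protection: apply the action the label requires.
    Returns (action, resulting text, resulting location)."""
    action = LABEL_ACTION[label]
    if action == "mask":
        # Rewrite from the end so that earlier offsets remain valid.
        for f in sorted(findings, key=lambda f: f.start, reverse=True):
            text = text[:f.start] + mask_value(f.value) + text[f.end:]
        return action, text, name
    if action == "quarantine":
        # Move the file out of the user-reachable location; encryption
        # of the quarantined copy would be applied at this point.
        return action, text, QUARANTINE_DIR + name
    return action, text, name


def process(files: dict) -> dict:
    """One agent pass: discovery -> classification -> protection per file.
    The label is the metadata a real agent would stamp on the file."""
    results = {}
    for name, text in files.items():
        findings = discover(text)
        label = classify(findings)
        action, new_text, location = protect(name, text, label, findings)
        results[name] = {"label": label, "findings": len(findings), "action": action,
                         "content": new_text, "location": location}
    return results


if __name__ == "__main__":
    for name, r in process(SAMPLE_FILES).items():
        print(f"{name}: {r['label']} ({r['findings']} findings) -> {r['action']} -> {r['location']}")
```

The Luhn check is the detail worth copying: a 16-digit order number or timestamp will match the PAN regex, and an agent that masks or quarantines on the regex alone will break legitimate files and train users to work around it. Note also that the label ranking makes a file with both a card number and an SSN land in the stricter category, so the policy never has to enumerate combinations.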
To be effective, data-centric security must be automated and managed from a central administration point. Automation removes the dependence on individual users remembering to label and protect files, and lets employees work without constant interruption. Centralized administration ensures that the organization, not the end user, controls the policy, the encryption keys, and the protected data.
Data-centric security and zero trust
Without an automated data-centric security solution in place, organizations will find it difficult or impossible to keep data properly segmented within a zero trust environment. Files will be mislabeled, saved in the wrong location, or left without appropriate protection, and every such file undercuts the network segmentation and granular access controls built around it: a segment is effectively as sensitive as the most sensitive file that has drifted into it. Automation is the most reliable way to ensure that files are classified and protected according to company policy rather than according to whatever the last person to touch them remembered to do.
The data-centric approach also lets organizations use persistent encryption to keep control over sensitive data after it leaves the company network. Transparent data encryption (disk- or database-level encryption at rest) protects data only where it sits: the server decrypts it for any process permitted to read it, so a copy attached to an email or synced to cloud storage leaves in the clear. Persistent encryption is applied to the file itself and travels with it when it’s shared via email, stored in the cloud, or copied to another external location. Access then depends on holding the key, which stays under the organization’s control, rather than on where the file happens to be.
In the past, data-centric security was difficult to implement, primarily because it required too many separate point products. Organizations often faced the prospect of implementing three different applications—one for discovery, one for classification, and one for protection—for each operating system in their environment. Even when companies made the attempt, they would often abandon the project due to user disruption and administrative complexity.
New technologies have eliminated these obstacles, clearing the way for data-centric security on an enterprise-wide scale. Large financial institutions, government agencies, and other organizations have implemented data-centric security using PKWARE’s Smartcrypt platform, which combines discovery, classification, and protection into a single automated workflow.
PKWARE’s new whitepaper, A Blueprint for Data-Centric Security, provides an overview of the key concepts and considerations involved in data-centric security, along with recommendations for designing and implementing an effective solution.
By Marty Meehan, February 3, 2019