Effective Zero Trust Requires a New Definition of Data Protection

Zero Trust Data Protection provides continuous, real-time access and policy control based on users, devices, apps, threats, and data context.

blog 7 image

Data is the ultimate asset of modern business and the foundation of digital transformation. It is the currency that funds innovation and growth. Data must be protected with the utmost rigor, but it must also flow effortlessly to where it can deliver the greatest benefits.

In an era where the cloud rules infrastructure, traditional network security is no longer useful.  The current construct for data protection is outmoded and in urgent need of an update. The biggest fundamental shift in the world of digital transformation is that data is no longer on a CPU that the enterprise owns. Security teams must invest in the right technology to achieve more complete data protection, and we all need to ensure Zeron Trust principles are applied everywhere data needs protection.

At Netskope, we describe this as Zero Trust Data Protection, and the key to this is context.

(We will be covering this in depth at Netskope’s Aiming for Zero event on March 30—a day of Zero Trust topics, with zero b.s.! Register for Aiming for Zero here.)

Zero Trust as a concept has been around for a while. In its simplest form it is this: Don’t trust the things you do not need to trust. For the things you must trust, trust but verify constantly.

Today there are many isolated Zero Trust projects focused on networks, users, devices, or isolating servers. The main miss on most of these projects, like deploying only Zero Trust Network Access (ZTNA), is that they are not focused on the data. Data is the grand strategy for security teams protecting the core digital assets of any organization. As one of the more familiar Zero Trust concepts, ZTNA describes application-level access that enables specific users to access specific applications.

But we must go beyond just access control and isolation, and there is a fast-growing group that believes Zero Trust must extend all the way to data protection. Zero Trust Data Protection provides continuous, real-time access and policy control based on users, devices, apps, threats, and data context. This approach is the only effective way to dynamically manage risk across a mix of third-party applications and a remote-first workforce that needs always-on access to cloud apps and data to stay productive. We all have to accept that this is the new normal as of 2021.

DLP Grows Up

Let’s take a step back and examine how we arrived here. Concepts like data loss prevention (DLP) are rooted in the idea that data is already safe. But like other traditional frameworks for data protection, DLP is founded on the pre-cloud idea that everything is inside a data center and essentially protected by a perimeter. The job of data protection in that setting is to prevent data from leaking out in unauthorized ways and to stop bad things from getting in.

In the cloud era, the traditional premise of DLP no longer applies. Yes, there is still crucial data housed in the data center inside the perimeter. But in most organizations, there is now as much or more data in SaaS applications and in private applications hosted in the public cloud. To protect this data, while also doing a better job of protecting data in the data center, we must rethink data protection in a way that is fully cognizant of the way users really work these days. We have to protect a much wider, much more dynamic attack surface.

This starts with recognizing all the ways in which the problem of data protection has gotten more complex, including the inarguable facts:

  • Data protection is a responsibility shared by multiple players
  • SaaS and IaaS vendors must protect themselves, and involve a shared security model
  • There is still a significant security threat that accompanies the allowed uses of data within the context of even mundane interactions with cloud apps

The challenge has become to find the means to follow the data wherever it goes and make sure it is always safe whether it is stored, in use, or in motion. To solve these problems, we have to take full advantage of the fact that the flexibility cloud infrastructure provides also allows us to do a better job of protecting data.

With new systems built to create the kind of security cloud described by analysts in various ways—most commonly, Secure Access Service Edge (SASE), coined by Gartner, but also Zero Trust Edge (ZTE), coined by Forrester—and implemented with critical building blocks such as Next Gen Secure Web Gateway, we can now not only grant access to data but also monitor its use in real time. Moving the policy and inspection point from the data center to the cloud makes enforcement possible regardless of the paths between user and data.

Data protection is ultimately about context. By monitoring traffic between the user and the apps, including API traffic, we can exert granular control. We can both allow and prevent data access based on a deep understanding of who the user is, what they are trying to do, and why. That is the context that Zero Trust Data Protection leverages to deliver security. Knowledge of the interplay between user, device, app, and data enables security teams to define and enforce conditional access controls based on data sensitivity, app risk, user behavior risk, and other factors. The result is more effective security via continuous risk management.

Ever since Gartner coined the SASE term, there’s been healthy debate in the industry over what that really means. But Zero Trust is front-and-center as a key component of a SASE architecture. With that in mind, here is the practical take we hear from forward-thinking CIOs and CISOs:

  1. SASE, when implemented properly, offers a number of benefits, including:
    • Protecting the use of data, so sharing of data, downloading data, and other potentially harmful uses of data can be controlled
    • Allowing different levels of protection for company and personal data
    • Involving users and advising them of dangerous behavior
    • Eliminating the backhaul and “hairpinning” that restricts productivity and prevents users from using the best and most effective tools to drive business growth
  2. Whether in a traditional, on-premises architecture, a SASE architecture, or across architectures that are transitioning from traditional to SASE, Zero Trust principles must be applied.
  3. Where Zero Trust Data Protection comes in—and why it goes well beyond the more specific uses of Zero Trust Network Access and other Zero Trust constructs—is that it offers real-time, conditional application, data access, and protection enforcement for data on-premises or in public or private cloud applications.

Zero Trust Data Protection isn’t just a new way to think about DLP, nor is it yet another “marketecture” hitching itself to the popularity of the term Zero Trust. Zero Trust Data Protection gets to the heart of what SASE is all about, which is to transform security and networking for the era of cloud, enable access-from-anywhere, and ensure data is protected everywhere it needs to go. The ability to do this effectively and completely, instead of in a piecemeal approach, is what separates the true SASE technology providers from the pretenders.

Copyright © 2021 IDG Communications, Inc.