As you look back on the state of cybersecurity in 2022 and set your security priorities for 2023, Zero Trust Data Access should top your New Year’s Resolutions list. Zero trust was probably the most talked about security trend last year, and for good reason – it is clear no matter how much we layer our defenses, hackers, malicious insiders and simple negligence are impossible to eradicate. Instead, we need to assume breach and focus on protecting the end goal of all bad actors – sensitive data. Zero Trust Data Access provides a roadmap to do just that.
What is Zero Trust?
Zero Trust is a modern security approach that refocuses security defenses from securing the perimeter to instead focusing on the users, assets and resources for more effective security. Zero trust principles dictate that there is no implied trust given to users or assets – instead, you must verify and validate each action, every time, in context. The goal is to enforce least privilege on each access decision using fine-grained security controls.
There are 3 guiding principles that underpin a zero trust methodology:
- Verify explicitly. Authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies – each and every time.
- Use least privileged access. Employ ‘Just-In-Time’ and ‘Just Enough’ Access (JIT/JEA), risk-based adaptive policies and data protection controls to safeguard both data and productivity.
- Assume breach. Minimize the attack surface of breaches and prevent lateral movement by segmenting access by network, user, devices, and application awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses.
This approach is considered so critical that in May 2021 a U.S. Presidential Executive Order on cybersecurity was issued requiring all US Federal agencies to transition to a Zero Trust Architecture (ZTA). DoD CIO John Sherman is aiming to have zero trust deployed across a majority of enterprise systems in the Department of Defense by 2027 – a lightning pace for the government.
What is Zero Trust Data Access?
Zero Trust essentially boils down to verifying and validating each step, each action, and each element in order to enforce granular access control to prevent unauthorized access to data and services.
In a data-centric zero trust model, you must consider the following information each and every time an access request is made for a particular file:
- Who (the user’s “Identity”) is asking for what (the “request”)?
- In what context (device, network, status, location)?
- While also considering the terms and conditions of access (“policies”).
Zero Trust Data Access applies the same stringent controls to the data that sits behind the networks and applications, even if access has already been granted to these services. By default, it does not grant access to a document unless all of the right conditions are met.
Benefits of ABAC-enabled Zero Trust Data Access
An attribute-based access control (ABAC)-enabled security model helps to enforce the principles of zero trust at the data layer. It uses fine-grained policies based on attributes (user, document and environment) to dynamically control who accesses information and under what conditions in real time. It ensures only the right people – access the right information – at the right time. ABAC policies can also apply fine-grained protection to control what authorized users can do with a document once access is granted.
ABAC policies can approve or deny access to a file based on the conditions at the time of the request to ensure authorized access.
For example, when a user is working in the office or is on a company laptop, they may be permitted to access a sensitive finance document, make changes, print, and copy text and images. However, if the same user is in an airport using public Wi-Fi, access to the same document can be denied based on the sensitivity of the information and their current environment, which poses a potential security risk.
ABAC policies can also be used to limit what can be done with a file if access is granted to stop data loss and misuse.
For example, instead of denying access in the example above, a restricted view of the document can be provided to limit what can be done with it, such as removing the ability to edit, print, copy, paste or share the document. A dynamic watermark can also be applied, automatically adding information about the user and access conditions (e.g., user name, IP address, date, time) to the document for tracking purposes.
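The who/what/context/policy questions listed earlier and the office-versus-airport example above, expressed as a small deny-by-default ABAC decision function. This is an added illustration, not code from the original post or from any archTIS product; the attribute names, the three classification tiers and the rule ordering are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Rights an authorized user may receive; an empty set means access is denied.
FULL = frozenset({"view", "edit", "print", "copy", "share"})
VIEW_ONLY = frozenset({"view"})


@dataclass(frozen=True)
class Context:
    """One access request: user, document and environment attributes (constructed schema)."""
    user: str
    department: str          # user attribute
    doc_classification: str  # document attribute: "public" | "internal" | "sensitive"
    doc_owner_dept: str      # document attribute
    managed_device: bool     # environment attribute
    network: str             # environment attribute: "corporate" | "public"
    ip: str                  # environment attribute, used for the watermark


def decide(ctx: Context) -> frozenset:
    """Evaluate the request against the policy. Nothing is granted unless a rule says so."""
    # Verify explicitly: non-public documents are only for the owning department.
    if ctx.doc_classification != "public" and ctx.department != ctx.doc_owner_dept:
        return frozenset()
    # Public and internal documents: full rights once the department check passes.
    if ctx.doc_classification != "sensitive":
        return FULL
    # Sensitive documents: full rights only from a managed device on the corporate network.
    if ctx.managed_device and ctx.network == "corporate":
        return FULL
    # Managed device on an untrusted network (airport Wi-Fi): restricted view, not a hard deny.
    if ctx.managed_device:
        return VIEW_ONLY
    # Unmanaged device off the corporate network: deny.
    return frozenset()


def watermark(ctx: Context, when: str) -> Optional[str]:
    """Dynamic watermark text for restricted views, recording who, from where and when."""
    if decide(ctx) == VIEW_ONLY:
        return f"{ctx.user} {ctx.ip} {when}"
    return None
```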
As user-driven data loss and insider threats become more prevalent and stringent regulations governing sensitive data continue to evolve, adding data-centric zero trust underpinned by ABAC to your security arsenal provides tremendous benefits. Your organization will benefit from more granular, real-time control over access to and usage of sensitive and business-critical information stored and shared across enterprise document management and collaboration tools.
If you’re considering implementing zero trust in 2023, one of the cornerstone steps is to understand and clarify your scope and define what you’re working with. We recommend that you:
- Talk to your decision makers about how you currently define your information, your systems, your networks, and your conditions of access that support your business operation.
- Ask the CIO how you can define your network boundaries, as traditional perimeters no longer apply in a distributed and often remote workforce.
- Ask the CISO how you can clearly define the Enterprise in a security context. Organizations tend to have multiple cloud providers, in multiple jurisdictions, and potentially complex hybrid technology models where many different sources come together to present business value.
- Consider roughly how much it costs to protect your data at the moment, and whether it is actually effective.
Need practical Zero Trust Data Access that delivers benefits, rapidly?
archTIS solutions apply and enforce dynamic, ABAC-enabled access and protection policies that leverage user, data and environmental attributes to ensure your users and partners access, share and collaborate on sensitive and classified information — securely. Whether you need to store classified information or help with securing sensitive files within your Microsoft 365 applications, archTIS products enable fine-grain zero trust access and data security out of the box.
For Defence, Defence Industry and Intelligence organizations that need the ability to share sensitive and classified information internally and with partners and clients, Kojensi is a proven and government-accredited platform for classified information collaboration and file sharing. It enables productivity while managing the compliance and security of highly sensitive and regulated information. Kojensi enables secure, policy-driven compartmentalized collaboration out of the box.
NC Protect provides advanced data-centric security for collaboration applications, including Microsoft Office 365, SharePoint Online and on-premises, OneDrive, and Exchange emails, as well as Nutanix Files and Windows File Shares. It discovers, classifies and secures unstructured data including files, messages and chat content. Access and security are dynamically adjusted based on a real-time comparison of user context and file content to make sure that your users access, use and share files according to your business regulations and policies.