By Mark Cassetta.
Zero Trust has earned a promotion from reference architecture to an integral data protection strategy. After all, we are in a time when there should be zero trust in any data that has not been authorized or authenticated.
While conversations around Zero Trust have been taking place for years, we now are seeing tactical strategies and plans come forward. Industry visionaries, such as Dr. Chase Cunningham at Forrester, reinforce how an effective Zero Trust framework can kickstart a holistic security strategy.
A fully realized Zero Trust framework requires attention to multiple pillars, and the most challenging, hands down, is the one related to data. Of course, the data pillar is arguably the most foundational and valuable one, as it protects your crown jewels and supports compliance with mandatory regulations, privacy law among them. Many early data security deployments (think DLP) have fallen short of expectations, and the reasons typically fall into one, or more, of the following categories:
- “Boiling the ocean” proved an impossible task.
- Sponsorship at the proper level was missing.
- Data protection rules forgot about context and created false positives.
To avoid these unfavorable outcomes, it’s imperative to understand that achieving Zero Trust requires building a foundation of trust. While many organizations say they already are fully committed, most have an incomplete idea of just what it takes to deploy a successful Zero Trust strategy.
The Currency of Trust
Consider viewing trust as a currency. When there’s lots of it, people will rally behind you to make things happen. If you have none of it, then it is very difficult to bring forth change — no matter how positive that change might be. In the context of security, think about your recent rollouts. Have they increased the currency of trust from your employees or decreased it? If you are in a “negative trust” situation, then trust needs to be rebuilt.
Building trust is best done through small wins. Yes, the ultimate goal is to protect all your data; however, you need to compartmentalize each step to show employees the value that protection will bring to the organization.
The first step to any successful data security strategy is the identification of what needs to be protected. Many programs fall apart if this is not done properly. The challenge, of course, is that with the amount of data already created and being created, it is difficult to find small wins. So here are some suggestions:
1. Get a small win for data at creation: Often, data security looks at the amount of data that already has been created sitting at rest and sees that as the place to start. While this is true, the value of data being created (think the email from your CEO right now) is likely much higher than that which is sitting at rest. Often people think that identifying data at creation requires a fully baked data classification taxonomy. That is not true. In fact, using automation, you can start tagging data with metadata as it is created, completely hidden from the user. As you prove how much sensitive information is being created, then start to mature toward a more formal data classification taxonomy.
2. Get a small win for data at rest: It is often overwhelming to think about tackling the protection of data at rest. Organizations get stuck in analysis paralysis, especially for unstructured data. The small win, in this case, can be creating a data inventory, which is arguably easier than thinking about the problem end to end. The goal: Use that inventory to help build a risk analysis for stakeholders to understand what you want to do next, be it tagging, move/archive, encrypt, etc.
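To make these two small wins concrete, here is an added example that is not from the original post or from any product: a creation hook that silently attaches sensitivity tags as metadata (the author is never prompted), and an inventory step that rolls those tags up per tier and per owner so stakeholders can decide what to tag, archive or encrypt next. The detection rules, the tier names and the sample documents are all assumptions constructed for the demo, not a real taxonomy.

```python
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Detection rules: tag -> regex. Assumed for this example, not a product taxonomy.
RULES = {
    "pii:email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "pii:ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "financial:card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "internal:confidential": re.compile(r"\b(confidential|internal only)\b", re.I),
}

# Coarse sensitivity tiers keyed by tag prefix (also an assumption for the demo).
TIER_BY_PREFIX = {"pii": "high", "financial": "high", "internal": "medium"}


def luhn_ok(number: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs,
    which is the kind of context check that keeps false positives down."""
    digits = [int(d) for d in re.sub(r"\D", "", number)]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the tags whose rule matches; card-like matches must pass Luhn."""
    tags = set()
    for tag, rx in RULES.items():
        for m in rx.finditer(text):
            if tag == "financial:card" and not luhn_ok(m.group()):
                continue
            tags.add(tag)
            break
    return tags


def tier_for(tags: set[str]) -> str:
    """Highest tier among the tags; untagged content is 'low'."""
    tiers = {TIER_BY_PREFIX[t.split(":")[0]] for t in tags}
    for level in ("high", "medium"):
        if level in tiers:
            return level
    return "low"


@dataclass
class Document:
    path: str
    owner: str
    body: str
    metadata: dict = field(default_factory=dict)


def tag_on_create(doc: Document) -> Document:
    """Creation hook: write tags into metadata; nothing is shown to the author."""
    tags = classify(doc.body)
    doc.metadata["tags"] = sorted(tags)
    doc.metadata["tier"] = tier_for(tags)
    return doc


def build_inventory(docs: list[Document]) -> dict:
    """Data-at-rest inventory: counts per tier and per owner for a risk review."""
    by_tier = Counter(d.metadata["tier"] for d in docs)
    by_owner: dict[str, Counter] = defaultdict(Counter)
    for d in docs:
        by_owner[d.owner][d.metadata["tier"]] += 1
    return {"by_tier": dict(by_tier), "by_owner": {o: dict(c) for o, c in by_owner.items()}}


# Constructed sample content standing in for newly created files.
SAMPLE_DOCS = [
    Document("share/finance/q3.txt", "finance", "Card on file 4111 1111 1111 1111 for vendor."),
    Document("share/hr/onboarding.txt", "hr", "New hire SSN 123-45-6789, contact jane@example.com"),
    Document("share/eng/notes.txt", "eng", "Sprint notes. Internal only: roadmap draft."),
    Document("share/eng/readme.txt", "eng", "Build with make; run tests with make test."),
    Document("share/marketing/ids.txt", "marketing", "Order id 1234567890123456 is not a card."),
]


def run_demo() -> dict:
    """Tag every sample document at 'creation', then build the inventory."""
    return build_inventory([tag_on_create(d) for d in SAMPLE_DOCS])


if __name__ == "__main__":
    inventory = run_demo()
    for d in SAMPLE_DOCS:
        print(d.path, d.metadata)
    print(inventory)
```

The marketing file shows why context matters: a 16-digit order id looks like a card number to a naive pattern, but the Luhn check rejects it, so it lands in the low tier instead of generating the kind of false positive the post warns about. The inventory output is deliberately small (counts by tier and owner) because that is what a stakeholder needs to choose the next step; the per-file tags stay in metadata for when that step is taken.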
Data security is a big undertaking for any organization, and gaining the trust necessary to be successful can take a long time. This reality reinforces the importance of embracing a fluid, ongoing strategy. Companies that decide to take a headfirst dive might end up drowning. Instead, opt for a series of small wins that increasingly gain users’ participation, confidence, and trust. These victories can add up to big gains and, ultimately, acceptance of the more complex aspects of Zero Trust, which lead to the protection of unstructured data.
Automation Helps Decision-Making
Automation should play a major role in the decision-making process by helping to build the business case for more actionable data protection policies. Automation also aids in avoiding the aforementioned trap of “boiling the ocean.”
There is a ton of value once the data pillar of Zero Trust is connected to the rest of your strategy. To be successful, however, you need to establish a certain level of trust in the business as data is a tangible asset to every employee. Banking on a cache of trust is inconceivable if users do not believe in the security organization. If you face resistance, make sure you have been successful with some of the easier Zero Trust pillars, such as a workload-based solution, then move into broader data initiatives. Companies that are most successful at tackling data protection challenges are ones that have built up the currency of trust within their ranks.
Solutions, once in place, are only as effective as the people using them. Therefore, it’s imperative to find and assemble the pieces that work best for your organization and its particular needs. Fortunately, there are a growing number of options that should make this journey accomplishable without compromising the goals of your Zero Trust strategy.