How do you protect data when it leaves your building?
A few years ago, hardly anyone asked that question because data stayed home. But with the rise of cloud services, mobile computing and a pandemic, the trend of data following users became the norm in a matter of weeks. Suddenly, your data’s security had far less to do with your physical facility’s security. As a result, there is fresh interest in zero-trust architecture, where the mindset switches from a device-centric security model to a data-centric model.
In a zero-trust world, IT leaders assume that devices, networks and individual user accounts have already been breached. So they attach security controls to the data itself. This not only boosts security but expands an organization’s business opportunities. With a zero-trust approach, you can continue doing business with a valuable partner even if you’re not confident in their security systems. Thanks to a data-centric model, your data protects itself.
Moving to a Data-Centric Mindset
Not long ago, organizations could almost literally keep an eye on their data. Employees mostly worked in offices on company-owned devices plugged into company networks (or at least linked to company wireless networks). Data lived on a centralized server. For the most part, protecting your data meant controlling who entered your building.
Today, data roams the globe without its traditional bodyguards. The boundaries between work and personal life have blurred as employees access data around the clock and on a variety of desktop and mobile devices and networks. “We’re never fully at work and never fully at home,” says Pratum Founder and CEO Dave Nelson. “We’re always just kind of everywhere.”
The pandemic obviously accelerated adoption of remote work by years. And with 90% of HR leaders saying they intend to maintain some form of work-from-home policies after the pandemic, the call for a data-centric model has unprecedented momentum.
“Many organizations are still basing their security model on something that doesn’t exist anymore. You no longer control the devices or networks. And that’s scary for data managers and business leaders. Many of the risks that leaders were willing to take were based on a security model that was basically invalidated overnight.”
David Nelson, President and CEO, Pratum
Who's Really Accessing Your Data?
From an identity perspective, we now have complete strangers touching organizational data every day. When an employee logs in from a remote location, how much do we know about the security of their network? Are they working on a home computer with outdated antivirus protection? When a vendor logs into your distribution and inventory platform, how do we even know it’s them and not someone who stole their credentials? Are your industry partners protecting the login credentials you give them or handing them out to multiple employees?
Those questions, Nelson says, overturned many long-held best practices. “We saw a lot of IT leaders freaking out when business leaders came to them and said, ‘I know you’ve done all this work over the last 15 years to make our network and data secure, but we’re going to send everybody home, and we need those people to get access to all that data from devices you don’t know.’”
Zero-trust architecture ensures your data is safe, even if, for example, someone intercepts it while your employee is working on a coffee shop network. IT leaders can quit worrying about the specific device or network in use because their security has now become data-centric.
Components of Zero-Trust Architecture
Moving to zero-trust architecture represents a major IT project, but many information security consultants are telling their clients that it should become a top priority. Though widespread adoption is starting only now, the concept has been around for years. All the major information security players support the use of zero-trust architecture, including Microsoft, Fortinet, Cisco and Amazon Web Services.
That support is essential, because in a zero-trust environment each use of data must be vetted through multiple security layers. You might, for example, grant read-only access to a file as long as the user is on a computer with antivirus software installed. Before users can modify the file, their devices must clear a much higher security bar: the system might run a basic “health screen” of the computer for proof that it has run an antivirus check in the last 12 hours, has an acceptable firewall, is part of an approved domain, and so on. The system may also grant provisional access, for example by requiring that the computer run another antivirus scan before it is allowed to modify files.
While the number of zero-trust components varies by the platform you’re using, these are the six core principles:
1. Identities – Strong authentication tools should validate every user’s identity. It starts with strong passwords/PINs and extends into digital signatures and multifactor authentication tools such as tokens, certificates and biometrics. In all situations, organizations should follow a policy of least-privileged access, in which users receive access only to the data they need to do their job.
2. Devices – Any device seeking to access company data must comply with policies such as having a firewall turned on and rules validated; anti-malware software turned on and set to scan daily; and auto-update enabled to ensure software is adequately patched.
3. Applications – The system should inventory all applications and data locations, including client-server (ERP, core platforms, accounting, etc.); desktop (Adobe, Microsoft Access, My Documents/Desktop); and cloud solutions (Salesforce, AWS, etc.). Administrators should determine ownership and management responsibilities and enforce and audit security compliance.
4. Telemetry & Monitoring – We’re overwhelmed with system activity reports, so you need a robust system to make sense of all the noise and spot potential threats. (Pratum’s Security Operations Center ingests about 6 billion events each day across all of our managed XDR/SIEM clients.) Organizations should track detailed usage statistics such as date/time of access; location of the access; sizes of files accessed; bandwidth utilization and more.
User & Entity Behavior Analytics (UEBA) solutions model typical user behavior and flag anomalous activity. This system might, for example, note that a user who typically works 9-5 is logging in at midnight from a new device. That might indicate an attempted breach in progress.
In a similar vein, Extended Detection and Response (XDR) solutions with Security Information and Event Management (SIEM) track activity in all corners of your technology stack and proactively stop potential threats before they can do any damage.
5. Networks – Networks still play a key role as security boundaries since they can be explicitly trusted and can encrypt all communications.
6. Information Rights Management (IRM) – In a platform using IRM, data carries its own rules for use. For example, e-mail may be set to restrict forwarding of messages marked as confidential. In Word or Excel, users may be prohibited from opening or printing files unless they are using a company-owned device. Note that these rules often can be circumvented if they aren’t used in conjunction with file encryption.
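The UEBA case under principle 4 (a 9-to-5 user logging in at midnight from a new device) can be reduced to a small per-user baseline check. The following Python is an added example, not Pratum’s tooling; the user names, device IDs and timestamps are constructed sample data, and the one-hour margin around each user’s observed login window is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of past authentication events: (user, ISO timestamp, device id).
BASELINE = [
    ("alice", "2021-05-03T08:55:00", "LT-0101"),
    ("alice", "2021-05-04T09:10:00", "LT-0101"),
    ("alice", "2021-05-05T16:45:00", "LT-0101"),
    ("alice", "2021-05-06T13:20:00", "LT-0101"),
    ("bob",   "2021-05-03T22:05:00", "LT-0202"),   # bob normally works a late shift
    ("bob",   "2021-05-04T23:40:00", "LT-0202"),
]

def build_profiles(events):
    """Per-user model: usual login window (observed hours plus a one-hour margin) and devices used."""
    hours, devices = defaultdict(list), defaultdict(set)
    for user, ts, device in events:
        hours[user].append(datetime.fromisoformat(ts).hour)
        devices[user].add(device)
    # A production UEBA model uses richer statistics; min/max with a margin keeps this readable.
    return {u: {"window": (max(min(h) - 1, 0), min(max(h) + 1, 23)), "devices": devices[u]}
            for u, h in hours.items()}

def score_login(profiles, user, ts, device):
    """Return (severity, reasons): 'none', 'medium' (one anomaly) or 'high' (both, or no baseline)."""
    profile = profiles.get(user)
    if profile is None:
        return "high", ["no baseline for user"]
    hour = datetime.fromisoformat(ts).hour
    lo, hi = profile["window"]
    reasons = []
    if not lo <= hour <= hi:
        reasons.append(f"login at {hour:02d}:00 is outside usual window {lo:02d}-{hi:02d}")
    if device not in profile["devices"]:
        reasons.append(f"first login from device {device}")
    return ("none", "medium", "high")[len(reasons)], reasons

def flag_anomalies(profiles, logins):
    """Triage a batch of new logins and keep only those that deviate from the user's baseline."""
    flagged = []
    for user, ts, device in logins:
        severity, reasons = score_login(profiles, user, ts, device)
        if severity != "none":
            flagged.append((user, ts, device, severity, reasons))
    return flagged

# Constructed new logins to triage: a midnight login from an unseen phone, and two normal ones.
NEW_LOGINS = [("alice", "2021-05-10T00:05:00", "PHONE-77"), ("alice", "2021-05-10T10:00:00", "LT-0101"),
              ("bob", "2021-05-10T22:30:00", "LT-0202")]
if __name__ == "__main__":
    for row in flag_anomalies(build_profiles(BASELINE), NEW_LOGINS):
        print(row)
```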
The Power of Conditional Access
A key step in the zero-trust system is assigning conditional access to different types of files, recognizing that there isn’t a one-size-fits-all solution here. Locking every file down in the same way will surely make daily work harder than it needs to be for many users. Setting file access levels should not fall solely on the IT team. IT needs input from other leaders to explain the sensitivity of data in any given file type and who should be able to use it.
This chart provides examples of how an organization may set access for various types of files.
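The tiered device-health check described under “Components of Zero-Trust Architecture” (read-only with antivirus installed; modification only after a health screen of firewall, approved domain and a scan within 12 hours; a provisional “rescan first” outcome) and the per-file-type access levels discussed in this section fit together as one policy decision. The Python below is an added example, not Pratum’s code or the chart above; the domain name, the sensitivity labels and their required bars are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class DevicePosture:
    # Constructed posture signals; in a real deployment an MDM/EDR agent reports them.
    antivirus_installed: bool
    last_av_scan: Optional[datetime]   # None means no scan on record
    firewall_on: bool
    domain: Optional[str]

APPROVED_DOMAINS = {"corp.example"}    # assumed value, not from the article
AV_FRESHNESS = timedelta(hours=12)      # article: an antivirus check within the last 12 hours
# Constructed per-sensitivity table of the kind the chart illustrates: the bar each action must clear.
POLICY = {
    "public":       {"read": "none",  "write": "basic"},
    "internal":     {"read": "basic", "write": "full"},   # the article's worked case
    "confidential": {"read": "full",  "write": "full"},
}

def clears(bar: str, p: DevicePosture, now: datetime) -> str:
    """Return 'ok', 'rescan' (health screen passed but the AV scan is stale) or 'fail'."""
    if bar == "none":
        return "ok"
    if not p.antivirus_installed:       # basic bar: antivirus software is installed
        return "fail"
    if bar == "basic":
        return "ok"
    # Full bar: the "health screen" of firewall, approved domain and a fresh scan.
    if not (p.firewall_on and p.domain in APPROVED_DOMAINS):
        return "fail"
    fresh = p.last_av_scan is not None and now - p.last_av_scan <= AV_FRESHNESS
    return "ok" if fresh else "rescan"

def evaluate(p: DevicePosture, sensitivity: str, action: str, now: datetime) -> str:
    """Decide 'read-write', 'read-only', 'rescan-required' or 'deny' for one request."""
    status = clears(POLICY[sensitivity][action], p, now)
    if status == "ok":
        return "read-write" if action == "write" else "read-only"
    if status == "rescan":
        return "rescan-required"   # provisional: rescan before the higher-bar access is granted
    if action == "write" and clears(POLICY[sensitivity]["read"], p, now) == "ok":
        return "read-only"         # fails the write bar but still qualifies for read
    return "deny"

NOW = datetime(2021, 6, 1, 9, 0)
STALE_LAPTOP = DevicePosture(True, NOW - timedelta(hours=20), True, "corp.example")  # constructed: scan 20 h old
if __name__ == "__main__":
    print(evaluate(STALE_LAPTOP, "internal", "read", NOW), evaluate(STALE_LAPTOP, "internal", "write", NOW))
```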
As you consider how your environment needs to adapt to new working styles and whether zero-trust architecture may be right for your organization, Pratum can help. Contact us today for a free consultation on the best way to protect your critical data.