Organizations are working to bring existing security capabilities up to date with Zero Trust standards. An organization’s path to Zero Trust Data Security often starts with an existing DLP solution set.
Zero Trust is all about explicit risk assessments, monitoring, and control. One that extends beyond just managing access to data but to control how you use the data. An approach that uses continuous monitoring to make dynamic, explicit decisions each time a user accesses sensitive files.
Traditional DLP falls short of these standards.
Here are three essential capabilities to bring your existing data security up to Zero Trust standards.
1. Centrally Apply File Encryption
DLP solutions monitor data – Allow/Block – but the sensitive data itself is left unprotected.
Zero Trust principles dictate stronger measures like file encryption. This eliminates implicit access to files and sets a clear reference point to make Zero Trust explicit access decisions.
Zero Trust Data Security also cares about “who” encrypts the file. Many solutions rely on the user to encrypt sensitive files and in some cases, a user sets a password. This can lead to errors in protecting data and requires the encryptor – your employees – to grant access to your own critical data.
A centralized policy platform is foundational to Zero Trust Data Security. With centrally enforced policies, a file with sensitive data can be automatically encrypted when created or modified, all transparent to the user. It lifts the burden from the user, eliminates errors, and keeps workflows moving.
This also gives you control over the encryption keys – not the user, cloud provider, or any other third party. This is increasingly important in hybrid and multi-cloud workplaces as privacy regulations become more proscriptive regarding data residency and access rights.
Consistently and proactively centrally applied file encryption is a big step toward achieving Zero Trust Data Security.
2. Control Data-In-Use
Insider threats expose a major gap in DLP solutions. It’s the poster child example for implicit trust that Zero Trust looks to eliminate.
With DLP, once a verified user gains access to the file, it’s a free pass to use corporate sensitive data. Users can copy, cut, and paste sensitive data into new file formats; share the data across multiple collaboration applications; and store and print sensitive files on personal (BYOD) devices.
DLP binary actions, full or no access, are no longer enough. Zero Trust principles are based on a continuous, explicit risk assessment that takes a least-privilege approach to access and use. It considers the sensitivity of the data and the context in which it’s being used.
Zero Trust Data Security requires the availability of a broader range of file permissions to control data-in-use. For example, a user that only needs to read a document should be restricted from extracting or sharing the data. Allowing a user to edit a file, but restricting copy or print, are other examples of granular document controls. Disabling screen sharing when displaying sensitive data, and print watermarking are other necessary capabilities in a Zero Trust world.
Upgrading DLP with granular document rights controls provides the data-in-use options that enable Zero Trust Data Security.
3. Monitoring Depends on Visibility
The ability to continuously monitor data activities so you can make explicit decisions each time someone tries to access sensitive files is central to a Zero Trust approach. How you use data, how it moves about, and what users do with it is an essential input to an explicit model.
However, traditional DLP and network tools create a patchwork approach to data visibility with some organizations employing over 40 IT and security tools to trace data. Visibility is also thwarted in today’s hybrid workplace by cloud and work-from-home environments where data can be stored in unauthorized locations and devices.
To move toward Zero Trust Data Security, you should upgrade your DLP solutions with a file-centric approach, making the file itself the source of reporting. A unique ID embedded in each file logs every access (network/application/individual), what was done with the file, and other context-aware information like device and geographical location.
Implement a file-centric approach to achieve the visibility necessary to enable Zero Trust Data Security.
Update DLP to Zero Trust Data Security
Implementing a Zero Trust approach to an existing security model is gradual. The Fasoo Data Security Platform helps you achieve success without ripping out your current DLP infrastructure. This protects your existing investment but gives you true Zero Trust Data Security to meet your governance and regulatory requirements.