Zero Trust is a major trend in 2022 and one that affects public and private sector organizations alike. Last year when the Biden administration in the US issued its Executive Order on Improving the Nation’s Cybersecurity, zero trust was a major component of this initiative.
Organizations implement traditional perimeter-based security strategies on the assumption that the perimeter is secure inside. Zero trust assumes that no person or device inside or outside of an organization is trusted. It is a system that requires thorough verification of all users, data, and devices, and allows only minimal privileges.
The concept of zero trust is not new. It was suggested in 2010 by analyst John Kindervag of Forrester Research to denote stricter cybersecurity programs and access control within corporations.
Now 12 years later, security experts agree that a zero-trust-based security strategy is needed, not perimeter-based security. The reason is simple. The environment is changing.
Why zero-trust now?
The pandemic-driven transition to a hybrid workplace has become the norm. As telecommuting and remote work becomes common, concerns about perimeter-based security are growing more than ever before. This is because the boundaries of the work environment have become blurred, driven in part by the increased adoption of mobile and cloud services. This will inevitably lead to a security vacuum.
The environment surrounding data security faces a variety of changes, including cyber warfare caused by the conflict between Russia and Ukraine, cyberattacks on companies by hacker groups like Lapsus$, and numerous incidents of corporate data breaches by trusted insiders.
In this environment, it is natural for zero-trust-based solutions to be in the spotlight. It’s the data itself that we need to protect, so we need a data-driven security system that can safely protect our data in a rapidly changing environment.
Zero Trust Data Security
Protecting sensitive data first requires identifying it, classifying or labeling it, and then determining who should have access to it. This requires constant authentication and verification of user identity. Fasoo’s zero-trust approach to safeguarding sensitive unstructured data goes beyond just access controls. It layers three powerful security methods to achieve a strong, proactive first-line defense again external and insider threats.
- Adaptive Access Control
- Control Data in Use
Cloud misconfigurations, user errors, and work from home environments all expose sensitive files to breaches that access control alone can’t prevent. A true zero-trust approach secures the file at all times – at rest, in transit, and while in use – and continuously monitors user, device, and other contexts to adaptively evaluate access permissions.
The best way to protect a sensitive file is to encrypt it. It ensures files are protected while at rest and in transit no matter the location or network. This sets the foundation for a zero-trust approach on which other safeguards build.
- Automatically discover, classify and encrypt sensitive files when created or modified, all transparent to the user. User errors are eliminated and workflows are uninterrupted.
- Encryption keys are centrally held and controlled by the company – not by the user, cloud provider, or any other third party. This is increasingly important in hybrid and multi-cloud workplaces as privacy regulations become more proscriptive regarding data residency and access rights.
Encrypted files ensure any exfiltration of sensitive information is safe from misuse. Many privacy regulations exempt encrypted file exfiltration from breach reporting or significantly reduce any fines. It all negates one of the worst risks related to today’s ransomware threats – exploitation of exfiltrated data.
Apply Access Control
User verification is enforced each time the file is accessed and incorporates contextual information about the user and device to dynamically adapt to grant or deny access.
- User access to a sensitive document is automatically applied as part of the initial discovery process with presets that are centrally configured and provide flexible and practical settings. Individual users, departments, roles in the organization, and “all internal share” are examples of preset alternatives.
- Fasoo enables a range of other elements, including device identity, time of day, and geolocation to be assessed as part of its adaptive zero-trust access approach. This dynamic linking of multiple verification points ensures the highest degree of trust can be enforced for sensitive data.
While centralized control of document access is the default, the platform provides flexibility so that document owners can unilaterally change access, if business needs dictate. This allows those closest to the data to make security decisions without needing to involve security or IT. Continuous monitoring of user behavior reports such exceptions for line manager and compliance team inspection. Such analytics are also applied to continuous monitoring of device and location information.
Control over Data
Insider threats expose a major gap in many declared zero-trust solutions. Once a verified insider gains access to the file, it’s a free pass to use corporate sensitive data. Joiners and leavers in a transient workforce, work from home environments, and supply chain collaboration opens the door for inadvertent or malicious insider data breaches.
- True zero-trust requires control over usage as well as access. Forward, cut and paste, copy, print, and screen capture are examples of the many ways insiders can maliciously or unintentionally expose sensitive information to unauthorized parties.
- Usage controls must consider the sensitivity of the data, and the context in which it’s being used and enable a wide range of permissions, from restricting actions to watermarking files, to address insider threats.
Fasoo enables a comprehensive set of file permissions to control what authorized users can and can’t do with a document in use. Central pre-set policies can be implemented at the user, department, or organization-wide level as well as by role (all Directors) or project (M&A, Drug Approval).
Proactive control over data usage is essential to a true zero-trust approach.
Talk with us about how Fasoo Data Security will strengthen your zero-trust initiatives.