Confused about Zero Trust? Who isn’t.
Forrester Research, the creator of the Zero Trust Model more than a decade ago, looks to clear up the matter. Marketing hype has co-opted the term, creating confusion and misunderstanding about the actual definition of Zero Trust, and driving skepticism about its practical, real-world implementation.
In its report The Definition of Modern Zero Trust, Forrester recounts the evolution of Zero Trust from 2009’s focus on network segmentation to today’s view that “data protection is the heart of Zero Trust”. The report provides a clear, concise definition of Zero Trust so security teams can cut through the noise to define what Zero Trust is, what it’s not, and what you can do to implement Zero Trust in your organization.
So, what can security teams take away from the report to guide their 2023 Zero Trust journey? Here are a few highlights.
From Network to Data
Make data protection a 2023 Zero Trust priority.
It’s no longer about the network, but more about data. Forrester goes so far as to state “data protection is the heart of Zero Trust.”
Data is often the real value of businesses today. By focusing on data and its movement across the digital ecosystem, Forrester creates an extended Zero Trust framework.
Data intersects with all other pillars of the Zero Trust Model – network, workloads, applications, and people. Building a framework to implement Zero Trust around data covers a broad range of use cases and makes sense in today’s hybrid workplace.
Network security is typically in the background and invisible to users. As the focus moves from networks to data, it’s important to present as little friction as possible, so that security is an easy choice for users.
Fasoo’s methods for safeguarding sensitive files enforce encryption, control over data-in-use, and access management, all implemented at the file. It doesn’t rely on security being in place at every cloud location, endpoint, or third party to implement Zero Trust principles, a key to Zero Trust data protection in today’s hybrid workplace.
Learn more about protecting sensitive files with Fasoo.
Align to Business Drivers
Focus on tactical challenges
Past Zero Trust programs often lacked clear business benefits and were too often developed around Zero Trust concepts rather than present-day challenges.
The hybrid workforce and moving to the cloud are key candidates for introducing Zero Trust into sensitive file protection. Forrester notes compliance as a “secret weapon” to get organizations moving. Insider and supply chain risk, cloud misconfiguration, and external threats are all in play for this dataset that’s growing exponentially.
Look to incrementally implement Zero Trust principles in tactical initiatives of immediate relevance to the business. Buy-in with well-understood drivers and outcomes will get your organization on the right path to Zero Trust.
Refresh of Key Principles
Implement these updated principles in your data protection initiatives
As attacks have evolved, so have Forrester’s published principles for Zero Trust initiatives.
Principle 1. All entities are untrusted by default and access for every session is continuously reviewed and informed by context. Often this context can be the posture of a device, type of workload, attributes around identity, and more.
Principle 2. Least privilege access is enforced. Users, applications, and other computing infrastructure must utilize the bare minimum access needed to perform their function.
Principle 3. Comprehensive security monitoring is implemented. Understand how users operate and assets communicate. Pair this visibility with the tools, processes, and controls required to stop, remediate, and surgically remove or isolate detected threats.
Learn more about Fasoo’s approach to these key Zero Trust principles.
Scope your Zero Trust Data Initiative
Narrow focus for early Zero Trust Wins
Data protection encompasses a broad array of use cases and disparate technologies. Teams should narrow initiatives and look for high pay-off returns that bring Zero Trust principles to enhance current solutions.
Structured databases got early attention as network micro-segmentation tightened access to stop the lateral movement of threat actors. Look for tokenization and format-preserving encryption projects as next step Zero Trust initiatives in this segment.
Attention is now turning from structured to unstructured data risk as sensitive files are created, accessed, shared, and stored across the hybrid workplace, often with little visibility and control. Traditional solutions failed to scale, and data is mostly monitored rather than protected.
Avoid Rip and Replace Initiatives
Enhance data protection by building on existing solutions
Security teams today are adjusting their thinking about Zero Trust as new reference architectures, like NIST and CISA, present Zero Trust as a journey. The transition to Zero Trust is a strategic, multi-year process and is unique to each organization based on its enterprise architecture and risk evaluations.
It’s important that Zero Trust initiatives meet your organization where you are today. Most organizations have in place some form of data loss protection solutions and are already following a subset of Zero Trust principles.
High pay-off Zero Trust enhancements include control over data in use and self-governing files that carry protection and compliance wherever they travel. Capabilities that deliver deep visibility and universal logging of data usage are even more critical today to provide the rich context necessary to inform explicit access decisions.
Read the Forrester report to gain a more in-depth perspective and keep these highlighted guardrails in mind while advancing your 2023 initiatives and Zero Trust Architecture.
Learn how one CISO used a quick-take playbook to get going with Zero Trust Data Security.