Zero Trust Data Protection applies zero trust security principles to data access and, critically, to data usage once access is granted. It is a fundamental building block of zero trust data security, ensuring that sensitive data access is always authorized, tightly controlled, and continuously monitored. Zero Trust Security is a cybersecurity model that eliminates the implicit trust found in traditional security models. At its core, it follows the principle of “never trust, always verify.” Under a zero trust security model, an organization’s cybersecurity framework never assumes that a user or application is authorized to access a network, resources, or data, and, once access to a resource is authorized, never assumes that the user may do anything they want with it. Instead, a zero trust data protection approach authenticates every request at the time it is made and enforces least-privileged access—granting only the minimum level of access required. This principle is central to Data Access Security, which focuses on verifying every access attempt.
This approach prevents a malicious actor from subverting one control and then leveraging that access to move laterally across networks, resources, or data. It also prevents malicious actors from compromising the credentials of a peripheral user of protected data and using those credentials to change, delete, or download that data when the user doesn’t require that level of access. The zero trust security model can be applied across multiple domains, including Zero Trust Architecture (ZTA) for internal systems, Zero Trust Network Access (ZTNA) for network access, and Zero Trust Data Protection, which governs how protected data is accessed and used.
How Zero Trust Security Enables Zero Trust Data Protection
Zero Trust Data Protection can be applied to both structured and unstructured data, both for data at rest in a database or in a protected file store, as well as for data on the move, when such data is being accessed over the network or being shared as attachments. Whatever the context, zero trust data security requires that any access to or use of data is authenticated at the time of access and governed by least-privileged access. This ensures strong data access security across both structured and unstructured data as part of a zero trust security strategy.
By applying zero trust security principles to data access and use, zero trust data protection provides a data-centric approach to protecting an organization’s data. Instead of focusing on protecting access to a network or to physical resources, a data-centric security (DCS) approach focuses on protecting access to the data itself. Therefore, data access and use policies are centered around what data is being accessed. Appropriate policies are applied based on attributes of the data being accessed, the user who is requesting access, and the environment (see our post on Attribute-Based Access Control, or ABAC, for more information on how this can be done). These policies remain in effect whenever and however the data is being accessed, whether it is at rest on a local system or in a database or being shared and on the move. Zero trust data security ensures that each time a user requests access to data, the request is authenticated and only the minimum required entitlements are granted.
How Can Organizations Implement Zero Trust Data Protection and Zero Trust Data Security?
Zero Trust Data Protection requires that data is secure by default, and access is only granted when sufficient conditions are met. The following principles should be followed when implementing zero trust data security as part of a zero trust security strategy:
- Apply data access security policies at the most granular level possible – By defining data access policies that grant access to data at the most granular level possible, access can follow the principle of least privilege, granting no more access or entitlements than are absolutely necessary.
- Enforce Data Access Security policies everywhere – Data access policies should be defined to protect access and entitlements to all structured and unstructured data, regardless of whether that data is at rest or in motion, inside an organization’s network, or outside the network.
- Enforce policies for all access types – Data access requests can come from many sources, such as users who are accessing the data directly or applications that are requesting access to resources and data. Data access policies should be aware of the context around the origins of the data access request, and grant access and entitlements accordingly. For instance, programmatic access to data may be more limited than manual access to the same data.
- Automate policy enforcement and logging – Data access policy evaluation and enforcement should be as automated as possible and all data access requests, whether granted or denied, should be logged for later auditing and analysis. This significantly reduces the time and cost requirements of policy development and maintenance, as well as the effort to identify any potential malicious activity to support continuous monitoring and auditing within a zero trust security model.
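The attribute-based decision described above (data, user and environment attributes; least-privilege entitlements; programmatic access more limited than interactive access; every decision logged) as a small policy decision point. This is an added illustration, not NextLabs code; the classification ladder, the `channel`/`network` attributes and the `read`/`edit`/`download` entitlement names are assumptions, and the audit store is an in-memory list standing in for a real log.

```python
from dataclasses import dataclass

# Every decision, granted or denied, is recorded here for later audit (constructed in-memory store).
AUDIT: list[dict] = []

# Assumed classification ladder; a higher number means more sensitive data.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

@dataclass
class Request:
    user: dict      # subject attributes: id, authenticated, clearance, department
    data: dict      # resource attributes: id, classification, owner_dept
    env: dict       # environment attributes: channel ("interactive"/"api"), network
    requested: set  # entitlements the caller asked for: read / edit / download

def _record(req: Request, granted: set, reason: str) -> set:
    """Log the outcome of every request, whether granted, trimmed or denied."""
    AUDIT.append({"user": req.user.get("id"), "data": req.data.get("id"),
                  "requested": sorted(req.requested), "granted": sorted(granted),
                  "reason": reason})
    return granted

def decide(req: Request) -> set:
    """Return the least-privilege subset of the requested entitlements; deny by default."""
    # Authenticate at the time of the request: no trust carried over from an earlier session.
    if not req.user.get("authenticated"):
        return _record(req, set(), "not authenticated")
    # Data attribute check: clearance must meet the classification; unknown classification is treated as most sensitive.
    need = LEVELS.get(req.data.get("classification"), max(LEVELS.values()) + 1)
    if LEVELS.get(req.user.get("clearance"), -1) < need:
        return _record(req, set(), "clearance below classification")
    allowed = {"read"}  # baseline entitlement once data and user attributes match
    # Edit only for the department that owns the data.
    if req.user.get("department") == req.data.get("owner_dept"):
        allowed.add("edit")
        # Download (bulk export) only from an interactive session on the corporate network;
        # programmatic (API) access to the same data is deliberately more limited.
        if req.env.get("channel") == "interactive" and req.env.get("network") == "corporate":
            allowed.add("download")
    granted = req.requested & allowed
    reason = "granted" if granted == req.requested else "trimmed to least privilege"
    return _record(req, granted, reason)

if __name__ == "__main__":
    analyst = {"id": "u1", "authenticated": True, "clearance": "confidential", "department": "finance"}
    ledger = {"id": "ledger.xlsx", "classification": "confidential", "owner_dept": "finance"}
    print(decide(Request(analyst, ledger, {"channel": "interactive", "network": "corporate"}, {"read", "download"})))
    print(decide(Request(analyst, ledger, {"channel": "api", "network": "corporate"}, {"read", "download"})))
    print(AUDIT)
```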
For more information on NextLabs and zero trust security, check out the following resources: