By now, you’ve heard of the phrase zero trust (ZT) or zero trust architecture (ZTA). In August 2020, the National Institute of Standards and Technology (NIST) provided general deployment models and use cases where ZT could improve an enterprise’s overall information technology security posture. In May 2021, the Biden administration released the Executive Order on Improving the Nation’s Cybersecurity (EO 14028). The EO requires federal government agencies to make advancements towards ZTA and to develop a plan to implement ZTA. In, January 2022, the Office of Management and Budget (OMB) Memorandum set forth the ZTA strategy for the United States government which requires agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year 2024.
As a result of the importance placed on ZT at the highest levels, Chief Information Security Officers (CISOs), cybersecurity experts, security operations analysts and security team members have likely been involved in several discussions about how to either align their current security practices with ZT principles or how to create a strategy that will enable ZTA. While there are many organizations with mature security programs that have been exploring ZT for a few years now, due to the growing adoption of cloud services and the increase in hybrid and fully remote work model, there exists a heightened awareness of the need to assess current security practices, develop a ZT strategy and implement ZTA.
What is Zero Trust
According to the National Institute of Standards and Technology (NIST), Special Publication 800-207, the following is an operative definition of zero trust and zero trust architecture: Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.
Forrester defines ZT as an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. All entities are untrusted by default, least privilege access is enforced, and comprehensive security monitoring is implemented. The Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model, Version 2.0, is one of many roadmaps that agencies can reference as they transition towards ZTA. The maturity model includes five pillars (Identity, Devices, Networks, Applications and Workloads and Data) and three cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, and Governance) based on the foundations of ZT.
What is Data Loss Prevention
There are many data loss prevention definitions and descriptions. Gartner describes data loss prevention (DLP) as a set of technologies and inspection techniques used to classify information content contained within an object — such as a file, email, packet, application or data store — while at rest (in storage), in use (during an operation) or in transit (across a network). DLP tools also have the ability to dynamically apply a policy — such as log, report, classify, relocate, tag and encrypt — and/or apply enterprise data rights management protections. NIST describes data loss as the exposure of proprietary, sensitive, or classified information through either data theft or data leakage. A strong DLP strategy mitigates the risk of data loss.
What You Need to Know About Zero Trust and Data Loss Prevention
Foundationally, it’s fairly easy to connect the dots between ZT principles and the concept of data loss prevention because, at a high level, both require continuous monitoring to mitigate security risks. ZT principles include the need for per-access-request decision making and a DLP solution must continuously monitor for loss of sensitive data. As a result, comprehensive security monitoring is required for both ZTA and DLP. Challenges arise, however, when organizations attempt to implement ZTA without deploying modern DLP tools. For example, it’s not uncommon to hear security professionals make the following complaints about traditional DLP solutions:
- Many resources are required to implement and maintain DLP tools and the effort is costly
- Responding to numerous false positives drain already thinly stretched security teams and result in burnout and block normal activity which can make life painful administrators and end users
- The traditional DLP tools are less effective due to cloud adoption, the proliferation of Software-as-a-Service (SaaS) applications, and hybrid and remote work models
The complaints are legitimate. In fact, before the ubiquity of cloud platforms and hybrid work, monitoring end user access to sensitive information was done with an on premises data loss prevention tool.
Conclusion
Organizations working to implement ZTA will need to assess their current security tools and explore identify the gaps that may prevent them from moving toward ZTA. This assessment may result in the need to explore modern tools that align with ZT principles. One important tool to explore is a modern DLP solution. This solution will help ensure that the most sensitive data – the organization’s crown jewels – are protected from theft or leakage.
Ambler is an attorney with an extensive background in corporate governance, regulatory compliance, and privacy law. She currently consults on governance, risk and compliance, enterprise data management, and data privacy and security matters in Washington, DC. She also writes with Bora Design about today’s most important cybersecurity and regulatory compliance issues.
