Zero-Trust Networks and Data-Centric Security

It’s been nearly ten years since Forrester Research first published a paper recommending the "zero trust" model of information security. The time had come, the paper argued, to abandon the idea of an unbreakable network perimeter, and to deal with the reality that intruders will inevitably find their way into protected networks.

In the years since, the zero trust model has changed the way many organizations design and operate their networks. However, in order to live up to its full potential, zero trust architecture must be paired with a corresponding strategy for protecting the thing hackers are really after: sensitive data itself.

What’s inside those perimeters?

The zero trust model provides a clear framework for redesigning networks so that intruders can’t move around freely once they make it inside. By segmenting networks into smaller perimeters, using strong identity validation technology, and controlling access to network resources, organizations can limit the amount of sensitive data that’s available to unauthorized parties who get inside.

Zero trust says much less about how organizations should think about data that’s inside their segmented, access-controlled environments. Forrester recommends classifying data and building perimeters around data types with similar sensitivity levels. Those are good first steps, but classification on its own will not protect data from misuse when someone gets inside one of those network segments: a label tells a reader how a file should be handled, but it does nothing to stop a process or account that already has read access from copying the contents elsewhere.

To gain full control over its sensitive data and get maximum value from its investment in zero trust architecture, an organization needs to adopt data-centric security technology. Data-centric security makes zero trust architecture more effective, as well as addressing risks that continue to exist even in a well-designed zero trust environment.

The data-centric approach

The underlying concept of data-centric security is that files and database records need to be protected based on what they contain, rather than where they are located. This is compatible with—but distinct from—the zero trust concept that all network traffic should be treated as though it comes from an untrusted source.


In practical terms, data-centric security involves three ongoing processes:

  • Data discovery: scanning new and modified files to determine whether they contain sensitive data.
  • Data classification: applying visual labels and metadata to indicate a file’s contents and appropriate handling.
  • Data protection: using encryption, redaction, or other techniques to prevent inappropriate exposure of a file’s contents.
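The three processes above as one small pipeline, written as an added example for this article (it is not PKWARE's product code and is not taken from the original page). It runs over a few constructed sample files embedded inline: discovery uses a primary account number (PAN) pattern validated with the Luhn checksum plus a social security number pattern, classification turns the findings into a label and handling metadata, and protection redacts the matches in place (redaction rather than encryption, so the example needs only the standard library). The file names, the "Public"/"Restricted" labels and the HANDLING policy text are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample files standing in for a file share (not real data).
# The third file contains a 16-digit number that fails the Luhn check,
# which is the false-positive case discovery has to reject.
SAMPLE_FILES = {
    "finance/refund_q3.txt": "Refund to card 4111 1111 1111 1111 approved on 2019-08-02.\n",
    "hr/onboarding_notes.txt": "New hire SSN 123-45-6789, start date Monday.\n",
    "eng/release_notes.txt": "Build 4111 fixed ticket 1111-1111; tracking ref 4111 1111 1111 1112.\n",
}

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Assumed handling policy per data category (illustrative, not a vendor policy).
HANDLING = {
    "PAN": "PCI: encrypt at rest, mask in documents, no external sharing",
    "SSN": "PII: encrypt at rest, redact before sharing",
}


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int
    text: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def discover(text: str) -> list:
    """Step 1 (discovery): find sensitive content based on what it is, not where it sits."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("PAN", m.start(), m.end(), m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("SSN", m.start(), m.end(), m.group()))
    return sorted(findings, key=lambda f: f.start)


def classify(findings: list) -> dict:
    """Step 2 (classification): derive a label and handling metadata from the findings."""
    kinds = sorted({f.kind for f in findings})
    if not kinds:
        return {"label": "Public", "categories": [], "handling": []}
    return {"label": "Restricted", "categories": kinds,
            "handling": [HANDLING[k] for k in kinds]}


def protect(text: str, findings: list) -> str:
    """Step 3 (protection): redact in place. PANs keep the last four digits, SSNs are removed."""
    out = text
    # Replace right-to-left so earlier offsets stay valid after each substitution.
    for f in sorted(findings, key=lambda x: x.start, reverse=True):
        if f.kind == "PAN":
            replacement = "[PAN ending " + re.sub(r"[ -]", "", f.text)[-4:] + "]"
        else:
            replacement = "[SSN REDACTED]"
        out = out[:f.start] + replacement + out[f.end:]
    return out


def run_pipeline(files: dict) -> dict:
    """Run discovery, classification and protection over every file; return results by path."""
    results = {}
    for path, text in files.items():
        findings = discover(text)
        meta = classify(findings)
        results[path] = {**meta, "findings": findings, "protected": protect(text, findings)}
    return results


if __name__ == "__main__":
    for path, r in run_pipeline(SAMPLE_FILES).items():
        print(f"{path}: {r['label']} {r['categories']}")
        print("  " + r["protected"].strip())
```

In a real deployment the same three steps run continuously on file create and modify events, and the protection step would apply file-level encryption rather than redaction; the structure (detect by content, label, then enforce) is the point, and the Luhn filter is the kind of check that keeps discovery from flagging build numbers and tracking references as card data.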

When implemented correctly, data-centric security gives the organization control over sensitive data from the point of creation through the entire data lifecycle. Files containing sensitive information are detected when they are created or modified, and managed so that they remain in compliance with the organization’s security policies wherever they are stored or sent.

Data-centric security and zero trust

Without data-centric security in place, organizations will find it difficult or impossible to keep data segmented properly within a zero trust environment. Files will inevitably be mislabeled, saved in the wrong location, or left without appropriate protection, reducing the effectiveness of the organization’s network segmentation and granular access controls. Automation is what makes the approach workable at scale: relying on users to classify and protect files by hand is exactly how those mislabeled and unprotected files come to exist.

The data-centric approach also allows organizations to maintain control over sensitive data when it leaves the company network, through the use of persistent encryption. Transparent data encryption protects a disk or database at rest but decrypts automatically for any authorized process, so a copy exported from the protected server is plaintext. Persistent encryption is bound to the file itself and remains in force when the file is shared via email, stored in the cloud, or copied to another external location; only a holder of the key can read it, wherever it ends up.

PKWARE’s whitepaper, A Blueprint for Data-Centric Security, provides an overview of the key concepts and considerations involved in data-centric security, along with recommendations for designing and implementing an effective solution. To find out how PKWARE can help your organization meet its security goals, schedule a consultation with one of our experts today.