Zero Trust is a buzzword that was coined by the cybersecurity industry FOR the cybersecurity industry, argues this expert.

Recently, I was posed the question: “Where’s the safest place to store data and how do you protect that data?”

This is a very pertinent question … given the way 2020 is going, many organizations are having to make access to their data as flexible as possible to cater for a world in which there is no longer a ‘normal’.

Just as some societies were hoping to “‘return to normal” after lockdown relaxations, various factors forced fresh rounds of restrictions. So, to best cater for business continuity, and assuming that the data in question has undergone assessment and classification for risk and confidentiality, then data should be prepared to be stored wherever it takes to maximize accessibility.

Compensating for accessibility

The thought of data having to be stored anywhere to maximize accessibility made me think about the question again: what is the safest place to store data? A risk-based approach to business continuity demands a balance of convenience and security, but it is understandable that in our current era of unpredictability that convenience may often take precedence over security … meaning that security policies and controls have to compensate for data being available anywhere.

What do I mean by “compensate”’? Some of the fixed terms of reference that we used to be able to use in security models may no longer be available:

  • With people increasingly working in decentralized and somewhat random locations, your data is travelling farther and wider than ever before, and being edited in places you may have never even heard of. Location is no longer a consistent reference for security models, where business continuity demands that people and data should be able to operate from anywhere.
  • Organizations could previously depend on data being accessed only from a predictable set of devices, but not everyone was handed a corporate asset by their employer when deserting centralized locations to work remotely. With BYOD (bring your own device) a specter that many organizations are being forced to face, a fixed set of devices is also no longer a realistic reference for security models.

This leaves people as a factor you CAN trust… and I would rather encourage ‘trust’ than ‘zero trust’. Why? Because the definition of ‘zero trust’ seems to have taken on a life of its own depending on who you talk to. Worse, it is a buzzword that was coined by the cybersecurity industry FOR the cybersecurity industry. So, when discussing the best way to protect data with the owners of the data—and the owners of the budget for such a project—the term ‘zero trust’ cannot be expected to be clearly understood.

Let us talk about trust

Cybersecurity must not forget what is being protected – people, and their ability to continue operations no matter where they are… not just protect data for the sake of protecting data.

In order to continue operations and transactions, people interact with people that they trust: it is how mercantile commerce has worked for thousands of years. This correlation of trust and economics was summed up by political economist Francis Fukuyama: “One of the most important lessons we can learn from an examination of economic life is that a nation’s well-being, as well as its ability to compete, is conditioned by a single pervasive cultural characteristic: the level of trust inherent in the society.”

That is why protection of data starts with people you trust. Start with what you already know: the ‘known good’, not the ‘unknown bad’—and then determine the varying degrees of trust per person, or ideally per group of people.

“What about insider threats?” I hear some say. Great question. But if we trusted someone enough to hire them in the first place, then they need to be afforded the tools to do their job. Hence, we trust, but verify—as highlighted in Australia’s Essential Eight cybersecurity framework with references to re-validating privileged rights.

Everyone should have privileges

Yes, privileged rights. We started this article on potential safe places for data, but instead of asking “where is safe?”, the REAL question we should be asking ourselves is “who do we trust—and how much do we trust them?”

If only some people, whether they are internal staff or trusted external parties, are permitted to access data or an application, and other people cannot, that is privilege right there. This is where I feel that managing privilege is not well understood … It is about what data a person can possibly access, or actions a person can perform: privilege is not just about the account that unlocks access to said data or elevated actions.

Data also comes in several shapes: it is a privilege for someone to view and manipulate personal information in a marketing database; it is a privilege for someone to access R&D details; it is a privilege for someone to access financial data in accounting systems; it is a privilege for someone to manage content on social media feeds. EVERY person should be treated as a privileged user, in some form or another.

So, no matter the form of data, protect access to data wherever and however it resides with a privilege management suite. That lets the same people you know and trust to do the same job, ideally with the toolset they are already familiar with.

This gives you a centralized tool to define which people (both internal and external) are mapped to which resources and data sources, challenge people to prove who they are with multiple factors of authentication, and then broker sessions to authorized resources.

To round out the trifecta of authentication, authorization and accounting (AAA), a privilege management suite is a centralized tool to report on the behavior of, and relationship between, people and the specific resources and data they are accessing, for re-validation or revocation of further access. Trust, but verify … a concept everybody can understand and build from.