If Mugatu (of Zoolander fame) were a technology guy, you know what he’d likely say about Zero Trust?
Probably something along these lines.
That’s because Zero Trust is indeed hot right now – but perhaps for better reasons than Hansel in the classic Ben Stiller comedy.
Zero Trust is, rather, popular for all the right reasons.
It doesn’t innately trust any user or application until verified by multi-factor authentication (MFA). It also doesn’t require much CapEx to get off the ground.
And, maybe most importantly, it has been shown to be effective in minimizing data breaches perpetrated by bad actors both inside and outside an organization – something that traditional “castle-and-moat” IT security approaches haven’t dealt with particularly well.
That’s important, because according to a 2019 survey, 90 percent of companies say they are vulnerable to insider attacks.
And while that sounds bad, the coronavirus pandemic and subsequent rush to work from home has no doubt made things worse.
A July 2020 survey indicated that 91 per cent of businesses reported an uptick in cyber threats due to large-scale remote work in the first half of the year.
Security Magazine reported that spear-phishing attacks rose by 667 per cent from February to March 2020.
In short, Zero Trust is hot for some very good reasons.
But what exactly is it?
What’s behind Zero Trust?
The essence of Zero Trust is just what it sounds like: not to trust any entity, not even an employee or a company document, even after that entity has passed through the company’s network perimeter.
That’s not to say that employees are untrustworthy, says Zero Trust creator John Kindervag.
It’s simply that “There are no trusted devices, systems, or people,” he says. “This doesn’t mean that people are fundamentally untrustworthy; it means that they generate data packets which appear to be coming from them – and sometimes it isn’t them.”
Sage words – and, for precisely this reason, Zero Trust networks are segmented into batches of smaller perimeters (rather than just one big one), each with strict authentication measures.
That means if someone does breach a network perimeter they’re not able to roam around your system undetected. It also means they can’t freely access all your sensitive data.
Many of the world’s worst data breaches didn’t happen over one or two days – the American Medical Collection Agency (AMCA) data breach, which affected more than 20 million patients, lasted for eight months and was only discovered thanks to an 8-K filing by the U.S. Securities and Exchange Commission.
That kind of long-term, ultra-damaging breach can’t (or is far less likely to) happen when organizations deploy a Zero Trust architecture – which, as we mentioned earlier, doesn’t require a lot of money to get going.
Most companies can use their existing security stacks, more or less, and creating a Zero Trust environment doesn’t require any new hardware or infrastructure.
Rather, it’s a new way of thinking about data. It’s also a new way of rearchitecting and redesigning networks using next-generation processes like MFA, stringent network access policies, microsegmentation, and least privilege permissions so users, partners, and apps can only access the data they need to do their jobs.
As many organizations have discovered, Zero Trust is also a good way to stay compliant with a multitude of data privacy laws, from GDPR to CCPA to POPIA.
Titus: Providing crucial context in the age of (too much) data
Forrester says Zero Trust compliance rests on two main pillars: Strong identity and access management, and a mature data identification and classification framework.
That means that to implement a true Zero Trust framework, organizations need to know everything about their sensitive data (including personally identifiable information, payment card information, intellectual property and other sensitive data types): When it’s created and by whom, where it’s stored, how and with whom it can be shared, and so forth.
Increasing data velocities and volumes, however, have made that job much more difficult than even just a few years ago.
According to a 2019 survey, data volumes for organizations are growing at a rate of 63 per cent per month (with around one in ten reporting 100-per-cent-plus month-over-month data growth).
New data types, such as streaming or internet of things (IoT), along with the steady growth of unstructured data such as emails, instant messages, photos or videos, just make the problem worse.
So it’s not surprising that many organizations struggle with real-time data identification, classification and protection of sensitive information both at rest and at creation.
Titus data identification and data classification software, however, can help.
It uses machine learning and intuitive processes that integrate with day-to-day workflows to identify, classify and then provide critical context around all your data.
It’s this data context that connects every other part of the Zero Trust ecosystem, from identity management, to firewalls, to security automation and orchestration, device security, workload security, and threat analysis.
Persistent classification metadata applied to documents and emails can be leveraged by your entire downstream security stack, and a flexible, totally customizable policy engine means companies aren’t bound by data classification parameters outside their control.
Titus also integrates seamlessly with other security tools, allowing you to proactively define all your structured or unstructured data the moment it’s created – or scan your growing amounts of at-rest data in on-premises and cloud storage.
It’s this data context that acts as the tie that binds the rest of your Zero Trust ecosystem, providing a strong foundation for the implementation of a Zero Trust framework.