Missing the Forest for the Trees: The Data Pillar Approach to Zero Trust

The technology community has been chasing new approaches to cybersecurity in an attempt to stem the continuing wave of attacks against every market segment.  The traditional approach of trying to protect networks through a series of firewalls has failed.  The explosion of devices, cloud storage and cloud applications has blurred the definition of a network to the point where it is difficult to determine where a network starts and stops.  A daily review of successful ransomware attacks and data breaches shows how this approach has failed.

From this failure has grown a new approach, Zero Trust and Zero Trust Architectures (ZTA).  As stated in the National Institute of Standards and Technology (NIST) Special Publication 800-207:

Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.

Federal and commercial organizations have begun to pursue ZTA utilizing a broad range of approaches described in both government and commercial books and papers.  The core component of ZTA is the assumption that the attacker is already in the network and that no item can be trusted without validation.  It is not a single approach, but a set of guiding principles that can improve the security posture of an organization.

There is, however, a major issue in how zero trust is being pursued.  The focus is on improving network and identity access.  The idea is that by limiting how the attacker gets in and moves around the network, their ability to compromise the environment will be blocked.  This is done through the calculation of a trust rating or score for users and systems in the environment.

What is the issue with this approach?  You can’t determine who and what should access different systems and services if you do not have a detailed understanding of the underlying data that is being stored, transmitted, analyzed, displayed and consumed.  The routers, switches, laptops, applications and devices are the trees; the data is the forest.

Evolver proposes a different method of pursuing zero trust.  Start with data, and then move to the other elements of ZTA.  Our Data Pillar First approach is described in the following paper.

In the End, It Comes Down to the Data

There have been a number of publications and papers written on ZTA.  One of the critical documents is the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model.  This document aligns with the White House Executive Order M-22-09, titled Moving the U.S. Government Toward Zero Trust Principles, issued in January 2022.  In the CISA Maturity Model, ZT is broken into five Pillars as shown below.

Discussions with many organizations have shown that most are approaching ZT starting from the Identity Pillar and working toward the Data Pillar.  This matches the traditional approach to information security: secure the environment first, then place data and applications on that network.  Evolver proposes a very different approach: start with the Data Pillar.

As stated in the NIST 800-207 document mentioned above, ZT is changing from a static network approach to a focus on users, assets and resources.  In the end, the assets and resources are data.  To be clear, Evolver is talking about data in all contexts, from databases to files to configurations of applications.  Data is everything from user profiles and data stores to application files and logs.  In the end, the objective of cybersecurity is protecting this data from attackers.

Moving Security Closer to the Data – Architecture, Access and Encryption

Evolver’s approach to ZTA is based on moving security closer to the data and, in many cases, embedding the security into the data.  This method builds on the concepts developed in the 2020 paper by Chip Block and Michael Conlin titled Toward a Data Aware Cybersecurity Strategy.  That paper presented numerous strategies for securing data across constantly changing environments that include cloud, mobile and remote users.  Evolver takes those concepts and employs new technologies to achieve these objectives.

The approach to moving security closer to data includes items such as where and how data is stored, how data is tagged, how long data exists, who can and cannot view, change or delete data, and who owns data.  These concepts go much further than the actions listed under the CISA pillar description, but they are essential to ZTA success.

Enabling The Other Pillars

So why the Data Pillar First approach?  Almost all of the ZT documents, from NIST to the O’Reilly book “Zero Trust Networks” by Evan Gilman and Doug Barth, describe the concept of a trust score that is used to determine what actions are, or are not, allowed in the environment.  For this concept to work, there has to be an understanding of what data is being protected.  Evolver’s Data Pillar First approach provides this critical information up front so that the other pillars can operate effectively.  For example, by understanding the data environment, the proper identity attributes can be determined at the proper fidelity to make sure the right people have the right access to information.  All of the ZT capabilities are enhanced by a solid data security approach.
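To make that dependency concrete, here is a small policy check written for this article as an added example (it is not Evolver’s product, nor code from NIST, CISA or the O’Reilly book): the data tags discussed above (classification, owner, retention) decide which identity attribute and what minimum trust score a view, change or delete request requires. The class names, tag values and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class DataAsset:
    name: str
    classification: str   # data tag: "public", "internal" or "confidential"
    owner: str            # accountable data owner
    retention_days: int   # how long the data is supposed to exist
    age_days: int         # current age of the asset

@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str        # identity attribute on the same scale as the data tag
    trust_score: int      # 0-100, produced by the identity/device pillars

RANK = {"public": 0, "internal": 1, "confidential": 2}

# Minimum trust score per data tag and action (assumed values). The required
# fidelity of the identity decision follows from the data tag, not the reverse.
MIN_TRUST = {
    "public":       {"view": 0,  "change": 40, "delete": 60},
    "internal":     {"view": 30, "change": 60, "delete": 80},
    "confidential": {"view": 70, "change": 85, "delete": 95},
}

def decide(subject: Subject, asset: DataAsset, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a view/change/delete request on the asset."""
    # Retention: data past its lifetime is only reachable for an owner purge.
    if asset.age_days > asset.retention_days:
        if action == "delete" and subject.user == asset.owner:
            return True, "retention expired; owner purge permitted"
        return False, "retention expired; asset must be purged, not used"
    if RANK.get(subject.clearance, -1) < RANK[asset.classification]:
        return False, "clearance below data classification"
    # Ownership: only the owner may change or delete confidential data.
    if asset.classification == "confidential" and action != "view" and subject.user != asset.owner:
        return False, "only the data owner may modify confidential data"
    needed = MIN_TRUST[asset.classification][action]
    if subject.trust_score < needed:
        return False, f"trust score {subject.trust_score} below required {needed}"
    return True, f"allowed (trust {subject.trust_score} >= {needed})"

# Constructed sample assets and subjects for a stand-alone run.
PAYROLL = DataAsset("payroll.db", "confidential", "hr_lead", retention_days=365, age_days=120)
OLD_LOG = DataAsset("app-2021.log", "internal", "ops", retention_days=90, age_days=400)
ANALYST = Subject("analyst", "confidential", trust_score=75)
HR_LEAD = Subject("hr_lead", "confidential", trust_score=90)
```

Note that the same subject (the analyst) is allowed to view payroll data but not to change it, and that the stale log is refused even to a highly trusted reader: the data attributes, not the identity score alone, drive the outcome.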

You can contact our team to learn how Evolver provides cyber operations across entire organizations, including endpoint security, network security, application security, identity management and more.  You can also learn more about all of Evolver’s cybersecurity offerings on our services page.