Data security and privacy sit at the heart of any zero trust strategy. Accelerated cloud migration and recent data breaches now make zero-trust implementations critical, yet many companies struggle to find a way to solve their challenges. Some companies take an operations approach, while others look to mitigate risk. However, to successfully implement zero trust architectures (ZTA), companies need to start by securing the data and content assets they want to protect. Centering a zero trust strategy on data and content enables a more robust approach to security.
You’ve Decided to Implement Zero Trust: Why Take a Data-Centric Approach?
A zero-trust security model is critical to data security. With workforce members connecting to corporate wireless networks or working remotely, securing access is the data security standard of the future.
Most discussions of zero trust center on networks, applications, and endpoints, all of which fundamentally seek to protect sensitive data. Consider the following goals:
- Zero Trust Architecture (ZTA): limit user and device access to sensitive data by applying the principle of least privilege
- Zero Trust Network Access (ZTNA): limit user and device access to applications containing sensitive data by requiring user authentication and endpoint security validation first
No matter what technologies organizations use for their zero trust strategies, the core goal is to protect data.
What is a Data-Centric Approach to Zero Trust?
When people discuss taking a data-centric approach to zero trust security, they often mean building an architecture rooted in data protection. Generally, this means understanding where sensitive data resides across cloud resources and networks.
As companies look to protect data from threats, especially with remote work now the norm, many focus on data security solutions like encryption or identity and access management (IAM).
While these can protect sensitive data from internal threats or cyberattacks, they may not be able to stop malware and ransomware attacks that compromise data. For example, according to the 2021 Cost of a Data Breach Report:
- $5.01 million: Business email compromise clocking in as the costliest data breach type
- $4.65 million: Phishing took second place for costliest data breach type
In both cases, the ZTA and ZTNA failed to prevent the breaches, even though they may have mitigated the impact.
What is Zero Trust Data Security?
Fundamentally, companies understand that zero trust means they should always assume that users and devices are already compromised. However, they need to take the same approach to data and implement zero trust data security (alternatively, zero trust content security).
Data and content can be compromised in various ways. For example, every file transmitted contains metadata about:
- Content: including title, author, publication date, subject
- Components: versions, relationships, file format
- Technical aspects: decoding and rendering, preservation for long-term archiving, usage rights
Files can be composed of hundreds or even thousands of individual elements that can be compromised by malware, and most users never realize that this information exists in a file. For example, malicious actors can hide malware in macros, like those found in an Excel spreadsheet.
Organizations building a zero-trust data security strategy need to apply the same assumed compromise approach to files and data that they apply to users and devices. Cybercriminals can compromise data at various points, including:
- Hiding malware in password-protected or other “unscannable” files
- Malicious links and downloads in phishing emails
- Drive-by downloads from malicious sites on the internet
- File transfers between applications
How Zero Trust Data and Content Sets Your Security Strategy Up for Success
Many companies use anti-virus solutions to prevent malware and ransomware from infecting their systems and networks. Anti-virus is an important endpoint security tool, but it usually relies on using known malware signatures to detect abnormal software. As malicious actors continue to evolve their methodologies, using known signatures only offers partial protection, even with artificial intelligence (AI) to help predict future variants.
To protect themselves from ransomware and malware attacks, companies need to incorporate zero-trust data strategies to ensure continuous protection across their environments.
Remote workforce users and devices
By assuming content has already been compromised, organizations put protections in place that can limit the impact remote work has on data breach risk. Preventing end users from downloading malicious files often comes at the price of productivity. Users need to access data and content, and they need it quickly. Protecting email comes with the same problem when companies quarantine potentially risky messages.
When a company takes a zero trust data security approach and assumes all files have already been compromised, it can mitigate these risks. Traditionally, companies use file sanitization tools, but those can lead to other problems if a sub-standard tool is used. For example, file sanitization tools may, instead of removing the malicious aspects, simply remove all active content and known malware, then rebuild the file. This can lead to:
- False positives
- Removal of critical elements
- Malware left behind
In other words, they fail to apply a true zero trust data security model to files.
Uploading data and content through web portals has become the norm for all users, including employees, third-party contractors, and customers. Malicious actors know this, often using files as a way to attack these portals. For example, companies may ask their employees to upload a health form or ask a contractor to upload a work product. Since these files may have been compromised on the original device, they can act as a threat vector.
By assuming the files have been compromised prior to upload, companies take the needed precautions to reduce risk. Taking a zero trust data security approach to file uploads means only allowing clean, secure files to be transferred through portals or other cloud resources. This eliminates the security risks that end users can transfer from their devices to the organization’s applications, systems, and networks.
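As an added illustration of the upload check described above (not code from the original article or from any vendor), the following Python example treats every uploaded .xlsx as untrusted and admits it only when every package part is on an allowlist, flagging macro parts and "unscannable" containers. The allowlist, the function names and the sample bytes are assumptions constructed for this example.

```python
import io
import zipfile

# OLE compound-file magic: legacy Office files and password-encrypted OOXML use this container.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Assumption: a deliberately small allowlist of .xlsx package parts for this example.
ALLOWED_NAMES = {"[Content_Types].xml", "xl/workbook.xml", "xl/styles.xml", "xl/sharedStrings.xml"}
ALLOWED_PREFIXES = ("_rels/", "docProps/", "xl/_rels/", "xl/worksheets/", "xl/theme/")
ALLOWED_SUFFIXES = (".xml", ".rels")


def inspect_upload(data: bytes) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is 'allow', 'reject' or 'unscannable'."""
    if data.startswith(OLE_MAGIC):
        return "unscannable", ["OLE container: legacy or password-encrypted Office file"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "unscannable", ["not a readable OOXML (zip) package"]
    reasons = []
    with archive:
        for info in archive.infolist():
            name = info.filename
            if info.flag_bits & 0x1:  # zip "encrypted" flag: content cannot be inspected
                return "unscannable", [f"encrypted zip member: {name}"]
            allowed = name in ALLOWED_NAMES or (
                name.startswith(ALLOWED_PREFIXES) and name.endswith(ALLOWED_SUFFIXES))
            if not allowed:  # e.g. xl/vbaProject.bin (VBA macros), embedded objects
                reasons.append(f"part not on allowlist: {name}")
    return ("reject", reasons) if reasons else ("allow", [])


def build_package(parts: dict[str, bytes]) -> bytes:
    """Build an in-memory zip package from constructed sample parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        for name, body in parts.items():
            package.writestr(name, body)
    return buf.getvalue()


# Constructed samples (not real documents): a clean workbook, one with a macro part, one encrypted.
BASE = {"[Content_Types].xml": b"<Types/>", "_rels/.rels": b"<Relationships/>",
        "xl/workbook.xml": b"<workbook/>", "xl/worksheets/sheet1.xml": b"<worksheet/>"}
CLEAN = build_package(BASE)
WITH_MACRO = build_package({**BASE, "xl/vbaProject.bin": b"constructed placeholder"})
ENCRYPTED = OLE_MAGIC + b"\x00" * 32

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("macro", WITH_MACRO), ("encrypted", ENCRYPTED)):
        print(label, inspect_upload(sample))
```

Files that come back "unscannable" are held rather than passed through, which matches the assumed-compromise stance: a file that cannot be inspected is not treated as clean.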
Application-to-application file transfers
Assuming data has already been compromised includes transfers at the application level. Malicious actors know that Application Programming Interfaces (APIs) can be weak points in a company’s zero trust strategy. This means that they can compromise the data and content as it transfers from one application to another. Further, they might compromise content in one application, then, when it transfers to the next, it brings the malware with it.
When organizations build zero trust data security strategies, they mitigate these risks. By assuming data and content are already compromised, organizations can put controls in place that allow only safe elements to transfer across applications. This way, they no longer need to worry that files compromised in one place will spread malware to other systems, networks, or applications.
Votiro: Zero Trust Content Security that Protects Data from Malware, Ransomware, and Zero Day Threats
Unlike file sanitization solutions that strip good elements along with malicious elements from files, Votiro’s cloud-native API technology seeks out only the safe elements. We review files for their known-good, safe elements, then rebuild the file using only these confirmed good parts. In doing this, malware is left behind and productivity is not impacted, since we don’t remove business-critical elements.
As an agentless solution, Votiro never needs to be installed on a device. Additionally, our SaaS model means that customers never need to worry about maintenance or updates, eliminating the management issues that come from remote work and employee devices.
Our API-centric solution can be easily integrated into an organization’s existing services, giving companies a way to apply zero trust data security principles to all file transfer processes, including application-to-application.
As companies increasingly look to adopt zero trust architectures, they also need to ensure that they incorporate zero trust principles at the file level to secure data and content.