It Isn’t All About You – 5 Takeaways from Forrester’s “Zero Trust Approach” Report
Where can you find a good framework for designing and implementing data-centric security?

Forrester Research’s report, The Future of Data Security: a Zero Trust Approach, is a good place to start. The report outlines Forrester’s official Zero Trust Model and includes logical arguments for looking beyond traditional perimeter security. You need to realize that sensitive data is mobile, changing, and at risk both inside and outside your perimeter - so your security needs to focus on the data. Here are my 5 takeaways.

1. It isn’t all about you

“Almost every enterprise, from an online retailer to a hospital to a government agency, rarely works in isolation and can rarely confine data to within the four walls of the organization.”

Years of perimeter security efforts can lead security professionals to be inward focused. This model doesn’t work in a perimeter-less world. We need to share sensitive information with customers, partners, and contractors to make our business models work. Unless you are taking an approach that assumes data will leave your organization – and still needs protection beyond a non-disclosure agreement – you aren’t doing enough. You need to take steps to ensure your data is protected when it travels.

2. It’s not about your infrastructure either

“On average, 15% of employees are accessing sensitive data such as customer information, nonpublic financial data, intellectual property, and corporate strategy from devices other than work laptops and desktops. So it’s now far less important to focus on protecting individual devices the organization no longer owns, or attempting to lock down the devices that connect to the network, and far more important to protect the organization’s sensitive data regardless of device type or location.”

BYOD is a fact of life. Organizations can’t be responsible for managing (or controlling) users’ personal devices. What you can do, however, is ensure that sensitive data isn’t moved to those devices, or is encrypted when it is moved. Rules governing automatic encryption based on the data’s sensitivity are simple to manage. Better still, decryption can be restricted to the devices on which the decryption keys reside, where closer control is possible.

3. You need to know which data to protect, and where it is

“Defining the data simplifies its control. We break the problem of controlling and securing data down into three areas: 1) defining the data; 2) dissecting and analyzing the data; and 3) defending and protecting the data.”

This can seem like a formidable task, but it need not be. It’s also the foundation of a data-centric approach to security. Organizations require policies to classify data, and technology to do so automatically and continuously. A simple starting point is to classify data contextually, where data is classified based on the application or user creating the data (e.g., CAD files are automatically classified as sensitive data), or the storage location of the data. Classifying the data on the endpoint, continuously, is critical because…

4. The value of data isn’t static

“The classification of data (e.g., individual files, emails, database fields, etc.) can change as the value of the data changes over time.”

The sensitivity of information changes over time. A file containing credit card numbers should be classified as sensitive. If those numbers are deleted, the file’s classification should reflect this. Similarly, a Word document may not be sensitive, until those credit card numbers are copied into it. A data-centric approach provides the intelligence to understand the value of data as it is modified or used.

5. Trust isn’t static

“’Trust’ is continuously assessed through a risk-based analysis of all available information.”

This, I believe, is Forrester’s most important argument; trust is based on situational awareness. While organizations like to think of their users, contractors and partners as trustworthy, there are different levels of trust, depending on the circumstances. You may trust a class of users to access data inside your network, but not want them to move the data outside your network. You may want to allow users to have Internet access when viewing sensitive documents, but only through your VPN. In other words, trust has contextual parameters based on the user, the information, the location, and the action.
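Takeaways 4 and 5 together describe a mechanism: re-derive a file’s classification from its current content each time it changes, then decide what a user may do with it from the user class, the data class, the location and the action. The following is an added illustration of that loop, not code from the post or from Forrester; the card-number detector (a regex plus a Luhn check), the user classes and the policy rules are my own assumptions, and the sample documents are constructed.

```python
import re

# Assumption (mine, not the post's): a document is "sensitive" when it
# contains at least one Luhn-valid 13-16 digit card number, else "public".
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum, used to reject random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Takeaway 4: classification follows the *current* content, so the
    same function is re-run after every edit rather than stored once."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "sensitive"
    return "public"


def decide(user_class: str, text: str, location: str, action: str) -> bool:
    """Takeaway 5: trust is contextual. Hypothetical rules over user class
    ('employee' / 'contractor'), location ('inside' / 'vpn' / 'outside')
    and action ('view' / 'move_out'). Returns True when the action is allowed."""
    if classify(text) == "public":
        return True                         # nothing sensitive: no restriction
    if action == "move_out":
        return False                        # sensitive data never leaves unprotected
    if user_class == "employee":
        return location in ("inside", "vpn")   # on-net or via the VPN only
    if user_class == "contractor":
        return location == "inside"         # contractors: on-net only
    return False                            # unknown user class: deny


# Constructed sample: the same memo before and after card numbers are pasted in.
MEMO = "Quarterly notes. Meeting agenda for Monday."
MEMO_WITH_CARD = MEMO + " Card on file: 4111 1111 1111 1111."
```

Editing the memo flips `classify` from "public" to "sensitive", and `decide` then starts refusing the same user the same action outside the network.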

Forrester builds a strong argument that organizations need to focus on protecting sensitive data directly, wherever the data is located, rather than on building fortresses. Protection that travels with the data allows us to make and enforce decisions based on the context of the use case. Moving protection to the data makes sense in a world with disappearing perimeters.

You can download a copy of the full Forrester report here.

Mike Pittenger



Mike Pittenger is vice president, security strategy at Black Duck Software. Mike has over 30 years of technology business experience, including over 15 in application security. He was a co-founder of Veracode and led the product divisions of @stake and Cigital. He can be reached at mwpittenger [at] caddisadvisors.com.
