Visibility is the first step in effectively managing cyber risk. This principle applies to risk across all domains, and yet we expect security professionals to accurately assess and mitigate risk without being able to track access and exposure of unstructured data, such as files, across an organization. And, with the rise of remote work, bring-your-own-devices (BYOD), and storing data in the cloud, it becomes increasingly challenging to know what data exists let alone where it exists or who is accessing it. Zero Trust Data Access (ZTDA) can be used to track unstructured data and applies the concept of least privilege at a granular file level to provide deep visibility to protect and monitor unstructured data as it flows across an organization.
How We Got Here: A look at perimeter security and past practices
The previous standard practice was to lock down an organization’s perimeter to keep adversaries out. Perimeter security is only effective when users are contained within that perimeter, and data is contained on those users’ devices. If a document never leaves a corporate device that also never leaves a corporate network, then the organization needs only to protect against adversaries getting into the network. As we changed how we interact with data, we also changed how we attempted to secure it.
Models such as the Cyber Defense Matrix allow us to visualize the various NIST Cybersecurity Framework functions we should focus on (Identify, Protect, Detect, Respond, Recover) and the assets we should apply them to (Devices, Applications, Networks, Data, Users). We saw improvements by adding tools to various intersections such as Anti-Virus at Device and Protect, or Runtime Application Self Protection (RASP) at Application and Protect. As many of the areas evolved, one area was left relatively neglected: the intersection of Data and Protect.
One solution at the intersection of Data and Protect is Data Loss Prevention (DLP). However, an effective DLP requires a significant time commitment to properly set up policies. Furthermore, if not all boundaries are accounted for, such as in the case of shadow IT, then DLP is not effectively protecting the data as it flows across the organization. Using DLP as the first line of defense for your data protection means the first chance to catch data being breached is as it’s walking out of the door.
What Lies Hidden: Dangers of not tracking unstructured data
By not having visibility of unstructured data, we’re essentially asking security professionals to secure boxes of valuables in a dark room that has multiple doors and windows. There are three primary challenges that make the job of tracking unstructured data exposure even more difficult.
Challenge 1: Remote Users. Users are not always physically located within the corporate perimeter, which means their devices are also not within that boundary. Organizations need to ensure their users’ identities are properly authenticated so that they know they are appropriately allowing access to the proper resources. Ideally, that identity can be bound to as many resources as possible since there is not always an easy way to confirm that the person who accessed one resource remotely is the same as that is attempting to access another.
Challenge 2: BYOD. Devices are no longer always corporate devices, whether or not BYOD is allowed. Users often access their data, such as email attachments, on personal devices. If these non-corporate devices do not have security tools on them, or are not accounted for in the same way as the corporate devices, then there is a major blindspot as corporate data drifts into this space. Only monitoring certain networks, devices, and database access excludes the possibility of sensitive data living outside of the protected zones.
Challenge 3: Cloud Sprawl. Data is transferred and shared in numerous methods with the rise of cloud storage and cloud solutions like databases. Collaboration tools increased ways that data can slip out from protection unknowingly. Even secured databases can be downloaded into a spreadsheet that gets emailed or placed into a personal cloud drive. Moreso, most data lives outside of databases and needs its own tracking mechanism. Only monitoring corporate cloud activity leaves out all the other areas (e.g., local desktops) where unstructured data could find itself exposed.
How to Track Unstructured Data: Identity meets data access
Combining ZTDA with unstructured data brings identity to individual files so that organizations know exactly who accessed what, where, and when in the same way they do with many other assets in the organization. Instead of inherently trusting that just because a file is on someone’s computer they should be allowed to see that data, ZTDA instead verifies the user first. ZTDA provides three primary benefits:
Proactive vs Reactive Protection: ZTDA allows for proactive data protection instead of reactive data protection. ZTDA can perform actions, such as denying access outside of a geofenced location, and can also allow for predictive analysis by sending alerts when a user’s behavior is suspicious, such as accessing a significant amount of data at non-work hours. In contrast, DLP is reactive since it can only tell you that sensitive data has already been compromised and breached. ZTDA lets you plan mitigation strategies to prevent breaches instead of waiting for an attack to respond.
Another Defense-in-Depth Layer: The most effective security is a combination of multiple technologies for a defense-in-depth. The most effective defense-in-depth strategies will account for the NIST Cybersecurity Framework functions across all the asset domains. ZTDA fills the current gap in suitable technologies at the intersection of Data and Protect in a way that allows organizations to put a barrier at every step of an adversary’s way.
Visibility to Enable Security: Ultimately, understanding where unstructured data resides in an organization, and how it is being accessed, is an incredibly powerful tool to reduce the risk of a data breach. If the threat of a breach of unstructured data can be measured through visibility, then the risk associated with it can be mitigated and managed. ZTDA allows for insight into data access without a burdensome overhead.
