Zero-Trust at the Data Layer

Often, ideas are ahead of their time. In October 2017, IDC’s Simon Piff and Hugh Ujhazy published a paper positing that data was the new endpoint. There is a good chance that, in the near future, they will stand on the same zero-trust pedestal as Forrester’s John Kindervag, who is credited with creating the zero-trust security model around 2010. While the zero-trust concept was very much alive and gathering interest, even four short years ago it was only a shadow of what is today the latest and greatest approach to cybersecurity. But if you read the IDC paper searching for where the authors discuss zero-trust, well, I will save you the trouble—it is not there. Perhaps that’s proof positive that the idea was ahead of its time!

Data as an Endpoint

If you break zero-trust down to its basic tenets, it verifies who the user is, and what their current need and privilege level to access a computing resource are, every time access to that resource is requested. Zero-trust was developed as a network construct, and almost every zero-trust reference is in relation to a network endpoint. Think about that phrasing—endpoint is the subject; network is the modifier. This simply means that an endpoint doesn’t need to be part of the network’s physical architecture. And this is where Piff and Ujhazy come in.

Their hypothesis considered data differently. The basic point they made was, “If we can secure the data from its creation to the end of its useful life and ensure only authorized users can access, use and amend that data, security issues will be greatly reduced.” Sounds a lot like zero-trust, doesn’t it?

They explained, in great detail, their belief that the focus of data security is misplaced; it’s focused on the network and not the data itself. Let’s face it, over the past 25 to 30 years since the advent of the firewall, cybersecurity has constantly battled to keep attackers away from data by attempting to keep them away from the network. A strong argument can be made that the cybercriminals have an edge.

What if, however, we were to treat data the same as we do those network endpoints and apply principles of zero-trust? There is no reason why that same data can’t be treated as you would any network endpoint and be protected within the overall zero-trust framework. Piff and Ujhazy suggest four tests to designate when a file could be considered an endpoint and thus be subject to the same application of a zero-trust strategy.

Four Milestones to Achieve Endpoint Designation

What are those four milestones data files must meet to achieve endpoint designation?

Data is a policy decision and enforcement point – According to Piff and Ujhazy, data files decide access rights by initiating a secure conversation with whoever seeks to interact with them. In a real sense, they are discussing one of the two primary zero-trust tenets: the policy decision point’s independent user authentication function and the routing of all outside communications through a policy decision point.

Data is independent – “Regardless of how often it is copied, duplicated or moved, data retains the rules around who can use it. Therefore, if an attacker were to copy the data … that data would be useless to the attacker.” Again, it seems Piff and Ujhazy are discussing the overall architecture of the policy decision point.

Data understands itself – Simply put, the data must know that it needs to interact with a user to be accessed and dictate through APIs how interactions will occur. This, to a large degree, is a nod to the fact that the data will need to have inherent protections that restrict access when it is not being used.

Data appreciates its value – “The data object can inherit a series of rules, governing when, where, how and why it might be accessed. Given, viewing customer information on the corporate network might be allowed but viewing that same data on public Wi-Fi may be forbidden.” Again, in a very real sense, this functionality very closely resembles the policy enforcement point’s device authorization and need-to-know functionality.
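The four tests above, as an added illustration in Python (not code from the IDC paper or from any product): a self-protecting data object carries its policy with it, the policy and payload are bound by a tag so neither can be altered unnoticed, and a policy decision point evaluates user, role and network context on every access, so a copied object is useless without passing that check. The counter-mode SHA-256 keystream, the HMAC tag and the role/network policy shape are assumptions of this example standing in for real authenticated encryption and a real policy language.

```python
import copy, hashlib, hmac, json, os
from dataclasses import dataclass

@dataclass
class Context:          # who is asking, and from where (evaluated on every request)
    user: str
    role: str
    network: str        # e.g. "corporate" or "public-wifi"

@dataclass
class DataObject:       # the "endpoint": ciphertext plus the rules that travel with it
    object_id: str
    policy: dict
    nonce: bytes
    ciphertext: bytes
    tag: bytes          # binds policy and payload so neither can be changed unnoticed

def _keystream(key, nonce, n):  # toy counter-mode keystream (stand-in for real AEAD)
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

class PolicyDecisionPoint:
    """Holds the keys; a copied object is useless without passing this check."""
    def __init__(self):
        self._master = os.urandom(32)
    def _key(self, object_id):
        return hmac.new(self._master, object_id.encode(), hashlib.sha256).digest()
    def _tag(self, key, nonce, ct, policy):
        msg = nonce + ct + json.dumps(policy, sort_keys=True).encode()
        return hmac.new(key, msg, hashlib.sha256).digest()
    def seal(self, object_id, plaintext, policy):
        key, nonce = self._key(object_id), os.urandom(16)
        ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        return DataObject(object_id, policy, nonce, ct, self._tag(key, nonce, ct, policy))
    def open(self, obj, ctx):
        key = self._key(obj.object_id)
        if not hmac.compare_digest(self._tag(key, obj.nonce, obj.ciphertext, obj.policy), obj.tag):
            return None   # policy or payload was altered: the data "understands itself"
        if ctx.role not in obj.policy["roles"] or ctx.network not in obj.policy["networks"]:
            return None   # the same rules apply to every copy, on every request
        return _xor(obj.ciphertext, _keystream(key, obj.nonce, len(obj.ciphertext)))

def demo():   # constructed sample: one customer record, one policy
    pdp = PolicyDecisionPoint()
    obj = pdp.seal("cust-001", b"customer record", {"roles": ["analyst"], "networks": ["corporate"]})
    allowed = pdp.open(obj, Context("alice", "analyst", "corporate"))
    denied = pdp.open(obj, Context("alice", "analyst", "public-wifi"))   # wrong network context
    stolen = copy.deepcopy(obj); stolen.policy["networks"].append("public-wifi")  # policy edited on a copy
    return allowed, denied, pdp.open(stolen, Context("alice", "analyst", "public-wifi"))
```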

Data is the reason we have computers; transporting that same data is the reason we have networks. A key cybersecurity issue, perhaps even its greatest fault, is the assumption that by successfully protecting networks and computers we are also successfully protecting data. Data needs to be protected on its own terms, protected as an endpoint within the zero-trust construct. Combining network-based zero-trust concepts with data protected using those same zero-trust tenets provides a promising path towards cybersecurity success. Software products that give data files those four characteristics, while still in their infancy, do exist—Piff and Ujhazy blazed the trail.

Rich Streeter

Rich Streeter is currently the Operations Director at Sertainty Federal Systems, after spending 25 years in the IC between both the Navy and private sector.
