Why zero trust is crucial to compliance

The enterprise faces a brand new world when it comes to data privacy and security. New regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have joined PCI-DSS, HIPAA, and more than 25,000 other cybersecurity regulations passed since 2008.

Together, these regulations have vastly increased the workload on security teams already stretched thin by the sheer scale and complexity of modern software business services.

The challenge posed by these new rules is not merely applying them to the massive corpus of regulated data most enterprises hold. With so much data infrastructure currently residing outside the corporate firewall, the mandate now is to protect data and to keep track of it.

A modern security model

Most of the recent high-profile data breaches occurred after hackers exploited vulnerabilities at key endpoints and then moved laterally within the environment to their ultimate target, usually data that falls under the scope of the compliance regs mentioned above. This is why many organizations are turning to a fledgling security model that is finally coming into its own — zero trust security.

In a zero trust paradigm, permissions alone do not confer or equate to trust. Zero trust verifies identity and payload each time an east-west movement is attempted, stopping the attack before data can be reached, much less breached. This exceeds the compliance requirements of today’s regulatory frameworks.

Zero trust allows organizations to adopt a more rigorous security posture in two key ways:

• Discovery of all network assets: Conducting an inventory of applications, databases and other key assets is the first step in any data security plan. Zero trust means that assets are discovered automatically, and compliance mandates can be applied through proper documentation and record-keeping.
• Lock down access: Least privileged access is a core component of zero trust in which the enterprise adopts a policy of granting access only to those resources that actually require it. This reduces the attack surface and demonstrates to users, auditors, regulators and even courts that the organization has taken all reasonable steps to protect data from unauthorized access. As an added benefit, this leaves an audit trail to reconstruct security events if a breach occurs.

These processes are crucial when maintaining compliance with the latest regulations like GDPR and CCPA (also known as AB 375). Both laws define stringent controls for managing, deleting and auditing personally identifying information. Organizations must maintain broad knowledge regarding the way data is collected and stored, where it resides, how it is being accessed and by whom, what security measures are in place, and how it is being shared, sold or otherwise processed.

Protecting the global footprint

Unfortunately, most enterprises have yet to upgrade their legacy security frameworks to fulfill these mandates. Without a mechanism for full discovery of network assets, personal information could be lurking unmanaged and unprotected on any system in a network. The risk of running afoul of data management regulations drives the urgency of preventing data exfiltration across the entire network, not just in the historically well-protected data center.

Under these new regulations, organizations will not be able to dodge these responsibilities just because they employ SaaS or other third-party services. Traditional search-based archival discovery tools lack the broad visibility to maintain zero trust in cross-platform data environments and are largely ineffective when it comes to mapping data across complex networks. However, these requirements are met by the core discovery and access restriction functions of a zero trust security model.

It is also important to note that the process of regulating security and data privacy practices is not complete simply because several major laws have come into effect. We can expect new laws and regulations to emerge on a continual basis as governments attempt to keep up with evolving infrastructure, data services and increasingly sophisticated cyber threats.

Don’t go it alone, but pick your partners well

Deploying new security tooling is no easy task: any new control plane must support and interoperate with multiple generations of legacy and modern infrastructure and application architecture. And it must do so without impeding performance or eroding the core value of critical business services.

The best way to accomplish this is through partnership with a seasoned provider — one with a proven track record of successful deployments on both legacy and modern systems, and both cloud and hybrid-cloud infrastructure. While every enterprise is different, an experienced provider can help avoid the most serious pitfalls before they impact costs, deployment schedules, or the efficacy of compliance-driven security measures.

By adopting the zero trust model now, organizations can begin laying the groundwork for any and all challenges that arise in the future, while gaining a more thorough understanding of expanding, dynamic data architectures and the vulnerabilities they contain.