The need for zero trust security a certainty for an uncertain 2021
In this article I’ll consider next year’s data security landscape with a focus on the two key issues you need to have on your planning agenda. Of course, how the pandemic plays out will have a huge say on tactical questions ranging from budget to manpower to project priorities – but these long-term strategic trends will impact IT organizations well beyond 2021.
The “bring your own” genie will leave the bottle
Over the last decade, authority for every productivity-related technology decision has inexorably moved away from IT professionals to the users and lines of business closest to those decisions. The first phase of this trend, bring your own device, is essentially over. It’s nearly impossible to imagine a return to corporate-controlled Blackberries without also imagining a large-scale employee revolt.
Last year, work-from-home practices increasingly put line employees in charge of data access and management decisions. And it goes without saying that in 2020 this trend broadened exponentially. Cloud storage and productivity applications maximize online productivity by making collaboration easy from anywhere.
But while link sharing may be liberating, the data security ramifications lend the trend a darker edge that’s hard for security professionals to control.
Next year, the BYO trend will continue as line of business teams will further claim the authority to choose as-a-service solutions without IT involvement. Functionally specialized online services are now as capable as their on-premises predecessors, they’re easier to stand up, and they’re cheaper to own.
Call it “bring your own SaaS” if you like, but you can expect, as an example, the accounting department to pick (and maybe implement) the online invoicing solution they like without much consultation with the IT team.
Data privacy goes in unexpected directions
The GDPR (as of this writing) had assessed a record level of fines totaling €220 million. California’s CCPA enforcement kicked in on July 1st, and voters in that state passed additional privacy restrictions via a November ballot initiative (the California Privacy Rights Act or CRPA). The CRPA extends and modifies the CCPA, with new mandates taking effect at the end of 2022.
Here’s where things are going to get interesting. Optimistically, effective COVID-19 vaccines will facilitate the ability for in-person work by mid-year. But it’s just as likely delays in distribution, reluctance to inoculate and lingering stress on the healthcare system will extend work-from-home practices for many through 2021. Either way, organizations will face obligations and temptations to collect more data on their employees – about their immunization status, health situation, work habits, even their social interaction patterns – than ever before.
Today, most practitioners focus on risks from external threat actors. But with a bracing action in October, the GDPR authority showed they’re equally concerned with human resources data when they slapped clothing retailer H&M with a €35 million fine for illegal employee surveillance.
Regulations governing employee data management are currently more forgiving in the US. The CCPA, for example, includes a so-called HR exception (which exempts internal employee information from the regulation) that’s set to expire at the end of 2023. But regardless of the go-live date, privacy protections for employee data are clearly in the cards.
There’s no way to predict every 2021 eventuality. But we can forecast at least two key trends:
- End users and business stakeholders will assert the right to choose and use technology as they see fit. IT leaders need to find ways to support security even in the absence of control.
- Comprehensive privacy and data protection are the fundamental IT imperatives for the foreseeable future. Regardless of the regulatory environment, taking steps to understand and secure data will pay off.
What’s the right path forward? Your strategic data security plan in 2021 (and beyond) should follow this simple guiding principal: apply zero-trust security principles to data wherever it’s stored and used. In an uncertain regulatory and threat environment, zero trust security (which protects data by limiting access to only those with a need) is the ideal policy approach. The devil is, as they say, in the details.
In 2021, those details will increasingly be met by AI-enabled data discovery and risk assessment tools that can automate zero-trust security. Vendors commercializing some of the most promising deep learning research can now autonomously categorize data, assess business criticality, and even deduce appropriate data management policies – all without extra IT overhead, rule development or end user help.
Planning matters. A hefty dose of uncertainty is certain to await us in 2021. And whatever may be in store for us next year, we can take steps now to anticipate the data security trends that’ll shape IT in 2021 and beyond.