How to build a zero-trust cloud data architecture

Cloud computing has had a profound impact on CISOs. They realize its cheap storage, immense scalability, resource elasticity and accessibility from anywhere in the world, at any time, has created a competitive advantage for the companies whose data they’re in charge of protecting. But these same factors, especially its accessibility, make their jobs infinitely more difficult.

The cloud broadens an organization’s attack surface to the point that CISOs must guard data across multiple clouds, tools, and on-premises locations. This further complicates their main objective of minimizing the risk of unauthorized data access and makes their job of ensuring information assets and technologies are adequately protected an arduous task.

Even worse, traditional security and governance models are ineffective for cloud architecture, partly because each cloud vendor has unique mechanisms for accessing data, which increases the chance of administrators making costly mistakes.

Conventional, centralized, or dictated approaches secure data by routing requests, access, and policies through IT – which limits the speed that a user could leverage the information. The array of clouds and cloud resources requires a more fluid approach to secure access.

Decentralized methods don’t work either, because business units have too much freedom in implementing policies about how data is used and with what tools. This creates silos and conflicts across business units and platforms, as cloud architectures need more uniformity across settings, tools, and departments.

The delegated governance model is becoming the more appropriate style, as it is ideal for streamlining multi-cloud security by combining the best of the above methods. It leverages IT’s uniform, top down policies (customized by line of business data stewards) and is based on IT’s provisioning of a secure platform for the business to access their tools of choice. The platform then distributes these central policies—configured by data stewards—into any repository or tool across clouds and on-premises for zero trust security.

Achieving multi-cloud security

The delegated model enables CISOs to reduce the risk of storing and utilizing data, no matter where they are, by delivering consistent data security across on-premises and cloud settings. These environments benefit from the same centralized data access policies; however, those policies are tailored to the needs of specific business teams by data stewards in those departments who are familiar with the use cases and understand what the data mean. This paradigm expands data access (and speed of access) without increasing risk.

The security platform fortifying this approach issues granular access control at the data level. It supports techniques like masking, encryption, and tokenization based on how data stewards interpret and enforce centralized policies. Additional toolsets for obfuscation aren’t required, while organizations also get clear visibility into the governance process through auditing and reporting about who accessed what data and which policy was invoked to grant or deny access.

Internal auditors can use this traceability to demonstrate compliance to regulators. For example, that a specific marketing team tried accessing PII data when building a campaign and was denied access. There are also alerts for unauthorized access or actions like copying data. These measures collectively address the CISO’s main concern of consistently applying access policies across the enterprise.

Leveraging hybrid cloud security architecture

The delegated governance model hinges on the architectural flexibility of a centralized, secure data access platform. That architecture supports pushing policies and access control mechanisms into distributed resources across on-premises and cloud environments. Implementing those policies into storage units like S3 buckets, for example, is the basis for solidifying zero trust networks while reducing the risk of data breaches.

The consistent application of those policies across the source systems is the true enabler for combining both centralized and decentralized methods with the delegated model. Policies still come from governance councils, but they’re ultimately enforced closer to where decisions are made based on the data, tools, and business use cases.

Best of all, this methodology still provides central oversight into security concerns for CISOs and their infosecurity operatives. There’s a single pane of glass for visibility across clouds and on-premises settings, while policies are readily configured according to roles, attributes, and tags for data.

For example, data stewards in sales may have access to the full range of customer data, whereas salespeople with responsibility for specific regions can only view data related to the customers and prospects in those regions. Consequently, only authorized personnel receive authorized access to data.

Safeguarding the enterprise

The delegated approach is the most effective means of enabling CISOs to decrease the risk of unauthorized access to data across the enterprise in the new cloud first world. It provides centralized benefits for implementing uniform, top-down policies with decentralized advantages of distributing those policies into the sources in which users access data.

This method single-handedly streamlines data security across the cloud and on-premises environments to enable CISOs – and their organizations – to go to the cloud with all the confidence they’re used to having when their resources were comfortably behind firewalls on physical premises. This consistent, secure access to data is increasingly needed to address the growing distribution of the modern data landscape.