Putting Zero Trust 2.0 into Practice - in 5 Steps [Part 4: Data Security]

Author
Reinhold Zurfluh
Published
02. April 2024

In an era in which digitalisation is progressing inexorably and vast quantities of data are generated, transmitted and stored every day, the number and impact of data breaches grow with it. Companies face the daunting challenge of protecting data as a key asset. This necessity has led to the development and implementation of new security strategies such as zero trust. The fourth part of our blog series explores data security, the fourth pillar of Zero Trust 2.0.

In our series, we’ll show you specific approaches for the practical implementation of Zero Trust 2.0 based on the five pillars of “Identity”, “Devices”, “Networks”, “Applications & Workloads” and “Data”. Did you miss the last part? Here you’ll find our tips for securing your network.

Data security as a shield for your crown jewels

Cybercrime is big business and targeted attacks are on the rise, not least because attacks and attack tooling are offered "as a service". Attackers need little expertise of their own: they can buy attacks on the dark web, some of which run largely automatically. Protecting sensitive data is therefore paramount, and ultimately that is what zero trust is about: the controls in the other four pillars all exist to protect the data. To achieve excellence in data security, companies should implement the following measures:

  1. Encrypt data both during transmission and storage to ensure confidentiality.
  2. Implement data loss prevention (DLP), which monitors and prevents unauthorised transmission of sensitive data.
  3. Assign data permissions using the principle of least privilege.
  4. Classify and label data continuously so that protective measures can be prioritised according to sensitivity.

In the digital age, data is the lifeblood of your business – it’s your most important asset. But with great value comes great responsibility. Pillar 4 of Zero Trust 2.0 (data) is the vault that protects the crown jewels. In this section, we’ll look at the essential components of this pillar and present concrete actions and approaches using existing technologies to improve your data security.

Data encryption as a basic requirement of zero trust

Encryption is at the heart of data security within the zero trust concept. Only by using reliable encryption methods can you ensure the confidentiality of your sensitive information.

Encryption converts data into an unreadable format that can only be decrypted with the correct key. To achieve an advanced level of data security, companies should encrypt both data in transit and data at rest. This means that data should be protected while it travels over networks and while it is stored on servers, in databases, in cloud services or on devices.

Data in transit

Data in transit (also known as data in motion or data in flight) is data moving across a network. Encryption in transit, for example with TLS, protects it against eavesdropping and interception on the way. Examples from everyday life include withdrawing money from an ATM, placing or tracking an order with Amazon, uploading photos from your smartphone to your private cloud or sending an email or text message.

Data at rest

When your data reaches its destination, it becomes data at rest: it is stored in a database, on a server, in a cloud service or on another device. A third category is data in use, meaning data that is currently being processed in memory, such as a Word document opened for editing or the transactions displayed in your mobile banking app. Data in use is neither at rest nor in transit, so encryption at rest and in transit does not cover it; it needs separate controls, such as endpoint access control and, where available, memory encryption in a trusted execution environment.

Encryption at rest and in transit is essential to ensure that information is accessible exclusively to authorised users. Encryption on its own provides only confidentiality; the other properties below come from further cryptographic mechanisms that modern protocols such as TLS and authenticated-encryption modes combine with it:

  • confidentiality, by encrypting the contents of a message;
  • integrity, by adding an authentication tag (a MAC or an AEAD tag) that proves the message has remained unchanged since dispatch;
  • authentication, by verifying the origin of the message, for example via certificates or a shared MAC key;
  • non-repudiation, by digitally signing the message so that the sender cannot deny having sent it.
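The integrity point matters just as much for data at rest. The following Go program is an added example (not code from the original post or from InfoGuard) showing the practice a practitioner would expect: AES-256-GCM from the standard library, an authenticated-encryption mode whose tag rejects any modified ciphertext, with the record's classification label bound in as associated data so that a stored "confidential" record cannot be relabelled "public" without the key. The Record type, the random key and the sample plaintext are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is one data-at-rest object (assumed layout for this example): a
// classification label kept in the clear so policy engines can read it without
// the key, plus an AES-256-GCM nonce and ciphertext. The label is bound into
// the ciphertext as associated data, so editing the stored label is detected.
type Record struct {
	Label      string
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts plaintext under a 32-byte key (AES-256) with a fresh random
// nonce and authenticates both the plaintext and the label.
func Seal(key []byte, label string, plaintext []byte) (*Record, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(label))
	return &Record{Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record. It fails if the ciphertext or the label was
// modified, or if the wrong key is used; the caller never sees garbage.
func Open(key []byte, r *Record) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.Label))
	if err != nil {
		return nil, errors.New("record rejected: ciphertext or label tampered with, or wrong key")
	}
	return pt, nil
}

// newAEAD builds the AES-GCM instance and refuses anything but a 256-bit key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample: a random data-encryption key and a made-up payload.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec, err := Seal(key, "confidential", []byte("customer account balance: 12,500 CHF"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, rec)
	fmt.Printf("decrypt: %q err=%v\n", pt, err)

	// An attacker with write access to the store tries to downgrade the label.
	rec.Label = "public"
	_, err = Open(key, rec)
	fmt.Println("after label downgrade:", err)
}
```

In production the key would come from a KMS or HSM rather than being generated in-process, and each record would also carry a key identifier so that keys can be rotated; the authentication tag is what turns "encrypted" into "encrypted and tamper-evident".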

Data loss prevention (DLP) as watchman

Data loss prevention (DLP) is a critical tool in an advanced data security strategy. DLP should never be considered in isolation, but as part of a comprehensive security strategy. The integration of DLP solutions into other security systems such as IAM (identity and access management) and EDR (endpoint detection and response) reinforces the protection and effectiveness of the zero-trust model.

DLP solutions monitor and prevent the unauthorised transmission of sensitive data. They detect and block attempts to transfer sensitive information through various channels such as email, cloud storage or external drives. Companies can use DLP to proactively protect their important data from accidental or malicious leaks.

How to implement DLP in a zero-trust model

The first step is to classify data based on its sensitivity. This helps to create policies for handling different data types and to determine which data should be protected by DLP. Be sure to document DLP policies on how different data types should be handled. These policies may include measures such as encryption (see previous section), access restrictions or blocking data transfer.

DLP includes continuous monitoring of traffic and user activity to identify unusual or unauthorised access. This involves analysing behaviour patterns to identify potential threats at an early stage. Not least, raising employee awareness and training them in data security practices is crucial to ensure that DLP policies are effectively implemented. Your employees need to understand how their own behaviour affects data security.

As you can see: implementing DLP within a zero-trust model requires thoughtful planning and continuous adaptation to ensure security measures keep pace with changing threat landscapes and business needs. By combining strict access controls with effective DLP strategies, organisations can achieve a high level of data security while maintaining the flexibility and efficiency of their IT systems.
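The core of the procedure above, classify first and then decide per channel, is what a DLP policy engine does on every outbound transfer. The Go program below is an added example written for this post (not InfoGuard's code and not any vendor's product): it combines the classification label carried in the document's metadata with content inspection, so that an unlabelled or mislabelled file containing payment card numbers is still treated as confidential, and it uses a Luhn check to filter regex hits so that ordinary long numbers such as ticket IDs do not trigger false positives. The Transfer type, the channel names, the label names and the sample events are assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Verdict is what the policy engine tells the enforcement point (mail gateway,
// endpoint agent, CASB) to do with an outbound transfer.
type Verdict string

const (
	Allow   Verdict = "allow"
	Encrypt Verdict = "encrypt"
	Block   Verdict = "block"
)

// Transfer is one outbound event as an endpoint agent or gateway would report it
// (assumed shape for this example).
type Transfer struct {
	Channel string // "email", "cloud" or "usb"
	Label   string // classification label from document metadata; may be empty
	Content string // text extracted from the file or message body
}

// panPattern matches 13 to 19 digits optionally separated by spaces or dashes,
// the shape of a payment card number. On its own it over-matches.
var panPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid keeps only regex hits whose check digit is correct, which removes
// most false positives (ticket numbers, timestamps, serials).
func luhnValid(s string) bool {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(s)
	if len(digits) < 13 || len(digits) > 19 {
		return false
	}
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Classify returns the effective label: the declared label, raised to
// "confidential" when content inspection finds card numbers the label did not
// declare, and "internal" by default for unlabelled data. Labels are never lowered.
func Classify(t Transfer) string {
	for _, hit := range panPattern.FindAllString(t.Content, -1) {
		if luhnValid(hit) {
			return "confidential"
		}
	}
	if t.Label == "" {
		return "internal"
	}
	return t.Label
}

// Decide applies the per-channel policy to the effective label.
func Decide(t Transfer) Verdict {
	switch Classify(t) {
	case "confidential":
		if t.Channel == "usb" {
			return Block // removable media: no way to enforce controls afterwards
		}
		return Encrypt // email/cloud: allowed only with encryption applied
	case "internal":
		if t.Channel == "usb" {
			return Block
		}
		return Allow
	default: // "public"
		return Allow
	}
}

func main() {
	// Constructed sample events, not real data (4111 1111 1111 1111 is a
	// well-known test card number that passes the Luhn check).
	events := []Transfer{
		{Channel: "email", Label: "public", Content: "Invoice paid with card 4111 1111 1111 1111"},
		{Channel: "usb", Label: "confidential", Content: "Q3 board pack"},
		{Channel: "cloud", Content: "Canteen menu for next week"},
		{Channel: "email", Label: "public", Content: "Ticket 1234567890123 closed"},
	}
	for _, e := range events {
		fmt.Printf("%-5s label=%-12q effective=%-12s verdict=%s\n", e.Channel, e.Label, Classify(e), Decide(e))
	}
}
```

Real products add many more detectors (exact-data matching against a customer database, fingerprints of known documents, OCR) and feed every verdict into the SIEM, but the structure stays the same: the label is the primary signal, content inspection is the safety net for missing or wrong labels, and the channel determines how strict the response is.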

Data classification for targeted protection

Not all data is equal and your data security strategies need to account for this. Data classification categorises data based on its sensitivity and importance. By classifying data, companies can prioritise security measures. Highly sensitive data may require strict access controls and encryption, while less important data may be subject to less stringent safeguards. Classification is important to determine what data is allowed into the cloud, for example, and how it needs to be protected. Not only confidentiality, but also availability and, if necessary, integrity requirements need to be specified. Also consider the data lifecycle, because responsibility for security lies with you – from the creation to the disposal of the data.

Data security in the cloud era

The introduction of cloud services means that data is now located outside the traditional network boundaries. To protect data effectively, organisations need to extend their data security practices to the cloud. Implementing a zero-trust model in cloud environments therefore requires a well-thought-out strategy that encompasses both technological and organisational aspects. This requires security measures in the cloud to be seamlessly integrated into your company’s entire security architecture, and of course such measures must also support the zero-trust principle. It is crucial to work with cloud providers that offer robust security controls.

Essential components of an advanced data security strategy include not only cloud-native security solutions, but also encryption, identity and access management for cloud resources and monitoring. This approach ensures that data remains protected regardless of its location. In addition, you must ensure that the cloud services meet the relevant data protection and compliance requirements, such as the revised Swiss Data Protection Act and GDPR in Europe.

Zero trust – the fifth and final step is called “Analytics & Automation”...

In summary, the fourth pillar of Zero Trust 2.0, data security, protects your company’s most important asset: your data. Organisations can reliably protect their crown jewels by implementing data encryption during transmission and storage, leveraging data loss prevention and classification solutions for comprehensive protection and extending data security to the cloud. In the concluding part of our blog series on zero trust, we’ll look at analytics and automation and show why this is so crucial.

So stay tuned.

Interested to know your state of zero trust readiness?

The InfoGuard “Zero Trust Readiness Assessment” is precisely the right starting point for identifying the risks and any weaknesses in the current zero trust strategy and its implementation.

We’ll show you for instance which good practices have not yet been sufficiently defined or implemented in your zero-trust strategy. Discrepancies are assessed in terms of their risk criticality. Prioritised recommendations for action are developed on this basis and presented in the form of a solution path. Interested? Then we look forward to hearing from you!


Would you like to deepen your insight?

Our blog series "Zero Trust 2.0 - Implemented in 5 steps" gives you a complete 360° perspective:

Part 1: Device security
Part 2: Identity management
Part 3: Network security
Part 4: Data security
Part 5: Analytics and automation

We wish you an inspiring read.
