“Never Trust, Always Verify”
Zero Trust Architecture (ZTA) is a security framework that eliminates implicit trust by requiring strict access controls and continuous verification of users, devices, and systems, focusing on securing resources regardless of location, assuming breaches can occur, and enforcing least-privilege access to protect data and applications in modern, decentralized environments.
Such frameworks can be implemented through various approaches, each focusing on a specific aspect of an organization's infrastructure. A network-centric approach secures access with micro-segmentation and traffic monitoring, while an identity-focused approach enforces strict authentication and authorization based on roles and context. A data-driven approach ensures sensitive data protection through encryption and access controls, and an application-centric approach secures applications by monitoring their behavior and enforcing access policies. The endpoint-forward approach emphasizes trusted, compliant devices, and the workload-focused approach protects cloud or hybrid workloads by securing interactions between containers, virtual machines, and services.
The choice of a Zero Trust approach depends on your organization’s specific business needs, priorities, and infrastructure, as certain approaches may align more closely with your security goals, whether focusing on identity, network, data, or other aspects.
In this discussion, we will focus on a data-focused Zero Trust strategy, which emphasizes the protection of sensitive information throughout its lifecycle and during processing, following the comprehensive framework developed by the Zero Trust (ZT) Data Security Working Group in their Federal Zero Trust Data Security Guide document, which provides practical guidance on implementing robust controls to safeguard data while maintaining compliance with regulatory and organizational requirements.
What Is the Traditional Approach?
The traditional approach is to implement a network-focused security model, with a primary focus on securing the network perimeter through tools like firewalls, VPNs, and access controls, assuming that once users or devices are inside the perimeter, they can be trusted, creating a "trusted internal network" mindset.
However, this trust-by-location paradigm introduces significant vulnerabilities. For example, an attacker who manages to breach the perimeter—whether through phishing, malware, or exploiting a vulnerability—can move laterally within the network with minimal resistance. The model also adapts poorly to modern, decentralized environments like cloud or hybrid architectures: excessive segmentation can create performance bottlenecks, and the limited focus on securing endpoints, applications, and data makes it hard to meet the broader objectives of Zero Trust (ZT), which prioritize user and resource identity over network boundaries.
What Is a Data-Centric Approach?
Unlike the traditional network-focused approach, which controls access primarily through network segmentation and perimeters, a data-focused approach emphasizes securing the data itself, that is, its classification, tagging, and policies, regardless of where it resides or how it is accessed.
Such a change in focus not only aligns with modern regulatory demands, like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), but also ensures resilience against sophisticated cyber threats targeting sensitive information. As the perimeter, as it has been understood until now, slowly disappears or becomes blurred, securing the data directly is key to safeguarding critical assets and maintaining operational integrity.
How To Do It?
Implementing a data-centric approach to Zero Trust Architecture (ZTA) requires a comprehensive strategy focused on securing data at every stage of its lifecycle.
Data Discovery and Classification
Organizations should conduct a thorough data inventory to identify sensitive and critical data assets, classify data based on sensitivity levels (e.g., public, internal, confidential), and tag it appropriately to inform security policies.
ISEC7 CLASSIFY, our easy-to-use data marking and classification solution, can help with that task, allowing users to mark and disseminate sensitive documents while using any office application on any device, following data sensitivity regulations.
It ensures compliance with government data marking and classification regulations, supports data tagging requirements in Zero Trust Architecture (ZTA) and verifies proper sender and receiver permissions based on classification level and dissemination controls. It does not require additional infrastructure to deploy, and works on any endpoint, including iOS and Android mobile devices, offering the same user experience on Microsoft Office applications on the web as well as native clients.
Granular Access Controls
Organizations should follow the Principle of Least Privilege (PoLP) by implementing granular access controls that protect sensitive data effectively and ensure users and systems have only the minimum access necessary to perform their functions, reducing the risk of accidental or intentional misuse of data and improving the overall organizational security posture. To that end, they should implement Role-Based Access Control (RBAC), which assigns permissions based on job responsibilities so that users access only the data required for their roles, as well as Context-Aware Access, which further enhances security by considering factors like user location, device type, time of access, or security posture before granting access. Both measures help prevent unauthorized access and mitigate potential insider threats.
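The two layers described above, RBAC followed by a context-aware check, can be expressed as a single deny-by-default decision function. The following Python is an added example written for this article, not ISEC7 code; the roles, resources, posture thresholds, approved countries and business-hours window are all constructed assumptions, and the public/internal/confidential labels follow the classification scheme used earlier on the page.

```python
from dataclasses import dataclass

# Role-to-permission map. Roles, resources and actions are hypothetical
# (constructed for this example, not taken from the page).
ROLE_PERMISSIONS = {
    "billing_clerk": {("invoices", "read"), ("invoices", "write")},
    "analyst": {("invoices", "read"), ("reports", "read")},
    "hr": {("personnel", "read"), ("personnel", "write")},
}

# Device posture points required before a given classification may be accessed.
# Labels follow the page's public/internal/confidential scheme; thresholds are assumed.
POSTURE_REQUIRED = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class AccessRequest:
    user: str
    roles: list
    resource: str
    action: str            # "read" or "write"
    classification: str    # label of the data being requested
    device_managed: bool   # device is enrolled in the organization's UEM
    disk_encrypted: bool
    mfa: bool              # the session was established with MFA
    country: str           # country code taken from the access context
    hour: int              # local hour of day, 0-23


def posture_score(req):
    """Count the posture signals the device satisfies (0-2)."""
    return int(req.device_managed) + int(req.disk_encrypted)


def rbac_allows(req):
    """RBAC layer: some role held by the user grants (resource, action)."""
    return any((req.resource, req.action) in ROLE_PERMISSIONS.get(role, set())
               for role in req.roles)


def decide(req, allowed_countries=("US",), business_hours=(7, 19)):
    """Return (decision, reason). Deny by default: every layer must pass."""
    if not rbac_allows(req):
        return "deny", "no role grants %s on %s" % (req.action, req.resource)
    required = POSTURE_REQUIRED.get(req.classification)
    if required is None:
        return "deny", "unknown classification %r" % req.classification
    if posture_score(req) < required:
        return "deny", "device posture below level required for %s data" % req.classification
    # Context-aware layer: stricter conditions for the most sensitive label.
    if req.classification == "confidential":
        if not req.mfa:
            return "deny", "MFA required for confidential data"
        if req.country not in allowed_countries:
            return "deny", "access from unapproved location %s" % req.country
        start, end = business_hours
        if req.action == "write" and not (start <= req.hour < end):
            return "deny", "writes to confidential data only during business hours"
    return "allow", "all checks passed"


if __name__ == "__main__":
    req = AccessRequest("alice", ["billing_clerk"], "invoices", "write", "confidential",
                        device_managed=True, disk_encrypted=True, mfa=True,
                        country="US", hour=10)
    print(decide(req))
```

The ordering matters: the cheap RBAC check runs first, and the contextual signals only tighten a decision that RBAC already permits; they never grant access on their own.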
Encryption and Tokenization
Protecting data in transit and at rest, using data encryption, is critical to ensure that sensitive information remains secure from unauthorized access or breaches.
Data in transit should be encrypted using strong protocols like Transport Layer Security (TLS) to secure data traveling between systems, such as between a user’s browser and a web server. This ensures that even if the data is intercepted during transmission, it cannot be read without the decryption key.
Likewise, data at rest (stored data) should be protected using encryption standards like AES (Advanced Encryption Standard) with 256-bit keys, which provides robust protection for databases, file systems, and backup archives. Encrypting data at rest ensures its confidentiality even if storage media are lost or stolen.
Furthermore, for highly sensitive data, such as Personally Identifiable Information (PII) or payment details, tokenization can add an extra layer of security. It works by replacing sensitive data with a randomly generated, non-sensitive equivalent, called a token, which, unlike encrypted data that can be decrypted with a key, has no intrinsic value or mathematical relationship to the original data; the original value and its mapping to the token are kept only in a secure token vault. For example, a credit card number can be replaced by a token used only for specific transactions (e.g., online payments), reducing exposure to risk if downstream systems are breached.
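To make the token/vault distinction concrete, here is a minimal tokenization service written as an added example for this article (not ISEC7 code). It assumes an in-memory vault with a role list that is allowed to detokenize, uses a keyed hash so the same value always maps to the same token without the index revealing the value, and logs every detokenize attempt. The card number is a constructed, widely used test value, not a real account.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Minimal token vault: maps random tokens to the sensitive values they
    stand in for. Constructed example; a production vault is a hardened,
    audited service with the mapping stored encrypted, not a Python dict."""

    def __init__(self, detokenize_roles):
        self._lookup_key = secrets.token_bytes(32)  # vault-private key for the index
        self._token_to_value = {}    # token -> original value
        self._index_to_token = {}    # HMAC(value) -> token, so one value maps to one token
        self._detokenize_roles = set(detokenize_roles)
        self.audit = []              # (event, role, token) records

    def _index(self, value):
        # Keyed hash: the index reveals nothing about the value to anyone
        # who does not hold the vault's private key.
        return hmac.new(self._lookup_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value):
        """Return a token for value; the same value yields the same token."""
        idx = self._index(value)
        token = self._index_to_token.get(idx)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # random: no relationship to value
            self._index_to_token[idx] = token
            self._token_to_value[token] = value
        self.audit.append(("tokenize", None, token))
        return token

    def masked(self, token):
        """Display form for receipts and dashboards; the full value stays in the vault."""
        value = self._token_to_value[token]
        return "*" * (len(value) - 4) + value[-4:]

    def detokenize(self, token, role):
        """Return the original value, only for roles allowed to see it."""
        if role not in self._detokenize_roles:
            self.audit.append(("detokenize_denied", role, token))
            raise PermissionError("role %r may not detokenize" % role)
        if token not in self._token_to_value:
            raise KeyError("unknown token")
        self.audit.append(("detokenize", role, token))
        return self._token_to_value[token]


# Constructed sample: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def demo():
    """Tokenize a card number and show what downstream systems get to keep."""
    vault = TokenVault(detokenize_roles={"payment_processor"})
    token = vault.tokenize(SAMPLE_PAN)
    # Order history, analytics and support tools store only the token and mask.
    order = {"order_id": "A-1001", "card": token, "display": vault.masked(token)}
    return vault, token, order


if __name__ == "__main__":
    vault, token, order = demo()
    print(order)
    print(vault.detokenize(token, "payment_processor"))
```

The point the example makes is that a breach of the order database yields only `tok_...` strings and masked digits; recovering the card number requires both access to the vault and a role the vault accepts, and every such attempt leaves an audit record.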
Organizations should perform a cybersecurity risk discovery and cryptographic inventory using a cryptographic monitoring and risk assessment tool like Quantum Xchange™ CipherInsights, which monitors the network and identifies cryptographic vulnerabilities in real time, including unencrypted traffic, clear-text passwords, expired certificates, self-signed intermediate certificate authorities, and insecure encryption. This provides a clear understanding of the organization's cybersecurity posture and a prioritized list of risk mitigations to maintain compliance, pass audits, and better prepare for the inevitable migration to Post-Quantum Cryptography (PQC).
Data Lifecycle Management
Organizations should implement robust policies for data retention, archival, and deletion to manage and safeguard information effectively. These retention policies should specify how long data is retained based on legal, regulatory, and business needs, and archival practices should securely store infrequently used data while maintaining accessibility for compliance or operational purposes.
Deletion policies must outline secure methods to remove data permanently from systems once it is no longer needed, such as secure wiping or cryptographic erasure, to prevent unauthorized access or recovery. In the end, these measures will not only enhance security and support compliance with data protection and privacy regulations, but also reduce unnecessary storage costs.
Such regulations include the Health Insurance Portability and Accountability Act (HIPAA) in the United States (US), which requires healthcare entities to retain patient records for at least six years, and the well-known General Data Protection Regulation (GDPR) in the European Union (EU), which requires organizations to limit data retention to what is necessary for the processing purpose, with specific durations depending on the data type and purpose, and requires that data be securely deleted once it is no longer needed.
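The retention, archival and deletion policies described in this section become enforceable when a scheduled job evaluates every record against a policy table. The following Python is an added example for this article, not ISEC7 code: the six-year figure for patient records is the HIPAA minimum the page cites, while every other category, duration and disposal method is a constructed placeholder that an organization would replace with values from its own legal and business requirements.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionPolicy:
    retain_days: int         # total retention period before disposal
    archive_after_days: int  # move from active storage to archive after this age
    disposal: str            # "crypto_erase" (destroy the key) or "secure_wipe"


# Policy table. The six-year minimum for patient records is the figure the page
# cites for HIPAA; every other value is a placeholder an organization would set
# from its own legal, regulatory and business requirements.
POLICIES = {
    "patient_record": RetentionPolicy(retain_days=6 * 365, archive_after_days=2 * 365,
                                      disposal="crypto_erase"),
    "marketing_lead": RetentionPolicy(retain_days=365, archive_after_days=180,
                                      disposal="secure_wipe"),
    "public_notice": RetentionPolicy(retain_days=30, archive_after_days=30,
                                     disposal="secure_wipe"),
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False   # litigation/investigation hold suspends disposal


def decide(record, today):
    """Return (action, detail): retain, archive, delete or review."""
    policy = POLICIES.get(record.category)
    if policy is None:
        # Unknown categories are never silently deleted or silently kept forever.
        return "review", "no retention policy for category %r" % record.category
    if record.legal_hold:
        return "retain", "legal hold overrides the retention schedule"
    age = (today - record.created).days
    if age >= policy.retain_days:
        return "delete", policy.disposal
    if age >= policy.archive_after_days:
        return "archive", "age %d days" % age
    return "retain", "age %d days" % age


def plan(records, today):
    """Map record_id -> decision for one batch run of the lifecycle job."""
    return {r.record_id: decide(r, today) for r in records}


# Constructed sample inventory.
SAMPLE_RECORDS = [
    Record("pr-1", "patient_record", date(2018, 1, 1)),
    Record("pr-2", "patient_record", date(2022, 1, 1)),
    Record("pr-3", "patient_record", date(2015, 6, 1), legal_hold=True),
    Record("ml-1", "marketing_lead", date(2024, 10, 1)),
    Record("x-1", "session_cache", date(2024, 12, 1)),
]

if __name__ == "__main__":
    for record_id, decision in plan(SAMPLE_RECORDS, date(2025, 1, 1)).items():
        print(record_id, decision)
```

Two design choices are worth noting: a legal hold is checked before age so that a hold can never be bypassed by the calendar, and a record with no matching policy is routed to review rather than being kept or deleted by default, which keeps an incomplete policy table from silently becoming either a compliance gap or a data-loss incident.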
Continuous Monitoring
Deploy tools to monitor data flows in real-time, detect anomalies, and respond to potential threats. Use automated solutions to track compliance with data protection policies.
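As an added example for this article (not ISEC7 code or any product's detection logic), the following Python runs two simple anomaly rules over data-access log lines: confidential data touched outside business hours, and a day on which a user moved far more data than their own median on other days. The log format, the sample lines, the business-hours window and the spike threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log lines in an assumed format:
#   <UTC timestamp> <user> <action> <object> <classification> <bytes>
SAMPLE_LOG = [
    "2025-01-06T09:12:00Z alice READ /finance/q4.xlsx confidential 20480",
    "2025-01-07T10:03:00Z alice READ /finance/q4.xlsx confidential 20480",
    "2025-01-08T11:45:00Z alice READ /finance/budget.docx internal 30720",
    "2025-01-08T23:10:00Z bob READ /hr/salaries.xlsx confidential 10240",
    "2025-01-09T09:00:00Z bob READ /hr/handbook.pdf public 4096",
    "2025-01-09T14:20:00Z alice DOWNLOAD /finance/export.zip confidential 524288000",
    "this line is malformed and must be skipped",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse(line):
    """Parse one line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, user, action, obj, label, nbytes = m.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"ts": when, "user": user, "action": action, "obj": obj,
            "label": label, "bytes": int(nbytes)}


def daily_volume(events):
    """Bytes moved per user per calendar day."""
    vol = defaultdict(lambda: defaultdict(int))
    for e in events:
        vol[e["user"]][e["ts"].date()] += e["bytes"]
    return vol


def detect(lines, spike_factor=3.0, business_hours=(7, 19), min_days=3):
    """Return a list of (alert_kind, user, when) tuples."""
    events = [e for e in map(parse, lines) if e]
    alerts = []
    # Rule 1: confidential data touched outside business hours (UTC in this sample).
    start, end = business_hours
    for e in events:
        if e["label"] == "confidential" and not (start <= e["ts"].hour < end):
            alerts.append(("off_hours_confidential", e["user"], e["ts"].isoformat()))
    # Rule 2: a day's volume far above the user's own median on the other days.
    for user, days in daily_volume(events).items():
        if len(days) < min_days:
            continue  # too little history to build a per-user baseline
        for day, total in days.items():
            baseline = median(v for d, v in days.items() if d != day)
            if baseline > 0 and total > spike_factor * baseline:
                alerts.append(("volume_spike", user, day.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the job flags bob's late-night read of a confidential file and alice's 500 MB download on 9 January, while bob's small weekday reads produce no volume alert because two days of history are not enough for a baseline. In practice the classification label on each event comes from the tagging step earlier in this article, which is what lets a monitoring rule treat confidential access differently from public access.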
ISEC7 SPHERE enables organizations to manage and monitor their entire digital workplace infrastructure and network, and quickly identify and resolve issues — from one web-based, central console. With support for over 200,000 endpoints, ISEC7 SPHERE streamlines the administration of even the most complex infrastructure, regardless of the diversity of UEM systems, servers, networks, and applications. The solution retrieves data from all the company’s systems and presents them on one dashboard. With only one system to manage, issues are identified and resolved faster, requiring less IT staff with a significant impact on the operational cost.
Policy Enforcement
Policy enforcement is a critical component of a Zero Trust Architecture (ZTA) framework, ensuring that data-focused policies are consistently applied across all systems and environments. Integrating technologies such as Data Loss Prevention (DLP) and Cloud Access Security Brokers (CASBs) enables organizations to monitor, control, and safeguard sensitive data effectively. DLP tools prevent unauthorized data transfers or leaks, while CASBs enhance visibility and enforce security policies for cloud-based applications. These technologies work together to enforce the earlier mentioned Principle of Least Privilege (PoLP) and continuous verification, ensuring that only authorized users and systems can access or transfer sensitive information, regardless of location or device.
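The classification step from the Data Discovery and Classification section and the DLP enforcement described here share one piece of logic: the label attached to a document decides what may happen to it. The following Python is an added example for this article, not ISEC7 code or any DLP product's rule set. It derives a label from an explicit marking header or from detected PII (card numbers validated with the Luhn checksum, US-style SSNs), then allows or blocks an outbound transfer per channel. The marking header format, the channel policy table and the sanctioned cloud hostname are constructed assumptions, and the public/internal/confidential labels are the page's own scheme.

```python
import re

# Which channels each classification label may leave through. Assumed policy;
# anything not listed is denied.
ALLOWED_CHANNELS = {
    "public": {"email_internal", "email_external", "cloud_share", "usb"},
    "internal": {"email_internal", "cloud_share"},
    "confidential": {"email_internal"},
}
# Hypothetical sanctioned cloud destination (placeholder hostname).
SANCTIONED_CLOUD = {"files.corp.example"}

# Assumed marking header written into a document by the classification tool.
MARKING_RE = re.compile(r"^CLASSIFICATION:\s*(PUBLIC|INTERNAL|CONFIDENTIAL)\s*$", re.M | re.I)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum, which rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, last4) findings; the full matched value is never returned."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card_number", digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("us_ssn", m.group()[-4:]))
    return findings


def classify(text):
    """Detected PII forces 'confidential'; otherwise an explicit marking header is
    honored; unmarked content defaults to 'internal' rather than 'public' (fail closed)."""
    findings = find_sensitive(text)
    m = MARKING_RE.search(text)
    label = m.group(1).lower() if m else "internal"
    if findings:
        label = "confidential"
    return label, findings


def evaluate_transfer(text, channel, destination=None):
    """DLP decision for moving `text` out through `channel`."""
    label, findings = classify(text)
    result = {"label": label, "findings": findings}
    if channel not in ALLOWED_CHANNELS.get(label, set()):
        result.update(decision="block",
                      reason="%s data may not leave via %s" % (label, channel))
    elif channel == "cloud_share" and destination not in SANCTIONED_CLOUD:
        result.update(decision="block",
                      reason="unsanctioned cloud destination %r" % destination)
    else:
        result.update(decision="allow", reason="policy satisfied")
    return result


if __name__ == "__main__":
    print(evaluate_transfer("Please charge 4111 1111 1111 1111 for the order.", "email_external"))
    print(evaluate_transfer("CLASSIFICATION: PUBLIC\nOffice hours are 9 to 5.", "email_external"))
    print(evaluate_transfer("Q3 planning notes", "cloud_share", "personal-drive.example"))
```

Two details reflect the least-privilege stance of the section: content findings can only raise a label, so a document mis-marked PUBLIC that contains an SSN is still treated as confidential, and findings carry only the last four digits, so the DLP log itself does not become a new copy of the sensitive data.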
Regular Training
Properly training employees is crucial, as human error often represents the weakest link in data security, so organizations must ensure employees understand the value of sensitive data, the potential risks of mishandling it, and their role in safeguarding it.
Training should cover recognizing phishing attempts and security best practices when handling sensitive data like Controlled Unclassified Information (CUI), prioritizing interactive workshops that rely on simulated attacks and role-specific guidelines, which improve employees’ engagement and retention of the material.
Conclusion
As enterprises increasingly adopt hybrid and multi-cloud environments, the shift from a network-centric to a data-centric approach in Zero Trust Architecture (ZTA) is becoming essential. Traditional network-based security, which relies on perimeter defenses and internal trust, is no longer sufficient in a landscape where data is highly distributed across endpoints, clouds, and external systems. Perimeter breaches, insider threats, and regulatory compliance requirements expose the limitations of solely network-focused strategies. A data-focused Zero Trust approach addresses these gaps by prioritizing the protection of the data itself, regardless of its location.
Built on Zero Trust Architecture (ZTA) and designed around end-to-end security and traffic obfuscation to the mobile endpoints, ISEC7 SEVENCEES leverages existing infrastructure to create a bespoke solution that addresses the business needs of organizations whilst securing traffic across trusted and potentially compromised networks. ISEC7 SEVENCEES not only simplifies the complex task of balancing security and operational demands but also ensures cost-effectiveness by leveraging existing infrastructure, allowing CISOs to meet budget constraints while enhancing the overall security posture. ISEC7 SEVENCEES provides a flexible framework that delivers a great end-user experience and comprehensive, monitored and managed end-to-end security to the endpoints regardless of the business needs, with the ability to integrate other elements as the business and security demands of the ecosystem evolve. If you have any questions about ISEC7 SEVENCEES, Zero Trust Architecture (ZTA), or implementing a data-centric approach to cybersecurity, please do not hesitate to reach out to the team at ISEC7 and we can help you assess your options.