Proposed ZTDA Action Plan for Enterprise

Enterprise teams interested in implementing zero trust data access (ZTDA) can create an action plan consistent with the high-level management steps outlined in this brief article. Specifically, management teams can tailor the three high-level steps included in this guide toward a ZTDA action plan consistent with local requirements, constraints, and objectives.

By Dr. Ed Amoroso, TAG Cyber

The goal of implementing zero trust data access (ZTDA) to protect unstructured data in the enterprise can only be reached through proper management and oversight. Reducing organizational dependence on perimeters for external data access, often with the replacement of legacy virtual private network (VPN) solutions, is easier said than done. So enterprise teams are strongly advised to emphasize careful planning.

In this brief article, we introduce a general action plan for any enterprise that seeks to implement secure external data access under the assumption that traditional firewall perimeters will not serve as the main compliance control or security mediation component. Instead, the goal is assumed to be the use of ZTDA solutions such as those from Qnext – and we outline steps that should help in this regard.

While every enterprise organization will certainly have its own unique requirements, constraints, and objectives, we list below three high-level management tasks that should be present in most practical ZTDA action plans. Readers are advised to peruse the details below and then use the high-level guide as a basis for tailoring their own local ZTDA implementation action plan.

ZTDA Action Plan

Step 1: Assessment of Existing External Data Access Posture

The first step is to perform an assessment of how the organization currently supports secure remote access to enterprise data. Such data is usually represented as files and folders, often hosted in Microsoft SharePoint. The assessment should take inventory of how the organization creates, stores, shares, and protects its unstructured data. This should include all aspects of external data access from customers and third parties.

One challenge that might emerge in this first step is that a typical enterprise might include a myriad of different and often incompatible solutions for external data access. This could include one approach for employees working virtually (perhaps using a VPN), another approach for suppliers requiring data access (perhaps using tunneling solutions), and yet another solution for merged companies or acquired entities.

Step 2: Prioritization of Functional and Assurance Requirements for Data Access

Once the assessment of existing external data access has been completed, it is recommended that a prioritization step be performed. This involves the enterprise team explicitly designating the relative importance of requirements in two key areas – namely, security and compliance. Each of these areas is then decomposed into two types of requirements – functional and assurance. The resulting four areas of emphasis can be combined into a decision matrix.

Figure 1. Matrix to Prioritize Requirements for External Data Access

Typical enterprise teams will find that their organization’s mission guides the relative importance placed on the ZTDA requirements in the matrix. Banks and financial institutions will see, for example, high prioritization of the assurance aspects of compliance, whereas less regulated entities such as retail organizations might place a higher priority on the functional aspects of security.

Step 3: Review, Selection, and Trial of Suitable ZTDA Platform

The final step in the ZTDA action plan involves reviewing, selecting, and trialing suitable ZTDA vendors. The inventory performed in the first step will help to define the integration and migration aspects of the proposed plan. The prioritized matrix entries from the second step will help to create a suitable review rubric for the different commercial ZTDA vendors under consideration.

As one might expect, this series of articles includes considerable detail on the Qnext FileFlex platform – and buyers are advised to include this platform in their ZTDA action planning. Nevertheless, TAG Cyber analysts are always available to assist enterprise teams in their review of all possible commercial vendors in a given solution area. Enterprise buyers of ZTDA are thus encouraged to reach out to TAG Cyber for assistance in this regard.

About This Series

This article is the last in a series of 5 from TAG Cyber on Understanding Zero Trust Data Access.

The TAG Cyber analyst team has worked with Qnext to review its ZTDA design and has concluded that it compares favorably with the objectives of the model for corporate cyber risk reduction.

In Article 1, TAG Cyber CEO Ed Amoroso examines “How To Securely Share Data?”. In Article 2, TAG Cyber’s Chris Wilder looks at the risks associated with unstructured data. In Article 3, TAG Cyber’s Ed Amoroso expands on this theme to outline zero trust access methods and how zero trust data access might work at the file and folder level for customers. Article 4 from Dr. Amoroso is an overview of the FileFlex commercial platform for zero trust data access.

Copyright © 2022 TAG Cyber LLC

Dr. Edward Amoroso is the founder and CEO of TAG Cyber. He is an experienced CEO, Chief Security Officer, Chief Information Security Officer, university professor, security consultant, keynote speaker, computer scientist, and prolific author with experience working in the telecommunications industry beginning at Bell Labs and leading to the position of SVP/CSO at AT&T. He holds a Doctor of Computer Science from Stevens Institute of Technology and is also a graduate of Columbia Business School. He has served directly under four presidential administrations in the field of cybersecurity, is now a member of the board of directors of M&T Bank, and is a senior advisor for the Laboratory of Applied Physics at Johns Hopkins University.