What is Zero Trust Data Access (ZTDA)?
Why are Organizations Adopting Zero Trust?
Almost all organizations have either started or are planning to start a zero trust initiative. Organizations in general, and critical infrastructure operators in particular, are adopting Zero Trust as a security model because traditional security models are no longer sufficient to protect against the evolving threat landscape. Traditional perimeter-based security models rely on the assumption that everything inside the perimeter is trustworthy and everything outside is not. This approach is no longer effective in today’s increasingly complex and interconnected IT environment, where users, devices, and applications are located both inside and outside the network perimeter.
Here are some reasons why organizations are adopting Zero Trust:
Increasing cyber threats
- The number and complexity of cyber threats are growing rapidly, and traditional security measures such as firewalls and antivirus software are no longer sufficient to protect against them. Zero Trust provides a more proactive and effective security approach to prevent data breaches.
Remote work and cloud computing
- The shift to remote work and the widespread adoption of cloud computing have made it more difficult to secure data and applications, as they are now accessed from different locations and devices. Zero Trust can help to secure access to resources, regardless of where they are located.
Data privacy regulations and security standards
- Organizations are subject to increasingly stringent data privacy and cyber-security regulations and standards, such as the Critical Infrastructure Act, NIST SP 800-171, CMMC, the Critical Infrastructure Cyber Community (C3) Voluntary Program, and sector-specific regulations such as the NERC CIP standards for the energy sector, CMMC for military contractors, PCI DSS for organizations that handle personal financial information, or the HIPAA regulations for the healthcare sector. European regulations and standards include GDPR, ISO 27001 and guidance from ENISA (the European Union Agency for Cybersecurity). Most countries in the EU have privacy laws that outline specific requirements for protecting personal data and that apply to all organizations operating within that country; some provincial and state governments also have privacy laws, such as the California Consumer Privacy Act (CCPA). Zero Trust provides a way to ensure that only authorized users can access sensitive data, reducing the risk of non-compliance.
- Insider threats, such as employees or contractors accessing data without proper authorization, can be difficult to detect and prevent. Zero Trust can help to mitigate these risks by ensuring that users are only given access to the resources they need to perform their job duties.
The Main Tenets of Zero Trust
A Zero Trust architecture is a security model that assumes no user is inherently trusted, and that all requests to access resources must be authenticated and authorized according to policies for each user. Zero trust security has been defined by the National Institute of Standards and Technology (NIST) and is much deeper than simply ‘never trust, always verify’. You can learn more by reading “How to Meet NIST Guidelines for Zero Trust”. According to NIST, zero trust (ZT) is a term for an evolving set of tenets that move an organization’s cybersecurity from the existing paradigm based on a static, network-based perimeter to a new paradigm that focuses an organization’s cybersecurity on users, assets, and resources.
The main tenets of a Zero Trust architecture include:
Verify before trust
- Every request must be authenticated and authorized before access is granted. Requests are also verified against a set of rules that dictate what data can be accessed, and by whom.
Least privilege access
- Users should only have access to the resources and data they need to perform their jobs. Access should be granted on a need-to-know basis and should be reviewed and updated regularly.
- Access should be segmented into smaller, more secure segments to limit the potential impact of a security breach. Access should be restricted based on the segment, files and folders being accessed.
- Activities should be monitored to aid detection and to enable a rapid response to threats.
- A Zero Trust architecture assumes that a security breach has already occurred, and therefore focuses on preventing lateral movement within the network and limiting the damage that can be caused.
By implementing these principles, organizations can significantly reduce their risk of a security breach and improve their overall security posture.
What is Zero Trust Data Access (ZTDA)?
Zero Trust Data Access (ZTDA) is a security model that provides secure access to files and folders for authorized users in a zero-trust environment. The fundamental principle of Zero Trust Data Access is that access to data should be granted only on a need-to-know basis, and every access request should be authenticated and authorized against policy before granting access.
Under the Zero Trust Data Access model, every data access request is verified against a set of rules that dictate what data can be accessed, and by whom.
Zero Trust Data Access is typically implemented through a Zero Trust Data Access platform and a combination of technologies such as Multi-Factor Authentication (MFA), Identity and Access Management (IAM), and Security Information Event Management (SIEM) software. These technologies work together to ensure that only authorized users and devices can access data.
Zero Trust Data Access is a key component of a Zero Trust architecture, which assumes that every access request is potentially malicious and requires rigorous authentication and authorization controls to prevent unauthorized access and data breaches.
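As an added illustration that is not part of the original article or any vendor's product, the following deny-by-default policy evaluator shows what "every access request is verified against a set of rules that dictate what data can be accessed, and by whom" looks like in code. The rule format, the folder-prefix scoping, the MFA requirement and the sample finance policy are all constructed for this example; every decision is appended to an audit record so a SIEM could consume it.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

@dataclass(frozen=True)
class Rule:
    principal: str       # user name or group name (constructed values below)
    folder: str          # folder the rule covers, including everything under it
    actions: frozenset   # e.g. {"read", "write"}
    effect: str = "allow"  # "allow" or "deny"; an explicit deny always wins

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    authenticated: bool  # identity proven by IAM for this session
    mfa_verified: bool   # second factor checked for this session
    path: str
    action: str
AUDIT_LOG = []  # every decision is recorded here for SIEM consumption

def _covers(folder, path):
    # /finance covers /finance/q1.xlsx but not /finance-archive/old.xlsx
    f, p = PurePosixPath(folder), PurePosixPath(path)
    return f == p or f in p.parents

def _decide(req, allowed, reason):
    AUDIT_LOG.append({"user": req.user, "path": req.path,
                      "action": req.action, "allowed": allowed, "reason": reason})
    return allowed

def evaluate(rules, req):
    """Deny by default: allow only an authenticated, MFA-verified request
    that matches an allow rule for this folder/action and no deny rule."""
    if not (req.authenticated and req.mfa_verified):
        return _decide(req, False, "identity not verified")
    principals = {req.user} | set(req.groups)
    matched = [r for r in rules if r.principal in principals
               and req.action in r.actions and _covers(r.folder, req.path)]
    if any(r.effect == "deny" for r in matched):
        return _decide(req, False, "explicit deny")
    if any(r.effect == "allow" for r in matched):
        return _decide(req, True, "allow rule matched")
    return _decide(req, False, "no matching rule")

# Constructed policy: finance reads its folder, the controller account also
# writes there, and anyone in the contractors group never touches payroll.
RULES = [
    Rule("finance", "/finance", frozenset({"read"})),
    Rule("controller", "/finance", frozenset({"read", "write"})),
    Rule("contractors", "/finance/payroll", frozenset({"read", "write"}), "deny"),
]
```

Note that a request with a valid identity but no matching rule is refused with the reason "no matching rule", which is the need-to-know principle in practice.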
The Zero Trust Data Access (ZTDA) Architecture
The tenets of zero trust are achieved for remote access and sharing of files and folders via a zero trust data access (ZTDA) architecture. A zero trust data access architecture is designed to:
- Protect access to a network segment, application, or data without providing access to the organization’s network infrastructure
- Provide IT the tools they need to control that access
- Protect the transfer of information and communications
- Allow only authorized access, and
- Protect user credentials
To achieve this, a zero trust data access architecture has 3 main components, all of which are required for the zero trust solution to work. The 3 components are:
- A server
- An agent
- A client app
All 3 components use encryption (AES-256 symmetric encryption) in various ways to protect user data, internal data, tokens and communication channels. Encryption, coupled with the architectural design and process flow, ensures privacy, security, protection of credentials and authorized access to content.
Diagram 1 outlines a high-level zero trust data access architecture and a logical view of the interaction between the 3 main components.
The Server component of the architecture is accessible on the internet and acts like a bank teller to control activity in the service. It enforces the rights and permissions of authorized users and is a relay service to manage activities.
The agent works on behalf of the user per the instructions of the server. It is also responsible for the encryption and decryption of all transmitted data.
The client app provides the mechanism through which the user uses the service. It works in conjunction with the server to let the user perform these actions securely with assigned privileges and to enforce permissions on each activity. The services are account-based, meaning a user logs into their account from any device, whether a Windows or Mac PC, an iOS or Android smartphone or tablet, or a web browser. Some client apps can operate from within Windows itself, so that a separate client app is not necessary for most daily tasks.
What are the Benefits of Zero Trust Data Access (ZTDA)?
There are several benefits to an organization of adopting Zero Trust Data Access as a security model, including:
- Zero Trust Data Access provides a more comprehensive and adaptive security approach than traditional perimeter-based models, by ensuring that every access request is authenticated and authorized before granting access. This can significantly reduce the risk of data breaches and cyber-attacks.
Reduces the risk of ransomware
- By limiting access to sensitive data and monitoring user activity, Zero Trust Data Access can help prevent ransomware attacks and minimize the impact if an attack does occur.
- Zero Trust Data Access can help organizations to comply with data privacy regulations, by ensuring that only authorized users can access sensitive data.
Reduced risk of insider threats
- Insider threats, such as employees or contractors accessing data without proper authorization, can be difficult to detect and prevent. Zero Trust Data Access can help to mitigate these risks by ensuring that users are only given access to the files and folders they need to perform their job duties.
- Zero Trust Data Access provides greater visibility into who is accessing what data, allowing organizations to better monitor and detect potential security threats.
- Zero Trust Data Access can be applied to a wide range of environments, including on-premises, cloud, SharePoint and hybrid environments, and can be tailored to the specific needs of the organization.
- Zero Trust Data Access can simplify security management by providing a single, unified security approach that applies to all users.
In summary, Zero Trust Data Access is a key component for organizations adopting Zero Trust. It is a security model that assumes no user is inherently trusted, and that all requests to files and folders must be authenticated, authorized, and verified before access is granted. This article has described why organizations in general, and critical infrastructure in particular, are adopting this model: increasing cyber threats, remote work, cloud computing, data privacy regulations, and insider threats.
Overall, Zero Trust Data Access can help organizations to achieve a more comprehensive and adaptive security approach that can better protect against cyber threats, support compliance with data privacy regulations, reduce the risk of insider threats, and provide greater visibility and flexibility in managing security.
For more learning about zero trust protection for critical infrastructure organizations see “Protecting Critical Infrastructure Using Zero Trust Data Access Architecture – The Top 8 List”, “Critical Infrastructure Regulatory Compliance via Zero Trust Architectures”, “Critical Infrastructure Management Over Remote Access and Sharing Using Zero Trust Architecture” and “Critical Infrastructure Onboarding and Ease of Use Using Zero Trust Data Access”.