Data privacy is one of the most heavily regulated areas of cyber-security. New regulations such as the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) have joined a list of compliance mandates that already included PCI-DSS for payment card data and HIPAA for patient information. Many enterprises now have compliance officers or even whole compliance teams, who carry a heavy workload in achieving and proving compliance with these regulations, both to be prepared for an audit and to put best practices into place.
As data centers have become increasingly complex and dynamic, this workload has increased exponentially. Visibility is understandably hard to achieve in a heterogeneous environment, and if you don’t know where your data is – how can you secure it?
Traditional Perimeter Security Causes Problems for Compliance
If your business relies on perimeter-based security, any breach is a breach of your whole network. Everything is equally accessible once an attacker has made it through your external perimeter. This security model cannot distinguish between types of data or applications, and does not define or visualize critical assets, giving everything in your data center an equal amount of protection.
This reality is a struggle for any IT or security team responsible for compliance. Multiple compliance authorities enforce strict controls over the management of customer data, including how it is held, deleted, shared and accessed. Personally identifiable information (PII) and anywhere that financial information is stored (e.g. the cardholder data environment, or CDE) need added security measures or governance to satisfy compliance mandates, and yet these assets are often left unidentified, let alone secured. This is made more complicated today by a growing amount of data that resides or communicates outside of the firewall, for example in the cloud. Visibility is the first hurdle, and many enterprises fall at it immediately.
On top of this, with border controls alone, as soon as your perimeter is breached, all your data is up for grabs by attackers who can make lateral movements inside your network. Even if you could see what you have, perimeter security simply can’t protect critical data that falls in scope for compliance at the required level.
Zero Trust as a Solution for Compliance
Many enterprises know that a Zero Trust model would provide a stronger security posture, and are worried about the movement of east-west traffic that remains unprotected, but think of moving to a Zero Trust paradigm as an incredibly complex initiative. Segmenting applications, writing policy for different areas of the business, establishing what access to give permissions to and where, it sounds like it would complicate security, not make it simpler.
However, Renee Murphy, principal analyst at Forrester Research, explains that a Zero Trust model, when implemented intelligently, actually makes security and compliance a whole lot easier. “You end up with a less complex environment and doing less work overall. Once you know what [your data] is, where it is and how important it is, you can [then] put your efforts towards it.”
For this to be successful, and remain simple, your Zero Trust model’s implementation needs to start with visibility. Data classification is not an IT problem, it’s a business problem, and the business needs to be able to automatically discover all assets and data, both in real-time, and with historical baselines for comparison and policy creation.
Your partner in creating a Zero Trust model should be able to provide an automatic map of all applications, databases, communications and flows, including dependencies and relationships. This needs to be both deep, providing granular insight, and also broad, across your hybrid environment covering everything from legacy on-premises to container systems.
Furthermore, pick a vendor with good granular enforcement capabilities. The best protection leaves the least possible exposure. Policies that can lock compliance environments down further than port and IP address are required. Seek those that can create policies at the process, user, and domain name level.
Not only does this provide the best starting point for Zero Trust initiatives, but it also means that compliance becomes far easier as a result of best-in-class documentation and records at every stage.
Regardless of which standard you wish to comply with, using the Zero Trust model for visibility and segmentation to effectively limit scope and resources is essential. For example, the PCI-DSS Security Council has published the Information Supplement: Guidance for PCI DSS Scoping and Network Segmentation, in which segmentation as a means of reducing scope is directly called out.
When You Establish Zero Trust, All Data Can be Treated Unequally
Once visibility is established, and you have an accurate view of your network, you can easily identify what needs protecting. Compliance mandates are usually very clear about which data is in scope and which is out of scope, and only require that in-scope data be handled according to the regulation. While perimeter security made it impossible to apportion security differently throughout your data center, this is where micro-segmentation and Zero Trust thrive.
With zero trust, your security strategy can recognize that not everything is created equally. Some data or applications need more security and governance than others, and while certain assets need to be watched and controlled closely, others can be left with minimal controls.
With the right partner in place, enterprises can use a distributed firewall to prioritize their compliance effort, starting with the most essential assets and working outward. Granular rules can be put in place, down to process level or based on user identity, strictly enforcing micro-perimeters around systems and data that are in scope. This is a much easier task than ‘protect everything, all the time.’
Demonstrating Compliance using a Zero Trust Environment
Adopting a Zero Trust mentality is also a really strong way to show auditors that you’re doing your part. A huge part of compliance is being able to guarantee that even in case of a breach, you have taken all reasonable steps to ensure that your data was protected from malicious intent. Each time an east-west movement is attempted, this communication is checked and verified. As such, your enterprise has never assumed that broad permissions are enough to guarantee a safe connection, and with micro-segmentation, you have reduced the attack surface as much as possible. This process also provides an audit trail, making incident response and documentation much simpler in case of a breach.
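To make the segmentation model described above concrete, the following is an added example (not the page's or any vendor's code) of a default-deny micro-segmentation policy evaluator. Workloads carry labels that mark them as in scope (here a constructed scope value of "cde") or out of scope, each attempted east-west connection is matched against explicit allow rules that go beyond port and IP to the originating process and user, and every verdict is appended to an audit trail. All workload names, labels, paths and flows are constructed for illustration.

```python
"""Toy default-deny micro-segmentation evaluator (added example; all names constructed)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Workload:
    """A server, VM or container, identified by name and descriptive labels."""
    name: str
    labels: dict  # constructed example labels, e.g. {"scope": "cde", "role": "db"}


@dataclass
class Flow:
    """One attempted east-west connection, as a host agent would report it."""
    src: Workload
    dst: Workload
    dst_port: int
    process: str  # executable that opened the connection on the source
    user: str     # identity that process runs under


@dataclass
class Rule:
    """An explicit allow rule; None for process or user means 'any'."""
    name: str
    src_labels: dict
    dst_labels: dict
    dst_port: int
    process: Optional[str] = None
    user: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        return (
            _selector_matches(self.src_labels, flow.src.labels)
            and _selector_matches(self.dst_labels, flow.dst.labels)
            and self.dst_port == flow.dst_port
            and (self.process is None or self.process == flow.process)
            and (self.user is None or self.user == flow.user)
        )


def _selector_matches(selector: dict, labels: dict) -> bool:
    """Every key/value in the selector must be present on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())


class PolicyEngine:
    """Default deny: a flow passes only if some rule explicitly allows it."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.audit = []  # every decision lands here, allow or deny

    def evaluate(self, flow: Flow) -> bool:
        for rule in self.rules:
            if rule.matches(flow):
                self._record(flow, "ALLOW", rule.name)
                return True
        self._record(flow, "DENY", "default-deny")
        return False

    def _record(self, flow: Flow, verdict: str, reason: str) -> None:
        self.audit.append({
            "src": flow.src.name, "dst": flow.dst.name, "port": flow.dst_port,
            "process": flow.process, "user": flow.user,
            "verdict": verdict, "reason": reason,
        })

    def in_scope_workloads(self, workloads, scope_value="cde"):
        """Names of assets carrying the in-scope label; these are the audit's focus."""
        return sorted(w.name for w in workloads if w.labels.get("scope") == scope_value)


# Constructed sample environment and traffic (not real hosts or paths).
POS_WEB = Workload("pos-web-01", {"scope": "cde", "role": "web"})
CARD_DB = Workload("card-db-01", {"scope": "cde", "role": "db"})
HR_APP = Workload("hr-app-01", {"scope": "corp", "role": "app"})

RULES = [
    Rule("pos-web-to-card-db", src_labels={"scope": "cde", "role": "web"},
         dst_labels={"scope": "cde", "role": "db"}, dst_port=5432,
         process="/opt/pos/bin/pos-app", user="pos"),
]

SAMPLE_FLOWS = [
    Flow(POS_WEB, CARD_DB, 5432, "/opt/pos/bin/pos-app", "pos"),  # the application itself
    Flow(POS_WEB, CARD_DB, 5432, "/usr/bin/psql", "root"),        # same hosts and port, other process and user
    Flow(HR_APP, CARD_DB, 5432, "/opt/pos/bin/pos-app", "pos"),   # out-of-scope workload reaching into the CDE
]


def run_sample():
    """Evaluate the constructed flows; returns (verdicts, audit trail)."""
    engine = PolicyEngine(RULES)
    verdicts = [engine.evaluate(f) for f in SAMPLE_FLOWS]
    return verdicts, engine.audit


if __name__ == "__main__":
    verdicts, audit = run_sample()
    for entry in audit:
        print(entry)
```

The second flow shows why port-and-IP rules are not enough for a compliance environment: it is identical to the allowed flow at the network layer and is only denied because the process and user do not match. The audit list is the record an assessor would ask for, since it shows that every east-west attempt was checked and which rule, or the default deny, decided it.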
Consider partnering with a vendor that includes monitoring and analytics, as well as breach detection and incident response, to lower the chance of a successful cyber-attack, and create a plan for any events that violate policy or suggest malicious intent. This can dramatically improve your odds of withstanding an attack, as well as help to bolster a robust compliance checklist.
The days of relying on perimeter-based controls to stay compliant and secure are long gone. In a world where Zero Trust models are gaining acceptance and improving security posture so widely, enterprises need to do more to prove that they are compliant with the latest regulations.
The Zero Trust framework acknowledges that internal threats are now almost a certainty, and enterprises need to protect sensitive data and crown-jewel applications with more than border control alone. Remaining compliant is an important yardstick against which to measure the security of your infrastructure, and Zero Trust is an effective model for achieving that compliance.