Zero Trust is the new Buzz word in the cybersecurity arena. Ever since, Forrester Analyst, Kindervag introduced the term Zero Trust in his article “Zero Trust Architecture”, traditional security measures have become obsolete.
Zero Trust is a security framework that is based on an “I Trust No One” principle; it doesn’t matter if the user is within or outside the organization. A user is not granted access unless he/she is authenticated and authorized first.
According to Statista.com as of 2022, over 60 percent of all corporate data is stored in the cloud. As attackers now target data stored in the cloud, it becomes important for organizations to go for a Zero Trust architecture to secure their data.
Here are the 5 guiding principles to protect your IP
Principle 1 – Identify which portion of your IP is the most critical.
This is the first and most critical step. Discovering your organization’s sensitive data may sound simple but in practice it is not.
Systems are complex and are always changing. It is important to know which systems contain data that is most critical and which databases have a specific combination of sensitive data that place them at higher risk.
One way to identify which portion of your IP is the most critical is to classify it. There are countless variables to consider as different data require different treatments.
Remember the more sensitive your data the more control layers you have to consider protecting it.
Principle 2 – Identify which application is affected.
Once you have discovered which data is sensitive, it is now time to assess the risks. Organizations should also think about how the loss of the confidentiality, integrity, or availability of that information would impact the organization in case of a data breach.
You need a robust risk assessment in place. Once you know where your highest vulnerabilities lie, you would be able to shape your security plan.
Principle 3 – Identify the User
The next principle is to identify the user. How do you verify if your users are who they say they are? Authenticating users, knowing who they are, where they are, and how they are accessing your applications and networks is important to adopt Zero-Trust security.
Multi-factor authentication (MFA) can be used to authenticate a user’s identity and trust can be established by using passwords or biometrics. MFA does the following:
Principle 4 – Identify if the access is necessary
Many organizations give privileged access to sensitive data to a number of employees and insiders. Transactions will be secure if the person accessing the data really needs to access the data.
Organizations are totally unaware of the details of the individuals that have access to sensitive data and why they need access. This is a huge risk. Therefore, it is necessary for organizations to limit data access.
They should determine who needs access and ensure that they access the information to only what they need and not every other detail present in the system. This can be ensured by enforcing access control.
As most of the organizations, today work in hybrid environments where data moves from on-premise to cloud to homes, offices, etc with open Wi-Fi hot spots, enforcing access control can be a daunting task.
“The most common access control method is Attribute-Based Access Control (ABAC), where each user is assigned a series of attributes such as time of day; position, location, etc are used to make a decision on the access to sensitive information.”
Principle 5 – Identify what happens to the data once it is accessed
Data breaches are a constant threat to any organization. However, even after companies enforcing strict policies, procedures, and strategies data breaches occur.
So it is important to stay protected and do everything possible to prevent data breaches. Organizations should have a good recovery plan in case a data breach does occur.
Once a breach is noticed, it is important to quickly contain it. Disconnecting breached accounts and having multiple layers of security infrastructure can help to locate and isolate the attack quickly and efficiently.
Investigate and assess the damage done. Once the damage is identified, notify the concerned users including third-party vendors. Lastly, perform a security audit and plan so that future attacks are not possible.
The 3 levels of data classification are:
Restricted – This is the most critical data that could cause great risk if compromised. Access is to be provided only on a need basis.
Confidential or Private – This is moderately sensitive data. Access is internal to the company or department that owns it.
Public – This is non-sensitive data that would cause little or no risk if accessed. Access control is loose or not controlled.
The above five guiding principles are necessary for managing any sensitive or intellectual data. More than that organizations must generate transparency by automatically monitoring data flows. Complete data visibility allows business leaders to see how data flows throughout each set of business processes in isolation as well in totality. This provides end-to-end data visibility.
At SECUDE , we provide a consulting-led approach to help SAP clients obtain transparency, assess risk potential, and change their business process security standards if required for protecting their sensitive data.