Beef up your IP Security with Zero Trust  – 5 Guiding Principles to start protecting your IP effectively

Zero Trust is the new Buzz word in the cybersecurity arena. Ever since, Forrester Analyst, Kindervag introduced the term Zero Trust in his article “Zero Trust Architecture”, traditional security measures have become obsolete. 

The concept of zero trust is a security framework that is based on an Trust No One principleit doesn’t matter if the user is within or outside the organization. A user is not granted access unless he/she is authenticated and authorized first.  

According to the “Encryption, Privacy in the Internet Trends Report” of 2019, more data is now stored in the cloud than on private enterprise servers or consumer devices. As attackers are now targeting data stored in the cloud, it becomes important for organizations with sensitive research information or intellectual property (IP) to go for a Zero Trust Architecture to secure their data.  

There are five guiding principles to begin before you start protecting your IP effectively by implementing a Zero Trust Architecture. 

Principle 1 – Identify which portion of your IP is the most critical.

This is the first and most critical step. Discovering your organization’s sensitive data may sound simple but in practice it is not.

Systems are complex and are always changing. It is important to know which systems contain data that is most critical and which databases have a specific combination of sensitive data that place them at higher risk.

One way to identify which portion of your IP is the most critical is to classify itThere are countless variables to consider as different data require different treatment. 

Also, remember this is not a one-time project as critical data keeps changing anrequires constant tracking. Three levels of data classification are needed: 

  • Restricted – This is the most critical data that could cause great risk if compromised. Access to be provided only a need basis. 
  • Confidential or Private – This is moderately sensitive data. Access is internal to the company or department that owns it.  
  • Public – This is non-sensitive data that would cause little or no risk if accessed. Access control is loose or not controlled.  

Remember the more sensitive your data the more control layers you have to consider protecting it 

Principle 2 – Identify which application is affected. 

Once you have discovered which data is sensitive, it is now time to assess the risks. Organizations should also think about how the loss of the confidentiality, integrity, or availability of that information would impact the organization in case of a data breach. 

You need a robust risk assessment in place. Once you know where your highest vulnerabilities lie, you would be able to shape your security plan. 

Principle 3 – Identify the User

The next principle is to identify the user. How do you verify if your users are who they say they are? Authenticating users, knowing who they are, where they are, and how they are accessing your applications and networks is important to adopt Zero-Trust security. 

Multi-factor authentication (MFA) can be used to authenticate a user’s identity and trust can be established by using passwords or biometrics. MFA does the following: 

  • Identifies if the user is who they say they are 
  • Identifies if that user has the right to access the sensitive data 
  • Identifies if the user’s device is secure and can be trusted 

Principle 4 – Identify if the access is necessary 

Many organizations give privileged access to sensitive data to a number of employees and insiders. Transactions will be secure if the person accessing the data really needs to access the data. 

Organizations are totally unaware of the details of the individuals that have access to sensitive data and why they need access. This is a huge risk. Therefore, it is necessary for organizations to limit data access.

They should determine who needs access and ensure that they access the information to only what they need and not every other detail present in the system. This can be ensured by enforcing access control. 

As most of the organizations, today work in hybrid environments where data moves from on-premise to cloud to homes, offices, etc with open Wi-Fi hot spots, enforcing access control can be a daunting task. 

The most common access control method is Attribute-Based Access Control (ABAC), where each user is assigned a series of attributes such as time of day; position, location, etc are used to make a decision on the access to sensitive information. 

Principle 5 – Identify what happens to the data once it is accessed 

Data breaches are a constant threat to any organization.  However, even after companies enforcing strict policies, procedures, and strategies data breaches occur. 

So it is important to stay protected and do everything possible to prevent data breaches. Organizations should have a good recovery plan in case a data breach does occur.  

Once a breach is noticed, it is important to quickly contain it. Disconnecting breached accounts and having multiple layers of security infrastructure can help to locate and isolate the attack quickly and efficiently.

Investigate and assess the damage done. Once the damage is identified, notify the concerned users including third-party vendors. Lastly, perform a security audit and plan so that future attacks are not possible. 

The above five guiding principles are necessary for managing any sensitive or intellectual dataMore than that organizations must generate transparency by automatically monitoring data flows. 

Complete data visibility allows business leaders to see how data flows throughout each set of business processes in isolation as well in totality. This provides end-to-end data visibility.

At SECUDE, we provide a consulting-led approach to help SAP clients obtain transparency, assess risk potential, and change their business process security standards if required for protecting their sensitive data.  

To know more about how we implement data security you can always contact me at:

Matthias Possehl
Director of IP Protection Solutions
SECUDE International AG