Based on in-depth analysis of zero trust and data governance conducted by the practitioner analysts of Acceleration Economy so far this year, I think we can agree on the following points:
- Information (data + context) that allows better, faster decisions to be made is a (or the) raison d’etre for information technology (IT)
- Protecting data — from unauthorized alteration, inappropriate disclosure, malicious destruction, improper denial of access — is vital for organizations to function
- Zero trust security — ensuring that users (people or applications) get access only to the organizational resources (applications, data, networks) needed for their job function, and even then get only the least amount of access needed — is an effective way to provide security in today’s cloud-centric world
- Data governance includes the policies, procedures, and tools that allow organizations to balance desires for information access against security, privacy, confidentiality, and regulatory constraints on that access
The points above can be summarized simply by saying that zero trust principles allow an organization to implement proper data governance. Now, let’s look at the details of how to put that into practice.
Which companies are the most important vendors in data? Check out the Acceleration Economy Data Modernization Top 10 Shortlist.
Why Roles Are Core to Zero Trust Implementation
When properly implementing zero trust, you start by considering the uses and users of data. The notion of roles is central to that analysis.
A role is something like a job title, only narrower and better defined. A role — for example, an accounts payable (A/P) processor — needs access to certain data elements (systems, records, and fields; or tables, rows, and columns if you prefer) to process invoices for payment. The role needs access to invoices, of course. And access to receiving documents, requisitions, vendor records, contracts, and so on.
By identifying roles and associating each role with the data that’s needed, you start building both your zero-trust rules and your data governance rules. For example, the A/P processor can’t access employee payroll records, health insurance claims, or research and development (R&D) files.
(As an aside, if you have an effective identity and access management or IAM process and associated tools, you’ve got a mechanism and a repository for managing roles. If you don’t have such an IAM mechanism, go get one!)
But you’re not done yet. Access to data for any given role is limited by what individuals in that role can do to and with the data. While our A/P processor can change the status of an invoice (“approved for payment” or “forwarded to manager for exception approval”), deleting an invoice should be forbidden. This latter rule protects the organization against a ransomware attack that deletes records after encrypting them.
How about disallowing changes to the amount due, or the pay-to account and bank information? This restriction helps thwart other fraudulent schemes in which funds are diverted.
Another data restriction would involve exfiltration: accessing data records (not invoices perhaps, but imagine other records you wouldn’t want leaked) and sending them — via email or data transfer — out of the organization for use by competitors or for corporate blackmail purposes.
The argument often expressed against the “role-based data access” part of zero trust is the work required to identify roles and enumerate every type of access for every record and field. But here’s the secret of effectively implementing zero trust:
- You can start with the most critical databases, records, and columns. For example, restrict every social security number (SSN) column in every database as step one. Find those columns (there’s data governance software that can help) and lock them up using data security software. Then define only those roles that need access to the SSN data and add the role: Everyone not in one of those roles has no access; in other words, zero trust is in force.
- Over time, extend your definition of critical data elements as well as critical data access types such as record deletion and data exfiltration. Then:
- identify the databases, rows, and columns (with software) that need zero trust protection
- define appropriate roles in your IAM software; this is the labor-intensive part that involves “data owners” and “data stewards” from business units
- activate zero-trust protection so that only people with the proper roles can access those data elements and have their access restricted to what’s defined for their role
As you can see from the foregoing, zero trust and data governance should be intertwined. IAM and data security tools work together to define roles and the associated data elements. And data governance tools plus security tools combine to allow role-based access while denying access that falls outside that which is prescribed.
I hope you can also see that modern security isn’t just the chief information security officer’s (CISO’s) job. It takes collaboration among the CISO, chief data officer (CDO), and chief information officer (CIO) to implement policies and tools that protect the organization from evildoers (and many types of accidents!) while providing appropriate data access to those who play by the rules . . . errr, I mean “roles.”
Looking for more insights into all things data? Subscribe to the Data Modernization channel: