By Amit Jaju, Senior Managing Director, Ankura Consulting Group
It’s a strange paradox of the digital age: our connectivity has produced a level of visibility that has revolutionized our access to information and services. But this connectivity has also created the possibility of our information being exploited by people with ulterior motives. It is necessary to balance our need for access. Data protection requirements have created a new category of security threats called “low-trust environments”.
Most businesses today operate in an unreliable environment. It’s a world where trust is low due to uncertainty about who is watching and what they might do with your information. The digital ecosystem is full of low-trust environments, from peer-to-peer networks to public Wi-Fi hotspots. It’s a place where you have to be very careful about what you say, who you talk to, and what you share.
Especially for companies based in low-trust environments, like most Indian companies, the concept of “data security” is synonymous with cumbersome, high-security procedures and hardware solutions that existed before. The low-trust environment is a security threat, not a help to it. The solution is a new low-trust approach we call the “Zero-Trust Security” Architecture (ZTSA). Let’s explore how an Indian company can take this approach to increase their data security while making themselves more accessible to customers.
The problem with traditional cybersecurity
The problem with traditional data security is that it doesn’t work. The reasons are simple: you can’t trust your technology and you can’t trust your employees. The only solution is trust. You have to trust the employees, you trust your suppliers and you trust your technology. You cannot trust any of them.
Trust is fleeting and fragile. It takes time to build and even more time to waste. Once it’s gone, you can never get it back. It’s like money in an account. If someone steals your money, they can keep it. But if you lose the account information, you cannot recover it.
Trust is so fleeting that it is easy to smash it in a single breach. Internal trust is like a pair of glasses. Once you break it, it’s not as easy to fix. Zero-Trust security is like not wearing glasses at all. It doesn’t require you to trust anything.
What is Zero-Trust Security?
Zero-Trust security is about applying minimal trust to your data and technology. The key is to apply as little trust as possible, while still allowing the technology to work. This is the opposite of traditional data security where you try to apply as much trust as possible to a given input and hope that it doesn’t lead to bad results.
Zero-Trust security is about separating data and control. Data should be owned by a service provider, while control should remain with the entity generating it. Data providers must be open and verifiable. They should follow industry best practices and keep data as secure as possible. They should be as open as possible, so that all entries can be audited and verified.
How does Zero-Trust increase security?
Data security in a low-trust environment can be increased in several ways without having to establish trust between parties.
Encryption – With data stored and encrypted in the data provider, it cannot be accessed by the entity that generates it. The data holder provider owns the keys and can prove that it has not accessed the data. Encryption is a “trustless” technology.
Authentication – In addition to being encrypted, data must also be authenticated. This provides an additional level of confidence that the data comes from the source it claims to come from.
Auditing – Auditing is essential to Zero-Trust cybersecurity. Without auditing, it would be impossible to know who accessed the data and when. In a low-trust environment, this is essential to prevent malicious activity. Data providers must be open and verifiable. They should follow industry best practices and keep data as secure as possible. They should be as open as possible, so that all entries can be audited and verified.
Zero-Trust for an Indian company
The average Indian business operates in a low trust environment. He has to be careful what he shares and with whom. It’s also easy for its employees to share sensitive data, like login credentials and business plans, with competitors.
To protect data, the best thing a low-trust Indian company can do is separate data and control. Data should be owned by a data provider, while control should remain with the entity generating the data. A company can create a data storage service using an open source tool like GuardCM. It’s a simple process:
– Generate a GuardCM API key and provide it to your data custodians.
– Create a GuardCM user and provide the user’s API key and GuardCM username to your data custodians.
– On your data warehousing entities, enable data export and import via the GuardCM API.
The Internet of Things (IoT) promises a more connected world, but it also brings new security risks. As companies connect more devices to the network, they increase their security and privacy risks in the event of data loss.
Investors are more inclined to invest in companies with a low trust ecosystem. In order to operate in a low-trust ecosystem, businesses must operate with a modicum of trust.
The Zero-Trust Security Architecture is a conceptually new architecture that seeks to combine security and accessibility through a minimum level of trust. On the contrary, a trust-based approach has become increasingly difficult in a world where data breaches and identity theft have become commonplace.