Unpacking Zero Trust - Part 2

Extending Zero Trust to Applications and Data

While most organizations excel in implementing Zero Trust principles for Identity, Network, and Device, the pillars of Applications and Data are often more complex and harder to address. Yet, these two pillars are where the most critical assets reside, and they are often the ultimate targets of cyberattacks. This article explores how organizations can extend Zero Trust principles to these overlooked but essential pillars.

The Application Pillar: Moving Beyond Network-Level Control

Applications are the gateway to sensitive business functions and data, yet many organizations ignore application security and leave it entirely with the business units. It can be argued that application security belongs with the business; however, this creates isolated security practices and a completely decentralized governance process that is potentially unyielding.

Organizations that attempt to use Zero Trust Network Access (ZTNA) as a step forward usually have it managed and implemented by the security or network security organization, and it primarily governs access at the network layer; this does not necessarily cover the business's application-level security needs. True Zero Trust for applications requires granular control at the application level.

Challenges in Application Security

Securing applications in today’s digital environment is no small task. Organizations manage a mix of custom-built, off-the-shelf, and cloud-based applications, each with its own unique access and security requirements. This complexity creates several challenges:

  • Complexity of Application Ecosystems: Organizations often have a mix of custom-built, off-the-shelf, and cloud-based applications, each with its own access and security requirements.
  • Inconsistent Access Policies: Policies for network access are often applied uniformly, but application-specific access policies can vary widely and lack centralization.
  • Integration with Business Logic: Applications often enforce their own access rules, which may not align with organizational policies or externalized controls.

What Zero Trust for Applications Looks Like

Zero Trust for applications involves creating and enforcing policies that go beyond simple access controls. Policies must be dynamic, context-aware, and extend into the application's internal functionality. Here’s what this looks like in practice:

  1. Role-Based and Attribute-Based Access Control (RBAC/ABAC): Define granular roles and attributes to control who can do what within an application.
  2. Dynamic Policy Enforcement: Policies must adapt based on contextual factors such as time of day, geolocation, device health, and user behavior. For instance, a financial analyst working from a trusted office location may have full access to reporting tools, but access may be restricted if they attempt to log in from an unapproved device or location.
  3. Externalized Authorization: Decouple policy enforcement from applications by using centralized policy engines like Open Policy Agent (OPA) or tools that integrate with Zero Trust architectures. Applications should query these engines to determine if access is permitted based on real-time policies.


A Real-World Example

Imagine a healthcare organization where employees access an Electronic Medical Record (EMR) system. A Zero Trust implementation might enforce the following:

  • Physicians can view patient data only for their assigned patients during their scheduled hours.
  • Administrators can view billing data but cannot access patient medical records.
  • Data access is restricted to devices that meet compliance standards, such as up-to-date patches and antivirus software.

This level of control requires integration between identity providers, application authorization layers, and device posture systems.

The true value of Zero Trust in these examples lies in its ability to externalize policies from the applications themselves. Whether the policies are based on roles, attributes, or purely contextual rules, they can be applied consistently across multiple applications. Moreover, these policies are designed to evolve over time while maintaining a foundation of strong governance.
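The EMR rules above expressed as a policy decision point. This is an added example, not code from the article; it models in plain Python the allow/deny answer an externalized engine such as OPA would return, and the physician assignments, shift schedule and device-posture fields are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data for the EMR scenario: which patients each physician
# is assigned, and the (start, end) hours of their scheduled shift (24h local).
ASSIGNMENTS = {"dr_lee": {"pt-001", "pt-002"}, "dr_ortiz": {"pt-003"}}
SCHEDULE = {"dr_lee": (8, 18), "dr_ortiz": (20, 24)}

@dataclass
class Request:
    """The context an application would send to the policy engine."""
    subject: str
    role: str                  # "physician" or "administrator"
    resource_type: str         # "medical_record" or "billing"
    patient_id: Optional[str]
    hour: int                  # hour of day the request arrived
    device_patched: bool       # device posture, as reported by the endpoint system
    device_av_current: bool

def device_compliant(req: Request) -> bool:
    return req.device_patched and req.device_av_current

def decide(req: Request) -> Tuple[bool, str]:
    """Policy decision point: (allow, reason). Anything not explicitly allowed is denied."""
    if not device_compliant(req):
        return False, "device posture non-compliant"
    if req.role == "administrator":
        if req.resource_type == "billing":
            return True, "administrator may view billing"
        return False, "administrator may not view medical records"
    if req.role == "physician" and req.resource_type == "medical_record":
        if req.patient_id not in ASSIGNMENTS.get(req.subject, set()):
            return False, "patient not assigned to this physician"
        start, end = SCHEDULE.get(req.subject, (0, 0))
        if not start <= req.hour < end:
            return False, "outside scheduled hours"
        return True, "assigned patient during scheduled shift"
    return False, "no matching rule"

if __name__ == "__main__":
    print(decide(Request("dr_lee", "physician", "medical_record", "pt-001", 10, True, True)))
    print(decide(Request("dr_lee", "physician", "medical_record", "pt-001", 19, True, True)))
```

Because the decision is computed outside the EMR, the same function can answer for any other application that sends the same context.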


The Data Pillar: Protecting the Crown Jewels

If applications are the gateway, data is the ultimate asset that Zero Trust aims to protect. Yet, protecting data is significantly more challenging because it requires organizations to understand, classify, and control access to their most valuable information.

Challenges in Data Security

Securing sensitive data has never been more challenging as it spreads across on-premises systems, cloud platforms, and SaaS applications, creating significant gaps in visibility and control. Many organizations struggle to classify data based on its sensitivity or regulatory requirements, making it difficult to enforce effective security policies. The following outlines some of these challenges:

  1. Data Sprawl: Sensitive data often resides across multiple locations—on-premises, in the cloud, or within SaaS platforms—making it difficult to monitor and secure comprehensively.
  2. Lack of Data Classification: Many organizations fail to classify data based on sensitivity, regulatory requirements, or business impact, making it impossible to enforce appropriate policies.
  3. Granular Access Control: Applying fine-grained access policies to data is a complex task that requires detailed knowledge of the data's context and classification.

What Zero Trust for Data Looks Like

To extend Zero Trust principles to data, organizations need to focus on three core strategies:

  1. Data Discovery and Classification: Use tools to scan data repositories and classify data based on its sensitivity (e.g., personal identifiable information, HIPAA-regulated data, financial records).
  2. Policy-Driven Access Control: Define and enforce policies that determine who can access data, under what conditions, and for what purpose. For example:

  • A marketing analyst can access customer data for analysis but cannot download or export it.
  • A physician can access patient data only while on a hospital-approved device within the network


  3. Real-Time Monitoring and Encryption: Implement tools to monitor data access in real time, flagging suspicious activity such as unauthorized downloads or attempts to access sensitive files outside business hours. Additionally, data should always be encrypted both at rest and in transit.


A Real-World Example

Consider a financial institution that stores sensitive customer data, such as Social Security numbers, in a cloud-based database. With Zero Trust:

  • Access to customer data is restricted to specific roles (e.g., customer support representatives) and specific use cases (e.g., resolving customer inquiries), enforced through externalized Zero Trust policies rather than rules local to the application.
  • Anomalous activity, such as a bulk data download, triggers an automated response, such as revoking access or flagging the event for review. This is more than a SIEM playbook: the capability not only monitors and maintains but also responds.
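The purpose-bound access policy and the bulk-download response described above, as an added example that is not part of the article; the roles, purposes, thresholds and access events are constructed sample values.

```python
# Policy: role -> (permitted actions, permitted purposes). Constructed values.
POLICY = {
    "marketing_analyst": ({"read"}, {"analysis"}),
    "support_rep": ({"read"}, {"resolve_inquiry"}),
}
BUSINESS_HOURS = range(8, 18)   # local hours considered normal for data access
BULK_THRESHOLD = 1000           # rows in one request that count as a bulk pull
# Constructed sample access events, in arrival order.
EVENTS = [
    {"user": "ana", "role": "marketing_analyst", "action": "read",   "rows": 200,   "hour": 10, "purpose": "analysis"},
    {"user": "ana", "role": "marketing_analyst", "action": "export", "rows": 200,   "hour": 10, "purpose": "analysis"},
    {"user": "sam", "role": "support_rep",       "action": "read",   "rows": 1,     "hour": 14, "purpose": "resolve_inquiry"},
    {"user": "sam", "role": "support_rep",       "action": "read",   "rows": 50000, "hour": 2,  "purpose": "resolve_inquiry"},
    {"user": "sam", "role": "support_rep",       "action": "read",   "rows": 1,     "hour": 14, "purpose": "resolve_inquiry"},
]

def authorized(ev):
    """Policy check: the action and the stated purpose must both be permitted for the role."""
    actions, purposes = POLICY.get(ev["role"], (set(), set()))
    return ev["action"] in actions and ev["purpose"] in purposes

def anomalies(ev):
    """Monitoring check on an authorized event: bulk pulls and off-hours access."""
    flags = []
    if ev["rows"] >= BULK_THRESHOLD:
        flags.append("bulk_access")
    if ev["hour"] not in BUSINESS_HOURS:
        flags.append("off_hours")
    return flags

def process(events):
    """Enforce policy, then monitor; a bulk pull revokes the user's access for later events."""
    revoked = set()
    outcomes = []
    for ev in events:
        if ev["user"] in revoked:
            outcomes.append("denied: access revoked")
        elif not authorized(ev):
            outcomes.append("denied: policy")
        else:
            flags = anomalies(ev)
            if "bulk_access" in flags:
                revoked.add(ev["user"])          # automated response, not just a log entry
                outcomes.append("allowed, then revoked: " + ",".join(flags))
            elif flags:
                outcomes.append("allowed, flagged: " + ",".join(flags))
            else:
                outcomes.append("allowed")
    return outcomes, revoked
```

Running `process(EVENTS)` shows the analyst's export denied by policy, the support representative's 50,000-row pull at 02:00 allowed but immediately revoked, and the following request refused.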


Enabling Technologies for Applications and Data

  1. Identity and Access Management (IAM): Advanced IAM solutions integrate directly with applications, data stores, and policy servers to enforce Zero Trust policies.
  2. Data Loss Prevention (DLP): DLP tools monitor and control the movement of sensitive data within and outside the organization.
  3. Cloud Access Security Brokers (CASBs): CASBs provide visibility and control over data stored in cloud environments, enforcing Zero Trust principles.
  4. Encryption and Tokenization: Encryption ensures data remains secure, while tokenization helps secure sensitive fields in applications and databases.


Why These Pillars Are Critical

While Identity, Network, and Device are foundational, Applications and Data are where the real value lies. Without extending Zero Trust principles to these pillars, organizations risk leaving their most critical assets exposed. These pillars represent the end goals of cyberattacks, and as such, they require the highest levels of protection.

While these may seem like fundamental elements of cybersecurity programs and the technologies supporting applications and data, the real value lies in integrating them with identity providers, network security solutions, and device context systems. It’s this seamless integration that drives meaningful impact and enhances overall security.

A Call to Action

To extend Zero Trust to Applications and Data, ask yourself:

  • Have we classified and categorized our sensitive data?
  • Are we enforcing granular, context-aware policies for application access?
  • Do we have visibility into who accesses what data, when, and how?

In Part 3, I’ll explore the cross-cutting capabilities—Visibility & Analytics, Automation & Orchestration, and Governance—and how they tie the Zero Trust pillars together. These capabilities are key to maintaining and monitoring your Zero Trust environment.

Stay tuned as we continue this journey toward a complete Zero Trust strategy. Keep in mind that it is NOT ONE PILLAR that will make this successful! #ZeroTrust #DataSecurity #ApplicationSecurity #CyberSecurity #DataGovernance

Philip Griffiths

Open source zero trust networking

1 month

Another aspect for app-centric zero trust is to embed a zero trust connectivity overlay, so that you make IP/network attacks impossible against the app - as it has no listening ports on the WAN, LAN or even host OS network. This massively reduces the attack surface of our apps, while providing huge simplifications for ops. As you say, this is externalised from the app, with ABAC, policies, etc. An example of this is NetFoundry, and the open source technology it is built on, OpenZiti - https://openziti.io/. I know of at least 1 other OSS project going in this direction.


More articles by Jerry Chapman
