Zero Trust

The untold story of zero trust and data privacy

Jan 20, 2022
Zero trust and data privacy

I’ve recently spoken with several CTOs, infrastructure VPs, and network leaders about data protection and data privacy. Typically these topics monopolize discussions with policy-oriented cyber security analysts and the CISOs they work for. And they point to the same truth: network, endpoint, data center, and enterprise architecture teams are engineering data protection capabilities into their architectures and data privacy compliance practices into their management processes.   

Great things can happen when you shift to engineering data protection capabilities into architectures that were traditionally meant to provide full, untethered access to all data and systems within an enterprise network. You stop trusting everyone and every device on the network and start limiting access to the data and, more importantly, where it resides. You have “checkposts” that enforce policies on specific users accessing specific business systems and can block all other traffic unless explicitly allowed.

At that point you have an understanding of the applications your users need to access and what administrative traffic has to flow over the network (e.g., domain controllers). You can limit access for everything else into and out of the locations where data resides. This significantly reduces the attack surface of business systems that can be compromised and significantly lowers the chances of a data privacy compliance incident.  

Move one step further and abstract those checkposts with the data protection capabilities they deliver and move them to a model where 100% of traffic flows can be controlled via a cloud platform (not just in the data center) and you can understand where all of your data is going, who is sending it, from what device, and most importantly why. This enables an architecture where the internet is the network without circumventing the data protection capabilities required to enforce data privacy practices. That equates to more bandwidth, the ability to use solutions that reside outside of traditional network perimeters, lower costs, and overall agility for the business as your processes can be optimized without sacrificing user experience or security posture. 

Architectures with such built-in data protections are poised to help organizations excel with security and also its close cousin: data privacy. In the global business arena, one swiftly-evolving point of distinction is data privacy — specifically, whether corporations respect it or not.  

Not all organizations understand just how serious consumers are on this topic, and of those that do, not all are responding very swiftly or effectively.

KPMG surveyed both business leaders and the general population on the topic last August and the results puts that point in sharp relief.  Among the business leaders, KPMG found that:

  • 70% say their companies had recently increased personal data collection
  • 62% say their organization should be doing more to protect personal data
  • 33% say consumers should be worried about how their data is used and,
  • 29% — nearly a third — say their firms sometimes used unethical data collection methods

The close relationship between the last two results seems to explain KPMG’s troubling findings from respondents from the general population. Among others:

  • 86% say data privacy is a growing concern
  • 40% don’t trust businesses to use that data ethically, and
  • 30% — again, nearly a third — aren’t willing to share their personal data at all

Given such strong numbers, if you go the extra mile to ethically collect and manage user data, you stand to reap competitive benefits.  And those who fail to improve — especially those whose failures are exposed — stand to lose market share.

Increasing consumer scrutiny over digital surveillance and the emergence of alternative privacy-conscious services like search site DuckDuckGo provide ample evidence that data privacy will reign as a top concern for the C-suite.  Legislators, well aware of voter sentiment on these topics, are quickly responding. While the California Consumer Privacy Act (CCPA) is probably still the best-known instance, there are now other similar acts in other states. The Consumer Data Protection Act (CDPA) in Virginia and the Colorado Privacy Act (CPA) in Colorado are both now in force, and it seems only a matter of time until such legislation — broadly popular across the political spectrum — is ubiquitous.

Such newer laws, developed with earlier instances in mind, are increasingly designed to protect consumer rights, making it more difficult for corporations to evade their responsibilities. They typically incorporate ideas from international regulations such as the EU’s General Data Protection Regulation (GDPR), intended to deliver privacy through measures like data minimization and purpose limitation. There are even recent examples where governments are fining tech companies millions of dollars for not protecting data or giving users an easy option to make sure their data is not tracked in the first place (E.g., France fined Google $169M and Facebook $67M).  

Given the swiftly-shifting political climate and the enormous supermajority of consumers who are concerned about this topic, what steps can you take to extend your data protection so that you improve your data privacy practices?

The simplest and most obvious, of course, is to achieve full compliance with every applicable state and federal regulation (as well as international laws as the GDPR that may apply depending on the business model). Notifying the public that you've taken such measures can also improve your company’s reputation.

These state, federal, and international data regulations impact what companies are deliberately doing internally with sensitive consumer data. But there’s also the question of whether organizations are safeguarding consumer data adequately from external threats such as increasingly adept criminal organizations, state-sponsored in some cases, as well as individual hackers and malware.

A company whose IT infrastructure is breached, resulting in a loss of tens of millions of users’ data, is now so frequent an event as to occur almost weekly.  Yet however common such stories are, we can be sure consumers are not growing numb to them. Indeed, it’s likely that breaches of this type fuel the KPMG numbers just as much as unethical abuse.

Fortunately, data security isn't just about business leaders facing a range of formidable threats, but a range of formidable solutions as well. One of the best solutions available, for instance, lies in partnering with a trusted security specialist to secure all network transactions via a Zero Trust Network Architecture (ZTNA) that incorporates anti-malware, intrusion protection/prevention technologies, and integrated identity management/authentication/validation to ultimately stop any unauthorized channels of data leakage.  

Such a design makes it far more difficult for threat actors to acquire a foothold by which to infiltrate company networks and from there proceed to core databases (the crown jewels for any criminal).  

A sufficiently advanced architecture can apply the design to all the IT assets across an entire organization — local offices, data centers, remote workers, and even transactions with cloud-based services executing in an infrastructure the company doesn’t even own.

In all of these cases, the security partner serves as a logical buffer, ensuring that only the right parties obtain access to key data, and then only with the right access privileges. And while no security architecture is perfect, such a partner can dramatically reduce the odds of a breach and subsequent privacy violation, while also empowering the organization to grow in all the ways required by business purposes.

What to read next 

Regulatory compliance considerations for cybersecurity management

Cybersecurity, governance, and the implications of oversight: How your board of directors could be at risk


Disclaimer: This article has been created by Zscaler for informational purposes only and may not be relied upon as legal advice. We encourage you to consult with your own legal advisor with respect to how the contents of this document may apply specifically to your organization, including your unique obligations under applicable law and regulations. ZSCALER MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT AND IT IS PROVIDED “AS-IS”.  Information and views expressed in this document, including URL and other internet website references, may change without notice.