If your organization is considering implementing a Zero Trust Model, a clear view of the business processes and sensitive data usage is an important first step, according to a recent DarkReading article. IOR Insight makes it possible to implement those first critical steps to model data flow and sensitive data usage in a business context.

About the Zero Trust Model

Originally coined by Forrester, the “Zero Trust” Model of Cybersecurity centers on the belief that both internal and external networks cannot be trusted. “As a data-centric network design, the Zero Trust Model puts micro-perimeters around specific data or assets so that more-granular rules can be enforced. Zero Trust networks solve the "flat network" problem that helps attackers move undetected inside corporate networks so they can find and exfiltrate sensitive data.” [DarkReading]

Technically, a Zero Trust Architecture can be implemented in government, retail, healthcare, finance – really, any industry concerned with data protection - and many are taking notice.

Recent large-scale data breaches have triggered a shift, or arguably, a movement to a Zero Trust mindset, but developing a plan can be daunting. According to Forrester, implementing the Zero Trust Model, assumes your organization is:

  • Ensuring all resources are accessed securely regardless of location;
  • Adopting a least privilege strategy and strictly enforcing access control; and
  • Inspecting and logging all traffic

For organizations of any size, this is a tall order. While the outcome may be desirable, it is easy for experienced leaders to see the potential pitfalls of such a transformation.

Preparing for Zero Trust Model

Because business processes and their data usage are so fundamental to the Zero Trust Model, data flow mapping is the natural and recommended first step by experts. By performing data flow mapping first, an organization considering Zero Trust will be able to:

  1. Determine requirements of communication paths between systems, vendors, and users (what we would refer to as “resources” involved in a data flow)
  2. Determine department level need to know with respective to data types
  3. Build a library of data types and corresponding classification
  4. Understand usage of data types by each “resource”
  5. Report on data handling across your organization at a granular level, such as classification of data or level of sensitivity
  6. Prepare your team with details required to properly scope, plan, and budget a responsible and informed rollout of a Zero Trust Model.

There are many benefits to data flow mapping activities. Though a Zero Trust Model might be considered the planned objective in this case, through the introspection of data flow the organization will also benefit from:

  1. Improved risk posture as reparable risks are uncovered
  2. Include and integrate newly identified “Shadow IT” components into their IT governance and risk management processes
  3. Collaborate with business process owners to drastically improve security awareness and rapport between business and IT leaders

Using IOR Insight in preparation of Zero Trust

 Example of the data flow editor in IOR

Example of the data flow editor in IOR

IOR Insight makes it possible to get significantly more value out of the cost of data flow mapping. The IOR Insight solution is a purpose-built platform designed specifically to facilitate the activities and benefits described above. Our pioneering technology enables your organization to model and then truly make use of extensive amounts of data flows and their respective resources, data types in use, security controls used and other associated meta-data.

IOR gives our customers flexibility through a turn-key solution that includes the collection and maintenance of data flows, associated data, and the operation of each customer’s cloud instance of the IOR platform. We also work with your advisers and business partners making possible many collaborative scenarios with your internal and/or 3rd party teams.

Contact us for more information about how we can assist your team.

References

Forrester Research, Inc. prepared for NIST within the Department of Commerce (Commerce) – Developing a Framework to Improve Critical Infrastructure Cybersecurity

http://csrc.nist.gov/cyberframework/rfi_comments/040813_forrester_research.pdf

'Zero Trust': The Way Forward in Cybersecurity

http://www.darkreading.com/attacks-breaches/zero-trust-the-way-forward-in-cybersecurity/a/d-id/1327827

Forrester Pushes 'Zero Trust' Model For Security

http://www.darkreading.com/attacks-breaches/forrester-pushes-zero-trust-model-for-security/d/d-id/1134373