Enabling data sovereignty with Zero Trust

The zero trust approach centers around the deployment of IT security controls for data in environments where the data owner has limited or no control over the environment’s security.

Consider the following:

• A fund management firm uses an IaaS for storage. The firm controls VPC separation, access controls and key management. However, the firm does not control physical, personnel or hypervisor security and must rely on provider SLAs.
• A hospital participates in a cancer research partnership involving universities, pharmaceutical companies and competitor hospitals. The hospital may limit access to PII or proprietary data it shares to support the research, but usage restrictions are only enforced by agreement with the partners.
• A group of insurance firms uses a shared digital ledger to exchange data, manage claims and ensure data quality. Agreements are enforced by smart contracts. Partners perceive increased confidence in the ledger’s information due to legal agreements implemented as chaincode.

In these cases, the data owner must transmit its data to a security zone that it does not fully control. By transmitting the data to clouds, consortiums or blockchains, the enterprise realizes the value of distributed information, despite limited controls in foreign security zones (those beyond their control). In such a situation, the data owner can choose not to participate and thereby avoid a data breach but market trends, digital transformation and the expansion of distributed data technologies indicate that avoidance is a limited option.

Data sovereignty represents a fourth, yet critical, zero trust business case. Data owners must insist that data custodians apply controls for data collection, processing, transmission and storage with respect to geopolitical borders. In other words, in a digital landscape where offshoring is an available option, transmission can easily expose the data where the owner has limited or no control over security.

The zero trust approach is designed to facilitate risk management, situational awareness, policy enforcement and incident response for data owners operating in the distributed digital landscape. In a cross-border data transmission, it makes sense that this is a recommended consideration for enterprises which engage in routine global transactions.

Digital executives are expected to process data in countries that have weak digital security capabilities or willfully monitor foreign data. Of course, legislation like GDPR is also a concern. Fines are €20 million or 4% of global (not European) revenues for violators. In fact, industry observers[1] forecast that the impact of privacy legislation in the world’s largest economies will significantly expand in 2022. If the digital executive is not careful, it will be very easy to be exposed to data leakage, compromise of proprietary information, fines and cleanup costs.

Fortunately, the zero trust approach has emerged as a framework that is ready to help enterprises prepare for geopolitical threats, legislative pitfalls and the ability to avoid penalties and economic impacts. Below are five zero trust recommendations for enterprises operating in an environment of increased data sovereignty concerns:

• Establish zero trust as a design and acquisition principle. Guidelines for enterprise business line owners should clearly state that their enterprise strategy ensures that data is secure, resilient and useful in any environment where it exists. Guidelines for enterprise technologists should require that in-house and vendor-provided systems are designed in accordance with Zero Trust.
• Actively audit data governance. Collection, classification and use of information must be a matter of planning, training, well-defined processes, technical enforcement and clear definition of use. However, data governance capabilities are moot in the absence of continuous checking of authorized access and enforcement for all data within the scope of data governance.
• Ensure correct encryption deployment. Encryption does not provide true zero trust unless identity management is correctly implemented. For example, your latest vulnerability scans may provide you with medium-level findings about invalid or expired certificates. While your encryption may technically work, it doesn’t necessarily mean that the individual or host is who they claim to be in protected communications.
• Deploy endpoint protection. Planes, Trains, and Automobiles isn’t just a great movie, it’s also how data moves across geopolitical borders. Individuals using corporate-issued assets, individually-owned devices, and other highly mobile media will be subject to local rules and regulations. Endpoint protection provides enforcement and monitoring that travels with the data when it departs enterprise-controlled security zones.
• Train the workforce. Any zero trust program should train all individuals that handle enterprise data. The zero trust program should describe their roles in protecting data, especially as it moves across borders.

These are only five major principles for zero trust for enterprises that offshore data. However, we have recommended additional frameworks and resources at the end of this article for your reference and consideration.

The zero trust approach should be considered as an enterprise policy and practice, especially for organizations with data that is expected to be transmitted to, stored and processed in other countries. Zero trust principles are well suited for data existing in environments where there is limited control over security, including those representing data sovereignty concerns. Readers should also be reminded that zero trust is a framework for protecting data in limited-trust environments that drives an implementation of technology. There is no zero trust appliance, app or product suite. That said, there are solutions that deliver the value of orchestration, automation and enforcement that should be sought by organizations with data profiles distributed across geopolitical boundaries.

Additional reading:

• Atos: On the Road To Zero Trust
• NIST Special Publication 800-207 Zero Trust Architecture
• NIST Special Publication 800-53 Revision 5
• Secure Endpoints with Zero Trust (Microsoft)
• Zero Trust on AWS
• Zero Trust: Putting it all together with policy (Google)
• NIST Post Quantum Cryptography