Building Trust in Zero Trust with Data Discovery and Data Governance

Trust has become a central feature of cybersecurity due to the psychological nature of today’s cyberthreats that often bypass security controls. Despite becoming a bit of a buzzword, Zero Trust is the security strategy that the U.S. government and most organizations are moving towards, and it specifically targets how human thinking, mistakes, and behaviors expose data assets.

Zero Trust is a significant shift in modern cybersecurity involving a data-centric approach that secures an organization by removing implicit trust in perimeter-based tools, and instead authenticates each digital interaction before providing access to assets.

However, Zero Trust is not a solution you can just buy from one vendor. Properly implementing Zero Trust architecture requires thoughtful leadership including risk management, a comprehensive inventory of assets, data discovery and classification, data governance policies, an evaluation of existing human resources, and other planning steps.

Accurate inventory and classification are essential because risk assessment, governance policies, and user access are based on this information. If the inventory is incomplete or inaccurate, then there may be potential holes in your dam of security tools and some data may not fall under adequate user controls because it was not identified and classified.

The NIST risk management guide – NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM) – highlights the problems of insufficient asset information, as well as human bias and assumptions that may impact proper data governance. The guide and its supplements emphasize the need for automation and tools to help with continuous risk identification so that organizations have up-to-date data on threats. See our recent articles that discuss the NIST guide:

 
For most organizations, the shift to Zero Trust will require investment in intelligent automation, as well as clear communication and training of staff at all levels. Zero Trust proceeds in stages of implementation, and Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) involved in the process will need to collaborate effectively with many different people and partners to build trust in this process and keep projects moving forward.

With data growing exponentially, automation and artificial intelligence innovation can help in processing and flagging potential risks and threats to aid limited security staff who must also focus on strategic activities. However, cybercriminals are also taking advantage of automation to target vulnerabilities and employees who often fall victim to data breach due to habits and conditioning when performing familiar daily tasks.

Managing the overlooked issue of human psychological risks requires accurate information on past and current user behavior with organizational assets like data. Inventory, risk assessment, and automation help address those risks as the following articles discuss:

 
The creativity of human hackers has evolved by using sophisticated, automated tools and by relying on human vulnerabilities. These threats and technologies will continue to morph, and it’s essential to start with a foundation of knowing what data needs protection. Tools alone cannot be depended on to protect data because of the fast pace of emerging technologies and the growth of data.

OpenAI just released its new AI-powered chatbot, called ChatGPT, to the public to try out and it has created quite a buzz as users test it out and are astonished with its knowledgeable and creatively worded answers to a wide variety of questions. However, some technologists are also concerned that the new AI tool might potentially be used for criminal or unethical purposes, including cyberattacks.

An SC Magazine article, “How ChatGPT is changing the way cybersecurity practitioners look at the potential of AI,” noted that many security researchers are simultaneously impressed and worried with the potential of how ChatGPT might be used for offensive and defensive cybersecurity tasks.

Dr. Suleyman Ozarslan, a security researcher and co-founder of Picus Security, said he was able to get the program create “a World Cup-themed email in ‘perfect English’ as well as generate both Sigma detection rules to spot cybersecurity anomalies and evasion code that can bypass detection rules.” Ozarslan was also able to trick the program into writing ransomware code for Mac operating systems, even though ChatGPT is supposed to be prohibited from these types of activities.

There are also concerns that the chatbot may sometimes present misinformation in a way that appears accurate. However, despite these challenges, ChatGPT’s advice can be well-phrased, and when asked by Bob Gourley, the co-founder and CTO of OODA LLC, about the top five leadership qualities, the chatbot thoughtfully responded with five traits and descriptions including: Vision, Communication, Emotional Intelligence, Decision-Making, and Integrity.

CISOs today face challenging tasks in cybersecurity and will need to rely on these qualities of trustworthy leadership to help inspire cultural changes internally at organizations that must improve data protection. The Cybersecurity & Infrastructure Security Agency (CISA) also emphasizes similar human traits and behaviors in the core values it promotes on its website.

Data Privacy Requires Trustworthy Data Governance

Trust in data protection isn’t possible at scale without implementing tools that can efficiently “see inside” data stores to identify existing and potential risks. Without past effective data governance, the reality is many users have likely unintentionally mishandled data. Turning a blind eye to this problem opens an organization up to risk. Instead, organizations should embrace Zero Trust as an opportunity to better understand data management challenges and institute improved policies through data discovery and classification.

With the new California Privacy Rights Act (CPRA) going into effect January 1, 2023, and other states passing or proposing similar legislation, privacy regulation and data protection is in the spotlight. The American Data Privacy Protection Act (ADPPA) may also eventually pass, and organizations must proactively assess risks to data and implement effective data governance policies and controls. The U.S. is also working with the European Union on transatlantic data transfers to take into account the stringent General Data Protection Regulation (GDPR) requirements.

Modern data privacy risks come in many forms including social media. States – including Texas, South Dakota, and Utah – are starting to ban the use of social media app TikTok on government devices  due to concerns over how China may be potentially violating American users’ data privacy and how those risks might threaten government cybersecurity. A bipartisan group of lawmakers has also introduced legislation that would prohibit the use of TikTok in the U.S.  The bill cites the FBI’s and FCC’s latest concerns about the social media platform being used to spy on Americans. TikTok has more than 100 million users in the United States.

The public is increasingly concerned how their data is stored at organizations without proper data governance and security. New research in a Dark Reading article finds that 48% of U.S. consumers report being victims of a data breach, however one in 20 victims reported first hearing of the breach on the news and 11% of companies took up to six months to inform consumers about a breach affecting them.

Healthcare cybersecurity and data protection is also becoming a serious topic as Senator Mark Warner, D-VA, continues to address the sector’s security as a patient safety issue. November was the second busiest month for ransomware attacks in 2022, and healthcare saw a big year-over-year increase of 26% according to a new report. Patient records continue to be a target and must receive a higher degree of data protection due to the Health Insurance Portability and Accountability Act (HIPAA).

A Deloitte report on technology trends that appeared in a VentureBeat article discussed how trust is a key factor in the resulting adoption and usability of technology. The report discussed collaboration with users, but with data privacy becoming a bigger consumer issue, the idea of trust is truly integral to modern cybersecurity. In this case, we’re not referring to Zero Trust, which is about removing implicit trust and continuously validating, but actually gaining trust in cybersecurity efforts from both the public and also internal employee users.

Trust is central to cybersecurity communication and implementation, from Zero Trust controls identifying and validating access to assets, employees trusting that communications are not phishing attacks, and the public trusting in responsible data governance. Organizational trust is also essential to motivating an internal workforce to implement Zero Trust policies and tools properly

The new OpenAI ChatGPT chatbot is correct in emphasizing that responsible leadership, which includes data stewardship, requires vision, communication, emotional intelligence, decision-making, and integrity. Transparency and authenticity is increasingly being demanded by regulators and the general public who are judging organizations based on how they are prioritizing data protection.

CISA Director, Jen Easterly, recently discussed that she wants the agency’s Cybersecurity Advisory Committee (CSAC) to stand up a new  subcommittee focused on corporate cyber responsibility as part of a move to build a cyber “civil defense” capability to promote a sustainable cybersecurity ecosystem.

New and older vulnerabilities and ransomware threats continue to pose dangers to data. Collaboration and transparency are vital to leverage the cybersecurity knowledge base for national security. A recent CISA and FBI advisory on Cuba Ransomware stated that this variant has compromised over 100 entities worldwide since August. The holiday season is around the corner, and like a ghost from Christmas’ past, new Tenable research reported in CPO Magazine found that 72% of organizations may still be exposed to Log4Shell, the widespread vulnerability that made its unwelcome appearance known shortly before the holiday a year ago.

Beyond Log4Shell, a recent analysis by Cyberpion cited by eSecurity Planet found that 98% of Fortune 500 companies have critically vulnerable internal assets with an average of 476 critical vulnerabilities per company.

Trust is essential to solving these difficult data protection challenges. Partnership and collaboration are needed, especially for the Department of Defense who has a goal of implementing department-wide Zero Trust by fiscal year 2027. Check out our article “Elevating Data Protection with the Department of Defense Zero Trust Strategy.” 

Data Discovery Enables Safer Digital Transformation

The shift to Zero Trust also holds the promise of improving the customer experience (CX) for public-facing organizations because Zero Trust and CX are “mutually supportive of one another.” Modern security can improve the efficiency of data access by removing controls that inhibit user access like excessive passwords. However, data assets must be identified in order to implement access controls.

A granular focus on comprehensive data identification, governance, and protection can drive organizational and business productivity because ultimately these changes can validate data and improve safe data access without intrusive controls. Data accuracy and accessibility are necessary for safe digital transformation.

Decision-making is ultimately enhanced or diminished by the quality and the accuracy of the data being used. By prioritizing the inventory and protection of data using modern Zero Trust controls and automation, organizations can comprehensively assess data and efficiently incorporate that data into projects. Zero Trust can provide seamless data usability by automating authentication of users with different levels of authority.

As part of the data discovery process, over-retained data can be identified and removed to reduce data risk, storage costs, and the IT resources needed to manage all that data. Although there may be some growing pains with adoption, ultimately Zero Trust can deliver a simplified user experience, streamline data access, and support safer productivity.

Data discovery, classification, and risk assessment of data assets are now foundational to Zero Trust as a data-centric strategy that optimizes data security, visibility, and usability. Without gaining control and understanding of data and potential threats, organizations will not be able to properly prioritize and put in place the controls needed to protect critical assets and infrastructure – or ensure that decision-making is based on accurate and comprehensive information.

Anacomp’s data discovery and intelligent document processing solutions provide continuous data asset visibility and risk management to help improve data-based decision-making and analytics. Our solutions automate multiple data inventory, risk assessment, digital transformation, and processing functions for cybersecurity, risk management, compliance, cloud and data migrations, and analytics projects.

Data Discovery and Distillation (D3) provides a single pane view of both structured and unstructured data stores for over 950 file types with visualization of all file properties and customizable metadata. D3 crawls your entire data estate and uses artificial intelligence and machine learning to see risks hidden in actual file content – not just file attributes. 

Risk filters, workflows, data tagging, and federated search help to identify, manage, clean, and protect data and keep it that way with ongoing, automated monitoring. 

You can also quickly and easily perform Data Subject Access Requests (DSARs), as well as intellectual property or other sensitive data requests, using advanced queries. D3 is unique in that it provides actionable visibility and filters for many data types down to the content-level.

High-Speed Intelligent Document Processing uses technologies like Artificial Intelligence, Machine Learning, and Natural Language Processing to process and ingest many types of data including handwriting and poor-quality documents, as well as images, enabling you to incorporate more data into your projects. You can also flag any data privacy or other data risk concerns.

These solutions can be combined and customized to validate and improve data quality for security, data privacy, compliance, and analytics projects. 

You can test out data discovery on your own data with a free 1 TB Test Drive of Anacomp’s D3 AI/ML Data Discovery Solution.

This article is an updated version of a story that appeared in Anacomp’s weekly Cybersecurity & Zero Trust Newsletter. Subscribe today to stay on top of all the latest industry news including cyberthreats and breaches, security stories and statistics, data privacy and compliance regulation, Zero Trust best practices, and insights from cyber expert and Anacomp Advisory Board member Chuck Brooks.

Anacomp has proudly served the U.S. government, military, and Fortune 500 companies with data visibility, digital transformation, and OCR intelligent document processing projects for over 50 years.