This post is the sixth in a series examining how Zscaler supports the move to zero trust as defined by CISA.
The protection of data is the key driver behind the implementation of a Zero Trust Architecture (ZTA). As such, the protection and handling of data crosses a number of pillars in the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) maturity model. In fact, the model underlines this crossover, stating, “Agency data should be protected on devices, in applications, and networks.” While data protection has to happen both at rest and in motion, the data pillar deals mainly with data at rest. Data in motion is covered in the network & environment pillar. Key to the effort to protect data are inventory, categorization, and labeling – you can only protect what you know you have.
The Federal Zero Trust Strategy begins the process of understanding what data agencies hold with direction to:
- Create a federal zero trust data security guide that provides a comprehensive, accurate approach to categorizing and tagging data to meet the needs of zero trust
- Automate this categorization and security responses
- Audit access to any data encrypted at rest in the commercial cloud
- Implement comprehensive logging and information-sharing capabilities
These actions provide new or additional visibility into data and how it is accessed and used. If you do not have visibility into your data and what is happening to it, automation becomes irrelevant. Understanding where your data is and how you can move it is critical for the security orchestration, automation, and response (SOAR) that underpins a zero trust approach. This dependence on data for SOAR creates a chicken-and-egg issue as organizations develop strategies for zero trust, making it critical to get the data collection and management piece right.
Understanding data loss
Data Loss Prevention (DLP) is not just about thwarting malicious activity. It also means stopping everyday activity that puts data at risk, like an employee downloading sensitive data to a personal device. The Zscaler solution sits between the user (and their device) and the application, providing protection against data moving where it is not supposed to go. Cloud Browser Isolation (CBI) is key to this effort. It isolates web pages and keeps data from moving by allowing the user to view file types in isolation without downloading the files to their local machine. The content loaded in the isolation browser is rendered in the user's own browser using pixel streaming.
Follow the user, follow the data
With so many users leaving your network and connecting direct-to-cloud to access mission-critical business applications, IT loses sight of where people have been with the data they have access to. This creates a significant blind spot, as users bypass gateway security controls, allowing sensitive information to flow out of the network.
Zscaler enables data protection that follows users and the applications they are accessing, protecting against data loss at all times. Zscaler inspects traffic inline, encrypted or not, and ensures SaaS and public cloud applications are secure, providing the needed protection and visibility.
Zscaler’s open APIs integrate with data governance solutions to help create automated policy for access. This enables granular control over who can access what data and what they can do with it once they have access.