Zero Trust in Data Privacy Operations

Author: Valdez Ladd, CDPSE, CISSP
Date Published: 10 May 2022

Following the onset of the COVID-19 pandemic, the rapid expansion of remote work created new opportunities for cybercriminals. Critical enterprise systems and data may be exposed by weaknesses in the processes and infrastructure necessary to support increased remote access. Cybersecurity threats such as UNC2452 (the threat actor behind the SolarWinds breach)1 and the global WannaCry ransomware cryptoworm2 have underscored the need to enhance organizational security by adopting a zero trust architecture.

The central idea of a zero trust architecture is to reject trusting a connection by default, even if the connection is to a managed network or trusted enterprise domain. All connections are considered hostile, and each must be verified by formal authentication, authorization and accounting through a network access request. The US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207 Zero Trust Architecture published an introduction to zero trust in August 2020.3 But organizations should not just aim to understand zero trust; it is essential to understand how zero trust can be applied to data privacy as part of an enterprise risk management program to benefit the organization.

Two of the highest priority security goals are privacy and data protection. Trusted digital transactions connect all aspects of business operations—from supply chain inputs and production to the sale of products and services to customers. Because they are the lifeblood of commerce, digital transactions require security-enabled privacy in accordance with management decision-making on risk tolerance levels. Operational privacy must fulfill management requirements for data privacy, data security, compliance and governance. Business security and IT operations teams must achieve a synergy with enough flexibility to accommodate active management input and direction. They must implement efficient protections that work as a front-line defense while operating in accordance with enterprise policies regarding incident handling of security threats. These protections enhance value for customers, as they receive greater assurance when trust-based security and privacy are requirements of the enterprises that sell them products and services.

Zero Trust Architecture

John Kindervag, a security analyst at Forrester, originally promoted the zero trust methodology in 2010.4 It proposes to protect organizations by moving security away from implicit trust based on devices being located inside the enterprise. Instead, it moves beyond the physical perimeter by considering the Internet services connected to enterprise networks. Zero trust enforces inspection of all digital business connections. It assigns a no trust status to every device, regardless of location, and requires that all digital transactions be treated as untrusted when requesting services (e.g., email, databases, human resources [HR]). At its core is the precept that security, especially cybersecurity, should not be taken for granted.

The zero trust model increases the power of cybersecurity teams and enables them to protect data security and data privacy faster and more authoritatively. Conversely, it increases the implementation burden for IT security, operations and management. If zero trust is applied without sufficient research and carefully planned execution, it can slow the speed of business transactions, which can negatively affect margin flows.

Although the perimeterless workings of zero trust do improve security for organizations, a zero trust architecture does not guarantee perfect security at all times. Also, there are operational costs resulting from zero trust implementation due to the need for more IT staffing and equipment to manage the increased scale of network traffic telemetry, storage capacity and intrusion protection.

Business transactions today require higher levels of assurance to meet the security goals enterprises set to enable and improve operations. Further, senior management, executives and boards want simple communications with clear metrics to understand their enterprise security posture.

Privacy Competitive Differentiators

There are seven business benefits that result from effective privacy operations:

  1. Meeting compliance and customer privacy contractual requirements
  2. Preventing data breaches that could hurt the business and the individuals who are its data subjects
  3. Maintaining and improving brand value and customer loyalty
  4. Strengthening and growing business innovation
  5. Maintaining public, investor and customer trust
  6. Gaining a competitive advantage
  7. Lowering business transactional costs

Value is built on top of existing business management and production best practices when privacy differentiators help an organization gain a competitive advantage.

Figure 1 shows a privacy vs. security cost model in relation to zero trust architecture. It highlights the associated costs of management control of business security and privacy operations.

Finding the proper balance between centralized and decentralized business architectures shapes the flow of production, processes and value streams. The costs and benefits of privacy (trusted sharing of data) and security (data protection) are squarely rooted within the organization’s business architecture. Organizations with decentralized business architectures rely on a team environment at different levels and locations within the business organizational structure (local, national, international). How each business team manages privacy, especially data privacy, varies due to the specialized business functions, processes and perspectives of each team. This contrasts with a more centrally controlled business architecture for matters of security, data protection and privacy. Executive and business operations’ time and resources may scale better for centralized corporations in terms of cost and reduced redundancy.

There is a significant cost as value chains become ever more dependent on modular organizations with dispersed business operations and personnel working remotely from home or satellite offices. Determining whom to trust is a risk-based decision for IT security and management. Risk must be balanced with the fact that trust between an organization and its suppliers, partners and customers requires excellent cybersecurity. A zero trust access model should be a core component of an organization’s security transformation, as benefits are realized due to lower costs for cyberinsurance and improved operational resiliency.

Zero Trust Deployment

The zero trust deployment model flow (figure 2) highlights the business risk management for both the service supply and product supply streams that are an output of the business’s value chain.

[Figure 2: zero trust deployment model flow]

Source: National Institute of Standards and Technology (NIST), NIST Special Publication (SP) 800-207 Zero Trust Architecture, USA, August 2020, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf. Reprinted with permission.

An initial assessment provides a starting point to determine where responsibility for operational management lies in a zero trust architecture deployment. There must be alignment with executive policies when assessing key risk indicator (KRI) metrics and determining enforcement actions for halting individual transactions. Alignment empowers the zero trust project to operate in a sphere of approval, and enforcement of stricter security measures proportionately increases executive engagement.

Ownership of complex business transactions requires detailed organizational knowledge of customers, business services, production and IT technology. To be trusted, transactions based on business objectives must be explicit and well documented. These are absolute requirements for zero trust implementation. Executive policies must be unambiguous, and security and operations must work together to optimally support them in pursuit of organizational goals.

In addition to affecting decisions on purchasing technology, a zero trust deployment is a process challenge. It is a product of IT operations, IT security and management teams working together.

A risk-based, phased adoption of zero trust entails deep discovery of the key assets that provide operating agility. Discovery, identification and risk-based analytic processes enable protection of the critical resources that generate the majority of an organization’s profits and competitive advantages. A zero trust architecture reduces exposure of an organization’s vulnerable assets to cybertheft and ransomware.

Integrating Zero Trust Architecture

The first step of integration is to identify and catalog the organization’s physical infrastructure of network routers, switches, firewalls, gateways and data storage systems. The second step is to inventory the full scope of computing resources—not only servers, printers, desktops, laptops and smartphones, but also the virtual and logical systems that carry out computing and data analysis and run applications. The third step is to secure access to the organization’s network by identifying remote workers’ enterprise computers, smartphones and other work tools and securing them via multifactor authentication (MFA).

Finally, important assets (e.g., intellectual property, HR data, financial data) must be categorized by risk and prioritized for stronger protections and authentication methods. This requires a phased implementation from most critical to least critical. Microsegmentation processes allow management to implement zero trust as a living tool that increases organizational resilience.5

Zero trust architecture permits digital data flows that power the value-add chain for the organization. Production of the goods and services the organization’s profits are based on is protected by the integrated risk assessment, which encompasses active awareness of the business’s complexity.

The product of these deep risk assessments is greater asset and operations visibility. This is matched with the organization’s business strategy and strategic goals to enhance operational trust.

Threat intelligence is merged with business operations analysis to yield optimized results. A phased approach to smooth integration of zero trust is best implemented in small stages, with changes beginning in less critical areas to minimize business disruption. Then the integration moves to the more important areas of operation. It should be guided by the Pareto Principle, also known as the 80/20 rule, which helps to identify which tasks are most important.6 Use of this approach can suggest where it would not be beneficial to start the implementation, and, thus, reduce business disruption. This enables the organization to create and deploy a risk management policy in stages, based on threats to high-value assets, for more effective cybersecurity protection.

Data privacy compliance is a necessary cost of doing business that provides positive benefits. Too often a risk analysis of enterprise assets (i.e., computing systems, networks, data storage) is based only on the confidentiality, integrity and availability (CIA) triad, with privacy contained within confidentiality. Because the crucial element of data possession is excluded explicitly from the CIA triad, there is a gap that inhibits full data privacy protection. The data privacy protections within privacy regulations such as the EU General Data Protection Regulation (GDPR)7 and the US State of California Consumer Privacy Act (CCPA)8 are concerned with data possession, which the zero trust model cannot directly address. Therefore, data possession must be incorporated into the risk assessment and risk remediation of an organization’s cybersecurity program.

Cloud-based and other external Internet-based services illustrate the complexity of managing privacy associated with ownership when outsourced data processing takes place beyond an organization’s walls. Zero trust forces explicit authentication, authorization and accounting for all network connections requested. Trust is not automatic by location or familiarity. The challenges of implementing privacy compliance with zero trust require that the CIA triad and data privacy protection work together in a synergistic way.

Privacy incidents resulting from incomplete security have become far more expensive as the EU GDPR, CCPA and US Health Insurance Portability and Accountability Act (HIPAA)9 have increased the costs of noncompliance. However, the fines and negative publicity attached to a security breach can be avoided through implementation of excellent cyberprotection. Organizations that achieve better security protection also protect their business earnings.

Still, many organizations expect their chief information officer (CIO) or chief information security officer (CISO) to treat data security and privacy as cost centers for operations, which often results in negative outcomes. One example of this is the 2016 Uber Technologies Inc. data breach. Uber’s then-chief security officer (CSO) was charged with five felony counts for his role in concealing an attack.10 The criminal charges filed illustrate the heightened enforcement of user data protections and the coinciding increased risk for enterprise management.

Security engagement is an executive function of the highest order for today’s Internet-enabled organizations. Pervasive computing is changing the norms of business operations for security. Trust and cooperation are top priorities, both for society and business. The speed of business is often tied to the levels of trust between the buyer and seller of a service or product.

Avoiding Simple Vanity Metrics

Enterprise boards want cogent communications with impactful metrics to understand their organization’s security strengths and weaknesses.

Today’s organizations are building increased production capacity into their networks—including hybrid networks that connect cloud-based applications—resulting in increased cybervulnerabilities. Metrics should be used to map security and operational performance for stakeholders within the business organization. A continuously adaptive risk-based program that protects critical assets and aids management decision-making is crucial.

Cybersecurity managers traditionally rely on key performance indicators (KPIs). Some examples of baseline security metrics that should be tracked to ensure the efficiency of security projects include:

  • Supply chain (third-party access)
  • Number of systems with known vulnerabilities
  • Number of communication ports open during a defined period of time
  • Percentage of business partners with effective cybersecurity policies
  • Volume and type of data transferred across the corporate/hybrid network (workload tagging)

A comprehensive analysis that separates signal from noise in business operations is crucial. A deeper investigation of operations and their software complexity reveals the various business silos that hamper effective communications for security and data privacy protection. These competing silos have internal functions optimized for their singular success, which works against coherent enterprise security.

This results in bottlenecks that constrain security and operations management. Executive management should assist operations in reducing friction to increase efficient business practices. Conway’s Law states that organizations design their systems to mirror their own communication hierarchy.11 This is often revealed through analysis of executive policy and hierarchical structure. Executive management must bridge silos, integrating security and data privacy, to build a comprehensive security policy that creates a new enterprise trust algorithm, as figure 3 illustrates.

[Figure 3: enterprise trust algorithm]

Source: National Institute of Standards and Technology (NIST), NIST Special Publication (SP) 800-207 Zero Trust Architecture, USA, August 2020, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf. Reprinted with permission.
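The following is an added illustration, not code from NIST SP 800-207 or from the author, of the per-request decision described above: every access request is evaluated explicitly on identity, device state, MFA and resource sensitivity, the source network is deliberately ignored, and an accounting record is written for each decision so that baseline metrics such as denials by cause can be derived. The resource catalog, the attribute names and the `data_leaves_org` possession flag are assumptions chosen to mirror the data possession point made earlier in the article.

```python
"""Minimal zero trust policy decision point (added example, assumptions noted)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample data catalog; a real deployment would pull this from the
# asset inventory built during the discovery phase.
RESOURCE_SENSITIVITY: Dict[str, str] = {
    "hr-db": "high",
    "finance-api": "high",
    "wiki": "low",
}


@dataclass
class AccessRequest:
    subject: str            # authenticated principal ("" if unauthenticated)
    device_compliant: bool  # device management reports a compliant posture
    mfa_verified: bool      # multifactor authentication completed this session
    source_network: str     # "corporate" or "internet"; recorded, never trusted
    resource: str
    data_leaves_org: bool   # would fulfilling this move data to a third party?


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


# Accounting store: one record per request, allowed or denied.
ACCOUNTING_LOG: List[dict] = []


def evaluate(req: AccessRequest) -> Decision:
    """Trust algorithm: every control must pass; location is not a factor."""
    reasons: List[str] = []
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource)
    if sensitivity is None:
        reasons.append("unknown resource")  # uncataloged asset: deny by default
    if not req.subject:
        reasons.append("unauthenticated subject")
    if not req.device_compliant:
        reasons.append("device not compliant")
    if sensitivity == "high" and not req.mfa_verified:
        reasons.append("MFA required for high-sensitivity resource")
    if sensitivity == "high" and req.data_leaves_org:
        reasons.append("possession change of high-sensitivity data not permitted")
    decision = Decision(allow=not reasons, reasons=reasons)
    ACCOUNTING_LOG.append({
        "subject": req.subject, "resource": req.resource,
        "source_network": req.source_network,   # kept for telemetry only
        "allow": decision.allow, "reasons": list(reasons),
    })
    return decision


def denials_by_reason() -> Dict[str, int]:
    """Baseline metric derived from the accounting log."""
    counts: Counter = Counter()
    for record in ACCOUNTING_LOG:
        counts.update(record["reasons"])
    return dict(counts)


if __name__ == "__main__":
    # A request from inside the corporate network without MFA is still denied.
    print(evaluate(AccessRequest("alice", True, False, "corporate", "hr-db", False)))
    # A request from the Internet with MFA and a compliant device is allowed.
    print(evaluate(AccessRequest("alice", True, True, "internet", "hr-db", False)))
    print(denials_by_reason())
```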

It is crucial to leverage executive policy input to enable smooth operations and security partnerships for zero trust. Removal of bottlenecks that constrain production and service flows allows continuous improvement and respect for each team’s shared success.

Organizations that strive for microsegmentation as a business security goal realize their IT operations and management form a complex adaptive system. Teams must be able to function within emerging ecosystems and understand the factors that lead to group effectiveness when facilitating change management. A successful phased migration to zero trust depends on deep levels of integrated business analysis for effective implementation.

Privacy Value Streams to Ignite New Value Metrics

For more than a century, business management has wrestled with the choice between centralized and decentralized operations, while weighing the transaction costs and benefits of each option. The economist Ronald Coase examined the dilemma in his 1937 article, “The Nature of the Firm.”12 Technology has progressed since then. In the age of Internet-connected services, in response to the need for modern security and privacy governance, there is a new model for verification and authentication architecture. The zero trust model results in an improved business impact for security and data privacy. Although it creates new verification costs, it also provides a synergistic architecture for implementation. It is not a costly compliance tax on business income. Instead, it is an integral part of production that enhances the products and services delivered to the customer. Secure identity and strong authentication work to improve the signal-to-noise ratio of risk-based security and data privacy management, and transaction costs can be offset by more meaningful business management.

The use of the value stream job-costing mapping model (figure 4) helps organizations visually analyze their current operational security state. It also aids in the design of new processes that incorporate security with data privacy. An organization’s operations-specific processes can be analyzed for continuous improvements to reach customers with higher value-added products and services, resulting in increased profitability and customer satisfaction.

A value stream diagram helps organizations visualize the requirements for integrating security and data privacy into a business analysis. It also facilitates improved risk analysis. Operations required for the production of services and products should strongly incorporate security and privacy in a security-by-design framework. Data privacy controls are an inherent property of manufacturing high-quality products and services.

Management and operational teams can use the diagram to aid visual navigation of the key complexities of an organization’s value stream to achieve their objectives. Development of a supply chain perspective that bundles operational and security processes in this new accounting model is ideal.

This privacy model entails more than the simple cost of goods and services sold (COGS) method of accounting. Instead, it considers the demand for a hybrid operations costing system that weighs data security and privacy factors. This approach permits the creation of new KPIs and KRIs that, together, can measure full cost/benefit ratios. These measures are integral to the return on invested capital (ROIC) and decision-making of executive leadership.

The value stream hybrid-costing model should be added to the zero trust architecture. By depicting both job cost (production) and process cost of security and privacy in an integrated analysis, it deepens the view for management and simultaneously increases operational security and privacy benefits. It creates a broad foundation for improving ROIC for the organization and its stakeholders. The value stream hybrid-costing model opens new pathways for executives and operational management teams to collaborate, improve and succeed.

Conclusion

“Trust (or the absence of trust) is and always has been the resulting sum of a rules based, information fueled calculation,” as noted in Achieving Digital Trust.13

Zero trust, at its heart, is a tool to improve cybersecurity and privacy in the age of cloud computing services, the Internet of Things (IoT) and big data. Privacy protection and compliance are more than just security checkbox items. They are complex domains that must be implemented carefully into an organization.

Zero trust combined with strong data privacy can create an unfair advantage that organizations should embrace. Good governance and compliance should be integral to organizational efforts to meet regulatory requirements while enhancing competitiveness. C-suite executives must actively participate in developing and overseeing the execution of security and privacy policies designed to fully enable trust in all dimensions of an organization’s product portfolio. Adoption of the zero trust model results in a higher value-add for all goods and services produced by the organization and functions as a sustainability multiplier that will protect future growth.

Endnotes

1 FireEye, “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor,” Mandiant, 13 December 2020, https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
2 Azzara, M.; “What Is WannaCry Ransomware and How Does It Work?” Mimecast, 5 May 2021, https://www.mimecast.com/blog/all-you-need-to-know-about-wannacry-ransomware/
3 Rose, S.; O. Borchert; S. Mitchell; S. Connelly; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207 Zero Trust Architecture, USA, August 2020, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
4 Kindervag, J.; No More Chewy Centers: Introducing the Zero Trust Model of Information Security, Forrester, USA, 14 September 2010, https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf
5 Gregory, J.; “Adopting Microsegmentation Into Your Zero Trust Model, Part 1,” SecurityIntelligence, 27 April 2021, https://securityintelligence.com/articles/adopting-microsegmentation-into-zero-trust-part-1/
6 Pope, L.; “How to Waste Less Time at Work With the Pareto Principle,” G2, 24 May 2021, https://www.g2.com/articles/pareto-principle
7 Regulation (EU) 2016/679 of the European Parliament and of the Council, Official Journal of the European Union, 27 April 2016, https://eur-lex.europa.eu/eli/reg/2016/679/oj
8 California Consumer Privacy Act of 2018 [1798.100 - 1798.199.100], USA, 2018, https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?%20%20%20%20division=3.&part=4.&lawCode=CIV&title=1.81.5
9 Health Insurance Portability and Accountability Act of 1996 (HIPAA), P.L. 104–191, https://www.govinfo.gov/content/pkg/PLAW-104publ191/html/PLAW-104publ191.htm
10 Department of Justice, US Attorney’s Office, Northern District of California, “Former Uber Chief Security Officer to Face Wire Fraud Charges,” 22 December 2021, www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-charged-obstruction-justice
11 Conway, M.; How Do Committees Invent? Datamation, April 1968, www.melconway.com/Home/Committees_Paper.html
12 Coase, R.; “The Nature of the Firm,” Economica, November 1937, https://onlinelibrary.wiley.com/doi/10.1111/j.1468-0335.1937.tb00002.x
13 Ritter, J.; Achieving Digital Trust: The New Rules for Business at the Speed of Light, Original Thought Press, United Kingdom, 2015

Valdez Ladd, CDPSE, CISSP

Is a founder of Privacy Test Driver LLC, which strives to keep organizations safe and productive. He has experience in the telecommunications and healthcare industries and is a member of several security organizations, including ISACA®, (ISC)2 and the Information Security System Association (ISSA). He has provided certification security training reviews to ISACA and ISSA members, and he has presented at multiple ISSA information security conferences.