Because stored data is one of a company’s most critical assets, enterprises should consider implementing a zero-trust architecture for their storage systems and their entire technology infrastructure.
The zero-trust approach to enterprise IT infrastructure does not assume trust or good motives from anyone on a network. Unlike previous approaches to technology, which allow users to move between applications on the network once they’ve gained initial access, it doesn’t assume that a user is trustworthy just because they passed the initial verification. Rather than being an overly suspicious approach for an organization to take, however, it’s a practice that improves team-wide access control and accountability.
Zero trust uses technology like microsegmentation to achieve granularity within infrastructure: individual applications, including storage software, are separated by walls. Such a wall can include traditional security technology, like a firewall, or more advanced requirements, like multi-factor authentication (MFA).
This guide to implementing zero trust within an entire corporate storage infrastructure provides guidelines for enterprises that want to take inventory of their data and access controls:
How to implement a zero-trust approach to storage
As the major data repositories within the organization, storage solutions in particular require intensive protection. A zero-trust approach to all storage systems will help your enterprise restrict data access to those who need it and are authorized to have it. Zero trust also engenders more accountability within the organization: all personnel, regardless of rank or position, are required to authenticate themselves. If someone accesses a system that they aren’t authorized to enter, that then leads to questions, like:
- How did this user enter the network?
- Did the request for authentication work properly? If not, why?
- How can our organization ensure that this system is protected moving forward?
Zero trust network access is a good starting point for enterprise storage systems. To enter the network on which the storage solution sits, all authorized employees should be required to present at least one means of authentication. From there, they should be asked for credentials for each new application session on the network.
Although zero trust is not a perfect security practice, it is helpful for gating networks and systems and for continuing to improve company accountability around application access. If your enterprise is considering implementing a zero-trust architecture for its storage systems, it’s best to clearly identify all storage systems, manage all employee access, and keep the entire organization apprised of your approach to security.
Identify all stored data and all entry points
To develop an infrastructure based on zero trust, your storage team should know each location business data is stored as well as all the entry points to that data. Storage locations include cloud storage, like AWS or Google Cloud, but they can also be as simple as a Google Sheet or Excel spreadsheet. Don’t forget about key data, especially if it’s sensitive. If that Google sheet contains confidential sales data, it needs to be protected, too.
Identifying entry points can be a little more difficult. Storage personnel only have access to cloud storage buckets through a login, and a storage software solution would also require a login. But data stored in sheets, documents, and folders throughout the organization can be more challenging to gate. If the sales team member who originally created the aforementioned Google sheet selected a sharing permission like “Everyone who has access to this link can view,” anyone who can see the sheet in their Google Drive is able to see the data. Anyone with edit permissions could also share it outside the organization. In a zero-trust architecture, people should verify their right to access rather than be blindly trusted.
Identifying entry points to data is challenging, but it’s one of the most critical first steps for enterprises if they want a true zero-trust infrastructure. If entry points aren’t properly identified, an unauthorized user or even threat actor could find a back door — or have the door thrown wide open — for them to access the data.
Know your storage systems
Similarly, all storage personnel should be intimately familiar with each storage system in the organization. These include:
- Storage hardware (all-flash arrays, old tape systems, external offline drives)
- Storage software (management consoles for hardware, software-defined systems, cloud object storage)
- Storage networks (NAS, SAN)
New and legacy systems alike should be accounted for. If storage teams are familiar with the way their systems work, they’ll better know who absolutely needs access and how to protect them.
Track and manage all employee access to stored data
If a bird’s eye view of zero trust is to “trust nothing, verify everything,” then every point at which employees can access stored data should require verification. Examples of verification include a simple username and password, two-factor authentication (2FA), or single sign-on (SSO). Password managers are helpful tools for managing access, too: they use encryption keys to shield login information, including the vendors that created the software.
All teams should be subject to these access requirements, including storage, IT, data management, and data science teams. No one should be exempt, even executives. All users should be required to verify themselves when accessing a storage solution, whether that’s simply through using a password manager or by presenting biometric data.
Implement the principle of least privilege within your organization. Traditionally, businesses have given multiple employees access to networks, applications, and storage systems, even if they didn’t strictly need that access to complete their job. But this approach leads to confusion, and it’s also difficult to comply with regulatory standards, like the GDPR, when the business doesn’t know who is accessing stored data. Limiting storage access to users who absolutely require it to do their job limits the potential for breaches, but it also improves an organization’s compliance stance.
Learn more about authentication from Enterprise Networking Planet: Using Authentication for Network Security
Inform the entire company, especially storage and security personnel
If the shift to zero trust is a new move within the organization, ensure that the lead teams heading the operation keep the entire company informed. Even if your other teams, like marketing and HR, will never touch an AWS bucket or configure a Fortinet firewall, they should at least be aware of zero trust. It’s not a bad idea to use this information as a leading point to host full company training sessions. The more the rest of the organization knows about vulnerabilities and the ways a zero-trust architecture mitigates them, the better prepared the other employees will be to support the storage and security teams’ efforts.
Adapt a culture of transparency within storage teams
At first glance, this might sound contradictory: Transparency? I thought we were supposed to trust no one. Even though the principle of zero trust is indeed to trust no user until they’ve verified their right to access, it’s still best for employees to become accustomed to talking openly about security, phishing, or insider threats. Transparency is different from blindly handing passwords to all your colleagues. Transparency looks like:
- Having open discussions with storage personnel, even the most junior, about new expectations
- Laying out the entire detailed plan for zero-trust implementation and giving employees plenty of time for questions
- Cultivating an environment where people feel comfortable to ask questions like, “I’ve seen people doing this in my department. Is this a wise or safe idea?”
Transparency leads to visibility. It reveals the areas within the storage and security teams that need more work, and it may even empower employees to uncover areas within the network that aren’t secure yet. If transparency is praised, people are more likely to prioritize it.
Continue to monitor and improve the architecture
Any security infrastructure isn’t a one-and-done endeavor: it needs to be continually analyzed, so an organization knows whether it really works as well as areas it must improve. Zero trust, as a modern method of cybersecurity, particularly needs to be analyzed for success and failure. In the early stages of implementation and use, storage and security teams should work together to examine whether authentication procedures for devices, networks, and storage systems are providing a working gateway.
Zero-trust tools for enterprises
If your enterprise is able to invest in a high-quality zero-trust vendor that can cover the entire infrastructure, make that long-term investment. Additionally, verify that the vendor you select truly uses zero-trust technology. Zero trust is a popular phrase, and it’s an easy one for security providers to throw around. But that doesn’t necessarily mean that a solution will truly cultivate a zero-trust architecture.
The following security vendors are highly respected providers and offer solutions for protecting access to enterprise systems that store data.
Palo Alto Network’s zero-trust solutions encompass its portfolio of security services, which include enterprise identity and access management (IAM), extended detection and response (XDR), and cloud-delivered security services.
Check Point Software Technologies offers Infinity, a solution that helps enterprises implement zero-trust security. Technologies include least privilege access policies on security gateways and ZTNA as a service.
Deploying CrowdStrike’s zero-trust solution requires only one agent. CrowdStrike zero trust protects identity storage applications, like Microsoft Active Directory, and it helps businesses identify both managed and unmanaged endpoints.
Forcepoint zero trust offers ZTNA, distinction between managed and unmanaged devices, and application segmentation. Forcepoint allows businesses to dynamically restrict users’ data transfer rights based on their own behavior on the company network.
To learn more about zero-trust solutions, look at this comprehensive guide from eSecurity Planet.