By Aileen Kara Hudspeth, Technical Director – Braxton-Grant Technologies, Inc. (Broadcom Software Knight) – Symantec Enterprise Blogs

Ensuring only the right people access the right data

The ability to provide secure access to employees, customers, partners and other third parties is essential for any business today. In this blog series, Symantec partner Braxton-Grant will look at why ZTNA is increasingly playing a critical role in providing that access and key factors to consider when selecting and implementing ZTNA solutions. Part 2.

When I talk to companies that are adopting data protection technology, the discussion often leads to a surprising finding. While companies know that they want safeguards for their data, they often haven’t developed a plan for what data to protect.

Consequently, they often default to a regulatory approach to data protection. They focus on Personally Identifiable Information (PII) like customers’ social security numbers. While protecting PII is obviously essential for the organization, the regulatory-by-default approach to data protection can leave at risk the information that is vital to the company’s profit and loss.

Take a cooking recipe. That might not be the first piece of essential information most companies would want to safeguard. But if you are a spice company, the recipe could be your key differentiator. And it’s the kind of critical information that can be overlooked in the regulatory-by-default approach. The same is true for a brokerage firm that gains its edge in the market with a custom algorithm that decides when to buy, sell, or short a stock.

As a Broadcom Knight certified on Symantec ZTNA, I spend a lot of time helping companies work through decisions about what data they need to protect, and how they should protect it. Zero Trust Network Access (ZTNA) solutions are a subset of Zero Trust that deals with identity and access management for users who are accessing an organization’s applications. Here are five key steps to effectively use ZTNA as you navigate your data security needs in a fast-changing business landscape.

Ask the Right Questions: Many companies have not developed a synchronized information governance plan, a data impact assessment, or a privacy impact assessment. These are essential steps to data protection. Broadcom can provide many resources to help you formulate a sound data protection strategy.

This strategy must address traditional security concerns like employees logging in from home or using personal devices. The explosion of generative AI has also brought new considerations. For example, do you have the full permissions for the data an AI algorithm is being trained on?

To ensure your data is protected, you must ask a lot of questions about how employees, customers, partners, and other third parties are using your information. What data is the user accessing? What protections do I need to put around it? When can that data move and when must it not move? What data should be protected more stringently in certain circumstances?

Take a Fresh Look At DLP: Many of these questions bring up fundamental aspects of Data Loss Prevention (DLP), technology that keeps your confidential information safe from accidental exposure or malicious breach. DLP has sometimes been depicted as a legacy security technology that is only applicable within the safety of the corporate walls rather than in the new world of hybrid work. This perspective is as short-sighted as only looking at data protection through the regulatory lens. I consider DLP to be a persistent part of data protection. To appreciate why, you need to understand how DLP works alongside the emerging ZTNA solutions.

Extend DLP Protection to ZTNA: Users expect the same level of data protection whether they access corporate resources from their office or on a laptop they borrowed from a friend. As a result, the expectation of DLP governance and DLP requirements goes beyond the traditional use case of accessing corporate materials while sitting in the office. The on-premises policies you are already using with Symantec today can be applied in ZTNA. While some adjustments and new policies may be necessary, you won’t face the burden of rebuilding your entire DLP structure for ZTNA.

Protect Managed and Unmanaged Resources: ZTNA can make different policy decisions based on whether a user is on a personal device or a device owned by the corporation. A corporate or managed device might take a more permissive approach, since the organization can lock the device down or require it to have safeguards like endpoint security software. With a personal or unmanaged device, where the organization doesn’t have this stringent control, users might be allowed to look at certain pages but not download material.

Provide the Minimum Privilege: A safe environment provides the least amount of privileged access that people need to get their jobs done. For example, ZTNA can give a customer temporary access to a training environment, granting them only the roles and applications they need.
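The device-posture and least-privilege decisions described in the last two steps, as an added illustration that is not Symantec ZTNA's policy engine: a deny-by-default evaluator that lets unmanaged devices view but not download sensitive data, requires endpoint protection on managed devices, treats business-critical secrets the same as regulated PII, and enforces a time-bounded grant. All users, applications, device attributes and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Classes worth protecting: regulated PII and the business-critical secrets
# (the page's recipe or trading algorithm) a regulatory-only view misses.
SENSITIVE = {"pii", "trade_secret"}

@dataclass
class Device:
    managed: bool                      # corporate-owned and controllable
    endpoint_protection: bool = False  # endpoint security agent present

def decide(user, app, action, data_class, device, now, grants):
    """Deny-by-default ZTNA decision. grants maps (user, app) -> expiry.
    Returns (allowed, reason)."""
    expires = grants.get((user, app))
    if expires is None:
        return False, "no grant for this user/app"
    if now >= expires:
        return False, "temporary grant expired"
    if action not in ("view", "download"):
        return False, "unknown action"
    if data_class not in SENSITIVE:
        return True, "non-sensitive data"
    if not device.managed:
        # Unmanaged device: sensitive pages may be viewed but not downloaded
        return action == "view", "unmanaged device: view only"
    if not device.endpoint_protection:
        return False, "managed device missing endpoint protection"
    return True, "managed device with endpoint protection"

def example_decisions():
    """Constructed scenario: customer1 holds a 2-hour grant to a training app."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    grants = {("customer1", "training"): now + timedelta(hours=2)}
    byod = Device(managed=False)
    corp = Device(managed=True, endpoint_protection=True)
    bare = Device(managed=True)                 # managed but no agent
    def ask(action, cls, dev, t=now):
        return decide("customer1", "training", action, cls, dev, t, grants)[0]
    return {
        "byod_view_secret": ask("view", "trade_secret", byod),
        "byod_download_secret": ask("download", "trade_secret", byod),
        "corp_download_pii": ask("download", "pii", corp),
        "bare_corp_download_pii": ask("download", "pii", bare),
        "byod_download_public": ask("download", "public", byod),
        "after_expiry": ask("view", "public", corp, now + timedelta(hours=3)),
    }
```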

Conclusion

The data landscape is ever more complex, and you need to look beyond the regulatory requirements to ensure your critical information remains safe. You need safeguards for traditional concerns, like remote users, as well as the newer challenges around generative AI. A sound data protection strategy must include the old and the new – both in the risks you address and in the technology that you use such as DLP and ZTNA – to ensure only the right people are accessing the right data.