Editor’s note: Dr. Lisa McKee recently presented on zero trust privacy at ISACA Conference North America 2023: Digital Trust World in Boston, Massachusetts, USA – see some of her thoughts on zero trust strategies, benefits, challenges, implementation and stakeholder discussions below. For additional zero trust insights, download ISACA’s “Mastering a Zero Trust Security Strategy” resource.
The foundation of zero trust privacy must be data, and for good reason. An organization with visibility to data and related activities is better prepared to implement a successful privacy program using zero trust privacy principles. Personal data are the heart of privacy. Most privacy obligations require knowledge of what personal data the organization has collected, stored, processed, shared or transmitted. Complete and accurate responses to data subject requests, privacy notices and records of processing activities all require knowledge of personal data and the movements of personal data inside and outside the network.
There are other benefits of zero trust privacy:
- It can identify privacy risk across the organization.
- Reduced privacy risk can lead to increased customer trust and revenue.
- Zero trust privacy supports the financial posture of the organization.
- Data as the foundation will minimize rework and changes to infrastructure that often lead to unplanned costs and investment of time.
- It also strengthens security protections of all personal data and thus limits the potential for breaches or fines.
When data is the foundation of zero trust projects, it supports compliance with privacy obligations and reduces time and cost on network changes. Zero trust privacy principles enable the right access to the right resources for the right people at the right times, locations, devices, services and buildings, often referred to as “just in time access.” This supports privacy compliance obligations for role-based access controls and least privilege access. The role of the individual in the organization becomes the focus to determine the appropriate permissions for access to personal data. “Just in time access” and authorization for minimal duration necessary will lower the risk and opportunity for an adversary to compromise data. Zero trust privacy supports privacy compliance obligations such as, but not limited to, ensuring organizations have a legal basis for processing, accurate privacy notices, and complete data subject responses; restricting the flow of data beyond the country of origin to only that which is necessary; and helping organizations document their record of processing activities.
A primary challenge that occurs with the implementation of zero trust privacy is the lack of a compliance footprint. A compliance footprint is a list of all the laws, regulations and standards the organization must adhere to. Often, companies do not have a team or individual responsible to monitor changes in the compliance landscape. Failure to do this impacts privacy compliance and the ability to implement zero trust privacy. Organizations cannot guarantee that the system architecture restricts the flow of data beyond that which is legal because they do not know their obligations. We see this today with the increase in privacy fines that have been issued for inappropriate collection and transmission of personal data. Another challenge is that organizations often start with identity and access management. When users’ access and authorization permissions are enabled for an unknown set of data elements, organizations cannot guarantee compliance with least privilege requirements.
While most privacy laws require disclosure of personal data at the category level, some require disclosure at the data element level. This is a layer deeper and more difficult to identify and document compared to categories of personal data and traditional asset inventories. It is easy to say an organization has medical information, which is a category of personal data. It takes more time and effort to know exactly what data elements an organization has collected, stored, processed, transmitted or shared—for example, blood pressure, cholesterol, height and weight. Then, all processing activities for the data element across the organization must be identified, as this is necessary to ensure compliance with the requirements for legal basis. The organization may have a legal basis to collect and store height and weight but not blood pressure. This results in over-collection of personal data, which is a potential violation of an individual’s right to opt into sensitive data processing, as required in privacy laws.
Organizations can successfully implement zero trust privacy with a top-down, bottom-up, meet in the middle approach. Support is necessary from the top executives and potentially the board. The top communicates this down to middle management. The first line of defense is responsible for day-to-day operations and implementations. They communicate up to their managers in the middle. Managers in the middle are responsible for communicating both up and down—reporting progress to the top and driving execution at the bottom. Each person must have the support to report issues, challenges or concerns in a transparent, non-confrontational environment. Give each person the opportunity to share their input and, where appropriate, take actions to rectify situations. This top-down, bottom-up, meet in the middle approach ensures coordination and successful implementation of zero trust privacy at all levels of the organization. Successful projects value each member and provide each person with equal opportunity to share in the solution.
Zero trust privacy requires input from all departments across the organization. Personal data reside in countless locations that are often forgotten or overlooked. It is common to include technology and security, but personal data are not always considered in corporate departments of the organization, such as finance, accounting, marketing, human resources or legal systems. Each department may have different personal data elements in reports, emails, applications, contracts, etc. documented as part of the zero trust privacy implementation. Identify and document each data element across the organization, then evaluate if each element is still in use and necessary. It is often determined that organizations have collected data elements that are no longer used or required. Where needed, remove unnecessary information of which there is no legal basis to have. This requires coordination across the organization and may warrant the initiation of a change control.
One critical consideration with software development is APIs. When an organization procures a new tool or solution, it is common to integrate it with existing tools through APIs. However, rarely are the data elements transmitted through APIs evaluated and documented. It is necessary to ensure API connections are appropriate and that there are limitations on the transmission of personal data to only what is necessary and there is a legal basis. APIs are another place that may impact cross-border data transfer compliance requirements.
There are a couple approaches to initiate discussion on zero trust privacy:
- Be direct and present the idea to a steering committee or other internal team responsible for organizational direction and strategy.
- Be passive and socialize the idea with colleagues, management and business representatives. Initial discussions provide insight on the understanding others have of what zero trust privacy is and the value it provides the organization.
- Seek to understand what concerns or challenges they may express.
- Educate and share information with others on zero trust privacy and the benefit to the organization, employees and customers.
- Listen with an open mind as each person has different experiences and knowledge to share that will lead to a successful project.
- Once there is informal approval from key stakeholders, present a business case to executive leadership and the board. Regardless, support from the top-down is a critical success factor for zero trust privacy.
Zero trust privacy implementation duration will vary from organization to organization. Size, complexity, volume of data, privacy obligations, staff and funding all fluctuate by organization, and so does establishing the timeline for the implementation of zero trust privacy. While zero trust privacy is an investment of time, resources and funding, it is also a commitment to customer trust and safety. There is no defined length of time to implement zero trust privacy. On average, the organizations I have worked with have reported spending 18+ months to implement zero trust privacy and reach the monitor and maintain phase. However, it is common for large or complex organizations to exceed 24+ months.
Be innovative—a one size fits all or single solution to implement zero trust privacy does not exist. Stay focused on the data, because data are the foundation and are necessary for successful implementation of zero trust privacy. A detailed implementation plan and strategy is located at http://www.rsaconference.com/experts/lisa-mckee.