
Zero Trust without Data Privacy – What’s the Point?

source link: https://devm.io/security/zero-trust-data-privacy


20. Oct 2022


Let’s start by agreeing that Zero Trust is an essential step beyond today’s perimeter-based defenses. The idea of having a moat (with rings of firewalls with IPS and other protection) to protect the castle (the corporate network and data centers) became moot during the pandemic.

With many employees working remotely and in the cloud, the threat surface expanded quickly like someone blowing a balloon enthusiastically, which could pop and allow a threat actor to penetrate. Sadly, for many companies, the “pop” came too loudly and too quickly.

So, the idea of trusting no user and no application by default and verifying everything that your systems or employees come in contact with, touch, or link to makes perfect sense. But the concept, born to offer a more sensible way to protect networks, has an Achilles heel that often gets glossed over. If your Zero Trust architecture does not consider the role of data in an enterprise's overall security and privacy posture, it misses the whole point.


The gaping data privacy hole

Data privacy is becoming a heated topic and one that no Zero Trust enthusiast should ignore. The reason: consumers worldwide are waking up to data privacy.

Consider this — a staggering 84% of respondents in a survey conducted by Cisco indicated that they care about the privacy of their data and that of other members of society and want more control over how organizations use their data. In just the first year of the California Consumer Privacy Act (CCPA), B2C companies received 137 data subject access requests per million identities. This is before all consumers became fully aware of their privacy rights, and this number is only increasing.

In its current form, the Zero Trust concept fails to address modern enterprises' data privacy protection needs. It is little surprise that 91% of companies across all verticals, states, and business sizes that must comply with CCPA are not prepared to meet the CCPA privacy rights compliance requirements, according to CYTRIO’s CCPA and GDPR Research Report Q2 2022.

Worse, Zero Trust often means heavy financial investment from enterprises. Yet, despite this additional and often significant overhead, data remains vulnerable because the organization has minimal context on what its legitimate purpose and usage are.

Why data privacy is important to Zero Trust

Enterprises and their security stack partners need to adopt a new mindset that puts data at the core of security and privacy policies. Zero Trust models must move the needle beyond identity, application, and device, incorporating a keen understanding of data to realize the full value of their Zero Trust investment.

But what do we mean by understanding data?

Traditionally, even the sharpest CISOs perceive data protection as network protection. It sounds simple — you protect the network, and naturally, all your data within the network remains safe and protected.

In modern organizations, data storage is far more complex and democratized. There is no single repository that you can guardrail to achieve 100% data protection. There is data in CRMs, cloud and SaaS environments, on-premises and in the cloud, personal drives, and even personal devices. Employees are accessing and using business data from cafés worldwide and their unprotected home networks and devices.

In such complex setups, your security stack needs to be able to classify and differentiate privacy data, associate purpose with each such data set, and then create a Zero Trust policy to protect that data. It also needs to do this on the fly, in real-time, and with automation tools. This evolved approach to enterprise data can transform how organizations perceive security and privacy and how effective their Zero Trust architecture is in protecting consumers' rights and adhering to privacy regulations.

More importantly, coding automation into the system is the way to remove the operational burden of managing Zero Trust architecture and policies in sentient organizations.
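The approach described above (classify privacy data, bind a purpose to each data set, then enforce a Zero Trust policy automatically) as a small worked example. This is added illustration code, not the article's or CYTRIO's, and the field patterns, categories and purpose bindings are constructed assumptions; the point it makes is that an authenticated user on a healthy device is still denied a field when the declared purpose is not bound to that field's classification.

```python
import re
from dataclasses import dataclass

# Hypothetical classifier: value patterns mapped to a privacy category (constructed).
PATTERNS = {
    "contact": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "national_id": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}

# Purpose bindings: which declared purposes may read each category (constructed).
ALLOWED_PURPOSES = {
    "none": {"support", "marketing", "analytics", "billing"},
    "contact": {"support", "billing"},
    "national_id": {"billing"},
}


def classify_record(record: dict) -> dict:
    """Tag every field of a record with a privacy category, or 'none'."""
    tags = {}
    for name, value in record.items():
        category = "none"
        for cand, pattern in PATTERNS.items():
            if isinstance(value, str) and pattern.match(value):
                category = cand
                break
        tags[name] = category
    return tags


@dataclass
class Request:
    principal: str      # identity already verified by the Zero Trust stack
    authenticated: bool
    device_healthy: bool
    purpose: str        # purpose the caller declares for this access


def decide(req: Request, record: dict) -> dict:
    """Per-field allow/deny. Identity and device checks are necessary but not
    sufficient: each field is released only if the declared purpose is bound
    to that field's classification."""
    if not (req.authenticated and req.device_healthy):
        return {name: "deny" for name in record}
    tags = classify_record(record)
    return {
        name: ("allow" if req.purpose in ALLOWED_PURPOSES[tags[name]] else "deny")
        for name in record
    }
```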


Face it, you can’t do it alone

Traditionally, the CISO has been responsible for data security, and legal teams have focused on privacy. But interestingly, data now spans the organization, with different teams accessing and using data for diverse use cases. Therefore, these teams must work together on developing sound privacy policies and implementing them within their workstreams.

As organizations incorporate modern technologies like IoT, AI, and ML into their workstreams, data generation, collection, and access will become further democratized to include not just humans but also machines. As a result, now is the right time for organizations to consider more holistic approaches to data privacy and not assume that they have done their bit with a Zero Trust policy that simply protects their network.

As enterprises look to incorporate data into their Zero Trust policies, CXOs and teams spanning business, marketing, sales, and engineering, among others, must work together. Building a privacy-first mindset and culture across the organization is essential. Holistic data security and privacy policies will follow naturally.

Pankaj Parekh

Pankaj Parekh is Chief Products Officer and co-founder of CYTRIO, a next-generation data privacy compliance company. He has held CPO, CTO, and VP of engineering roles at Zscaler, Microsoft, Security First Corp, iPolicy Networks, and others.
