Data-Centric Zero Trust Security

Greg Fujii, Fortanix
Published: Feb 23, 2023
Reading Time: 5 mins
How do I explain Zero Trust Data Security

ChatGPT – How do I explain Zero Trust Data Security

"Imagine you have a treasure chest full of special things that you don't want anyone else to see or take. In order to keep those things safe, you lock the treasure chest and only give the key to people you trust. That's like how a zero-trust data security model works - it keeps your important information safe by only letting the right people see it, and it uses special locks and keys to make sure no one else can get in."

What if my treasure chest is under someone else's control and in someone else's house? Some call the cloud “someone else’s computer.”

There is no doubt that people will continue to leverage Cloud Service Providers as they offer agility, scalability, and access to infrastructure/services that were difficult to maintain previously. With the cloud comes more stringent Governance, Risk, and Compliance requirements that enterprises will have to maintain.

Who does this fall on, the cloud providers or the customer? Well, therein lies the notion of a Shared Responsibility model that all Cloud Providers have when it pertains to the different assets and data that reside in the cloud.

A challenge for enterprises today is finding best practices to protect their data and assets in the cloud. Cloud providers publish division-of-responsibility matrices, but how can a customer be sure that the services they are using actually let them do their part?

Many of these questions are difficult to answer, and it is equally difficult to deploy the right solutions to put customers in the best possible position to OWN their portion of the responsibility. There needs to be a clear line in the sand for separation of duties in security, and specifically in cryptography, between what the cloud providers own and what the customer owns.

The three major cloud providers state that the customer is solely responsible for their data and access. “For all cloud deployment types, you own your data and identities.” – Azure. Easier said than done. Throwing bodies and tools to solve this problem is complex and expensive.

Today you can leverage cloud provider Key Managers and Hardware Security Module functions, but does that go against their core principle that the customer is responsible for their data since the data, keys, and access controls mostly reside in the cloud?

Bring Your Own Key (BYOK) was an earlier answer, but as most of the cryptographers I have had the pleasure to speak with will point out, your key material still resides in the cloud once it is imported. If the key material resides in the cloud, you do not own your encryption.

We firmly believe that there should be a separate control plane for the best security posture when it comes to encryption keys.

As cloud offerings have matured, we have seen Google Cloud and Amazon AWS both develop a way to bring External Key management to the forefront of security. We believe that this is a very strong offering that cloud providers were being asked to support.

External Key Management has given you control over assets that reside in the cloud, but as most security folks know, we live with the constant worry of whether this is enough. Here at Fortanix we believe there is a way to deliver an added layer of security that helps customers truly own their responsibility for data in the cloud.

How can you go beyond encryption and key management inside the cloud provider? What if you could encrypt data at the moment of creation by leveraging Format Preserving Encryption, coupled with a Key Management solution that provides granular access controls and tamper-proof audit logs for specific cryptographic keys?

That data would then travel encrypted and reside encrypted, and you would be able to enforce strict access controls on who can see the data in clear text versus ciphertext.

As a consumer, I want the companies that I choose to do business with to ensure they are taking care of my data, or I would take my business elsewhere. Enterprises are taking a hard look at their cybersecurity measures to protect data because it has a direct impact on their earnings and brand reputation.

Security within any organization is a shared responsibility for all employees. With the proliferation of remote work, managing access to network and cloud resources has only become more cumbersome. This complexity leads to misconfigurations and increased exposure to bad actors.

Sensitive data is one of the most valuable assets an organization has; some argue data is more valuable than gold. Leveraging Deterministic or Format Preserving Encryption within your application allows you to encrypt sensitive data upon creation. Because the encrypted values keep their format, data owners can test against real traffic or share data with third parties while keeping strict access controls on who, if anyone, can see the data in clear text.

Data can now flow freely between on-prem and different clouds without the risk of exposing clear-text data that can impact the business negatively. Format Preserving Encryption, coupled with Enterprise Key Management, allows you to follow the core tenets of the NIST 800-207 Zero Trust Framework and apply it at the data layer.

This Zero Trust Data Security model allows you to run analytics and business functions, and share data with third parties, while maintaining complete control of who sees data in the clear, or if they can still perform their function by looking at a substituted version of that data.

Taking a Data-Centric Security approach is the first step in making the transition to the cloud or ensuring that you are truly owning your responsibility as data flows into the cloud service providers.

Encrypting data at the application layer, and attaching access policies that define which individuals, teams, or applications can see clear text versus ciphertext, gives you the best posture for protecting your data and your customers.

This significantly reduces the blast radius and the risk of data getting into the wrong hands, and if it does, the data is nearly impossible to decrypt because the keys never travel with it.
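The pattern described above, as an added illustration that is not Fortanix's code or product API: a toy format-preserving cipher over decimal digit strings (a Feistel network with an HMAC-SHA256 round function, deliberately not NIST FF1/FF3-1) protects a card-number column at creation time, and a hypothetical policy layer decides per role whether a caller gets the clear text or only the format-preserved ciphertext, writing an audit entry either way. The key, the `CLEAR_TEXT_ROLES` policy, the role names and the sample record are all constructed for the example; in a real deployment the key would stay inside the external key manager and the decrypt decision would be enforced there rather than in application memory.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Toy format-preserving encryption over decimal digit strings (constructed for
# illustration; NOT NIST FF1/FF3-1 and not a Fortanix API). It is an unbalanced
# Feistel network whose round function is HMAC-SHA256, so the ciphertext has the
# same length and character class as the plaintext, and the same key + tweak +
# plaintext always yields the same ciphertext (deterministic).
ROUNDS = 10


def _round_fn(key: bytes, tweak: bytes, rnd: int, half: str, width: int) -> int:
    """Pseudo-random function for one Feistel round, reduced to `width` digits."""
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def _check(digits: str) -> None:
    if not (digits.isascii() and digits.isdigit() and len(digits) >= 2):
        raise ValueError("input must be a string of at least two ASCII digits")


def fpe_encrypt_digits(key: bytes, tweak: bytes, digits: str) -> str:
    _check(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2          # unbalanced split handles odd lengths
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v     # width of the half being replaced
        c = (int(a) + _round_fn(key, tweak, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt_digits(key: bytes, tweak: bytes, digits: str) -> str:
    _check(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):  # undo the rounds in reverse order
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_fn(key, tweak, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


# Hypothetical access policy: which roles may see a column in clear text.
CLEAR_TEXT_ROLES = {"card_number": {"payments-service", "fraud-investigator"}}


@dataclass
class TokenizationService:
    key: bytes                       # constructed demo key; would live in a KMS
    audit_log: list = field(default_factory=list)

    def protect(self, record: dict, column: str) -> dict:
        """Encrypt `column` at creation time; the record now travels encrypted.
        The column name is the tweak, so equal values in different columns
        do not share a ciphertext."""
        out = dict(record)
        out[column] = fpe_encrypt_digits(self.key, column.encode(), record[column])
        return out

    def view(self, record: dict, column: str, principal: str, role: str) -> str:
        """Return clear text only for allowed roles; everyone else receives the
        ciphertext, which still works for joins, counts and test traffic."""
        allowed = role in CLEAR_TEXT_ROLES.get(column, set())
        self.audit_log.append({"principal": principal, "role": role, "column": column,
                               "decision": "clear" if allowed else "cipher"})
        if allowed:
            return fpe_decrypt_digits(self.key, column.encode(), record[column])
        return record[column]


if __name__ == "__main__":
    svc = TokenizationService(key=b"demo-key-held-by-external-kms")
    # Constructed sample record; the card number is a well-known test PAN.
    rec = svc.protect({"id": 1, "card_number": "4111111111111111"}, "card_number")
    print("stored:", rec["card_number"])                                   # 16 digits, not the PAN
    print("analyst sees:", svc.view(rec, "card_number", "alice", "data-analyst"))
    print("investigator sees:", svc.view(rec, "card_number", "bob", "fraud-investigator"))
    print("audit:", svc.audit_log)
```

Determinism is what makes the ciphertext usable for analytics and third-party sharing: the same value always maps to the same token, so joins and counts work without ever revealing the clear text. The flip side is that equal inputs are visible as equal outputs, which is why the tweak and the per-column policy matter.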

At the end of the day, I look forward to empowering customers to leverage their data in the most secure fashion without sacrificing performance.

Fortanix Tokenization (aka Deterministic or Format Preserving Encryption) is a PCI DSS-certified and ISO 27001-certified technology that allows you to start encrypting data at the application layer and maintain control of keys, while relieving you of some of the most stringent government compliance regulations, e.g., CCPA, NYCRR 500, GDPR/Schrems II. Fortanix Tokenization provides you with the security separation of duties that all major cloud providers say you must own. If you want to learn more about Fortanix Tokenization, join us here.
