Zero Trust requires unified data

A truly effective Zero Trust approach is only possible when all components and processes are working together and can communicate in a shared data environment that can scale and support decisions at network speeds. The CISA Zero Trust Maturity Model states: “... cross-pillar coordination is required. However, this coordination can only be achieved with capabilities and dependencies compatible with one another and the enterprise-wide environment.” This indicates that the intention and the requirement is to be able to observe all of these systems, users, and interactions collectively and correlate activities across them all. 

Because there is currently no Zero Trust interface standard for different portions of the IT landscape to conform to, the only viable option for achieving that level of cross platform/application/network/boundary communication is to integrate them all at the data layer — the one commonality that all components and layers of the organization share is that they all generate data. In order for Zero Trust to work, all of this data needs to be observable, available, and correlatable within a unified data plane. In other words, it needs to be integrated at the data layer. 

The defining principle of Zero Trust is "never trust, always verify," and all pillars are connected to the architecture by the data they share. That data is the foundation for the ZT decisions being made at any given time. Speed is a huge factor in making Zero Trust practical: ZT operations rely on fast and comprehensive access to all relevant data not only to make good policy-based decisions about trust in a timely manner, but also to validate that the decided-upon action was actually performed (the "always verify" part of the equation).

Zero Trust operations can't use a “fire and forget” mentality: every portion of the transaction chain needs to be monitored and analyzed to ensure the ZT policy was followed. It’s not good enough to passively collect logs to “check the box” on the security requirements. 

For organizations, such as defense and intelligence agencies that need strong security beyond traditional enterprise environments, Zero Trust must operate at the edge and without internet connections. In these cases, the only viable ZT model is one that works in disrupted, disconnected, intermittent, and low-bandwidth (DDIL) environments as well as it does in fully connected environments.

Elastic shines when used as the unifying data foundation for Zero Trust operations. While the Elasticsearch Platform has features, capabilities, and components that can directly support Zero Trust activities, the primary and unique value that Elastic provides for ZT is the ability to ingest data from any systems across all parts of the Zero Trust pillars (ZTA and ZTNA) into a shared data environment that operates at the speed of search. 

A recent NSA white paper specifically highlights the value and importance of the data layer in a ZT architecture. Elastic can become the foundation of the Data pillar, enabling a single, unified data layer for:

• Identifying and tracking valuable data throughout the organization

• Identifying and adapting risk scoring to data sources and user interactions with valuable data

• Labeling, tagging, cataloging, and governing data in a comprehensive way

• Encrypting, protecting, and monitoring data

• Providing a single data security layer for access control

• Powering Zero Trust decision-making with access to all data at once

IT and security teams are often asked to “do more with less,” including fewer security resources and training. As the cyber landscape evolves and becomes increasingly more complex, speed and agility are the foundation of success. We need to move away from limping through the daily review of thousands of simple alerts; we need our operators and analysts to focus on what matters and to be able to do so with agility and speed. Elastic provides integrated machine learning (unsupervised, supervised, and third-party model integration) to automate anomaly and pattern detection (like behavioral, categorization, and temporal) and alerting on all ingested data. The idea isn’t to replace people; it’s to make existing teams more efficient and better focused on what matters most.

One of the core Zero Trust implementation principles is that you should start where you are. Elastic can be integrated to the different ZTA and ZTNA systems in a phased approach that makes use of existing investments, while steadily moving toward a unified data layer. Over time, Elastic’s search analytics platform allows those integrated systems to become the distributed data speed layer that integrates all components of the ecosystem and to power successful Zero Trust operations and decisions.

Eventually, the Zero Trust design will encompass all types of data, not just events, logs, and metrics. It will have to make ZT decisions based on the human data living within our office documents and data repositories as well. 

Elasticsearch is also a market-leading vector database with integrated and ever-expanding capabilities in combining semantic search modalities (vector search, NLP, NER, classification) with traditional lexical search, aggregations, and filtering operations. Lexical search is traditional keyword-based retrieval, whereas vector search enables finding information based on semantics or the meaning of the question. The combination of those two fundamental types of search (hybrid search) with the ability to aggregate and action data is extremely powerful. Elastic’s unique approach of providing an open, scalable, and general-purpose search analytics platform — with the full spectrum of data query, machine learning and AI model integrations, analysis, detection, alerting, and integration capabilities — enables organizations to future-proof all data operations and adapt easily to new sources and use cases.

Zero Trust as a practical methodology is still relatively new and evolving. The vast array of technologies waiting to be integrated into the Zero Trust framework varies widely and is unique to each organization. As noted in the CISA Zero Trust Maturity Model, “the path to zero trust is an incremental process that may take years to implement,” so it’s very likely that there will be an initial and ongoing investment required to implement the principles and maxims of Zero Trust.

The path to ZT success, given the evolving landscape and processes, requires agility. Realizing these goals is only possible if all Zero Trust operations are built upon a unified data layer providing the scalability, speed, and flexibility to adapt to the changing requirements. That is how we protect our vital information assets and operations in a rapidly changing security environment.