Data-centric Zero Trust: Why you should implement a Zero Trust architecture at the data layer


Matt Trudewind

Data breaches and cyberattacks are constantly evolving, putting critical infrastructure and sensitive data at risk. But safeguarding data is more complex than merely setting up firewalls or encryption. This is where a Zero Trust architecture comes in—a security framework that assumes no entity, whether inside or outside the corporate network, can be trusted by default.

But here’s the challenge. While many organizations have embraced a Zero Trust architecture at the network layer, very few have considered how to apply these principles where it matters most—the data itself. This brings us to data-centric Zero Trust.

The focus of a data-centric Zero Trust Architecture is to implement Zero Trust principles specifically at the data layer, ensuring that every file or piece of data is protected, no matter where it resides. While having a holistic Zero Trust implementation is still essential for security, focusing on how this architecture applies to data takes it to the next level.

How is a data-centric approach to Zero Trust different?

Data-centric Zero Trust goes beyond traditional Zero Trust strategies by placing data security at the heart of the architecture. Instead of focusing solely on securing networks and endpoints, data is treated as a separate asset with an additional layer of protection applied directly to it at the storage layer.

Here’s how it differs from traditional Zero Trust security:

  • Traditional Zero Trust: Focuses on controlling access to networks, applications and endpoints by continually verifying users and devices.
  • Data-Centric Zero Trust: Centers on protecting the data itself, ensuring only authorized users can access it and applying multiple layered controls regardless of where the data resides.

For example, imagine you’ve implemented a Zero Trust architecture on your network. Even if a malicious actor breaches the network, Data-Centric Zero Trust still applies and ensures that sensitive files and data remain inaccessible thanks to automation and analytics, end-to-end encryption and granular data access controls.

The core principles of data-centric Zero Trust

Treat data as the foundational layer of security
With Data-Centric Zero Trust, data is no longer the last stop in the chain of security. It’s the primary asset that your architecture protects. Every decision about storage, access, and sharing should start with the central question, “How do we secure the data itself?”

For example:

  • Prevent a single admin account from destroying critical data using Role-Based Access Control (RBAC) and Multi-admin Verification (MAV)
  • Secure automated service accounts with token-based authentication
  • Place a firewall at the storage device so that only secure protocols can reach it
  • Encrypt all data, whether it is at rest or in transit

Apply least privilege to data access
Zero Trust emphasizes the principle of least privilege access, meaning users and applications should only have access to data they need to perform their functions—and no more. With data-centric Zero Trust, restricted access doesn’t stop at the application layer. It’s reinforced at the storage layer.

Best practices include:

  • Implementing Attribute-Based Access Control (ABAC) using extended attributes (xattrs) and metadata tagging for granular file access
  • Monitoring file shares and auditing to look for incorrect or open permissions and to eliminate “access creep,” where users inadvertently gain more access through a role change or an accidental data spill
  • Applying an additional layer of access permissions at the storage layer using Storage-Level Access Guard (SLAG)

So even if a user has access to a network resource, these data-centric Zero Trust security measures ensure they’ll still need explicit authorization to access individual files or storage buckets.

Implement granular data classification and audit logging
To secure data, you need to understand which data is most important, and you need visibility into how it is used. Data-Centric Zero Trust requires logging every file access, delete, write, and modification, whether it is made directly or via an API request. However, this auditing can be noisy, distracting from real potential threats. That’s why it’s important to classify your data and ensure that any audit alerts are accurate and tied to the most sensitive data. Advanced solutions even provide an automated ability to block the user account when unusual activity is detected, such as unauthorized access or data exfiltration.

Use tools that enable:

  • Automated data classification and tagging
  • File access control logs to trace who accessed what data and when
  • Automated anomaly detection: identify suspicious user behavior, like abnormal file transfers outside typical working hours, or a massive increase in file access and creation
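The two detections just listed (activity outside working hours and a sudden burst of file operations), run over a few constructed audit log lines, as an added example that is not part of the original post and not NetApp’s own tooling. The log format, the working-hours window, the burst threshold and the “sensitive path” prefixes are all assumptions; the classification map is what keeps off-hours alerts tied to sensitive data rather than firing on every late-night read, which is the noise-reduction point made above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit line format: "<ISO timestamp>Z user=<u> op=<op> path=<p>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)$")

WORK_START, WORK_END = 9, 18            # assumed working hours (UTC), inclusive/exclusive
BURST_WINDOW = timedelta(minutes=5)     # sliding window for the burst detector
BURST_THRESHOLD = 50                    # more ops than this per user per window -> alert
# Assumed classification map: only paths under these prefixes count as sensitive.
SENSITIVE_PREFIXES = ("/vol1/finance/", "/vol1/hr/")

def parse(lines):
    """Turn raw log lines into events; malformed lines are counted, not crashed on."""
    events, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m["user"], "op": m["op"], "path": m["path"]})
    return events, skipped

def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)

def off_hours_alerts(events):
    """Access to classified data outside the working-hours window."""
    return [
        {"rule": "off_hours", "user": e["user"], "path": e["path"], "ts": e["ts"]}
        for e in events
        if not (WORK_START <= e["ts"].hour < WORK_END) and is_sensitive(e["path"])
    ]

def burst_alerts(events):
    """One alert per user whose op count in any BURST_WINDOW exceeds the threshold."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e["ts"])
    alerts = []
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > BURST_WINDOW:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > BURST_THRESHOLD:
                alerts.append({"rule": "burst", "user": user, "count": count, "ts": ts})
                break                                   # report once per user
    return alerts

def analyze(lines):
    events, skipped = parse(lines)
    return {"off_hours": off_hours_alerts(events),
            "bursts": burst_alerts(events),
            "skipped_lines": skipped}

# Constructed sample log: alice is normal, bob reads finance data at 2 AM,
# carol reads public data at 3 AM (no alert), mallory creates 60 files in one minute.
SAMPLE_LOG = [
    "2024-05-06T10:02:11Z user=alice op=read path=/vol1/finance/q1.xlsx",
    "2024-05-06T10:05:40Z user=alice op=write path=/vol1/finance/q1.xlsx",
    "2024-05-06T02:14:09Z user=bob op=read path=/vol1/finance/payroll.csv",
    "2024-05-06T02:15:31Z user=bob op=read path=/vol1/hr/reviews.docx",
    "2024-05-06T03:00:00Z user=carol op=read path=/vol1/public/handbook.pdf",
    "this line is not an audit record",
] + [f"2024-05-06T11:00:{i:02d}Z user=mallory op=create path=/vol1/share/f{i}.docx"
     for i in range(60)]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for a in result["off_hours"] + result["bursts"]:
        print(a)
    print("skipped malformed lines:", result["skipped_lines"])
```

The burst detector deliberately counts all operations, not only the sensitive ones, because mass creation on an unclassified share is exactly the pattern the bullet above describes; the off-hours rule, by contrast, is gated on classification so that a late read of a public handbook does not page anyone.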

Keep data protected no matter where it lives
The traditional Zero Trust approach often limits its scope to securing networks, endpoints, and servers, but in today’s hybrid cloud your data doesn’t always stay within those confines. Whether it’s synced to the cloud, shared externally, out at an edge site, or copied for disaster recovery, the challenge is ensuring that data is always secure no matter where it travels or ends up.

Data-centric measures include:

  • Encrypting files before they leave the storage layer.
  • Using ABAC to enforce access restrictions beyond file permissions dynamically with data tags—for example, allowing a document to open only if the end user’s attributes match the classification tag on the file.
  • Ensuring storage-layer access controls like MAV, SLAG, and RBAC are present at each data location.
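A worked version of the ABAC check described in the least-privilege section and in the bullet just above (open the file only if the user’s attributes match its tags), written as an added example that is not part of the original post and not NetApp’s implementation. The classification ladder, the tag names (`user.classification`, `user.department`), the clearance/department/role attributes and the rule that writes to confidential data require an editor role are all assumptions. Tags are stored as Linux extended attributes in the `user.` namespace via `os.setxattr`/`os.getxattr`, which exist only on Linux and only on filesystems that support xattrs; the decision function itself is pure and deny-by-default, so an untagged file is never readable.

```python
import os
import tempfile

# Constructed classification ladder (higher number = more sensitive).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
TAG_NAMES = ("classification", "department")   # assumed tag names
XATTR_NS = "user."                              # Linux user xattr namespace

def evaluate(file_tags, subject, action):
    """Deny-by-default ABAC decision. Returns (allowed, reason)."""
    if action not in ("read", "write"):
        return False, f"unknown action '{action}'"
    classification = file_tags.get("classification")
    if classification not in LEVELS:
        return False, "file is untagged or carries an unknown classification"
    clearance = subject.get("clearance", "public")
    if LEVELS.get(clearance, -1) < LEVELS[classification]:
        return False, f"clearance '{clearance}' is below '{classification}'"
    dept = file_tags.get("department")
    if dept and subject.get("department") != dept:
        return False, f"subject is not in department '{dept}'"
    if (action == "write" and LEVELS[classification] >= LEVELS["confidential"]
            and subject.get("role") != "editor"):
        return False, "writing confidential-or-higher data requires the editor role"
    return True, "all attribute checks passed"

def tag_file(path, tags):
    """Write each tag as a user.* extended attribute on the file (Linux only)."""
    for name, value in tags.items():
        os.setxattr(path, XATTR_NS + name, value.encode())

def read_tags(path):
    """Read the known tags back; a missing attribute is simply absent -> deny."""
    tags = {}
    for name in TAG_NAMES:
        try:
            tags[name] = os.getxattr(path, XATTR_NS + name).decode()
        except OSError:
            pass            # ENODATA: tag not set on this file
    return tags

def check_access(path, subject, action):
    """Storage-layer style check: decision is driven by tags on the file itself."""
    return evaluate(read_tags(path), subject, action)

if __name__ == "__main__":
    subjects = {
        "finance analyst": {"clearance": "confidential", "department": "finance", "role": "analyst"},
        "finance editor":  {"clearance": "confidential", "department": "finance", "role": "editor"},
        "sales rep":       {"clearance": "confidential", "department": "sales", "role": "analyst"},
        "intern":          {"clearance": "internal", "department": "finance", "role": "analyst"},
    }
    tags = {"classification": "confidential", "department": "finance"}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "q1-forecast.xlsx")
        open(path, "wb").close()
        try:
            tag_file(path, tags)          # round-trip the tags through the filesystem
            tags = read_tags(path)
        except (OSError, AttributeError) as exc:
            print(f"xattrs unavailable here ({exc}); evaluating in-memory tags instead")
        for who, subject in subjects.items():
            for action in ("read", "write"):
                allowed, reason = evaluate(tags, subject, action)
                print(f"{who:16} {action:5} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

Because the tags travel with the file as metadata, the same decision applies wherever the file is replicated, which is the point of enforcing the policy at the data rather than at a single application front end.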

Why a data-centric Zero Trust approach matters

Data-Centric Zero Trust isn’t just an additional security layer; it’s an evolution of how organizations approach protection in a data-driven world:

  • Enhanced security against insider threats – restricting data access on a need-to-know basis, even for data administrators, avoids the major expense that insider threats cost businesses annually.
  • Protection across hybrid cloud environments – applying uniform policies no matter where your data resides reduces the risk of misconfigurations and keeps data secure as it moves between on-premises and cloud storage.
  • Simplified compliance with regulations – with robust tools to classify and protect sensitive data, you can simplify audits and ensure adherence to legal requirements.
  • Cost-efficiency in the long run – by focusing on protecting the most critical asset—your data—you can avoid overspending on reactive security measures like breach damage control and recovery efforts.

Don’t wait for a breach. Start implementing a data-centric Zero Trust architecture today to protect your organization’s most critical asset and build cyber resilience. Whether it’s finding and classifying your most sensitive data, encrypting it end to end, limiting data access with extended attributes, or monitoring autonomously for anomalies, every step you take toward a data-centric approach will save time and money and provide invaluable peace of mind.

To learn more about data-centric Zero Trust, check out our white paper.

Matt Trudewind

Matt is a Security Evangelist at NetApp with a focus on ransomware prevention, cyber resiliency, and data-centric portfolio security. With 25 years of IT experience, he specializes in Zero Trust, Data Governance, Encryption, Security Tools, and Best Practices. Matt has held various roles at NetApp, including Product Manager and Technical Marketing Engineer for ONTAP Security. He also has extensive expertise in networking, SMB/CIFS, and Microsoft technologies. Matt's passion lies in driving the latest security features and capabilities to ensure customer success.
