Want to democratize your analytics? Then stay away from Zero Trust security

Profile picture for user Neil Raden By Neil Raden July 30, 2021
Summary:
Zero Trust security is often hyped as the solution to enterprise data breaches. But if your corporate goal is the democratization of analytics, Zero Trust security is a flawed approach. Here's my rebuttal to Zero Trust advocates.

phone-security

It's been a long-running dream that people have access to data and analyze it themselves, easily. We referred to this as "User-Friendly," which was only friendly to those who designed the software in the distant past. Also, "End-User Computing" (there is an old joke that only two businesses refer to their clients as users).

Over time, "end-user" software employed the GUI and mouse of interfaces of the PC. The misconception was that a graphical interface and a mouse would solve the usability problems. Still, it didn't because it was the underlying complexity of the data and the models that defied understanding. Nevertheless, the industry unleashed the dream of "Pervasive BI," "Self-Service," and DIY (Do It Yourself).

After decades, we may be getting closer to that hope. Newer technology provides data discovery, "prep" tools that allow for easy combining, cleaning, profiling, and locating data, all with "no-code." The emergence of catalogs that provide the location, connection protocol, collaboration, security, and semantic metadata virtually takes IT and Data Engineers out of the loop. 

As AI works its way into these tools, the process of identifying data and developing advanced analytical models, it is likely that organizations will find, if not pervasive, use of these tools, much greater penetration into the community. NLP (Natural Language Processing) is already capable of processing a query like, "Give me the latest shipments of three closest competitors. and analyze if that will have an impact on our supply chain members." That, of course, assumes the data architecture for the firm can support that analysis. 

Of course, the unleashing of analytical activity requires governance. A common misconception is confusing governance with security. Security is part of governance, and governance is not synonymous with security. Data governance is composed of defined policies and procedures for data and processes. Data security consists of protection from unauthorized access or corruption. For example, a bank may have security to prevent intruders from getting past their firewall.

On the other hand, a bank regulator may require model governance to complete documentation of the steps taken to create a risk score. In a way, governance opens up access so that the right things happen. Security, if misapplied, can interfere with something happening. 

That's where Zero Trust comes in.

As companies and government institutions find themselves victims of hacking and ransoms, there is an increased awareness of vulnerability, and some advocate a concept of Zero Trust:

Zero Trust Security is the approach that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.

Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies defines defines Zero Trust as:

The strategy around Zero Trust boils down to don't trust anyone. We're talking about, ‘Let's cut off all access until the network knows who you are. Don't allow access to IP addresses, machines, etc., until you know who that user is and whether they're authorized.'

Knee-jerk reactions tend to generate knee-jerk, intrusive solutions. But organizations are spending billions on security, If you think Zero Trust has an ominous feel to it, you're correct. While at the same time, organizations have implemented knowledge graphs and catalogs, and even models to enable everyone to locate the data that they need, Zero Trust is lurking. Imagine micro-segmentation (you know, like Facebook uses) that gathers the most intimate information about you, applying the most granular perimeter enforcement. That's right, about the "users" themselves, incorporating even their locations to determine if you can be trusted or a machine. Monitoring every application accessing to a part of the organization 

Zero Trust makes every employee or external customer a criminal. IT organizations are laboring under the misconception that they can trust their environment and that their firewalls keep out the bad actors. They even tend to be more open and collaborative, but the bad actors are already inside. Every time there is a breach or hack nearby, or even to their environment, they become defensive, and a concept like Zero Trust becomes attractive. 

This raises two issues about "data democratization." First, democratization does not imply that every person in an organization will transpose into an analytically inclined "user." Instead, the idea is that those who are inclined but have been frustrated with the technology and the complexity of the organizations will transition to analytically-oriented work.

The second issue is that democratization implies a certain degree of non-uniformity. In other words, analysts will follow their ideas about things and not follow the same analytical path all the time. This will frustrate security-at-the-person level

If the newly "democratized" analysts find that Zero Trust drags them through multi-factor authentication, IAM, orchestration, analytics, encryption, scoring and file system permissions each time they interact, how long will it be before they give up? Zero Trust policies assign to users extremely constrained access that they need to data. That raises two issues. They won't like it, and two, are there enough security managers in the world to develop and MAINTAIN the granular access? Current security approaches that apply role-based security have a difficult enough time as people come and go and. More importantly, their roles change, sometimes for only hours, or they inhabit multiple roles.

My take

In an attempt to insulate themselves from hacking, the application of Zero Trust may alienate analysts and every other participant to the point that the organization loses insight into their operations, supply chains, strategy and even vision. We have all experienced in the past IT covering data with excessively broad, crude and ineffective security based on a simplified concept of roles. In other situations, they attempted to apply security by the individual. In our practice, our client insisted we create views for 3500 people. Before we even finished, a significant number of them were gone. And there was no one in the organization to maintain the views daily. I recently learned that a large organization did not delete departing employees for four or five days.

These simplified approaches to security are obsolete. Organizations should build the most comprehensive security without clobbering employees, using off-the-shelf decision models and AI. Zero Trust is intrusive and goes too far.