Zero Trust Security in Demand for the New Year

By Karthik Krishnan, CEO of Concentric.ai

Over the last decade, authority for every productivity-related technology decision has moved from IT professionals to users and businesses closest to those decisions. BYOD, the first phase of this trend, is basically over.

In 2020, work-from-home (WFH) practices increasingly put line employees in charge of data access and management decisions. Cloud storage and productivity applications maximized online productivity by making collaboration easy from anywhere.

While link sharing may be liberating, data security issues lean toward a darker edge that is difficult for most security professionals to control.

This year, we do believe the BYO trend will continue as businesses should embrace  the authority to choose ‘as-a-service' solutions without IT involvement. Functionally, specialized online services are now as capable as their on-premises predecessors, they're easier to stand up, and they're cheaper to own.

Think of it as "bring your own SaaS" - but you can expect, for example, an accounting department to select and possibly implement an online invoicing solution they like without much consultation their IT team.

How the pandemic plays out this year will have a huge impact on tactical questions ranging from budget to manpower to project priorities - but we believe these long-term strategic trends will impact IT organizations well beyond this year.

Get Strategic with your Data Security Plan

There's no way to predict every 2021 eventuality. But we can forecast at least two key trends:

• End users and business stakeholders will assert the right to choose and use technology as they see fit. IT leaders need to find ways to support security even in the absence of control.
• Comprehensive privacy and data protection are the fundamental IT imperatives for the foreseeable future. Regardless of the regulatory environment, taking steps to understand and secure data will pay off.

What's the right path forward? Your strategic data security plan in 2021 (and beyond) should follow this simple guiding principal: apply zero-trust security principles to data wherever it's stored and used. In an uncertain regulatory and threat environment, zero trust security (which protects data by limiting access to only those with a need) is the ideal policy approach. The devil is, as they say, in the details.

In 2021, those details will increasingly be met by AI-enabled data discovery and risk assessment tools that can automate zero-trust security. Vendors commercializing some of the most promising deep learning research can now autonomously categorize data, assess business criticality, and even deduce appropriate data management policies - all without extra IT overhead, rule development or end user help.

Unexpected directions with Data Privacy

Today, most practitioners focus on risks from external threat actors. But with a bracing action in October 2020, the GDPR authority showed they're equally concerned with human resources data when they slapped clothing retailer H&M with a €35 million fine for illegal employee surveillance.

After a few years of relative predictability, data privacy promises to get more "interesting" in 2021. The GDPR and CCPA regulatory regimes each notched milestones in 2020.

The GDPR (as of this writing) had assessed a record level of fines totaling €220 million. California's CCPA enforcement kicked in on July 1st, and voters in that state passed additional privacy restrictions via a November ballot initiative (the California Privacy Rights Act or CRPA). The CRPA extends and modifies the CCPA, with new mandates taking effect at the end of 2022.

Here's where things are going to get interesting. Optimistically, effective COVID-19 vaccines will facilitate the ability for in-person work by mid-year 2021. But it's just as likely delays in distribution, reluctance to inoculate and lingering stress on the healthcare system will extend work-from-home practices for many through the end of the year. Most likely, organizations will face obligations to collect more data on their employees than previously done, about their immunization status, health situation, work habits, even their social interaction patterns.

Regulations governing employee data management are currently more forgiving in the US. The CCPA, for example, includes a so-called HR exception (which exempts internal employee information from the regulation) that's set to expire at the end of 2023. But regardless of the go-live date, privacy protections for employee data are clearly in the cards.

Planning matters. A hefty dose of uncertainty is certain to await us in 2021. And whatever may be in store for us we can and should take steps now to anticipate the data security trends that'll shape IT in 2021 and beyond.

##

About the Author

Karthik Krishnan, Founder & CEO, Concentric

Karthik Krishnan is Founder/ CEO, Concentric. Prior to Concentric, he was VP, Security Products at Aruba/HPE where he managed their security portfolio. He was VP, Products at Niara, a security analytics company focused on user and entity behavior analytics. Niara was acquired by Aruba/HPE. He has more than 20 years of experience in engineering and marketing at various hardware, software and systems such as Intel, Microsoft, Juniper Networks, PGP Corporation, Symantec and Embrane. He has a Bachelors in engineering from Indian Institute of Technology, Madras, India and an MBA with distinction from the Kellogg School of Management, where he was an F.C. Austin Scholar.