Zero trust represents a fundamental shift in how organizations approach cybersecurity, moving from perimeter-based protection to more comprehensive, granular data security that extends to cloud and private applications, among other IT resources. Building a resilient, scalable, and cost-effective zero trust architecture that grows with your business and adapts to evolving threats is more important than ever, but it’s also common for organizations to be unsure where to start.
Because of that uncertainty, along with lingering misconceptions of what zero trust means, the conversation understandably tends to gravitate toward Zero Trust Network Access (ZTNA). The value proposition of ZTNA is straightforward, its connection to the broader concept of zero trust is obvious, and its implementation path is relatively clear. But a ZTNA-first, and especially a ZTNA-only, approach to zero trust represents a fundamental misunderstanding of how organizations should approach the real-world application of zero trust principles.
While moving from a single network perimeter to a model of secure access to individual IT resources is typical in the context of a zero trust strategy, the ultimate goal of such a model remains the same as the old perimeter-based approach to security: to protect your organization’s sensitive data. With that in mind, if your organization has data visibility gaps and your zero trust strategy doesn't begin by addressing them, your newly deployed ZTNA tool may not live up to its full data protection potential.
The Limits of a ZTNA-Focused Approach
ZTNA excels at what it's designed to do: verify user identity, enforce least-privilege access, secure connections to IT resources, and centralize application management. These capabilities are valuable and necessary components of any zero trust architecture. However, ZTNA operates under a critical assumption: You already know what data exists, how it’s used and by whom, where it's stored, and how it should be protected. So, for organizations that already have a deep understanding of their data landscape, Fortra ZTNA on its own could be a good starting point for zero trust implementation.
In reality, however, many modern organizations now store and move data across hybrid and multi-cloud environments, often without comprehensive visibility into what sensitive information exists, who has access to it, and/or how it's being handled. So, while ZTNA is perfectly effective in protecting the sensitive data that’s already visible to your organization, its application-level controls can't protect sensitive data it doesn’t know exists.
Consider the following scenario: Your ZTNA solution successfully authenticates a user and grants them access to a cloud storage repository based on their role. The connection is secure, the user's identity is verified, and access controls are enforced. But if that repository contains sensitive data that was never classified, your ZTNA tool wouldn’t be able to protect those critical assets without the help of other solutions.
Why To Consider Starting With DSPM
For organizations that need a more thorough understanding of their architecture and broader data landscape, it’s often far more worthwhile to begin not with an application-level tool like ZTNA but with a solution capable of mapping an organization’s tools and data, and of giving adjacent application- and network-level solutions the context they need for peak performance. This is where Data Security Posture Management (DSPM) comes into play.
You Can't Secure What You Can't See
Solutions that facilitate network segmentation and constant user verification are undoubtedly foundational components of an effective zero trust architecture, but comprehensive data visibility is the cornerstone of such a foundation.
Before you can determine which users should have access to which IT resources, you need to understand what data exists, how sensitive it is, and what compliance requirements it carries. DSPM provides the comprehensive data discovery, classification, and risk assessment capabilities that inform every other downstream solution. In this way, DSPM is often a reliable starting point for zero trust implementation that is equally effective as ZTNA, if not more so.
This data-centric, DSPM-first approach to zero trust architecture offers several strategic advantages:
Informed Access Decisions: Rather than granting access purely based on job titles or departmental affiliations, DSPM enables contextual, dynamic access controls based on data sensitivity and unique business requirements in addition to user role. Application-level tools like ZTNA and CASB can then use the context delivered by DSPM for more granular access controls and policy enforcement.
Compliance Alignment: Many regulatory frameworks already require organizations to understand and map their respective data landscapes, whether for the purpose of restricting access to certain data, tracking data processing activities, managing data subject requests, or other obligations. DSPM establishes a foundation of data visibility that facilitates alignment with these requirements (among others) and only becomes more effective as complementary compliance solutions are added to your tech stack.
Scalable Data Protection: As organizations expand their cloud footprint and adopt new technologies, scaling zero trust solutions can prove to be a challenge, especially without the data intelligence inherent to DSPM’s discovery and classification capabilities. With DSPM already in place, however, adjacent zero trust solutions like Vulnerability Management (VM), Security Configuration Management (SCM), CASB, and ZTNA can immediately make use of DSPM’s insights, often making deployment easier and less disruptive to business processes.
DSPM as the Strategic Center of Zero Trust Architecture
When interpreted as the centerpiece of zero trust architecture, DSPM doesn't operate in isolation. Instead, it becomes the hub that enhances and is enhanced by other security solutions, creating a synergistic, zero-trust-aligned cybersecurity ecosystem.
How Other Cybersecurity Tools Benefit from DSPM
An organization’s adjacent cybersecurity tools like VM, Data Loss Prevention (DLP), CASB, and ZTNA all benefit from the contextual intelligence and insights gathered by DSPM, including:
- Which IT resources are overly permissive
- Which of those IT resources hold or process the organization’s most sensitive data
- Which specific users have excessive access to IT resources
- Where the organization’s biggest data exposure risks lie
Using this intelligence, VM tools, for example, can provide prioritized vulnerability remediation recommendations based on where an organization’s most sensitive data lies or where users have excessive access privileges. Meanwhile, DLP can focus its monitoring and policy enforcement capabilities on the highest-risk IT resources and highest-fidelity data events, respectively. A CASB tool will reap similar policy enforcement benefits and can extend that enforcement to users sharing or accessing data with unsanctioned shadow IT. Lastly, ZTNA can use these insights to tighten access controls and enforce micro-segments based on risk and data sensitivity.
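As an added illustration (not Fortra code and not part of the original article), the following constructed Python sketch plays out the repository scenario described earlier: a role-based grant alone admits a user to every object in a repository, whereas a DSPM-style discovery and classification pass lets the same grant be checked per object and reports which roles are overly permissive. The detector patterns, roles, clearances and file contents are all assumptions made for the example.

```python
import re

# Constructed sample: objects in one cloud storage repository, none labelled yet.
REPO = "repo-finance"
OBJECTS = {
    "reports/q3-summary.txt": "Quarterly revenue grew 4% year over year.",
    "exports/customers.csv": "name,ssn\nA. Smith,123-45-6789\n",
    "notes/card-on-file.txt": "Card 4111-1111-1111-1111 on file for renewal.",
}
# Role-based grants as a ZTNA policy holds them: role -> repositories reachable.
ROLE_GRANTS = {"analyst": {REPO}, "support": {REPO}, "intern": set()}
# Data types each role is cleared to handle (assumed DSPM-informed policy).
CLEARANCE = {"analyst": {"ssn", "pan"}, "support": set(), "intern": set()}
# Hypothetical detectors standing in for a DSPM classifier's discovery rules.
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "pan": re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b"),
}

def classify(objects):
    """Discovery + classification: map each object path to the data types found."""
    return {p: {k for k, rx in DETECTORS.items() if rx.search(c)}
            for p, c in objects.items()}

def ztna_only(role, repo):
    """Role-based decision: admits the whole repository regardless of contents."""
    return repo in ROLE_GRANTS.get(role, set())

def dspm_informed(role, repo, path, labels):
    """Same repository grant, then a per-object check against the classification."""
    if not ztna_only(role, repo):
        return False
    return labels.get(path, set()) <= CLEARANCE.get(role, set())

def overly_permissive(labels):
    """List (role, object, uncleared data types) for every exposure the grants allow."""
    findings = []
    for role in ROLE_GRANTS:
        if not ztna_only(role, REPO):
            continue
        for path, kinds in labels.items():
            gap = kinds - CLEARANCE.get(role, set())
            if gap:
                findings.append((role, path, tuple(sorted(gap))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in overly_permissive(classify(OBJECTS)):
        print("exposure:", finding)
```

With the sample data, the "support" role passes the ZTNA-only check for every object but is flagged for both the SSN export and the card-number note once classification is applied.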
How DSPM Benefits from Adjacent Tools
Just as DSPM is beneficial to adjacent cybersecurity tools, the reverse can be true as well. DSPM can make use of insights and context from adjacent cybersecurity solutions to improve performance, including:
- Vulnerability Management—Provides infrastructure risk scores that help DSPM prioritize data protection efforts based on the security posture of IT resources storing and/or processing sensitive data
- Data Classification—Supplies more granular labeling schemas and metadata that enhance DSPM's ability to accurately identify and categorize sensitive data
- Data Loss Prevention—Shares real-world data movement patterns and policy violations that help DSPM refine risk assessments and identify previously unknown sensitive data flows
Take the Next Step in Your Zero Trust Journey
Building effective zero trust architecture starts with understanding what you're protecting. Fortra DSPM helps organizations discover and classify their sensitive data, then goes a step further by enforcing security controls for granular data protection. Learn more about DSPM and our other robust Zero Trust Solutions, and discover how they can transform your security posture for the better.