Zero trust is increasingly promoted as a must-have for modern security, but is it really a top priority for security teams adapting to new compliance requirements and data protection laws? In the midst of increased data privacy regulation, a larger and more complex attack surface, and rising attacks, adopting a new security framework may seem like an overwhelming task. But in addition to strengthening security, zero trust can actually ease many of the complications that security teams are facing by providing a scalable approach that is well-suited to complex modern applications and a patchwork of geographically specific data privacy laws.
This blog post will dive into the compliance problems with traditional security programs, explain how zero trust eases compliance by reducing risk and simplifying audits, and explain how to get started with zero trust security.
Compliance problems with traditional security
Controls are based on networks, not users and data
With the rise of remote work, cloud adoption, and the widespread use of APIs and other third-party services, security models designed around a secure corporate perimeter have become increasingly outdated. According to a 2021 report on business practices, the average enterprise leverages 175 cloud apps, which often reside outside the corporate firewall. And as remote work becomes increasingly common, employers have less control over whether employees are accessing their company’s data from secure devices.
In other words, network perimeters are no longer monolithic but fragmented, with many users, devices, and application components connecting from locations that extend beyond the corporate perimeter. Legacy firewalls that give all users within a VPN or on-premises network full access to corporate systems and data enable insider threats and expose huge amounts of sensitive data to attack.
Unequal data is treated equally
Legacy networks that use a perimeter-based approach to securing all users, devices, and application components not only risk security breaches through vulnerable endpoints; they also fail to comply with data privacy laws that require data to be treated differently based on where it is collected, who it belongs to, and how sensitive it is. In legacy systems, personally identifiable data, payment credentials, and health records are treated with the same controls as marketing materials and other low-sensitivity content.
In addition, compliance with laws that restrict cross-border data transfer necessitates geo-specific policies that control when and how personal or sensitive data can be transferred to other locations, making policies that treat all data equally not only impractical but impossible.
Security breaches expose the entire system to attack
When wide permissions are extended to everyone inside a corporate network, attackers can easily move through systems, extracting a larger amount of data and enacting more severe attacks like account takeover and remote code execution. An MIT study of recent high-profile cybersecurity incidents found that most were not due to zero-day exploits, but to “the gaining of individuals’ credentials, and the movement within a well-connected network that allows users to gather a significant amount of information or have very widespread effects.”
And with increasingly stringent data privacy laws being enacted, widespread data breaches can amplify the financial and legal consequences businesses face from different industry- and geo-specific regulations.
How zero trust simplifies and strengthens compliance
As defined by NIST, “zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources”. It replaces a network-based approach to security, which gives trusted users and programs wide permissions, with narrow, granular permissions granted on a case-by-case and session-by-session basis, using continuous monitoring and automation to quickly detect and respond to attacks.
This enables different types of data to be treated differently based on their specific regulations and associated risks, simplifying compliance by significantly limiting the scope of data usage restrictions. As a result, businesses gain visibility into the users and third-party components that are accessing their data, and that access can be easily documented for record-keeping and audits. In addition, they can take a risk-based approach to mitigating threats, ensuring that resources are focused on securing their most important assets.
Getting started with zero trust
The first steps for businesses interested in implementing zero trust security are to classify their data and map its flow across their entire system. From there, they can begin to develop granular identity and access management based on how specific assets must be secured and which users and systems require access to them.
To do so, businesses should choose a strong security partner that enables granular permissions, network segmentation, and strong visibility and analytics. Azion’s platform enables this through a variety of products including Real-Time Metrics, Network Layer Protection, and Data Streaming. And because Azion is a serverless edge provider, you can leverage our global edge network to process data locally in compliance with geo-specific data privacy laws, and simplify security tasks through a serverless platform that takes care of infrastructure security so you can focus on securing your data and applications.
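The per-request model described above (classified data, narrow grants, geo-specific handling, and a record of every decision) can be sketched as follows. This is an added example, not code from the original post or from any Azion product; the asset names, roles, regions, and rules are constructed assumptions.

```python
from dataclasses import dataclass, asdict

# Constructed data map: asset -> (sensitivity, region the data must stay in).
ASSETS = {
    "marketing-site":  ("low", None),
    "payments-db":     ("restricted", None),
    "eu-customer-pii": ("restricted", "EU"),
}
# Constructed grants: (role, asset) -> permitted actions. Anything absent is denied.
GRANTS = {
    ("marketing", "marketing-site"): {"read", "write"},
    ("support", "eu-customer-pii"):  {"read"},
    ("billing-svc", "payments-db"):  {"read", "write"},
}
AUDIT_LOG = []  # every decision is recorded, allow or deny, for later audits

@dataclass(frozen=True)
class Request:
    subject: str
    role: str
    asset: str
    action: str
    region: str             # where the data would be processed
    mfa: bool = False
    device_ok: bool = False

def blocking_rule(req):
    """Return 'ok' or the first rule that blocks the request."""
    if req.asset not in ASSETS:
        return "asset not classified"
    sensitivity, residency = ASSETS[req.asset]
    if req.action not in GRANTS.get((req.role, req.asset), set()):
        return "no grant for this role and action"
    if sensitivity == "restricted" and not (req.mfa and req.device_ok):
        return "restricted data needs MFA and a compliant device"
    if residency and req.region != residency:
        return f"data must stay in {residency}"
    return "ok"

def decide(req):
    """Evaluate one request; network location alone never grants access."""
    reason = blocking_rule(req)
    AUDIT_LOG.append({**asdict(req), "allowed": reason == "ok", "reason": reason})
    return reason == "ok", reason

if __name__ == "__main__":
    # Same user, same asset, different processing region.
    print(decide(Request("ana", "support", "eu-customer-pii", "read", "EU", True, True)))
    print(decide(Request("ana", "support", "eu-customer-pii", "read", "US", True, True)))
```

Unclassified assets are denied outright, which is why classification and data-flow mapping come before writing access rules.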
Okta, Businesses at Work 2021
NIST, Zero Trust Architecture