Zero Trust – What is to be considered in legal terms?

The basic concept of Zero Trust is to have no trust in users, devices or networks, but to assume that everything might already be compromised. Regardless of the starting point, every activity and every access is therefore checked and authorised. Risks from the takeover of user accounts or the misuse of maintenance access by service providers can thus be effectively countered. From a legal point of view, however, Zero Trust does not only bring advantages, but can also bear risks – especially with regard to data protection.

Legal advantages of Zero Trust

With the new European cybersecurity law, companies are faced with numerous new legal requirements for cybersecurity. Companies falling under the scope of the NIS‑2 Directive will have to take a multi-threat approach to ensuring the security of their information systems, using appropriate concepts and solutions. Recital 89 of the NIS‑2 Directive even refers to Zero Trust as a basic practice of cyber hygiene. It is therefore no surprise that Zero Trust can help with the implementation of the NIS‑2 Directive in the following areas, among others:

  • Network security: Micro-segmentation is a key aspect of Zero Trust, restricting access to systems and services to increase security.
  • Endpoint security: Endpoint Detection and Response (EDR) solutions monitor application and process behaviour on endpoints for continuous attack detection.
  • User behaviour: Modern authentication systems detect irregular login activities such as “impossible” location changes when logging in and support dynamic authentication.
  • Zero Trust Network Access (ZTNA): ZTNA products are secure gateways for applications that authenticate users, check security status and enable risk-based access.

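To make the “impossible” location-change check from the user-behaviour bullet concrete, here is an added example (not code from the original article or from any product it mentions). It takes a constructed list of login events that already carry an approximate geolocation, computes the great-circle distance between each user's consecutive logins, and raises an alert when the implied travel speed exceeds a plausibility threshold. The events, the coordinates and the 900 km/h threshold are assumptions chosen for illustration; a real deployment would feed it geolocated authentication logs and tune the threshold to its own policy.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample login events (not real data). "time" is UTC; lat/lon are
# approximate coordinates as a geolocation lookup on the source IP would give.
SAMPLE_LOGINS = [
    {"user": "alice", "time": "2024-03-01T08:00:00Z", "lat": 52.52, "lon": 13.40},   # Berlin
    {"user": "alice", "time": "2024-03-01T09:30:00Z", "lat": 48.14, "lon": 11.58},   # Munich
    {"user": "alice", "time": "2024-03-01T10:00:00Z", "lat": 40.71, "lon": -74.01},  # New York
    {"user": "bob",   "time": "2024-03-01T08:15:00Z", "lat": 50.11, "lon": 8.68},    # Frankfurt
    {"user": "bob",   "time": "2024-03-02T08:10:00Z", "lat": 50.11, "lon": 8.68},    # Frankfurt
]

# Assumed plausibility limit: roughly airliner cruising speed. Anything faster
# between two logins cannot be the same person physically moving.
MAX_PLAUSIBLE_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points (haversine formula)."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _parse_utc(ts):
    # fromisoformat accepts "+00:00" on all supported Python versions; "Z" only on 3.11+.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per pair of consecutive logins whose implied speed is implausible."""
    alerts = []
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)

    for user, logins in by_user.items():
        # Order each user's logins chronologically before comparing neighbours.
        logins.sort(key=lambda e: _parse_utc(e["time"]))
        for prev, cur in zip(logins, logins[1:]):
            distance_km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_parse_utc(cur["time"]) - _parse_utc(prev["time"])).total_seconds() / 3600
            if hours == 0:
                # Simultaneous logins: implausible only if they are from different places.
                speed_kmh = float("inf") if distance_km > 0 else 0.0
            else:
                speed_kmh = distance_km / hours
            if speed_kmh > max_kmh:
                alerts.append({
                    "user": user,
                    "from_time": prev["time"],
                    "to_time": cur["time"],
                    "distance_km": round(distance_km, 1),
                    "speed_kmh": round(speed_kmh, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(f"ALERT {alert['user']}: {alert['distance_km']} km in "
              f"{alert['from_time']} -> {alert['to_time']} ({alert['speed_kmh']} km/h)")
```

On the constructed sample, Berlin to Munich in 90 minutes is plausible and passes silently, while Munich to New York in 30 minutes is flagged for alice; bob's two Frankfurt logins a day apart produce nothing. Because the check only needs a timestamp and a coarse location per login, it is a good case for the data-minimisation point made below: the raw IP address does not have to be retained once the geolocation has been derived.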
Zero Trust also brings multiple advantages in meeting the requirements of the planned Cyber Resilience Act (CRA) and the cybersecurity of products with digital elements. One example of this is the required control mechanisms for protection against unauthorised access.

Risk: Data protection with Zero Trust

Since Zero Trust approaches involve extensive analysis of network traffic and user behaviour, they also often process larger amounts of personal data than traditional cybersecurity measures. At the same time, the processing is often more closely interlinked, which can pose additional data protection risks. To avoid data protection breaches, special attention must be paid to compliance when using Zero Trust solutions. In particular, controllers must ensure that there is a legal basis for the processing of personal data. Since there are numerous legal requirements for cybersecurity and cybersecurity in general has a high priority, companies can to that extent invoke, among other things, a legal obligation (Art. 6 (1) (c) GDPR) and a legitimate interest (Art. 6 (1) (f) GDPR). In the case of high risks for data subjects, a data protection impact assessment must be carried out in addition to the general data protection compliance measures.

Recommendations for companies

The use of Zero Trust in the company requires a clear strategy, which should in particular include the following:

  1. Examination and adaptation of the existing security architecture to the principles of Zero Trust;
  2. Consideration and implementation of the data protection requirements for Zero Trust;
  3. Harmonisation between different security measures and products used;
  4. Training of employees in the principles of Zero Trust and raising their awareness of data protection risks;
  5. Continuous monitoring, analysis of threats and adaptation of the security strategy to respond to new risks and implement new legal requirements.

