Watching the Data Itself in a Zero-Trust Network

Zero trust is usually discussed in terms of access: who gets to reach which resource. But access control governs the door, not what happens after someone walks through it. A legitimate account with legitimate access can still be the vehicle for a breach — a compromised credential used to quietly pull data it's technically allowed to touch. Controlling access alone never sees that. Watching the data itself does.

The grant US11470100B1, "Data surveillance in a zero-trust network" (issued October 11, 2022, assigned to Flying Cloud Technologies, Inc.), focuses on that deeper layer. Its CPC classifications — H04L 63/1416, H04L 63/104, H04L 63/1425, H04L 63/20 — sit in the intrusion-detection and policy classes, describing surveillance of data movement rather than just access decisions.

“Data surveillance techniques are presented for the detection of security and/or performance issues on a zero-trust computer network.”— U.S. Patent No. 11,470,100 source

The mechanism worth understanding is that data movement has a normal shape, and breaches distort it. The volume of data a user pulls, the resources they touch, the direction it flows — these follow patterns in normal operation. Exfiltration breaks those patterns: an account suddenly reading far more than usual, data flowing toward an unusual destination. Surveilling data movement catches the breach in the act, even when every access was nominally authorized.

For defenders reconstructing an incident, data surveillance is often where the breach first becomes visible, because the attacker's goal — taking data — necessarily produces abnormal data movement. Access logs show that a door opened; data surveillance shows what walked out and how much.

The tension is privacy and proportionality: surveilling all data movement is powerful and also intrusive, and the design has to distinguish security monitoring from overreach. But the principle the patent embodies is sound and increasingly mainstream — zero trust has to extend past the access decision to the data itself, because that's what attackers are ultimately after.