Implementing the National Security Memorandum on Zero Trust? Start with the Data.
Zero Trust data protection is gaining momentum in federal organizations, across both civilian agencies and the intelligence community. The latest National Security Memorandum builds on the foundation of last year's Cybersecurity Executive Order and further affirms that Zero Trust security is essential for federal organizations going forward. From Virtru's perspective, the National Security memo is beneficial for several reasons:
- It supports the alignment between civilian and intelligence organizations.
- It empowers leaders to prioritize and execute on their Zero Trust strategies.
- It provides some much-needed clarity on the best path forward to achieve a mature Zero Trust implementation.
- It demonstrates the value of open standards for maximizing efficiency and flexibility.
The memo also highlights the urgency of Zero Trust: Zero Trust plans are due 60 days from the memo's release, with 180 days to implement them.
The concept of a mature Zero Trust implementation that this memo and the previous EO highlight has been evolving for years, since John Kindervag coined the term and the concept of Zero Trust in 2010.
Kindervag predicted that data-centric security would eclipse perimeter-focused network security, and that, with the increase in user endpoints and networks, the perimeter would become increasingly amorphous and difficult to define. Kindervag’s prediction has proven to be true: The perimeter is evaporating, and it’s no longer enough to protect the castle walls. We have to protect the most important assets within those walls to ensure they remain safe at all times: We have to protect the data.
Focus on Data First, Applications Second, Network Third.
Network-focused security attempts to solve the wrong problem: it is not the network that really needs protecting, it is the data that resides on that network. And that data still has to reach the right people to be useful.
National Security Systems (NSS) store some of the most sensitive data in government, and appropriate protection of that data should be front and center:
- Verify the People: Adopt a federated identity by establishing a public key infrastructure (PKI) whose trust is recognized across environments, and use open standards such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) to carry authenticated identity assertions from the identity provider to the systems that rely on them, so that the identity of a user is verified wherever the user shows up.
- Tag the People: "Need to know" varies with the projects and assignments an individual is tasked with. Ensure federated entitlement (again with open standards: attributes in SAML assertions or claims in OIDC tokens), so that the right people are assigned the right privileges to access the right data at the right time, and those entitlements travel with the user across domains.
- Tag the Data: The open, ODNI-standard Trusted Data Format (TDF) adds a layer of encryption to sensitive data, with highly configurable access controls that give the original data owner persistent control. TDF allows "need to know" tags and controls to be applied directly to the data, and access can be enforced through encryption wherever the data travels, because the data key is released only to a requester who satisfies the policy. Should access needs change, or should a file be shared with the wrong individual, access can be revoked immediately, even after the data has been shared; the practical caveat is that revocation governs future key requests, so plaintext already rendered on a recipient's device is outside its reach. With TDF, the data itself remains safeguarded regardless of where it is located or where it moves. It is self-protecting, even if it lands in an environment that has been compromised.
- Verify the Data: TDF uses modern cryptography so that recipients can verify the provenance, authenticity, and integrity of the data, and detect when the payload or its policy has been altered.
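The four bullets above describe one mechanism seen from different sides: entitlements attached to the person, tags attached to the data, a key that is released only when the two match, and a check that neither the payload nor its tags were altered. The following is an added example, written for this page and not Virtru's code or the actual TDF manifest format, that models that flow in Python with the standard library only. The `KeyAccessService` class, the `protect`/`open_protected` functions, the policy fields (`need_to_know`, `dissem`) and all subjects and data are hypothetical and constructed here; the HMAC-SHA256 counter keystream stands in for a real AEAD such as AES-GCM, and XOR-wrapping of the data key stands in for an HSM-backed wrap.

```python
import hashlib
import hmac
import json
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode). Illustration only;
    a production implementation uses an AEAD such as AES-GCM."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def _canonical(policy: dict) -> bytes:
    # Canonical JSON so the binding does not depend on key order or whitespace.
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


class KeyAccessService:
    """Hypothetical policy enforcement point: holds the key-encryption key,
    releases a data key only after checking revocation, policy binding and
    the requester's entitlements, and records every decision for audit."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)  # never leaves the service
        self._revoked = set()                 # policy ids the owner has withdrawn
        self.audit_log = []

    def wrap(self, dek: bytes) -> str:
        nonce = secrets.token_bytes(12)       # toy wrap; real KAS uses an HSM
        return (nonce + _keystream_xor(self._kek, nonce, dek)).hex()

    def _unwrap(self, wrapped: str) -> bytes:
        raw = bytes.fromhex(wrapped)
        return _keystream_xor(self._kek, raw[:12], raw[12:])

    def revoke(self, policy_id: str) -> None:
        self._revoked.add(policy_id)

    def request_key(self, obj: dict, subject: dict) -> bytes:
        policy = obj["policy"]
        entry = {"sub": subject["sub"], "policy": policy["id"]}
        try:
            if policy["id"] in self._revoked:
                raise PermissionError("access revoked by data owner")
            dek = self._unwrap(obj["wrapped_key"])
            # Binding = HMAC(DEK, policy): someone who strips tags from the
            # manifest without the key cannot recompute it.
            expected = hmac.new(dek, _canonical(policy), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, obj["policy_binding"]):
                raise PermissionError("policy binding mismatch: tags were altered")
            missing = set(policy["need_to_know"]) - set(subject["entitlements"])
            if missing:
                raise PermissionError(f"missing need-to-know tags: {sorted(missing)}")
            if subject["org"] not in policy["dissem"]:
                raise PermissionError(f"org {subject['org']} not in dissemination list")
        except PermissionError as exc:
            self.audit_log.append({**entry, "result": "DENY", "reason": str(exc)})
            raise
        self.audit_log.append({**entry, "result": "ALLOW"})
        return dek


def protect(plaintext: bytes, policy: dict, kas: KeyAccessService) -> dict:
    """Encrypt once; the policy, its binding and the wrapped key travel with the ciphertext."""
    dek, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    ciphertext = _keystream_xor(dek, nonce, plaintext)
    return {
        "policy": policy,
        "policy_binding": hmac.new(dek, _canonical(policy), hashlib.sha256).hexdigest(),
        "wrapped_key": kas.wrap(dek),
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": hmac.new(dek, nonce + ciphertext, hashlib.sha256).hexdigest(),
    }


def open_protected(obj: dict, subject: dict, kas: KeyAccessService) -> bytes:
    dek = kas.request_key(obj, subject)  # raises PermissionError on denial
    nonce, ct = bytes.fromhex(obj["nonce"]), bytes.fromhex(obj["ciphertext"])
    tag = hmac.new(dek, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, obj["tag"]):
        raise ValueError("payload integrity check failed")
    return _keystream_xor(dek, nonce, ct)


def _attempt(obj: dict, subject: dict, kas: KeyAccessService) -> str:
    try:
        open_protected(obj, subject, kas)
        return "ALLOW"
    except PermissionError:
        return "DENY"


def demo() -> dict:
    """Constructed scenarios: the subjects mimic what an IdP's SAML attribute
    statement or OIDC claims would deliver; none are real identities."""
    kas = KeyAccessService()
    policy = {"id": "doc-0042", "need_to_know": ["PROJECT-ORION"], "dissem": ["USA", "GBR"]}
    analyst = {"sub": "alice@example.mil", "org": "USA", "entitlements": ["PROJECT-ORION", "PROJECT-VEGA"]}
    contractor = {"sub": "bob@example.mil", "org": "USA", "entitlements": ["PROJECT-VEGA"]}
    partner = {"sub": "carol@example.ca", "org": "CAN", "entitlements": ["PROJECT-ORION"]}
    obj = protect(b"ORION tasking: rendezvous grid 17", policy, kas)
    results = {"authorized": open_protected(obj, analyst, kas).decode()}
    results["missing_tag"] = _attempt(obj, contractor, kas)
    results["wrong_org"] = _attempt(obj, partner, kas)
    # An attacker strips the tags from the manifest; the binding check catches it.
    results["tampered_policy"] = _attempt(dict(obj, policy={**policy, "need_to_know": []}), contractor, kas)
    # Owner revokes after sharing: the previously authorized analyst is now refused.
    kas.revoke(policy["id"])
    results["after_revoke"] = _attempt(obj, analyst, kas)
    results["audit_entries"] = len(kas.audit_log)
    return results
```

Running `demo()` exercises the authorized path, a subject without the required tag, a subject outside the dissemination list, a manifest whose tags were stripped, and a revocation after the fact; every decision, allow or deny, lands in the service's audit log, which is the property the later section on audit completeness relies on.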
Benefits of a Data-Centric Zero Trust Framework
When you take a data-centric approach to Zero Trust security, the benefits cascade across your organization:
- As Kindervag noted in his 2010 paper, “no more chewy centers” means that you can invite untrusted parties into your network while remaining confident that sensitive data remains secure and cannot be accessed by those parties.
- As critical as they are, perimeter controls such as firewalls and cross-domain solutions become less of a single-point-of-failure risk when the right data-centric protections are in place. With a data-centric approach to Zero Trust, the data itself remains safeguarded even if the network is breached.
- Data sharing can become automated, instant, and secure instead of getting stuck in burdensome, time-consuming processes.
- Data can be shared across classification levels and even across coalition partners without having to circumvent established processes.
- Because every access to protected data is an enforced decision, this data-centric approach yields a complete audit trail of data access as data moves across federated enterprises, which is the foundation for confidence in the completeness of reporting.
In short, data can be shared with the people who need it, without friction, with persistent control, and with full confidence in its security. When we do this well, we create much higher-fidelity communication across government, private-sector partners, and coalition partners we trust on a human-to-human basis but don’t necessarily have the infrastructure to share with. Our community can connect in a more meaningful and secure way than ever before.
If your organization is unsure of where to start, the good news is that this is not uncharted territory: Virtru has partnered with numerous federal agencies to implement data-centric, best-in-breed Zero Trust architectures that accelerate data sharing and efficiency — particularly for agencies working with coalition partners. The common thread across our federal partnerships is to accelerate the secure sharing of data so that the right people have access to the right information, at the right time. To start the conversation, reach out to our federal team.