In late January 2022, the Office of Management and Budget (OMB) released a 28-page strategy memo for implementing Zero Trust cybersecurity in federal organizations. The memo itself was a follow-on to President Biden’s Executive Order on Improving the Nation’s Cybersecurity, released eight months earlier in May 2021 – which sent shockwaves throughout the government by imposing a 60-day deadline for federal agencies to have a plan for implementing a Zero Trust security architecture, as codified by the National Institute of Standards and Technology (NIST).
Collectively, the May 2021 Executive Order, the January 2022 OMB memo, and a series of high profile cyberattacks against government organizations, have made Zero Trust security transformations a top priority for every agency.
A critical component of national security and government work is the ability to easily share sensitive data and collaborate with third-party partners without sacrificing security, privacy, and compliance with regulations. In this modern world, Zero Trust security is much more than just controlling which identities and devices can access which data over a network — it’s about giving people the confidence and digital controls to share sensitive data freely without ever relinquishing ownership and sovereignty.
Thus, the OMB document itself is seminal for three reasons. First, it details specific steps agencies should take to implement Zero Trust. Second, it widens the lens through which organizations should view Zero Trust priorities. Third, it emphasizes the need for agencies to incorporate data-centric policy controls into their Zero Trust security transformation efforts.
Ask anyone who knows, including Gerald Caron, CIO at Health & Human Services, and there are very good reasons to embrace a data-centric approach to zero trust security transformations by taking these four steps:
1. Apply policy control directly to data objects.
Data isn’t always static. It often moves in and out of your organization at high velocity. That means you need to protect data wherever it resides.
Ask yourself: Are you currently protecting data throughout its lifecycle? Do you have a clear picture of how and where it’s being shared? Once it leaves your organization, do you have control over how it can be accessed? Can you guarantee that data shared externally is accessible only by the intended recipient? And if necessary, do you have a way to take the data back? If you can’t answer yes to these questions, then your data is at risk.
The good news is that you can continue to control your data wherever it resides, inside or outside of your organization.
2. Focus less on “attack surface” and more on “protect surface.”
The attack surface of every organization is constantly expanding. It expands as you shift from on-prem data centers to cloud native infrastructure. It expands further as you embrace remote and hybrid workplace strategies. It expands again, again, and again as employees use more and more mobile devices. And so on.
Clearly, organizations need to do the basics to protect their attack surfaces with policy controls aimed at identities, endpoints, and networks. That said, if you’re not careful, attempting to govern the ever expanding attack surface can consume all of your time and attention – and leave precious little time for you to focus on the super sensitive “protect surface”, where data itself resides.
3. Leverage the advantages of the Trusted Data Format (TDF) standard.
TDF is an open standard for protecting sensitive data, regardless of where that data resides. TDF is also the standard of the Office of the Director of National Intelligence (ODNI) and is widely used by the U.S. intelligence community (IC).
TDF applies military-grade encryption to wrap each data object in a layer of security and privacy that stays with the data. The technology gives you complete control of your data at all times. It’s what we call Zero Trust Data Control (ZTDC).
By leveraging data-centric policy control powered by TDF, organizations can:
- Easily implement data centric policy controls without creating friction for frontline workers. Create simple and intuitive controls that anyone can use.
- Attach attribute-based access controls (ABAC) to data. Role-based access controls can result in over-granting of data access. Assigning granular tags to data means that only users who truly need access get access.
- Revoke access when circumstances change. People work on short-term projects, get reassigned, change jobs, and so on. You need the ability to instantly revoke data access at any time.
- Secure data across multi-cloud environments. Whether your teams are using AWS, Microsoft Azure, Google Cloud or any combination of the three, you need data protection that’s cloud-agnostic
4. Shift resources from expensive endeavors and “macro policies” aimed at wrapping the enterprise, to “micro policies” aimed at protecting the data itself.
Protecting your data can give you confidence that even if your network is breached, your data remains safe. A data-centric Zero Trust framework safeguards data across email, files, SaaS applications and cloud:
Email Encryption, Client- and Server-Side
Virtru data protection for Gmail and Microsoft 365 Outlook gives users a simple toggle button to protect data they share. Configurable rules can automatically encrypt sensitive information before it leaves your organization.
Secure File Sharing
Virtru data security for Google Workspace – including Google Drive, Meet, Docs, Sheets and Slides – puts protections in place for data shared across teams and outside your organization.
Protect Data in SaaS Applications
Virtru technology can secure data that flows through Salesforce, Zendesk, Looker, Workday and more.
Secure Cloud Environments
Virtru technology provides cloud-agnostic protections. Virtru is also a leading data security partner for Google Workspace Client-Side Encryption (CSE). CSE gives Google customers direct control of the keys to encrypt their data so that no one – not even Google – can access the data without permission.
Zero Trust is an important step forward for agencies. But it’s crucial that Zero Trust cybersecurity initiatives not be myopically focused on identities, endpoints, networks and applications. Applying policy controls directly to the data flowing through your email, files, SaaS applications and cloud infrastructure is a remarkably affordable and efficient way to advance your Zero Trust journey.
