Strategic approaches to Zero Trust mandates in a digital age

Jan. 18, 2023
For Zero Trust and digital transformation, knowing and protecting data is fundamental for cybersecurity success

Recently I was fortunate to participate in a roundtable discussion with several leading federal CIOs and CISOs. The discussion centered on how to best prepare agencies for coming Zero Trust cybersecurity mandates. They recognized that the new digital era of both industry and government is being impacted by profound technological innovation driven by information sharing, analysis, and productivity. They all agreed that in the transforming digital landscape of government, identifying, indexing and protecting data needs to be a top priority because of growing risks.

We are in the initial stages of digital transformation, where data has become the currency of every industry, business, and federal government agency. Bringing meaning to data is a science. Data is everywhere, flowing from the sensor networks that surround us through our networked devices, and it is the root of the analytics that help decision-makers formulate intelligent and strategic decisions.

It was unanimous in the federal leaders’ discussion that Zero Trust is a necessary strategy for cybersecurity in our digital age. A consensus in government for both Zero Trust and digital transformation is that knowing and protecting data is fundamental to success. There are challenges, and any strategy takes time to fully implement, as it is an evolving process. One of the biggest challenges mentioned in the Zero Trust process was the set of tasks of tagging, classifying, and especially protecting data.

Government Calls Attention to the Role of Data and Zero Trust

See -- WP-How-to-Meet-DHS-and-CISA-Guidelines-ZeroTrust-2022-4.pdf (anacomp.com)

A Zero Trust cybersecurity strategy aligns well with digital transformation because it is really a change in thinking in cyber defense strategy: away from trust in perimeter-based network security, to a new “Zero Trust” approach that is data-centric.

According to NIST and as described in their National Cybersecurity Center of Excellence (NCCoE) project, “a zero trust approach data-centric security management aims to enhance protection of information (data) regardless of where the data resides or with whom it is shared. Data-centric security management necessarily depends on organizations knowing what data they have, what its characteristics are, and what security and privacy requirements it needs to meet so the necessary protections can be achieved. Standardized mechanisms for communicating data characteristics and protection requirements across systems and organizations are needed to make data-centric security management feasible at scale. The desired approach for this is to define and use data classifications, and this project will examine that approach.”

See -- Data Classification Practices: Facilitating Data-Centric Security Management (nist.gov)

DHS’s CISA has summarized the Zero Trust mission and goals. The Zero Trust Maturity Model focuses on an evolution of implementation across five pillars, heading towards continuous monitoring and optimization over time. The pillars are Identity, Device, Network, Application Workload, and Data.

And regarding the pillar of data, CISA cites the need to “Create a clear, shared path to deploy protections that make use of thorough data categorization and security responses, focusing on tagging and managing access to sensitive structured, unstructured, and semi-structured documents.” 

CISA sees Zero Trust as a shift from a location-centric model to a more data-centric approach for fine-grained security controls between users, systems, data, and assets that change over time. This provides the visibility needed to support the development, implementation, enforcement, and evolution of security policies. “More fundamentally, Zero Trust may require a change in an organization’s philosophy and culture around cybersecurity.”  

The Data Pillar of CISA’s Zero Trust Model states that “Agency data should be protected on devices, in applications, and networks. Agencies should inventory, categorize, and label data, protect data at rest and in transit, and deploy mechanisms for the detection of data exfiltration.”

See -- www.cisa.gov/zero-trust-maturity-model

The Department of Defense (DOD) recently released a road map for Zero Trust, and it puts data at the center of its reference architecture in collaboration with the National Security Agency, the Defense Information Systems Agency, the Defense Manpower Data Center, U.S. Cyber Command, and the military services.

See -- Department of Defense Releases Zero Trust Strategy and Roadmap > U.S. Department of Defense > Release

Keeping Up With the Enormity and Velocity of Data Creation

Government and industry are both building larger data repositories and sharing data centers to keep up with storage and analytic needs. Consider that more than 2.5 quintillion bytes of data are created each day. The velocity of data production has become exponential, and the ability to securely store, prioritize, analyze, and share (and scale) that data is fundamental to operations and security.

The U.S. government maintains one of the largest repositories of data in the world. Millions of supporting documents are compiled and stored every year by a multitude of government agencies, which have a responsibility to preserve, secure and retrieve vital information when needed.

Data is often referred to by CIOs and CISOs as the Crown Jewels, or gold. But not all data is the same. It can be unstructured or structured. It can also be classified and/or sensitive. However, in most cases, data does not require dedicated security protection capabilities, as it is not vital and does not require security clearances to access.

When you do not know what data you have in your networks, you cannot readily use it or protect it. The corollary is that in order to harness and manage data, there needs to be a viable technological solution in place that can tier and classify it.

Data Discovery, Tagging and Classification – An Early Step in the Zero Trust Process

Tagging and classifying data needs to be an early priority for a viable Zero Trust strategy. As I explained in a recent white paper on Zero Trust by Anacomp, planning for Zero Trust must start with a strong risk management framework, including a complete inventory of all assets, such as data, that are at risk. You cannot protect what you do not know you have. Download Zero Trust White Paper – Anacomp Inc.

With the advances in computing technology and algorithms, applying levels of data security analytics to unattached and unstructured data sources and building a strong automation capability have become fundamental to the process. Bringing meaning to the data is a science and requires the ability to synthesize high-speed data streams of both “structured data” (residing in a predetermined field) and “unstructured data” (not organized in a pre-defined manner) in real time and securely. Eighty percent of data is unstructured. That means specialized optic technologies, software algorithms, and innovative processes are necessary to tag and de-clutter data, index it, and allow for distillation and sophisticated assessment.

Securing The Data

In the Zero Trust risk management strategy, securing data necessitates a hyper-security focus. At its core, the practice encompasses identifying gaps, assessing vulnerabilities, and mitigating threats. Data security and cyber risk management are an integral part of the overall enterprise risk management (ERM) framework to stay ahead of the threats.

Every comprehensive risk management approach should protect core applications and ensure the privacy of the data. This requires transparency: knowing exactly where the data is, who is trying to access it, and what they are doing. Once federal agencies know what data needs to be secured, they need to build defenses around it. Protecting user data in any security approach needs to be dynamic, not static.

Unfortunately, an expanding internet attack surface has led to many data exfiltration vulnerabilities. The growing availability of ready-made attack kits, a commercialized and illicit market for stolen data, and intensifying activity of organized crime and state actors have heightened the challenge of protecting data.

Greater internet connectivity and emerging automation technologies like machine learning and artificial intelligence have provided new tools and access for hackers. Zero Trust therefore requires that an agency assume it has already been breached and validate and authenticate every device and person connected.

Data encryption (now required by the government to be quantum-proof) is a key algorithmic component of security risk management. A general definition of encryption is the process of applying a mathematical function to a file that renders its contents unreadable and inaccessible unless you have the decryption key. Encrypting data protects users from compromised file records, and it extends protection to data in use.

Encryption protects against most cybercriminals and hacktivists because it creates a formidable time/effort barrier for them to breach. Data masking can also be used to help protect sensitive data once you have identified it.

Government-Ready Solutions for Data and Zero Trust

There are an increasing number of solutions readily available to meet the classification and indexing challenges of data. According to Tom Cunningham, the CEO of Anacomp, a company that specializes in data governance, discovery, tagging, visualization, and analytics via an artificial intelligence engine, “Anacomp’s D3 Data Discovery solution can aid organizations by automating identification and mitigation of high-value and high-risk unstructured and structured data before damaging data breaches occur.”

Anacomp’s Data Discovery and Distillation solution (D3) is uniquely positioned to help identify, manage, and protect data in accordance with CISA Guidelines supporting EO 14028 on Cybersecurity. Specifically, NIST and CISA guidelines call for an inventory of all data assets as foundational to implementing a Zero Trust Architecture.

Anacomp’s Data Discovery & Distillation (D3) Solution is a fast, automated, highly accurate data discovery and indexing solution that reduces data cybersecurity risks and costs for storage and compliance.

D3’s AI/ML discovery engine will crawl, identify, and index all data assets within all data stores. D3 Data Discovery ingests every structured and unstructured file type and creates an “index of everything” using AI/ML technology for unsupervised metadata tagging. All file properties are analyzed (author, file type, creation date, etc.), encryption status is identified, and lineage is mapped. Risk filters enable monitoring of high, medium, and low-risk data to aid in prioritizing data protection actions. What makes D3 unique is that it can identify and filter risks for over 950 file types down to the content level, not just file attributes.

Typically, within days an entire data estate will be inventoried with a low burden of resources. This actionable inventory enables data tagging and segmentation for ongoing, real-time, workflow protection of at-risk data and reduction of Redundant, Obsolete, and Trivial (ROT) data storage costs. Data remains in place and alerts can be set up to automatically monitor for changes to data.

See D3 Data Discovery – Anacomp Inc.

Data has become more than a commodity; it is a driving force that determines our future. Via its Zero Trust cyber-risk management strategy, the government has recognized the importance of data to national security and why it needs to be a core element of focus in any Zero Trust strategy. Tagging, classifying, and especially protecting data must be at the forefront of a successful strategy.

About the author: Chuck Brooks serves as President of Brooks Consulting International and is a globally recognized thought leader and subject matter expert in Cybersecurity and Emerging Technologies. Chuck is also an Adjunct Faculty member at Georgetown University’s Graduate Applied Intelligence Program and the Graduate Cybersecurity Risk Management Programs. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named as one of the world’s “10 Best Cyber Security and Technology Experts” by Best Rated. He is a contributor to securityinfowatch.com and is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, an Expert for Executive Mosaic/GovCon, and a Contributor to FORBES.

About the Author

Chuck Brooks | President of Brooks Consulting International

Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and subject matter expert in Cybersecurity and Emerging Technologies. Chuck is also Adjunct Faculty at Georgetown University’s Graduate Cybersecurity Risk Management Program where he teaches courses on risk management, homeland security technologies, and cybersecurity. He is also IEEE Cyber Security for Next Generation Connectivity Systems for Quantum IOT Vice-Chair and serves as the Quantum Security Alliance Chair for IOT. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.”

He was named as one of the world’s “10 Best Cyber Security and Technology Experts” by Best Rated, as a “Top 50 Global Influencer in Risk, Compliance” by Thomson Reuters, “Best of The World in Security” by CISO Platform and by IFSEC, and by Thinkers 360 as the “#2 Global Cybersecurity Influencer.” He was featured in the 2020, 2021, and 2022 Onalytica “Who’s Who in Cybersecurity.” He was also named one of the Top 5 Executives to Follow on Cybersecurity by Executive Mosaic. He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, Expert for Executive Mosaic/GovCon, and a Contributor to FORBES. He has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.