The US Government continues to evolve its cybersecurity vision and strategy. Increasingly sophisticated adversarial attacks on its networks, systems and data are ever present and it must improve its defensive posture. With recent global events, this emphasis could not come sooner.
The latest push starts with the current Administration’s 2022 Memorandum, “Moving the U.S. Government Toward Zero Trust (ZT) Cybersecurity Principles.”[1]
The document lists many requirements to achieve specific cybersecurity standards and objectives. They must be met by the end of Fiscal Year 2024. To achieve this deadline, agencies must start now. Success is only achieved when data management policies, practices and capabilities are established.
The memorandum stresses greater enterprise identity and access controls. It identifies improved device management and encryption across all network traffic. There is also the demand for empirical and vulnerability testing. In addition to all the above, it clearly places data management as a key component of the framework. Essentially, the overarching purpose for a ZT architecture is to protect data.
To get there, it will take a village comprised of people and technology. No one person or office, or one single technology solution, can provide what the ZT security concept requires. It will take a systemic approach to proactively control all interactions between people, data and systems to minimize security risks.
So how do agencies do this?
A Village of People
A collaboration between personas and offices that are not used to working with each other is a necessary first step. Senior agency leaders and their staff must partner closely to achieve, and then sustain, ZT capabilities. These include agency chief data officers (CDOs), chief privacy officers (CPOs), chief information security officers (CISOs), chief information officers (CIOs), chief financial officers (CFOs) and others.
Attempting a ZT architecture across the government without multi-disciplinary governing bodies and task forces is asking for trouble. It will likely lead to unorganized, uncoordinated and ineffective results. At the center of this effort must be the CISO and the CDO. The CISO sets the policy and implementation plans for a comprehensive cybersecurity program. The CDO is responsible for managing the data at the core of that program. The CDO is also responsible for balancing data mission needs: accessibility, transparency and value to the data consumers all fall under the CDO's umbrella.
Fortunately, improvement to agency data management has a head-start. Progress was already made on the US Federal Data Strategy and the Foundations for Evidence-Based Policy Making Act. Leveraging collaborative ZT efforts with this progress, agency CDOs can work in tandem with their C-suite peers. For example, the Act required agencies to inventory and catalog all their data. This step is also necessary for achieving ZT. It enables the identification and prioritization of sensitive data that requires increased protection.[2]
The Administration’s ZT memorandum also calls on federal data and cybersecurity teams to work together within and across agencies. It instructs them to “jointly develop pilot initiatives and Government-wide guidance on categorizing data based on protection needs, ultimately building a foundation to automate security access rules. This collaborative effort will better allow agencies to regulate access based not only on who or what is accessing data, but also on the sensitivity of the data being requested.”
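The per-request decision the memorandum describes, combining who is asking with how sensitive the requested data is, can be sketched as a small default-deny policy check. This is an added illustration, not Informatica's product code or anything from the memorandum; the catalog, sensitivity labels, subjects and the managed-device rule are constructed assumptions.

```python
"""Sensitivity-aware, per-request access decision (illustrative example).

Models the memorandum's point that access should depend on both the
requester and the sensitivity label of the data being requested, with a
default-deny, least-privilege outcome evaluated on every request.
All catalog entries, labels and subjects below are constructed.
"""
from dataclasses import dataclass

# Ordered sensitivity levels; a higher index means more protection is required.
LEVELS = ["public", "internal", "sensitive", "classified"]

# Constructed data catalog: asset -> (sensitivity label, owning office)
CATALOG = {
    "hr.payroll": ("sensitive", "CFO"),
    "ops.site_list": ("internal", "CIO"),
    "press.releases": ("public", "CIO"),
    "intel.summaries": ("classified", "CISO"),
}


@dataclass(frozen=True)
class Request:
    subject: str
    clearance: str      # highest sensitivity level the subject is cleared for
    device_managed: bool
    asset: str
    purpose: str        # stated reason, recorded with the decision


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; unknown assets are denied."""
    if req.asset not in CATALOG:
        return False, "asset not in catalog"
    label, owner = CATALOG[req.asset]
    if req.clearance not in LEVELS or label not in LEVELS:
        return False, "unknown sensitivity label"
    if LEVELS.index(req.clearance) < LEVELS.index(label):
        return False, f"clearance {req.clearance} below {label}"
    # Assumed rule: anything at 'sensitive' or above also requires a managed device.
    if LEVELS.index(label) >= LEVELS.index("sensitive") and not req.device_managed:
        return False, "sensitive data requires a managed device"
    if not req.purpose:
        return False, "purpose required for per-request access"
    return True, f"{label} data released to {req.subject} (owner {owner})"
```

Because the decision is recomputed from the catalog label on each request, relabeling an asset in the catalog changes who can reach it without touching any per-user rule.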
A Village of Technologies
A recent industry report[3] on ZT declared that there is no singular solution from any vendor that enables a ZT architecture. The National Institute of Standards and Technology’s 2022 ZT planning guide[4] provides a similar sentiment.
Indeed, multiple technologies are needed within a ZT program. Things such as multi-factor authentication and endpoint security are necessary. Security information and event management capabilities are also important, among others. However, these have minimal impact on establishing foundational data management capabilities. ZT architecture requires modern data management technologies.
Data Management Solution Pitfalls
It’s important for agencies to identify some common ZT data protection challenges. These include:
- A lack of understanding of your data environment — what do I have and what’s important?
- Inadequate management of the flow of data and processes that manage data
- An inability to monitor data usage and enforce a key ZT concept of “accurate, least privilege per-request access” of data across an enterprise
ZT Policy Compliance
- Inconsistent data protection operations that compromise reliable controls
- Using manual procedures to operationalize and enforce data protection policies
Data Use Monitoring
- Inability to identify anomalies in data handling from multiple sources or fix them quickly
- Manual, slow, unreliable orchestration of risk remediation controls
- Manual risk remediation processes and lack of prioritization
- Poor and incomplete data, increasing the risk of bad decisions
- Inability to scale across the enterprise due to manual, documentation-focused data governance approaches
- Difficulty in locating sensitive data in complex environments which lessens the ability to identify key data elements
Overcoming These Challenges
A functional ZT architecture needs an advanced, automated data management solution. This solution must be able to discover, categorize and classify sensitive data. It also needs to assess and prioritize risks, as well as remediate threats with data protection. If these aspects are limited or don't exist, it is only a matter of time until problems with a ZT architecture occur.
Agencies need a consistent, reliable approach that reduces risk and protects data at an enterprise scale. Meeting the federal mandate’s requirements of a ZT architecture and enabling the appropriate use of sensitive data depends on it. To achieve this requires the right technology. It must be able to help support and enforce agency policies and processes.
These technologies should be based on artificial intelligence (AI)-powered solutions. They must enable automated risk insights into threat vectors to help govern security. With AI-based solutions, agencies can build a reliable foundation to manage data risk exposure. These solutions can also be useful as data use and ZT requirements continue to mature. Agencies should also be able to scale out this foundation, so that increasing demands from citizens, employees and auditors for transparency can be met. With AI-based solutions, a consistent approach with minimized complexity is possible.
Essential data management technology capabilities for a ZT program include:
- Data governance helps agencies define, put in place, track, and report on business terms and processes. This also includes workflow and policies. Data governance helps with data ownership, stewardship and access control.
- Data cataloging allows agencies to locate and catalog technical metadata across their environment. It also reports on data lineage and assesses change impacts. This allows data labeling and categorization (sensitive, classified, private, etc.).
- Data privacy management identifies and classifies personal and sensitive data. It tracks data lineage. It also measures and assesses risk and prioritizes protection planning with automation.
- Sensitive data masking defines masking rules and executes data protection workflows.
Build Your Foundation to a ZT Architecture with Modern Data Management and Protection Capabilities
To recap, here are some key steps you can take to power your agency ZT program now, and build a village of people and technologies to achieve the White House mandate:
- Reduce security risks to government IT infrastructure and data
- Understand your data environment at the heart of a ZT program
- Discover and inventory what you have on an automated, continuously updating platform
- Establish an AI-driven data governance capability
- Ensure a common lexicon across the environment and implement policy
- Catalog that data to identify, label and categorize the most sensitive and critical information
- Track data at risk, understand data proliferation and orchestrate remediation when needed
Find out more about our approach to ZT architecture in this brochure, “Enable Zero Trust with a Data Foundation.”
Learn more about Informatica solutions for government agencies at www.informatica.com/goverment.