Zero trust, a government wide initiative
Zero-trust was originally introduced as a network-based architecture model, which centralized on identity and multi-factor authentication. This model gained popularity in the industry with many vendors positioning their technology products as zero-trust solutions.
I’ve always believed that zero-trust is a principle that should be applied wherever possible, more than just in technologies and products. As it has evolved, especially in the most recent years, we have seen the wide adoption of zero-trust in domains much beyond network and identity. Nowadays zero-trust is being recognized as a principle and a best practice that can be applied to broad aspects of security, accelerated by industry’s innovations.
In fact, the US federal government has made it a mandate; it has been one year since the White House set forth its zero-trust strategy.
Among multiple publications from the National Institute of Standards and Technology (NIST), Cybersecurity and Infrastructure Security Agency (CISA), and Office of Management and Budget (OMB) on zero-trust in the recent years, in the OMB memo M-22-09, issued Jan 26, 2022, the White House set forth a zero-trust strategy as a mandate for all of the US federal government. It requires agencies “to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 in order to reinforce the Government’s defenses against increasingly sophisticated and persistent threat campaigns.”
“Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization…”
Data categorization: a central theme
Upon release, the federal zero-trust strategy has received accolades from industry and academia as a significant step forward toward addressing the ever-present cyber security challenges.
It sets out clear visions and specific actions around the five pillars of security: identity, devices, networks, application & workloads, and data.
Among the five pillars, what is most notable for the Chief Data Officers (CDOs) is Data Categorization as a central theme of the data pillar. The strategy envisions that in the federal government: “Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.”
This vision goes much beyond the traditional concept of building security controls (such as data encryption, data access, data rights) into data solutions. Rather, it draws on an agency’s ability to inventory and categorize its data, to set the foundation for automating security responses and user access controls based on sensitivity of the data.
The strategy calls for near term actions for agencies to start work with stakeholders to “implement initial automation of data categorization and security responses, focusing on tagging and managing access to sensitive documents”.
“Agencies must implement initial automation of data categorization and security responses, focusing on tagging and managing access to sensitive documents.”
At the same time, the federal government recognizes that “…… the technology market supporting enterprise-wide data categorization is still maturing ……” and sets out to play a long game. They created a joint working group that consists of the Federal CDO Council and the Federal CISO Council, led by OMB. This group’s goal is to develop a data security guide for agencies that addresses how existing federal information categorization schemes can support effective data categorization in a security context.
What’s to come
The federal zero-trust strategy reflects the federal government’s goal of a comprehensive zero-trust approach to data management as the CDOs in the federal agencies are called on to implement this strategy and work with the security team and other stakeholders.
To begin with, as the memo acknowledges, it will be challenging for many agencies to develop an accurate approach to categorizing data and tagging data. Initially, for some agencies there may need to be some manual categorization, narrowed down scope and pilot initiatives to pave ways for mechanisms of automated security access rules and responses.
This is only the beginning toward a comprehensive zero-trust approach to data management. The goal is automation of data categorization, which undoubtedly, will drive other aspects of data management to become part of the zero-trust ecosystem.
Full coverage of data enterprise
Automation will enable the full coverage of the data enterprise. This, in the design phase of zero-trust, helps ensure the thoroughness of all use cases of zero-trust such as those specified in NIST Special Publication 800-207 on Zero-Trust Architecture. It will also help with the implementation phase of zero-trust, making it possible for full scale automated security responses and access controls across the whole organization.
With such capabilities, the CDO will be well positioned as a partner of the Chief Information Security Officer (CISO) organization. It is now possible for the CISO stakeholders to get full visibility into the many business applications.
Moreover, a potential array of reports and analytics built from a large amount of automated data would provide tangible inputs into the CISO’s decision-making process, especially large-scale implementation initiatives, such as data loss prevention programs, to ensure thorough enterprise coverage.
Lifecycle security trust verification
A zero-trust approach to secured user access, however rigorous that may be, establishes the security trust needed for data at the point of authentication and authorization. It won’t provide the insight into the data itself or the dynamics of the data as all data has a lifecycle. They are consumed once created. They may change, move, be shared, and may take on a different meaning under a different context.
Due to these dynamics, business leaders are already keenly aware of the importance of keeping track of data, to help them answer questions such as:
- Who is using the data?
- What information does it contain?
- When was the data created/transformed?
- Where does the data come from?
- Why does the data exist?
From a business perspective, these questions speak to the data ownership, residency, and quality characteristics such as data consistency, completeness, and trustworthiness.
On the other hand, they also pose the questions to the security trust granted since it was last established. For instance,
- A business steward with privileged access shared certain data elements with non-privileged users
- A business analyst published a report to an audience who may not have the need to know
- A database administrator pushed data to various locations, more than intended
Whether done inadvertently or without sufficient security controls, the security trust in these scenarios may be broken. This is why we need continuous verification through the data life cycle.
Data solutions seek to address these business and security concerns, e.g., creating lineage showing data movement across an enterprise, and continuously monitoring data quality characteristics through adaptive rules. While data solution capability is centered at the business level, in contrast to the automated security responses typically led by security organizations, a zero-trust approach to data management will certainly drive the capabilities at two ends of the spectrum to marry up, leading to seamless integration of business and security organizations in protecting data as their common goal.
Fueling maturity – it’s reciprocal
The goals laid out in the federal zero trust strategy are organized using the CISA zero-trust maturity model. In this model, zero-trust maturity is characterized by increasing levels of automation and centralized visibility.
Specifically for the data pillar, CISA envisions that zero trust culminates at the optimal mature state with characteristics such as agencies continuously inventorying data with robust tagging and tracking, augmented with machine learning models, and automatic updating and accounting for all agency data. Reflected in the federal zero-trust strategy is the calling out of agencies’ data categorization directly fueling this maturity characteristic.
While data categorization is a central theme in zero-trust for the data pillar and most important, it is an aspect of data management that is the foundation of various other domains including data governance, metadata management, data quality, privacy and compliance, etc., that companies have relied on to find, organize, track, integrate, and govern the enormous amount of data in their enterprises to achieve their business goals.
As expected, a growing capability of data categorization at federal agencies will be driven by the zero-trust vision and as zero-trust matures. Categorization, an underpin of the data management capabilities for any enterprise, will have a broad and in-depth impact into other areas of data management.
This is very exciting and in the upcoming years we will be seeing agencies’ increased ability in their overall data management capabilities, to enable their business processes, gain valuable insights into their data to make better use of them, meet regulatory requirements, and provide strategic inputs to achieve longer term business outcomes.
Collibra for Public Sector
With a zero-trust approach to data management as a mandate, data categorization is a critical capability that federal agencies are required to have. Federal agencies are well positioned to champion, adopt, and utilize data management solutions to the fullest extent possible while the federal government’s zero-trust vision will drive technology adoption and innovations beyond meeting the traditional business needs.
Collibra works closely with federal agency CDOs and CIOs to help them address their data management needs including data cataloging, governance, quality & observability, privacy and protection. In this journey, security has played an important role. Under the zero-trust initiative, security will carry even more significant weight in our joint pursuits. Collibra can help federal agencies become more effective data enterprises providing the data offices and CDOs with the ability to have a greater impact on security.
Zero-trust is a topic that is top of mind for many including us here at Collibra. In fact, we are planning a blog series to dive into this topic even more, so stay tuned.
