As outlined in Executive Order on Improving the Nation’s Cybersecurity (EO 14028), Section 3: Modernizing Federal Government Cybersecurity, CISA has been tasked with developing a Federal cloud-security strategy to aid agencies in the adoption of a Zero Trust Architecture to meet the EO Requirements. While the government awaits the completion of that effort, I think it’s important to look at the two government reference architectures that have already been published, as they will undoubtedly be considered in the development of CISA’s cloud-security strategy. Both NIST (800-207) and DoD (Version 1.0) have released Zero Trust reference architectures. Both define a Zero Trust telemetry architecture informed by security sensors to dynamically evaluate device and user trust and automatically change access permissions with changes in entity trust. They each accomplish the same goal, even if they take slightly different paths to get there.
Whereas the DoD architecture establishes control planes that each have their own decision point, with data given its own decision point, NIST takes a broader approach to Zero Trust and emphasizes Zero Trust in relation to all resources, not just data. The data control plane within the DoD architecture encompasses data processing resources and applies data-specific context to them. As most networks, applications, storage and services exist to process and store data, it makes sense that access to these resources should be specific to the data contained within them, and not just the access to the resources themselves. Protecting data is central to Zero Trust, and the DoD’s architecture acknowledges this.
Data Centric Enterprise
Today, most Zero Trust efforts seem to focus on defending the applications, networks and services that contain the data but fall short of building data specific protections. And while protecting network, application, and service resources is certainly important and essential to layered protections, improving protection around the data is imperative to successfully adopt Zero Trust architecture. People with alarm systems on their homes still lock up valuables in a safe to guard against failures in controls, or less than trustworthy house guests and hired workers.
The DoD puts data at the center of its reference architecture. User and entity trust is assessed in relation to the data being accessed, and permission levels are dynamically changed specific to individual data resources. If Zero Trust operates under the assumption that networks and applications are already compromised, then the only logical way to successfully implement Zero Trust is to combine network, application, and service access technologies with a comprehensive data protection platform. In a well-designed Zero Trust architecture, a comprehensive data protection platform serves not only to protect data, but also as a means to inform the analytics layer of potentially malicious insiders or compromised user accounts in order to automatically trigger changes in access permissions.
Imagine a very simple scenario where an organization has classified specific types of data and implemented controls to protect the data. Jane is a contractor, who, because of her contract function, was vetted and cleared for access to critical applications and controlled unclassified data. Jane has a government-issued laptop with data protection software, and she has access to government cloud applications like Office 365 that are protected and governed by the agencies’ CASB solution. Unfortunately, Jane has been having well disguised and undisclosed financial troubles, which have put her in a compromised situation. In order to try to get herself out of it, she has agreed to act as an insider. Jane initially attempts to send sensitive data to herself through her Office 365 email, but the attempt is blocked by the CASB. She then attempts to share the records from SharePoint to an untrusted email domain and again is blocked by the CASB and reported to security. Desperate, she tries to move the data to an external hard drive, and yet again she is blocked. At this point, Jane gives up and realizes the data is well protected.
On the backend of this scenario, each one of these attempts is logged as an incident and reported. These incidents now inform a Zero Trust dynamic access control layer, which determines that Jane’s trust level has changed, resulting in an automatic change to her user access policies and a Security Operations alert. This is one very basic example of how a data protection platform can inform and affect user trust.
What Comprises a Comprehensive Data Protection Platform?
Effectively architecting a comprehensive data protection platform requires a multi-vector and integrated approach. The platform should be a combination of control points that leverage a common classification mechanism and a common incident management workflow. Data protection enforcement should facilitate enforcement controls across managed hosts, networks, SaaS, and IaaS resources, and whenever possible restrict sensitive data from being placed into areas where there are no controls.
McAfee enables this today through a Unified DLP approach that combines:
- Host Data Loss Prevention (DLP)
- Network Data Loss Prevention (DLP)
- Cloud Access Security Broker (CASB)
- Hybrid Web Gateway – On-Premises and SaaS
- Incident Management
This comprehensive approach enables data protection policies to follow the data throughout the managed environment, ensuring that enterprise data is protected at rest, in transit, and in use. Within the platform, user trust is evaluated conditionally based on policy at each enforcement point, and any change to a user’s group through the Zero Trust architecture automatically modifies policies within the data protection platform.
Data protection has long been a challenge for every enterprise. Successful implementation of data protection technologies requires a programmatic effort that includes data owners to accurately and successfully identify and build protections around sensitive information. If not implemented properly, data protection opens the door to user disruptions that many organizations have very little tolerance for. That’s why so many organizations focus their efforts on improving perimeter and access protections. Adversaries know this, which is why compromising user credentials or the supply chain to gain access remains a highly leveraged entry point for threat actors, because perimeter and access control protections fail to guard against people already inside the network with appropriate access. As enterprises plan for Zero Trust architectures, data protection has to take center stage.
By mandating that agencies quantify the type and sensitivity of their unclassified data, the EO appears to be steering Executive Branch agencies down the path of data centricity. The Executive Order focuses on improving the adoption of encryption best practices around data and implementing multifactor authentication in an effort to protect access to sensitive data from malicious outsiders. It falls short, however, of encouraging broad adoption of data loss prevention architectures to protect against accidental and malicious data leakage.
CISA has an opportunity to prioritize data as an enterprise’s central resource in their upcoming cloud-security strategy, which will drive agency adoption of Zero Trust Architecture. They should take this opportunity to emphasize the importance of designing a comprehensive data protection platform to serve as both a trust identifier and a mechanism of protection.