Data Management Sets the Next Phase of Zero-Trust

Shirley Zhao
7 min read · Apr 26, 2023

The original version of this blog was published at https://www.collibra.com/us/en/blog/data-management-sets-the-next-phase-of-zero-trust

Zero-trust has been at the center of security conversations for years. 2022 is a notable year, as the federal government set forth its zero-trust strategy and put data categorization at the foundation of data security. Driven by this strategy, we will be seeing fast-growing data management capabilities at federal agencies to discover, classify and protect their sensitive data. These capabilities will equip CDOs to partner with CISOs on enterprise-scale initiatives. The joint pursuit will surely accelerate innovation from the industry and have a profound impact beyond the federal government.

What’s ahead of us is very exciting. Working at Collibra, a data intelligence company, provides me with fresh new angles on security. The zero-trust concept, as it has evolved, has removed the network perimeter. I believe the security industry is at another inflection point, turning from “security-control-centric” safeguarding of data to “data-centric” protection through the lifecycle and dynamics of data.

Zero Trust, A Government Wide Initiative

In the early days of zero-trust, it was introduced as a network-based architecture model and then centered on identity and multi-factor authentication. This model gained steam in the industry, with many vendors positioning their technology products as zero-trust solutions.

I’ve always believed that zero-trust is a principle that should be applied wherever possible, more than a set of technologies and products; it has indeed propelled the industry to innovate. As it has evolved, especially in the most recent years, we have seen the wide adoption of zero-trust in domains well beyond network and identity. Nowadays zero-trust is recognized as a principle and a best practice that can be applied to broad aspects of security, accelerated by the industry’s innovations.

And the US federal government has made it a mandate.

The National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of Management and Budget (OMB) have all published on zero-trust in recent years. Among these publications, OMB memo M-22-09, issued Jan 26, 2022, is the one in which the White House sets forth a zero-trust strategy as a mandate for the entire US federal government, requiring agencies “to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 in order to reinforce the Government’s defenses against increasingly sophisticated and persistent threat campaigns.”

Data Categorization, a Central Theme

Upon release, the federal zero-trust strategy received accolades from industry and academia as a significant step forward in addressing ever-present cybersecurity challenges.

It sets out clear visions and specific actions around the five pillars of zero-trust security: identity, devices, networks, applications & workloads, and data.

Among the five pillars, what is most notable for the Chief Data Officers (CDOs) is Data Categorization as a central theme of the data pillar. The strategy envisions that in the federal government: “Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.”

This vision goes well beyond the traditional concept of building security controls (such as data encryption, data access, and data rights) into data solutions. Rather, it draws on an agency’s ability to inventory and categorize its data, setting the foundation for automating security responses and user access controls based on the sensitivity of the data.

The strategy calls for near-term action: agencies are to start working with stakeholders to “implement initial automation of data categorization and security responses, focusing on tagging and managing access to sensitive documents”.

At the same time, the federal government recognizes that “… the technology market supporting enterprise-wide data categorization is still maturing …” and sets out to play a long game: a joint working group formed from the Federal CDO Council and the Federal CISO Council, led by OMB, will develop a data security guide for agencies that addresses how existing federal information categorization schemes can support effective data categorization in a security context.

What’s to Come

The federal zero-trust strategy reflects the federal government’s ambition for a comprehensive zero-trust approach to data management, as the CDOs in the federal agencies are called on to implement this strategy and to work with the security team and other stakeholders.

To begin with, as the memo acknowledges, it will be challenging for many agencies to develop an accurate approach to categorizing and tagging data. Initially, some agencies may need manual categorization, a narrowed-down scope and pilot initiatives to pave the way for mechanisms of automated security access rules and responses.

This is only the beginning of a comprehensive zero-trust approach to data management. The goal is automation of data categorization, which will undoubtedly drive other aspects of data management to become part of the zero-trust ecosystem.

Full Coverage of Data Enterprise

Automation will enable full coverage of the data enterprise. In the design phase of zero-trust, this helps ensure the thoroughness of all zero-trust use cases, such as those specified in NIST Special Publication 800-207 on Zero Trust Architecture; in the implementation phase, it makes possible full-scale automated security responses and access controls across the whole organization.

With such capabilities, the CDO will be well positioned as a partner of the Chief Information Security Officer (CISO) organization. Enterprise visibility into the many business applications, long desired by the CISO stakeholders who granted the authorization to operate (ATO) but had no easy way of keeping track of them, has now become a reality.

Moreover, an array of reports and analytics built from the large volume of automatically collected data would provide tangible input into the CISO’s decision-making process, especially for large-scale implementation initiatives such as data loss prevention programs, to ensure thorough enterprise coverage.

Lifecycle Security Trust Verification

A zero-trust approach to secured user access, however rigorous it may be, establishes the security trust needed for data at the point of authentication and authorization. It does not provide insight into the data itself or into the dynamics of the data, and all data has a lifecycle: data is consumed once created; it may change, move, be shared, and take on a different meaning in a different context.

Because of these dynamics, business leaders are already keenly aware of the importance of keeping track of data, to help them answer questions such as:

  • Who is using the data?
  • What information does it contain?
  • When was the data created/transformed?
  • Where does the data come from?
  • Why does the data exist?

From a business perspective, these questions speak to data ownership, residency, and quality characteristics such as data consistency, completeness, and trustworthiness.

On the other hand, they also call into question the security trust that was granted when it was last established. For instance:

  • A business steward with privileged access shared certain data elements with non-privileged users
  • A business analyst published a report to an audience who may not have the need to know
  • A database administrator pushed data to various locations, more than intended

Whether done inadvertently or without sufficient security controls, the security trust in these scenarios may be broken, hence the need for continuous verification throughout the data lifecycle.
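To make the idea of continuous verification concrete, the following is an added example (not code from the original post or from Collibra) showing how a sensitivity-tagged data catalog can drive both the initial access decision and the re-verification of the three lifecycle events listed above (a share, a publish, and a push to a new location). The labels, principals, locations and events are all constructed for illustration; an agency would substitute its own categorization scheme and directory.

```python
"""Tag-driven access decisions and lifecycle re-verification (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Ordered sensitivity labels. Constructed for this example; a real scheme would
# come from the agency's information categorization standard.
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "sensitive": 2, "restricted": 3}


@dataclass(frozen=True)
class DataElement:
    name: str
    sensitivity: str
    audience: FrozenSet[str]  # groups with need-to-know; empty means no restriction


@dataclass(frozen=True)
class Principal:
    user: str
    clearance: str
    groups: FrozenSet[str]


def access_decision(p: Principal, d: DataElement) -> Tuple[bool, str]:
    """Policy: clearance must dominate the label AND the principal must hold need-to-know."""
    if LEVELS[p.clearance] < LEVELS[d.sensitivity]:
        return False, f"{p.user}: clearance {p.clearance} is below {d.name} label {d.sensitivity}"
    if d.audience and not (d.audience & p.groups):
        return False, f"{p.user}: no need-to-know for {d.name} (audience {sorted(d.audience)})"
    return True, "ok"


def verify_lifecycle(events, catalog, directory, location_ceiling) -> List[Tuple[str, str]]:
    """Re-run the access decision for every lifecycle event after the fact.

    Returns (event_id, reason) findings where previously established trust no
    longer holds: recipients of a share/publish are checked as principals, and a
    push is checked against the destination's highest approved sensitivity."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        d = catalog[ev["element"]]
        if ev["kind"] in ("share", "publish"):
            for uid in ev["recipients"]:
                ok, why = access_decision(directory[uid], d)
                if not ok:
                    findings.append((ev["id"], why))
        elif ev["kind"] == "push":
            ceiling = location_ceiling[ev["destination"]]
            if LEVELS[ceiling] < LEVELS[d.sensitivity]:
                findings.append((ev["id"], f"{d.name} ({d.sensitivity}) pushed to "
                                           f"{ev['destination']} rated {ceiling}"))
        else:
            findings.append((ev["id"], f"unknown event kind {ev['kind']}"))
    return findings


# --- Constructed sample data -------------------------------------------------
CATALOG = {
    "employee_ssn": DataElement("employee_ssn", "restricted", frozenset({"hr"})),
    "customer_email": DataElement("customer_email", "sensitive", frozenset({"marketing", "support"})),
    "quarterly_report": DataElement("quarterly_report", "internal", frozenset()),
}
DIRECTORY = {
    "alice": Principal("alice", "restricted", frozenset({"hr"})),          # business steward
    "bob": Principal("bob", "internal", frozenset({"engineering"})),
    "carol": Principal("carol", "sensitive", frozenset({"marketing"})),    # business analyst
    "dan": Principal("dan", "internal", frozenset({"sales"})),
    "erin": Principal("erin", "sensitive", frozenset({"engineering"})),    # cleared, no need-to-know
}
LOCATION_CEILING = {"hr-warehouse": "restricted", "analytics-sandbox": "internal"}
EVENTS = [
    {"id": "e1", "kind": "share", "actor": "alice", "element": "employee_ssn", "recipients": ["bob"]},
    {"id": "e2", "kind": "publish", "actor": "carol", "element": "customer_email", "recipients": ["carol", "dan"]},
    {"id": "e3", "kind": "push", "actor": "dba", "element": "employee_ssn", "destination": "analytics-sandbox"},
    {"id": "e4", "kind": "share", "actor": "alice", "element": "quarterly_report", "recipients": ["bob"]},
    {"id": "e5", "kind": "share", "actor": "carol", "element": "customer_email", "recipients": ["erin"]},
]


def demo() -> List[Tuple[str, str]]:
    """Run the verification over the constructed events; e4 is the only clean one."""
    return verify_lifecycle(EVENTS, CATALOG, DIRECTORY, LOCATION_CEILING)


if __name__ == "__main__":
    for event_id, reason in demo():
        print(event_id, reason)
```

The point of the design is that the same `access_decision` used at authorization time is re-applied to every downstream movement of the data, so the catalog's tags, not the original grant, remain the source of truth. Event e5 shows why need-to-know is checked separately from clearance: erin is cleared for sensitive data but is outside the element's audience.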

Data solutions seek to address these business and security concerns, for example by creating lineage that shows data movement across an enterprise and by continuously monitoring data quality characteristics through adaptive rules. Data solution capabilities are centered at the business level, whereas automated security responses are typically led by security organizations. A zero-trust approach to data management will certainly drive the capabilities at these two ends of the spectrum to marry up, leading to seamless integration of business and security organizations in protecting data as their common goal.

Fueling Maturity — It’s Reciprocal

The goals laid out in the federal zero-trust strategy are organized using the CISA zero-trust maturity model. In this model, zero-trust maturity is characterized by increasing levels of automation and centralized visibility.

Specifically for the data pillar, CISA envisions that zero-trust culminates in an optimal mature state with characteristics such as agencies continuously inventorying data with robust tagging and tracking, augmented with machine learning models, and automatically updating and accounting for all agency data. The federal zero-trust strategy reflects this by calling out agencies’ data categorization as directly fueling this maturity characteristic.

While data categorization is the central theme of zero-trust for the data pillar, and the most important one, it is also an aspect of data management that underlies various other domains, including data governance, metadata management, data quality, privacy and compliance. Companies have relied on these domains to find, organize, track, integrate, and govern the enormous amount of data in their enterprises and achieve their business goals.

As expected, the growing capability of data categorization at federal agencies will be driven by the zero-trust vision and will grow as zero-trust matures. Categorization, an underpinning of the data management capabilities of any enterprise, will have a broad and in-depth impact on other areas of data management.

This is very exciting. In the upcoming years, we will be seeing agencies’ increased ability, through their overall data management capabilities, to enable their business processes, gain valuable insights into their data to make better use of it, meet regulatory requirements, and provide strategic input to achieve longer-term business outcomes.
