Elevating Data Protection with the Department of Defense Zero Trust Strategy

On November 22, 2022, the Department of Defense (DoD) released the Department of Defense Zero Trust Strategy and Roadmap, with the goal of implementing Zero Trust capabilities and activities by fiscal year 2027. The DoD will be checking agencies’ budgets and holding them accountable for demonstrating progress. There is a special urgency to securing defense agencies as part of critical infrastructure, but any organization can learn from what the DoD is proposing.

The plan states, “Zero Trust enables information dominance across the communications spectrum in the tactical environment by ensuring the security of data, applications, assets, and services (DAAS).” Most organizations also must manage security in these four areas, with prioritization based on the unique needs of the business and its customers.

This DoD Zero Trust plan is intended to align with other Executive-level guidance, including:

Zero Trust is a data-centric strategy, rather than location-centric, and protecting data from breach wherever it resides while ensuring its usability is a key focus. The stated DoD Data Goal is “enable and secure data transparency and visibility with enterprise infrastructure, applications, standards, robust end-to-end encryption, and data tagging.”

The DoD mentions cybersecurity challenges including geopolitical and disruptive events like the COVID pandemic: “DoD’s migration to increased remote work, an unprecedented technology refresh while divesting outdated technologies, shifts to artificial intelligence and cloud-based technologies complicate these trends. Advances in technology amplify the means to exfiltrate sensitive data from DoD and National Security Systems (NSS) and allow malicious actors the potential to inflict serious damage to DoD’s information environment. These factors, combined with the expansion of partner relationships, create opportunities for malicious actors, using limited technical resources, to impact national security.”

The plan outlines seven pillars:

• Users
• Devices
• Applications & Workloads
• Data
• Network & Environment
• Automation & Orchestration
• Visibility & Analytics

DoD Zero Trust Data Capability Goals stated in the plan include:

• Data Catalog Risk Assessment
• DoD Enterprise Data Governance
• Data Labeling and Tagging
• Data Monitoring and Sensing
• Data Encryption & Rights Management
• Data Loss Prevention (DLP)
• Data Access Control

The National Institute of Standards and Technology (NIST) is working on a new Data Classification guide to help organizations prioritize and manage data protection. The project is currently in draft form. NIST states that:

      “Data-centric security management aims to enhance the protection of information (data) regardless of where the data resides or who it is shared with.

      The NCCoE aims to make data-centric security management feasible at scale by developing technology-agnostic recommended practices for communicating and safeguarding data protection requirements through data classifications and labels.”

      A data-centric foundation to cybersecurity must start with understanding your data. An article from Nextgov offers tips including “focus on your data and the rest will follow” and goes on to say that “data is ultimately at the core of what government agencies must protect. The reality is that data is everywhere, and security must be too.”

A data inventory is the foundational bridge to all other data security activities, because you cannot protect what you have not identified as being at risk. A Help Net Security interview with Mark Ruchie, CISO at Entrust, discussed how important an asset inventory is to successful Zero Trust. Ruchie said:

      “Zero Trust strategy requires an inventory of every single item in a company’s portfolio, including a list of who and what should and should not be trusted. Additionally, organizations must develop a strong understanding of their current workflows and create a well-maintained inventory of all the company’s assets … Zero Trust provides more clarity for organizations as it is focused on protecting data rather than securing different segments.”

Data Discovery and Risk Assessment Are Essential to Zero Trust

Forrester recently published research highlighting how a lack of data discovery and classification leads to Zero Trust microsegmentation project failures. According to David Holmes, senior analyst at Forrester and author of the report:

“The vast majority of organizations we talk to do not do sufficient data discovery and classification, both of which are needed to some extent for a proper microsegmentation project. Just knowing what data you have and where it lives is a hard problem to solve.”

Forrester Research also hosted a Security and Risk Forum that included topics around implementing Zero Trust, and published a 2023 Security & Risk Planning guide. Both the forum and the guide highlight that CISOs who use cyber-risk quantification increase business leaders’ confidence in Zero Trust initiatives and funding. Forrester also expects growth in four technology categories; with privacy concerns growing, one of them is privacy-preserving technologies.

      Privacy concerns and increasing regulation can’t be ignored, and the 2022 edition of the Office of Inspector General (OIG) annual report on the Department of Health and Human Services’ (HHS) top management and performance challenges called on HHS to improve data governance. OIG described the challenge of securing HHS data as “multifaceted and complex because program needs and timeliness often compete with cybersecurity controls and capabilities.” OIG emphasized the need for a risk-based approach due to the time-sensitive nature of cyber threats.

Cybersecurity risk profiles are a key element of Zero Trust. The crucial foundational activities are understanding, mapping, and prioritizing your assets, such as data, so that you can implement the proper controls based on risk appetite. These activities should use automation tools for continuous asset risk assessment – in today’s world you can’t have a “set it and forget it” mentality.

A Nextgov podcast with Lynette Sherrill, the Department of Veterans Affairs (VA) CISO, discussed the VA’s progress in implementing its Zero Trust strategy and the importance of safeguarding veterans’ personal data. The VA faces complex cybersecurity challenges because of both the healthcare side and the benefits side of the organization. She talked about the importance of taking a risk-based approach to determine priorities and the challenges of managing huge volumes of data logs.

      Data privacy is a serious matter, particularly when it comes to Protected Health Information (PHI). The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that enforces national standards to protect PHI from being disclosed without a patient’s consent or knowledge. Unfortunately, PHI is a favorite target of hackers. A USA TODAY article reported in November that more than 40 million Americans’ medical records have been stolen or exposed so far this year because of security vulnerabilities in electronic health care systems, highlighting concerns mentioned in the OIG article regarding securing data.

Growing Privacy Legislation Requires Data Inventory

      The responsibility for protecting data should be elevated to organizational leadership as an essential ongoing business concern as legislation increases, such as the California Privacy Rights Act (CPRA) which goes into effect on January 1, 2023. Risk management and data governance must work in concert because data is continuing to grow in both quantity and complexity.

A few of the compliance activities that may be required by legislation like CPRA include:

• Take an inventory of CPRA data
• Conduct privacy risk assessments to safeguard data
• Update your policy and processes for dealing with sensitive personal information (SPI)
• Streamline data flow mapping to monitor privacy risk
• Execute data retention policies at scale

A Dark Reading article stated that a comprehensive data security strategy is essential and that “CISOs and CIOs are confronted with data spread across their organization and they need to gain visibility into all their siloed, heterogeneous data to understand who controls, maintains, processes, and accesses which parts of the data.”

      A risk-based approach is also emphasized in a VentureBeat article, “Cybersecurity Frameworks Are Not Enough to Protect Organizations from Today’s Threats.” According to research, “48% of organizations with no breaches in 2021 took a risk-based approach to their security programs” and companies must go beyond a “check-the-box” mentality. The article states:

      “This proactive approach to cybersecurity involves regularly assessing risk probabilities and impacts, conducting advanced quantitative and scenario analysis, incorporating cybersecurity into enterprise-wide risk management, and working with business leaders to mitigate risks proactively. A risk-based approach allows organizations to achieve greater cybersecurity proficiency by giving them the tools to identify, measure, prioritize and manage the threats they face.”

We recently published a couple of articles on cybersecurity risk management guides that specifically focused on NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM):


      The NIST risk management guide calls out the related problems of insufficient asset information, as well as human bias and assumptions that incorrectly set priorities. The guide and its supplements also emphasize the need for automation and tools for continuous risk identification so that organizations have up-to-date data on threats.

The urgent need for Zero Trust is driven by evolving, sophisticated threats, as well as potential threats from nation-state actors. CPO Magazine recently reported on a potentially concerning piece of Russian software buried in thousands of apps in the Google and Apple app stores, and The Hacker News reported that as many as 34 Russian-speaking gangs used malware to steal over 50 million passwords in the first seven months of 2022. The FBI has also recently warned of data privacy concerns with the Chinese-owned social media giant TikTok.

Data protection can no longer be set aside as a future priority. To help prepare for potential data threats to quantum-vulnerable systems, the White House Office of Management and Budget is requiring federal agencies to provide, by May 4, 2023, an inventory of assets containing cryptographic systems that could be cracked by quantum computers. The concern is that encrypted data stolen now could be decrypted in the future by more advanced technology (a “harvest now, decrypt later” risk).

Psychological Risks to Data

      Understanding people risks, as well as your assets, is critical to effective risk management. In some of our recently published articles we emphasize the human-first approach to cybersecurity because a wide variety of human mistakes (from executives, security teams, and end users) are often the reason data is exposed. Understanding the risk landscape and instituting proper controls is essential to not overburdening cybersecurity staff who are in short supply.

Organizations can help combat threats by educating themselves on human psychology as it relates to cybersecurity, such as learning to think like an attacker, and using that insight to shape risk assessment and security strategies. Addressing detrimental human bias, conditioning, and habits is also important to making the necessary changes.

Clear and authentic collaboration, communication, and two-way feedback are required for the culture shift necessary for modern cybersecurity. A Dark Reading article included an interview with Frank Kim, an industry veteran and former CISO of the SANS Institute, who said, “fostering a collaborative and engaged working environment is key to ensuring that the security talent you have will want to remain in your organization” and that “data security is another growing concern, specifically the ability of businesses to use, share and leverage data securely.”

      To help leadership understand threats, Steve Winterfeld, advisory CISO at Akamai, likes to take stakeholders on data journeys. Leadership should understand how security controls can protect the employee data journey, and they must also understand what happens when employees go out to the internet.

      Storytelling often resonates more deeply when communicating the cybersecurity message throughout the organization. See a few of our articles on the psychological concerns of cybersecurity:


      Insider risks are a real threat to data as well. A Cyberhaven survey found employees are 83% more likely to take sensitive data in the two weeks before they give notice. To help prevent data loss, the Dark Reading article states “It’s important to have full visibility and a complete inventory (i.e., users, assets, applications, groups, and domains) to enable security and IT teams to put in place the appropriate preventative controls.”

True Data Discovery Must Be Comprehensive and at the Content Level

      An ongoing inventory of data assets is foundational to Zero Trust as a data-centric security strategy that aims to protect data and also improve usability. Data discovery and classification are necessary for data governance and to see what risks are inside your data stores. Organizations can’t assume they understand asset risks without taking the time to identify what is there or what data-handling mistakes may have occurred in the past.

      Many data discovery solutions are only able to see certain types of files or are more focused on classification without comprehensively inventorying both unstructured and structured data. Incomplete data discovery solutions can give the organization a false sense of security. Many solutions may also only view file attributes and not be able to see risks hidden in the actual content of files. Effective data discovery should automate indexing, inventory, filters, search, data tagging, and workflows down to the content level. Single pane visibility on a broad array of file types helps to simplify risk management and reduce the burden on staff.

      Anacomp’s data discovery and intelligent document processing solutions help provide data asset visibility and automate multiple data inventory, risk assessment, digital transformation, and processing functions for cybersecurity, risk management, data privacy and compliance, cloud and data migrations, and analytics projects.

Data Discovery and Distillation (D3) provides a single pane view of both structured and unstructured data stores for over 950 file types with visualization of all file properties and customizable metadata. D3 crawls your entire data estate and uses artificial intelligence and machine learning to see risks hidden in actual file content – not just file attributes. Risk filters, workflows, data tagging, and federated search help to identify, manage, clean, and protect data and keep it that way with ongoing, automated monitoring.

You can also quickly and easily perform Data Subject Access Requests (DSARs), as well as intellectual property or other sensitive data requests, using advanced queries. D3 is unique in that it provides actionable visibility for many data types, with data visualization down to the content level.

High-Speed Intelligent Document Processing uses technologies like artificial intelligence, machine learning, and natural language processing to process and ingest many types of data, including handwriting, poor-quality documents, and images, enabling you to incorporate more data into your projects. You can also flag any data privacy or other data risk concerns.

      These solutions can be combined and customized to validate and improve data quality for security, data privacy, compliance, and analytics projects. 

      You can test out data discovery on your own data with a free 1 TB Test Drive of Anacomp’s D3 AI/ML Data Discovery Solution.

      This article is an updated version of a story that appeared in Anacomp’s weekly Cybersecurity & Zero Trust Newsletter. Subscribe today to stay on top of all the latest industry news including cyberthreats and breaches, security stories and statistics, data privacy and compliance regulation, Zero Trust best practices, and insights from cyber expert and Anacomp Advisory Board member Chuck Brooks.

      Anacomp has proudly served the U.S. government, military, and Fortune 500 companies with data visibility, digital transformation, and OCR intelligent document processing projects for over 50 years.