The National Security Agency (NSA) issued a cybersecurity information sheet (CIS) on April 9 detailing recommendations for maturing data security and enforcing access to data in transit and at rest.

The CIS, “Advancing Zero Trust Maturity Throughout the Data Pillar,” aims to ensure that authorized users can access data.

Specifically, the CIS outlines data security capabilities that should be integrated into a comprehensive Zero Trust Framework, as described in the NSA’s “Embracing a Zero Trust Security Model,” according to an agency announcement.

Since releasing the “Embracing a Zero Trust Security Model” CIS in February 2021, NSA has provided several updates and related products to guide adoption of a zero trust mindset.

The seven pillars in the zero trust security model CIS are user, device, network/environment, applications and workload, visibility and analytics, automation and orchestration, and data.

“Malicious cyber actors continuously increase their ability to infiltrate networks and gain access to sensitive data,” Dave Luber, NSA’s Director of Cybersecurity, said in a press release. “Assuming that breaches will occur, implementing the pillars of the Zero Trust Framework is how we combat that activity,” he said.

The new CIS recognizes the value of the data pillar and how its capabilities mitigate risk.

“[The] data pillar capabilities verify all access to data – key foundational element for building improved cybersecurity – thereby reducing the impact of breaches and enabling earlier detection of even advanced malicious cyber actor activities,” Luber said.

The NSA guidance lists several data pillar capabilities and aligns them to zero trust maturity levels – preparation, basic, intermediate, and advanced phases.

For example, the data monitoring and sensing capability highlights the role of security information and event management tools in helping data owners collect and analyze security data from information systems through a single interface.

The capabilities listed in the CIS are data catalog risk alignment, enterprise data governance, data labeling and tagging, data monitoring and sensing, data encryption and rights management, data loss prevention, and data access control.

According to the CIS, the DoD zero trust strategy centers on protecting an organization’s data through constant verification.

“So, it is important that data owners take the steps necessary to survey their data to design and implement effective controls,” the CIS reads.

Implementing an effective data management plan within the zero trust framework limits data breaches, and “if a breach does occur, will provide the necessary information on the assets that were compromised to minimize the damage,” the CIS says.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.