Achieving Optimal Zero Trust Maturity: The Role of Data and Governance

By Carolyn Duby, Chief Technology Officer, Cloudera Government Solutions

The federal government has placed a stronger emphasis on zero trust since OMB’s federal zero trust strategy memo from the beginning of 2022, requiring agencies to have a security model in place that assumes every device, application, or user attempting to access a network cannot be trusted.

Most recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued a second version of its Zero Trust Maturity Model (ZTMM 2.0), which provides a roadmap to guide agencies to a zero trust model by 2024. The ZTMM is a combination of five pillars: identity, devices, networks, applications and workloads, and data. It also addresses four levels of maturity, providing useful information for agencies regardless of their location on the zero trust journey (traditional, initial, advanced, optimal).

With the impending deadline, the Department of Defense is feeling the pressure and making strides toward implementing the ZTMM to reach the “optimal” stage of maturity. DOD’s approach to a zero trust strategy will equip the Department with the guidelines to instill the “never trust, always verify” mindset, along with a map of how to implement the zero trust strategy across all components of the agency, including capabilities, technologies, solutions, and processes.

While making this progress, agencies must understand the impact a successful zero trust process can have on data and the future of government decision-making. There are also key strategies and data governance policies that agencies can implement to abide by the CISA guidelines and find achievable solutions for a zero trust future.

How Agencies Can Safeguard Their Data 

The updated ZTMM from CISA claims that agency data should be protected on devices, in applications, and on networks in accordance with federal requirements, and that agencies should inventory, categorize, and label data; protect data at rest and in transit; and deploy mechanisms to detect and stop data exfiltration.

Zero trust is all about enhancing your security posture. The balancing act of security and accessibility is possible through platforms that can operate independently from compute and storage layers which offer integrated security and governance based on metadata. The ideal zero trust approach will contain a data security platform capable of contextualizing across analytics and cloud environments while simplifying data delivery and access with a unified multi-tenant model.

Ultimately, the approach of utilizing a secure platform to assist with zero trust will result in reduced cybersecurity risk and operational costs, all while allowing faster deployment of governed and secured data lakes for broader responsibly safeguarded data access.

Role of Data in the Zero Trust Journey 

With data as one of the five main pillars of the ZTMM, it is critical that DOD moves to optimal maturity to properly secure our nation’s data and privacy. The DOD has already shared various plans and guidelines that focus heavily on data protection and management, so movement to an optimal zero trust position greatly aligns.

Therefore, implementing the ZTMM will eliminate unauthorized access by bad actors and safeguard data from non-trusted sources. This is essential as data continues to play a key role in the federal government’s mission-critical operations. The optimal maturity of zero trust will better position defense agencies to protect their essential data, ranging from citizen services to military intelligence; all government data will be protected and safeguarded.

Proper Governance Supports the Trek to Optimal

Governance is a need as CISA also stated that agencies should carefully craft and review data governance policies to ensure all data lifecycle security aspects are appropriately enforced across the enterprise. When you have proper governance with zero trust, it frees up the data so you can share it effectively within the organization. The data is protected and highly accessible by the team members who need it most.

Adhering to the guiding principles of a zero trust architecture requires a multifaceted approach.

First, verification using multi-factor authentication everywhere provides a normalized SSO token for the representation of the authenticated user. Using least privileged access will allow agencies to incrementally grant access on an as-needed basis.

Next, in order to minimize the blast radius of a breach through segmented data access, the ideal support platform will be given access to the appropriate zone key to decrypt the underlying data. This combined with complete auditing through long-term retention of data and robust machine learning, will provide a powerful tool for threat hunting, investigation, and remediation.

Lastly, governance, compliance, and data cataloging – allows teams to better understand and protect your data efficiently. These approaches provide a high transparency level to each task that allows decision-makers and those tackling key missions to see specifically what is going on throughout the process. When followed effectively, teams are able to smoothly move along the zero trust journey to optimal.

Achieving the required deadline demands respecting the role of data in the zero trust journey, understanding how agencies can best protect their data, and how proper governance supports the trek to optimal maturity. As a constant and evolving mission, the nation is working to protect our country from cyber adversaries and secure its intelligence, including DOD missions.

This comes with the help of platforms that are prepared to fulfill a balance of security from bad actors and access to the right members of the DOD, all while maintaining zero trust and abiding by the CISA guidelines. A platform that operates independently from compute and storage layers will offer integrated security and governance based on metadata, while a simplified data delivery and access model will reduce risks and costs while enabling faster deployment. Implementing an effective zero trust approach and reaching the optimal maturity level will better secure the nation’s cyber and technological landscape, and understanding the role of data and governance within the process can lead to greater mission success.

About the Author

Carolyn Duby is the current Field CTO and Cybersecurity Lead at Cloudera Government Solutions. With nearly three decades of experience, Carolyn spearheads the digital transformation efforts for Cloudera’s customers and delivers high-performance, data-intensive applications in a variety of industries. She can be reached online at our company website https://www.cloudera.com/solutions/public-sector.html