A Data-Centric Approach to Zero Trust for Public Sector

By Derek Giarratana, Supplier Manager

An organization’s data is its most important and valuable asset. This is especially true as organizations continue to move towards data-driven approaches to deliver on their missions and are more actively putting that data to work — and in remote locations no less. This means the need to protect data and maintain its accuracy and integrity is paramount.

In this series, we will explore each of these facets of data security and how it applies to IT challenges currently faced in the public sector. This first installment examines Zero Trust and how a data-centric approach addresses some of the hurdles with which public sector IT leaders struggle.

What is Zero Trust?

Aptly named, a Zero Trust approach assumes that nothing internal or external to an organization’s perimeter can be trusted, so access requires additional verification. The level of sophistication needed to meet the expectations and requirements of public sector data security lends itself to a Zero Trust model, which prompts data security experts to assess and manage data at the most granular level. With this approach in mind, data security experts are taking a fine-tooth comb to their data and paying close attention to their data management environment.

Zero Trust at Work

Managing “toxic data” is a great example of the value of a data-centric Zero Trust approach. Toxic data is data that should not leave an organization under any circumstance because its exposure could violate regulatory compliance and/or cause reputational damage to an organization. In mitigating this risk, IT experts build their data management strategy around a thorough understanding of their data inventory, including location, classification and the presence of any toxic data.

Given the sensitivity of data created and managed by public sector agencies like the Department of Defense, and the simultaneous increase in remote work across those agencies, the increased level of scrutiny being employed in their cybersecurity strategy, both internally and externally, is warranted. Implementing a Zero Trust approach is crucial, especially in a work environment where a distributed workforce and hybrid cloud models are in use.

Ensuring Data Security via CMMC

Most defense contractors will soon need to abide by newly established cybersecurity requirements, known as the Cybersecurity Maturity Model Certification (CMMC). With the adoption of CMMC in the DOD’s supply chain, contractors will be expected to meet the cybersecurity requirements necessary to keep particularly sensitive data secure. This alone is ample justification for a Zero Trust approach.

My colleague, Lloyd McCoy, senior market intelligence manager at immixGroup, explained in a recent interview with GovDataDownload that CMMC will require almost all government contractors doing business with the DOD to be independently certified by a third party as meeting one of five cybersecurity standards, and that this requirement will apply to every link in the government’s supply chain. This includes manufacturers, distributors and resellers. This practice could also carry into the civilian sector, making CMMC certification standard practice across the board for government contractors and, in turn, creating a multitude of opportunities for Zero Trust to demonstrate its value.

A Look Under the Hood of Zero Trust

In peeling back the layers of a Zero Trust approach, we must examine the most foundational part of the equation: the data itself and how to properly manage it. Naturally, this calls for a data-centric approach in the overall cybersecurity strategy. These capabilities are demonstrated through the combination of offerings like NetApp ONTAP and the NetApp FPolicy® partner ecosystem, allowing users to gain the necessary controls to truly employ a data-centric Zero Trust approach.

The crown jewel of this approach is the application of user behavior analytics (UBA). This methodology uses unsupervised, adaptive machine learning algorithms to differentiate between normal and aberrant data access patterns in order to detect malicious or compromised users. Because UBA does not rely on static policy definitions, these algorithms can detect zero-day attacks. So, when combined with signature-based systems like anti-virus, UBA-based systems can provide a high degree of fidelity in identifying and preventing attacks.

A Data-Centric Approach is Optimal

Ultimately, not taking a data-centric approach means reliance on yesterday’s perimeter-based security approach. In today’s work environment, access to the public or private cloud can happen at any time and in any location. Using a data-centric approach brings security to the edge, wherever that may be for the end user, and continuously authenticates applications and employees where the data transactions occur.

Because a data-centric approach to Zero Trust constantly enforces authentication against agency regulations, it’s more effective at preventing threats. Its simplicity makes it powerful. As a result, we get a framework uniquely suited for a remote workforce that has the agility and security every organization needs in 2021 and beyond.
