In the evolving landscape of cybersecurity, the Zero Trust Architecture (ZTA) framework stands out as a beacon of modern defense strategy. At the heart of this framework is the Data Pillar, a critical component of the Zero Trust Maturity Model (ZTMM) as outlined by the Cybersecurity and Infrastructure Security Agency (CISA). This pillar is not just a set of guidelines; it is the embodiment of a strategic approach to data security, designed to protect and manage all structured and unstructured data within federal systems.
Understanding the Data Pillar
The Data Pillar within ZTA is built on the premise that data, no matter where it resides or in what format, must be securely handled and accessed. It underscores the importance of understanding and classifying data across the enterprise. By identifying what data exists, where it is stored, and its level of sensitivity, agencies can apply the appropriate security controls to safeguard against unauthorized access and breaches.
A core principle of the Data Pillar is the implementation of least privilege access. This principle dictates that users and systems are granted only the minimum level of access necessary for their roles and functions, significantly reducing the risk of data exposure or compromise. Moreover, the pillar promotes cross-pillar interoperability with continuous monitoring and centralized visibility, ensuring comprehensive situational awareness of data security.
Key Functions of the Data Pillar
The Data Pillar is composed of several key functions that are essential for the protection and management of data within ZTA:
Data Categorization: Classifying and labeling data to determine its sensitivity and the security controls needed is the first step. This foundational function is crucial for applying Zero Trust principles effectively.
Data Authorization: Authorizing users through a trusted identity manager that holds the user's role-based access control (RBAC) and attribute-based access control (ABAC) policies is critical to ensuring that access to data is granted to the right person at the right time.
Segmentation: Segmentation and micro-segmentation help enforce the principle of least privilege by limiting access to resources to only those users and devices that have been authenticated and authorized to access the data in question.
Data Protection: Implementing encryption and access controls to protect data at rest and in transit is vital. This function ensures that sensitive information is shielded from unauthorized access and potential exfiltration.
Data Encryption: Encrypting sensitive data in transit and at rest with FIPS-validated algorithms protects it from unauthorized interception or access.
Data Access Management: Controlling and monitoring data access is imperative. By implementing least privilege access controls, only necessary data is accessible to users and systems based on their roles.
Audit and Monitoring: Continuous monitoring and auditing of data access and usage help detect and respond to security incidents. This includes maintaining logs and analyzing data access patterns.
Data Availability: Maintaining the integrity and availability of data, even amidst cyber threats, is a key function. This ensures that authorized users can access data when needed.
Addressing Challenges in Zero Trust Adoption
The transition to Zero Trust, including the Data Pillar, presents challenges such as integrating Zero Trust principles with existing systems, managing the dynamic nature of cloud environments, and continuously adapting to evolving threats. Large enterprises, including the Federal Government, must overcome these hurdles to ensure a secure and resilient data environment.
VAST Data Platform: A Secure Foundation
The VAST Data Platform is designed from the ground up with security in mind, leveraging cutting-edge technology to create a Disaggregated, Shared-Everything (DASE) architecture. This innovative approach enables the platform to deliver all-flash performance for large datasets, including unstructured data, at scale and affordability.
Key Zero Trust Features of VAST Data Platform
Automated Data Labeling: The platform gives administrators the ability to define labels/attributes at the “View” level. You can define up to 20 different attributes that every object, file, and directory under the View inherits; these attributes can then be leveraged for data classification and authorization.
Authorization: VAST employs a hybrid RBAC + ABAC model, enhancing traditional access control mechanisms with dynamic, attribute-based policies. The platform works with Microsoft Active Directory to identify a user’s roles, their attributes, and their attribute access policy, allowing fine-grained access control, streamlined administration, and flexibility in assigning permissions.
Segmentation: The platform allows you to control which VLAN(s) have access to Views and which protocols may be used on those VLAN(s). Furthermore, customers can filter based on endpoint IP and make micro-segmentation decisions that control what an endpoint can access and what type of access it has, such as read-only versus read/write.
In-flight encryption: The platform supports in-flight encryption for S3 (HTTPS), NFS, NFS over RDMA, and NFS over RoCEv2. This is done with TLS 1.3 for S3 and NFS, or with Kerberos privacy mode (krb5p) for customers who require it.
Key Exchange & at-rest encryption: The platform supports key exchange and offers crypto-erase capabilities at the tenant and View levels, providing robust key management and secure data erasure options.
Protocols and Authorization: VAST supports a variety of protocols, including NFS, SMB, and S3, and employs a robust policy manager for authorization, ensuring proper access to data across different protocols. It integrates with Azure AD, On-Prem AD, and other identity providers to authorize users in real-time. The platform also supports protocols with encryption in transit over Ethernet and InfiniBand, enhancing data security during transmission.
Metadata and Audit: The VAST Catalog revolutionizes metadata management, enabling efficient queries without resource-intensive tree walks. Coupled with comprehensive protocol and admin audit capabilities, the platform ensures meticulous recording of all system, protocol, and administrative activities.
Anomaly Detection: VAST’s Uplink service employs machine learning algorithms for anomaly detection, enabling it to identify atypical user activities and data patterns that may signal security threats, including ransomware attacks.
VAST Indestructible Snapshots: Indestructible snapshots are designed to provide an additional layer of protection against ransomware attacks by making backup copies immutable, ensuring they cannot be altered or deleted by attackers.
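To make the Data Authorization and Segmentation functions above concrete, here is an added worked example of a small policy decision point. It is illustrative code written for this article, not VAST's own software or API: the View labels, the user directory with roles (RBAC) and attributes (ABAC), the network segment rules, the clearance ranking and all sample requests are constructed, and the function and field names are hypothetical. It shows how a request is checked against the View's inherited labels, the subject's roles and attributes, and the network/protocol segment it arrives from, and how every decision is recorded for audit.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical labels defined at the "View" level; everything under a View inherits them (constructed sample).
VIEWS = {
    "/projects/alpha": {"classification": "confidential", "program": "alpha"},
    "/public/docs": {"classification": "public", "program": "any"},
}

# Hypothetical identity records: roles drive RBAC, attributes drive ABAC (constructed sample).
USERS = {
    "alice": {"roles": {"analyst"}, "attrs": {"clearance": "confidential", "program": "alpha"}},
    "bob": {"roles": {"analyst"}, "attrs": {"clearance": "public", "program": "beta"}},
    "carol": {"roles": {"admin"}, "attrs": {"clearance": "confidential", "program": "alpha"}},
}
ROLE_PERMISSIONS = {"analyst": {"read"}, "admin": {"read", "write"}}
CLEARANCE_RANK = {"public": 0, "confidential": 1}

# Segment rules: which network may reach which View, over which protocols, with what maximum access (constructed).
SEGMENT_RULES = [
    {"view": "/projects/alpha", "network": "10.10.0.0/24", "protocols": {"nfs", "smb"}, "max_access": "write"},
    {"view": "/public/docs", "network": "0.0.0.0/0", "protocols": {"s3"}, "max_access": "read"},
]

AUDIT_LOG = []  # every decision, allowed or denied, is appended here


@dataclass
class Request:
    user: str
    path: str
    action: str      # "read" or "write"
    client_ip: str
    protocol: str    # "nfs", "smb" or "s3"


def view_for(path):
    """Longest-prefix match of a path against the labelled Views; None if unlabelled."""
    matches = [v for v in VIEWS if path == v or path.startswith(v + "/")]
    return max(matches, key=len) if matches else None


def segment_allows(req, view):
    """Micro-segmentation check: source network, protocol and access type must all match a rule."""
    ip = ipaddress.ip_address(req.client_ip)
    for rule in SEGMENT_RULES:
        if rule["view"] != view or ip not in ipaddress.ip_network(rule["network"]):
            continue
        if req.protocol not in rule["protocols"]:
            continue
        if req.action == "write" and rule["max_access"] != "write":
            continue
        return True
    return False


def authorize(req):
    """Return ("ALLOW", []) or ("DENY", [reasons]) and record the decision for audit."""
    reasons = []
    view = view_for(req.path)
    if view is None:
        reasons.append("path not under a labelled View")   # unlabelled data is never served
    else:
        labels = VIEWS[view]
        user = USERS.get(req.user)
        if user is None:
            reasons.append("unknown user")
        else:
            # RBAC: the union of the user's role permissions must include the action
            perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user["roles"]))
            if req.action not in perms:
                reasons.append("role lacks " + req.action)
            # ABAC: user attributes are compared with the View's inherited labels
            if CLEARANCE_RANK[user["attrs"]["clearance"]] < CLEARANCE_RANK[labels["classification"]]:
                reasons.append("clearance below data classification")
            if labels["program"] != "any" and user["attrs"]["program"] != labels["program"]:
                reasons.append("program attribute mismatch")
        if not segment_allows(req, view):
            reasons.append("network segment/protocol not permitted for this View")
    decision = "ALLOW" if not reasons else "DENY"
    AUDIT_LOG.append({"user": req.user, "path": req.path, "action": req.action,
                      "client_ip": req.client_ip, "protocol": req.protocol,
                      "decision": decision, "reasons": list(reasons)})
    return decision, reasons


if __name__ == "__main__":
    for r in [Request("alice", "/projects/alpha/report.txt", "read", "10.10.0.5", "nfs"),
              Request("bob", "/projects/alpha/report.txt", "read", "10.10.0.5", "nfs"),
              Request("carol", "/projects/alpha/report.txt", "write", "192.168.1.5", "nfs")]:
        print(r.user, r.action, r.path, "->", authorize(r))
```

Each deny reason is accumulated rather than returned at the first failure, so the audit record shows every control the request violated; that is what makes the log useful for the access-pattern analysis described under Audit and Monitoring.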
The VAST Data Platform’s implementation of the Data Pillar within the ZTA framework exemplifies how advanced security features and compliance with regulatory standards can create a secure, compliant environment. By embracing the principles of Zero Trust and implementing the Data Pillar with precision and foresight, VAST ensures that sensitive data remains protected against the evolving threats of the digital age. With VAST, organizations can confidently secure their data assets, paving the way for a future where data security and compliance are seamlessly integrated into the fabric of data management.