TL;DR: The NSA’s Zero Trust “Data” Pillar Cybersecurity Information Sheet

Zero Trust
Written By Aquia
Mack Wartenberger
Security Architect

The National Security Agency (NSA) has released a series of cybersecurity information sheets (CSIs) that offer prescriptive guidance for how agencies can pilot DoD-defined zero trust systems and integrate zero trust guidance into their enterprise strategy, design, and operations. These documents are dense and granular, so we are going to summarize the key points into a “TL;DR” to help you orient yourself around this guidance. Today, we focus on the “Advancing Zero Trust Maturity Throughout the Data Pillar” CSI. 

Skip right to the key areas:

The data pillar in zero trust is all about protecting the confidentiality, integrity, and availability (CIA) of data no matter where it resides or how it's being used. Data is a critical asset, from customer records, personally identifiable information (PII), and security tokens to credentials, intellectual property, and personal emails, all of which require proper governance, categorization, and continuous monitoring. By aligning risk with a data catalog, applying labels and tags, enforcing tag-based encryption, and automating access controls — alongside strategies like encryption, Data Loss Prevention (DLP), and Data Rights Management (DRM) — organizations can build a strong defense against data breaches.

That all sounds great in theory, but the zero trust approach to data security is often one of the most daunting challenges to organizations looking to adopt this framework. Why? Because data is everywhere, and building a sustainable, scalable management approach to it can feel like a massive undertaking. Most organizations looking to secure their data prefer to slap a shiny next-generation firewall (NGFW) on their perimeter and call it a day. But leaning too much on plug-and-play tooling alone, and skipping the foundational planning steps, limits your organization’s security, effectiveness, and efficiency at scale. Ignoring robust data security sets you up for disaster when breaches inevitably happen. 

Storytime

The NSA (who doesn’t do storytime as a general rule) goes out of its way to include a story about a 2017 breach of one of the nation's largest credit reporting agencies (CRA), that resulted in exposing the PII of 148 million Americans and over $425 million in losses to the firm. The breach, which lasted 76 days and covered over 51 databases, could have been prevented, or at least mitigated, with some combination of the zero trust capabilities we are outlining here; but just like many organizations the CRA in question felt that implementing those controls was too complicated.

Secure data management doesn’t have to be complicated. We’ll spend the rest of this blog demonstrating how a carefully planned and executed approach to zero trust data security can be not only possible but achievable for even the most complex enterprises.

Key insights:

  • You can’t secure what you can’t see: you have to catalog your data (yes this is the equivalent to eating your vegetables, but it pays dividends in the long run.)

  • Some data is more vulnerable than others: label and tag your data to keep track of what’s what.

  • Reduce blast radius to ensure that breaches aren’t widespread: microsegment your data through encryption and tag-based access controls

  • Least privilege: control what users and services can see based on their needs and leverage modern technology to make faster, smarter (contextual) access decisions.

Key Areas to Implement Zero Trust

Data Catalog Risk Alignment

  • Overview: A comprehensive, real-time inventory of all devices is the cornerstone of any robust zero trust strategy. A well-managed inventory ensures that only authorized devices are granted access to your network, supporting a critical "deny-by-default" policy that minimizes risk. Maintaining this inventory requires more than just tracking devices — it demands robust policies governing the entire lifecycle of device management. This includes strict criteria for procurement, ensuring devices meet security requirements like trusted platform module (TPM) certificates, encryption (where applicable), and proper firmware configurations. Additionally, acceptance testing (using guidelines like NIST SP 800-161) should be used to audit supply chain integrity, with tools like software bill of materials (SBOM) and TPM platform certificates providing a secure chain of custody. Proper deprovisioning procedures must also be in place to securely erase sensitive data and reset devices before they are retired, ensuring they don’t become a security liability.

  • Getting There: Begin by establishing a manual inventory, but recognize that this is only a starting point. To achieve a true sense of your posture, advance to an automated, real-time inventory system. Enforce strict policies for adding or removing devices, ensuring that every device is registered and authenticated with a unique identifier. This level of rigor is essential to prevent unauthorized devices from slipping through the cracks.

  • Takeaway: A dynamic and continuously updated device inventory is not just beneficial—it’s essential for establishing and maintaining trust in your network. Without it, you risk exposing your organization to unnecessary vulnerabilities.

Enterprise Data Governance

  • Overview: Data governance policies are your guardrails for safe, effective artificial intelligence/machine learning (AI/ML) tagging.

  • Getting there: Define enforceable data labeling, access control policies, and standards. Over time, refine policies and move toward automation.

  • Takeaway: Strong, carefully considered policies upfront are the foundation for scaling data security.

Data Labeling and Tagging

  • Overview: Use your experts to create tagging standards, then automate tagging throughout your system.

  • Getting there: Set tagging standards and use both manual and automated tools to apply them. Shift toward machine-enforced tagging as you mature.

  • Takeaway: Accurate tagging drives better security across your entire system.

Data Monitoring and Sensing

  • Overview: Combine policy with tech to prevent unauthorized access or sharing.

  • Getting there: Use metadata and monitoring tools to first track, and then control data access, integrate Data Loss Prevention (DLP) and Digital Rights Management (DRM), and feed analytics into a Security Information and Event Management (SIEM) system.

  • Takeaway: Automated encryption and tagging help ensure sensitive data isn’t mishandled.

Data Encryption and Rights Management

  • Overview: Assume breach. Encryption is key to limiting damage if data is compromised.

  • Getting there: Develop a strategy for encrypting data at rest and in transit. Automate encryption and DRM over time.

  • Takeaway: Encryption keeps your data safe, even if attackers get in—limit what they can do with it.

Data Loss Prevention

  • Overview: Data Loss Prevention (DLP) isn’t just for the perimeter; embed it throughout your system.

  • Getting there: Start with "monitor-only" DLP, refine policies, and move to “prevention mode”. Use automated tags to expand coverage.

  • Takeaway: Ransomware and insider threats demand strong, embedded DLP.

Data Access Control

  • Overview: Control who/what accesses data by using inventory, tagging, and policies.

  • Getting there: Define access policies for users/devices, integrate with automation, and refine over time with context aware access controls, including Policy-Based Access Controls (PBAC), Attribute-Based Access Controls (ABAC), and Role-Based Access Controls (RBAC).

  • Takeaway: Granular access control ensures only authorized users interact with your data.

Securing the data pillar in the zero trust model is all about smart classification, protection, and monitoring. Start by setting solid data classification and tagging standards, making sure everything is properly labeled and encrypted. Tie those tags directly to encryption policies for consistent protection. Sensitive data, especially when it leaves your systems, needs extra layers like DRM. A strong DLP framework is key to countering threats, both internal and external. Enforce strict access controls based on your policies and the context of each request, and always keep an eye out for unauthorized movement or changes. That might seem like a lot of work, but it pays off. Remember that data, and its protection, is the central focus of any robust zero trust maturity journey.

Need help with zero trust implementation? We’re here to support your journey toward a secure, resilient enterprise. Reach out to learn how we can assist you in advancing your ZT maturity.

Aquia

Securing The Digital Transformation ®

Aquia is a cloud and cybersecurity digital services firm and “2024 Service-Disabled, Veteran-Owned Small Business (SDVOSB) of the Year” awardee. We empower mission owners in the U.S. government and public sector to achieve secure, efficient, and compliant digital transformation.

As strategic advisors and engineers, we help our customers develop and deploy innovative cloud and cybersecurity technologies quickly, adopt and implement digital transformation initiatives effectively, and navigate complex regulatory landscapes expertly. We provide multi-cloud engineering and advisory expertise for secure software delivery; security automation; SaaS security; cloud-native architecture; and governance, risk, and compliance (GRC) innovation.

Founded in 2021 by United States veterans, we are passionate about making our country digitally capable and secure, and driving transformational change across the public and private sectors. Aquia is an Amazon Web Services (AWS) Advanced Tier partner and member of the Google Cloud Partner Advantage Program.

Next

Six Business-Critical Gaps Uncovered in AppOmni’s “The State of SaaS Security” Report