Zero Trust or Bust

The recently issued Executive Order 14028 serves as a call to action for the federal government, in partnership with private industry, to make “bold changes and significant investments” to strengthen the cybersecurity posture of the nation.


Among its objectives, the executive order mandates accelerated adoption of multi-factor authentication, encryption of data, and pursuit of zero-trust architectures by federal civilian executive branch agencies. As the requirements of order 14028 are executed over the next year and beyond, one primary consideration should drive implementation: who gets to see what content? 


Encryption alone is not a data-centric security approach. However, sound security policies can be enforced through encryption, even at the data level, through use of a consistent and diligently applied approach to access control built on a zero-trust model. 


Elements of Zero Trust 


Zero trust is predicated on the principle that, within the context of an information system, trust is never assumed or inherited, and, per NIST SP 800-207, it “involves minimizing access to resources (such as data, compute resources, and applications/services) to only those subjects and assets identified as needing access as well as continually authenticating and authorizing the identity and security posture of each access request.” With this foundational approach in mind, below are the six core elements of a data-centric zero-trust architecture:


Identity. This applies to individuals, devices, software, APIs and any other entity accessing sensitive information. The means of managing identity must be thoroughly examined by use case and should align with existing federal policies and trust