Understanding the new NSA guidance on Zero Trust - Data Pillar
In today's digital era, where cyber threats are increasingly sophisticated, traditional perimeter-based security models are no longer sufficient. The Zero Trust model, which assumes that threats can originate both inside and outside the network, requires explicit verification of every access request. Recognizing this shift, the NSA has issued new guidance on the Data pillar of Zero Trust to help organizations strengthen their security posture.
In a previous blog post, we explored the NSA's recommendations for the Network and Environment pillar of Zero Trust, using a city analogy to illustrate key concepts like network segmentation and access control. Today, we'll continue with this analogy as we delve into the crucial aspects of the Data pillar, focusing on how to protect the city's most valuable assets – its data.
The Data Pillar: Seven Key Components
The NSA's guidance on the Data pillar of Zero Trust can be understood through seven essential components. Each component plays a vital role in ensuring that data is secure, monitored, and controlled, much like the various security measures that protect a city’s most valuable assets.
1. Data Catalog Risk Alignment - City Inventory and Risk Zones
Imagine the city conducting a thorough inventory of all valuable assets and assessing the risk level of each. Critical infrastructure, like power plants or water supplies, is classified and prioritized for protection. Similarly, Data Catalog Risk Alignment involves identifying, classifying, and prioritizing data assets based on their sensitivity and importance. This process includes creating a comprehensive data catalog with metadata, governance policies, and data usage details. Data owners play a crucial role in ensuring their data is identified, inventoried, and categorized in the catalog, which facilitates governance and risk management.
Benefits:
- Enhanced Visibility: Knowing where your critical data resides and its risk level helps prioritize security efforts.
- Focused Protection: Resources can be allocated to protect the most sensitive data, ensuring maximum security impact.
2. Enterprise Data Governance - City Council Regulations
Just as a city council enforces laws and regulations, Enterprise Data Governance ensures that policies are in place for how data should be managed, accessed, and protected. This involves labeling and tagging data, implementing access control and sharing policies, and potentially using Data as a Service (DaaS) capabilities to enforce policies at the data object level. This comprehensive governance framework ensures compliance across the organization and establishes robust data handling practices.
Benefits:
- Regulatory Compliance: Helps meet legal and regulatory requirements, avoiding potential fines and sanctions.
- Consistency: Ensures data management practices are uniform across the organization, reducing risks associated with ad hoc processes.
3. Data Labeling and Tagging - Property Zoning and Labels
In a modern city, different zones are labeled and managed based on their specific requirements. For example, school zones have reduced speed limits to ensure children's safety, while industrial zones might require more energy and resources. These labels simplify management and enforcement of rules across the city. Similarly, Data Labeling and Tagging classify information based on its sensitivity and value, aiding in its protection and management. Establishing granular data attributes integrated into access control systems (e.g., data tagging) is essential for machine-enforceable data access controls, risk assessment, and situational awareness. As these practices mature, automation will help meet scaling demands and provide better labeling accuracy. Organizations should prioritize tagging high-value data assets first and ensure tagging is done in accordance with enterprise policies.
Benefits:
- Improved Data Management: Simplifies data handling by clearly categorizing information based on sensitivity.
- Efficient Security Policies: Enables the implementation of targeted security measures based on data classification.
- Automated Controls: Facilitates automated data access controls, risk assessments, and monitoring, enhancing security and compliance.
4. Data Monitoring and Sensing - City Surveillance Systems
Advanced surveillance systems are installed throughout the city to monitor activities in real-time. Similarly, in Zero Trust, Data Monitoring and Sensing involves detecting and analyzing data access and usage patterns to spot anomalies or threats immediately. Data should always be detectable and observable by those who need access to it. Security Information and Event Management (SIEM) tools play a crucial role in this capability, providing data owners with the ability to gather and analyze security data from various sources using a single interface. Ensuring all data has associated metadata, including information about access, sharing, transformation, and usage, enhances monitoring and decision-making.
Benefits:
- Immediate Threat Detection: Quickly identifies and responds to suspicious activities, minimizing potential damage.
- Comprehensive Visibility: Provides a detailed view of data usage and access patterns, enhancing security oversight.
5. Data Encryption and Rights Management - Secured Buildings
Imagine a city bank with vaults that have advanced locks and access controls. These vaults store the bank's most valuable assets, and only authorized personnel can access them. In some cases, opening the vault requires two different keys, adding an extra layer of security. Money within the bank is locked securely at rest, and during transit between vaults it remains protected by armored vehicles and security protocols. Similarly, Data Encryption and Rights Management protect data both at rest and in transit, ensuring only authorized individuals can access it. Data should be automatically encrypted based on the attributes assigned through tagging and labeling. This ensures that even if data is intercepted or a storage volume is copied, it remains unreadable, provided the keys are managed and protected separately from the data they encrypt. Additionally, other controls, such as Digital Rights Management (DRM) tools, can be applied to prevent unauthorized access, modification, or redistribution of data that has already been legitimately opened.
Benefits:
- Data Security: Protects data from unauthorized access, ensuring privacy and confidentiality.
- Regulatory Compliance: Helps meet data protection regulations that mandate encryption of sensitive information.
6. Data Loss Prevention - Airport Security and Customs Checks
In a city airport, security and customs checks ensure that no prohibited items are brought in or taken out. Similarly, Data Loss Prevention (DLP) tools act as security checkpoints for your data. These tools monitor and block unauthorized data transfers, safeguarding against data breaches. DLP tools are placed at enforcement points throughout the system (email gateways, web proxies, endpoints, and cloud storage) to detect and mitigate exfiltration effectively. They help counter both insider threats, such as employees attempting to leak sensitive data, and external threats, such as attackers trying to steal data. Establishing a baseline of normal data usage is crucial before enabling the blocking capabilities of DLP tools; otherwise, over-broad rules will interrupt legitimate workflows and generate false positives that erode trust in the control.
Benefits:
- Prevents Data Breaches: Blocks attempts to exfiltrate sensitive data, protecting against leaks and breaches.
- Monitors Data Movement: Provides visibility into data transfers, ensuring they are authorized and secure.
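The checkpoint idea above, in code. This is an added example, not code from the original post or from any Barracuda product: a small content scanner that looks for two of the data types DLP tools commonly target (payment card numbers and US Social Security numbers), validates each hit before reporting it, and supports a monitor mode for building the usage baseline before a block mode is switched on. The messages, users and channels are constructed for the example; the Luhn check and the SSA structural rules for SSNs are real, the policy around them is assumed.

```python
import re
from collections import Counter

# Constructed sample of outbound messages; none of these values are real.
# 4111 1111 1111 1111 passes the Luhn check, 1234567890123456 does not.
SAMPLE_MESSAGES = [
    {"user": "alice", "channel": "email",  "body": "Customer card 4111 1111 1111 1111 expires next month"},
    {"user": "bob",   "channel": "upload", "body": "Tracking number 1234567890123456 for the shipment"},
    {"user": "carol", "channel": "email",  "body": "Employee SSN 123-45-6789 is on file"},
    {"user": "dave",  "channel": "chat",   "body": "Meeting at 10, bring the slides"},
]

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most random digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject structurally impossible SSNs: area 000/666/9xx, group 00, serial 0000 are never issued."""
    return not (area in ("000", "666") or area.startswith("9") or group == "00" or serial == "0000")


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be logged without re-leaking the data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan(text: str) -> list:
    """Return findings as {'type': ..., 'masked': ...}; the raw value is never returned."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append({"type": "credit_card", "masked": mask(digits)})
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append({"type": "ssn", "masked": mask("".join(m.groups()))})
    return findings


def evaluate(message: dict, mode: str, baseline: Counter) -> dict:
    """monitor: record detections per (user, channel) and allow; block: stop any message with findings."""
    findings = scan(message["body"])
    key = (message["user"], message["channel"])
    if mode == "monitor":
        baseline[key] += len(findings)
        action = "allow"
    else:
        action = "block" if findings else "allow"
    return {"user": message["user"], "channel": message["channel"],
            "findings": findings, "action": action}


def run(messages: list, mode: str, baseline: Counter = None):
    """Evaluate a batch; returns (decisions, baseline counter)."""
    baseline = baseline if baseline is not None else Counter()
    return [evaluate(m, mode, baseline) for m in messages], baseline


if __name__ == "__main__":
    decisions, seen = run(SAMPLE_MESSAGES, "monitor")
    for d in decisions:
        print(d)
    print("baseline:", dict(seen))
    decisions, _ = run(SAMPLE_MESSAGES, "block")
    print([d["action"] for d in decisions])
```

Run it once in monitor mode over real traffic and the baseline counter shows which users and channels legitimately move card or SSN data (a finance mailbox, a payroll upload); those become allow-list entries before block mode is enabled, which is the practical meaning of the guidance's "establish a baseline first".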
7. Data Access Control - Checkpoints and Permissions
In a modern city, access to secure government buildings is tightly controlled so that only personnel with the correct credentials can enter. These buildings house sensitive operations and confidential information, so access is granted based on strict criteria. For example, only employees with the appropriate security clearance can enter certain floors or rooms, and additional authentication may be required at specific times or for particularly sensitive areas. Similarly, Granular Data Access Control ensures that data is available only to the right people under the right conditions. This context-aware access control combines user attributes (role, clearance, department), device attributes (managed, compliant, strength and recency of authentication), and environmental factors (time, network location) with the labels on the data itself. Because every decision is made against these attributes rather than against a static list of names, an unmanaged device or a user acting outside their normal context is refused even if the account itself is valid.
Benefits:
- Enhanced Security: Ensures that only authorized users can access sensitive data, reducing the risk of insider threats.
- Context-Aware Access: Adjusts access permissions based on various factors, providing dynamic and adaptive security.
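Sections 3, 5 and 7 describe one pipeline: tags on the data drive both the protective controls it must carry (section 5) and the attribute-based access decision made on every request (section 7). The following is an added example of that pipeline, not code from the original post or from any NSA or Barracuda material. The objects, users, devices, classification ladder and policy rules are all constructed for illustration; `protection_for` derives required controls from tags, and `decide` evaluates a small attribute-based policy that can answer deny, step-up (re-authenticate) or allow, with deny always winning.

```python
from dataclasses import dataclass

# Constructed sensitivity ladder; the policy compares positions on it.
LEVELS = ("public", "internal", "confidential", "restricted")


@dataclass(frozen=True)
class DataObject:
    name: str
    tags: dict            # machine-readable labels, e.g. classification, owner, pii


@dataclass(frozen=True)
class Subject:
    user: str
    department: str
    clearance: str
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Device:
    managed: bool
    compliant: bool
    mfa_age_minutes: int  # minutes since the user last completed MFA on this device


@dataclass(frozen=True)
class Environment:
    hour_utc: int
    network: str          # "corp" or "internet"


def level(name: str) -> int:
    return LEVELS.index(name)


def protection_for(tags: dict) -> dict:
    """Map an object's tags to the controls it must carry (section 5): encryption key, DLP watch, DRM."""
    cls = tags.get("classification", "internal")
    sensitive = level(cls) >= level("confidential")
    return {
        "encrypt_at_rest": sensitive,
        "key_id": f"kms/{cls}" if sensitive else None,   # hypothetical per-label key naming
        "dlp_watch": bool(tags.get("pii")),
        "drm_no_forward": cls == "restricted",
    }


def decide(subject: Subject, device: Device, env: Environment, obj: DataObject, action: str):
    """Evaluate the constructed policy (section 7). Returns (effect, reasons)."""
    tags = obj.tags
    cls = tags.get("classification", "internal")
    denies, step_ups = [], []

    if level(subject.clearance) < level(cls):
        denies.append(f"clearance {subject.clearance} is below {cls}")
    if tags.get("pii") and not (device.managed and device.compliant):
        denies.append("PII is only served to managed, compliant devices")
    if action in ("write", "share") and not (
        subject.department == tags.get("owner") or "data-steward" in subject.roles
    ):
        denies.append(f"{action} is reserved for the owning department or data stewards")
    if cls == "restricted":
        if env.network != "corp":
            denies.append("restricted data is only reachable from the corporate network")
        if device.mfa_age_minutes > 15:
            step_ups.append("restricted data requires MFA completed within 15 minutes")
    if level(cls) >= level("confidential") and env.network == "internet" and not 8 <= env.hour_utc < 18:
        step_ups.append("off-hours remote access to confidential data requires re-authentication")

    if denies:
        return "deny", denies
    if step_ups:
        return "step_up", step_ups
    return "allow", []


# Constructed objects, principals and contexts.
FORECAST = DataObject("q3_forecast.xlsx", {"classification": "confidential", "owner": "finance", "pii": False})
PAYROLL = DataObject("payroll.csv", {"classification": "restricted", "owner": "hr", "pii": True})
DIRECTORY = DataObject("employee_directory.csv", {"classification": "internal", "owner": "hr", "pii": True})
ALICE = Subject("alice", "finance", "confidential")
BOB = Subject("bob", "engineering", "confidential")
CAROL = Subject("carol", "hr", "restricted", frozenset({"data-steward"}))
DAVE = Subject("dave", "marketing", "internal")
MANAGED = Device(True, True, 5)
STALE_MFA = Device(True, True, 60)
BYOD = Device(False, False, 5)
OFFICE = Environment(10, "corp")
REMOTE_NIGHT = Environment(22, "internet")


def run_scenarios() -> dict:
    """Each scenario exercises one rule; returns scenario name -> effect."""
    scenarios = {
        "alice reads forecast at the office": (ALICE, MANAGED, OFFICE, FORECAST, "read"),
        "bob shares finance forecast": (BOB, MANAGED, OFFICE, FORECAST, "share"),
        "carol reads payroll with stale MFA": (CAROL, STALE_MFA, OFFICE, PAYROLL, "read"),
        "carol reads payroll from the internet": (CAROL, MANAGED, REMOTE_NIGHT, PAYROLL, "read"),
        "alice reads directory from BYOD": (ALICE, BYOD, OFFICE, DIRECTORY, "read"),
        "dave reads forecast": (DAVE, MANAGED, OFFICE, FORECAST, "read"),
        "alice reads forecast remotely at night": (ALICE, MANAGED, REMOTE_NIGHT, FORECAST, "read"),
    }
    return {name: decide(*args)[0] for name, args in scenarios.items()}


if __name__ == "__main__":
    for name, effect in run_scenarios().items():
        print(f"{effect:8} {name}")
    print(protection_for(PAYROLL.tags))
```

The point of keeping `protection_for` and `decide` separate is that both read the same tags: changing an object's label from internal to restricted automatically tightens its encryption, DRM and access conditions without touching any per-user permission, which is what the guidance means by machine-enforceable labels. Real deployments feed the same attributes from the identity provider, the device management platform and the data catalog rather than from constants.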
SASE: A Modern Solution for a Modern City
Managing all these security measures can be complex, but it doesn't have to be. Barracuda SecureEdge, Barracuda Data Inspector, and Barracuda Backup offer comprehensive solutions to simplify and strengthen your security in a Zero Trust environment.
Barracuda SecureEdge is a cloud-native Secure Access Service Edge (SASE) platform that enhances network security with features like:
- Firewall-as-a-Service (FWaaS): Advanced cloud-based firewall capabilities to protect your infrastructure and intellectual property.
- Zero Trust Access (ZTA): Secure application access from any location or device.
- Secure SD-WAN: Optimizes network performance with redundant connectivity for dispersed locations and cloud infrastructure.
- Consistent Policy Enforcement: Applies security policies uniformly across the network, minimizing human error and misconfigurations.
- Simplified Management: A unified platform that is easier to maintain and update than managing multiple security tools.
Barracuda Data Inspector complements this by focusing on data protection:
- Automated Sensitive Data Discovery: Scans OneDrive and SharePoint for sensitive information, like Social Security numbers and credit card data, identifying where it is stored and if it’s been shared.
- Data Risk Remediation: Offers options to unshare, quarantine, or delete sensitive data, ensuring compliance and reducing the risk of fines and reputation damage.
- Malware Detection and Removal: Identifies and eradicates dormant malware in SharePoint and OneDrive to prevent potential ransomware attacks.
- Enhanced Compliance: Supports compliance with regulations such as GDPR and CCPA by alerting users and administrators about sensitive data storage and potential risks.
Barracuda Backup adds another layer of protection by ensuring resilient data backup and recovery capabilities:
- Comprehensive Data Protection: Protects physical, virtual, and SaaS environments, ensuring that data is securely backed up and recoverable.
- Cloud and On-Premises Backup: Offers flexible deployment options to suit your organization's needs, whether on-premises or in the cloud.
- Fast Recovery: Provides quick restoration of data in the event of loss or breach, minimizing downtime and operational impact.
Your Role as an IT Admin in Protecting Data
As an IT admin, you play a crucial role in implementing and maintaining a Zero Trust architecture within your organization. By leveraging solutions like Barracuda SecureEdge, Data Inspector, and Backup, you can:
- Assess and Prioritize Data Risks: Identify and focus on protecting critical data assets.
- Implement Robust Data Governance: Ensure consistent data management practices and regulatory compliance.
- Utilize Advanced Monitoring Tools: Detect and respond to suspicious activities in real-time.
- Enforce Granular Access Controls: Ensure only authorized users access sensitive data.
- Prevent Data Loss: Monitor and block unauthorized data transfers.
- Ensure Data Resilience: Utilize robust backup solutions to safeguard data against breaches and ensure quick recovery.
In summary, the NSA's guidance on the Data pillar of Zero Trust provides a robust framework for securing sensitive data. By implementing these principles and leveraging advanced tools like Barracuda SecureEdge, Data Inspector, and Backup, IT admins can significantly enhance their organization's security posture. Remember, in the world of cybersecurity, vigilance and proactive measures are key to safeguarding your digital assets. Barracuda can be an instrumental partner in your Zero Trust journey, providing the necessary tools to secure your network, protect your data, and ensure business continuity.