This article is intended for senior officials at U.S. Federal Civilian Executive Branch Departments and Agencies responsible for implementing the requirements laid out in the Executive Order announced on May 12, 2021.
The recently issued Executive Order, Improving the Nation’s Cybersecurity, speaks to the necessity—and urgency—of encrypting content ubiquitously, so that protection is ingrained in data from the moment it is created. The executive order calls for “bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
With federal agencies required to submit concrete plans for Zero Trust architecture within 60 days, and other key milestones falling shortly thereafter, it’s clear that cybersecurity is a central focus and high priority for the federal government in 2021.
The directive also encourages agencies to pursue encryption and accelerate adoption of multi-factor authentication (MFA). One primary consideration when implementing these objectives: who gets to see what content?
Agency Heads and their senior leadership teams have an opportunity not only to comply with the requirements of the latest executive order but also to implement encryption, MFA, and Zero Trust Architectures in a manner that both improves security and furthers organizational objectives to leverage data as a strategic asset.
Encryption alone is not a data-centric security approach. However, when supported by a requirement for strong identity and corresponding credentials for access, as well as a consistent and diligently applied approach to access control, policy can be enforced through encryption, even at the level of individual data objects: a subject that does not satisfy the policy is never given the key, so the policy holds wherever the encrypted object travels. Adoption of cryptographically enforced granular access control models – for example, attribute-based access control (ABAC) – is not only possible but increasingly necessary, as evidenced by the latest advanced persistent cyber campaign targeting civilian agencies, among others.
As a domain expert in data protection, including cryptography (encryption specifically), key management, ABAC, the Trusted Data Format (TDF), and Zero Trust solution design, Virtru offers the following recommendations for federal agencies seeking to meet the requirements of several key elements of this Executive Order:
A Zero Trust strategy is predicated on the principle that trust is never inherited and, per NIST SP 800-207, “involves minimizing access to resources (such as data and compute resources and applications/services) to only those subjects and assets identified as needing access as well as continually authenticating and authorizing the identity and security posture of each access request.” We at Virtru believe that for Zero Trust to be effective, encrypted data must be stored and managed separately from the associated encryption keys. If keys are hosted alongside the data they protect, an attacker who breaches the data store obtains both at once, the encryption adds little in the case of that breach, and the organization is left more vulnerable to exploitation.
With this foundational approach in mind, Virtru recommends that Federal agencies account for six core elements of a data-centric architecture when planning and executing a Zero Trust strategy:
In general, enterprise-level Zero Trust roadmaps should address the above elements in the following phases:
Each enterprise strategy will look different, with some approaches centralizing action and resources at the Department or Agency level while others adopt a more decentralized approach based on common enterprise guidelines. Interagency oversight and technical implementation leads for the EO, including OMB, NSC, and CISA, can focus on holding Agency Heads accountable for achieving results and offering assistance as a partner where needed and as appropriate.
Virtru addresses the collective needs of identity, credential, and access management (ICAM); encryption; data tagging; and policy enforcement. By encrypting sensitive data at the object level with the Trusted Data Format (TDF) — an ODNI-approved data protection standard — agencies can keep data protected across its entire lifecycle, from creation through storage, collaboration, and sharing, rather than only within the traditional paradigm of “in motion and at rest.”
Virtru equips agencies with administrative controls that support data tagging and attribute-based access controls, so organizations can manage exactly who can access certain types of data, with the ability to revoke access at any time. This level of control, paired with multi-factor authentication (MFA), ensures data can only be accessed by the intended recipient, supporting agencies’ data strategy and security efforts. Strong authentication and encryption should, however, be implemented as the means by which access control policy is enforced, rather than as an adjacent, separate solution.
The recent cyber attacks on SolarWinds systems, Microsoft Exchange Server users, and Colonial Pipeline demonstrate the importance of a layered approach to identity management and data security. Implementing the above recommendations in conjunction with an object-level encryption solution like Virtru that empowers data owners to manage their own keys and associated policies enables the immediate revocation of data access (since every copy of an object depends on the owner releasing its key), regular and rapid rotation of encryption keys, and mitigation of data loss to “stop the bleeding” quickly.
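The three mechanisms this article relies on, a key access service kept separate from the data store, ABAC evaluated before any key is released, and revocation or rotation performed at the key service rather than on the stored data, can be shown end to end in a small model. The code below is an added example written for this page; it is not Virtru's product code and not an implementation of the TDF specification, and every name in it (KeyAccessService, protect, access, the policy and subject attributes) is an assumption made for the demo. It uses only the Python standard library, so the authenticated encryption is an encrypt-then-MAC construction over an HMAC-SHA256 keystream standing in for AES-GCM.

```python
"""Added example, not Virtru's or the TDF specification's code: object-level
encryption where the data store holds only ciphertext plus a bound policy, and
a separate key access service releases a key only to subjects whose attributes
satisfy that object's ABAC policy. All names are assumptions for this demo."""
import hashlib
import hmac
import json
import os

# Encrypt-then-MAC over an HMAC-SHA256 counter-mode keystream: standard library
# only, as a stand-in for AES-GCM. Use a vetted AEAD in a real system.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    mac_input = nonce + len(aad).to_bytes(8, "big") + aad + ct
    return nonce + ct + hmac.new(_subkey(key, b"mac"), mac_input, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_input = nonce + len(aad).to_bytes(8, "big") + aad + ct
    if not hmac.compare_digest(hmac.new(_subkey(key, b"mac"), mac_input, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext or its bound policy was tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

class AccessDenied(Exception):
    pass

class KeyAccessService:
    """Runs on infrastructure separate from the data store. Holds each object's
    data key (wrapped under the service's own KEK) and its policy, never the data."""
    def __init__(self):
        self._kek = os.urandom(32)
        self._entries = {}  # object_id -> (wrapped DEK, policy)

    def register(self, object_id, dek, policy):
        self._entries[object_id] = (seal(self._kek, dek, object_id.encode()), policy)

    def request_key(self, object_id, subject):
        """ABAC decision: every attribute named by the stored policy must be present
        on the subject with an allowed value. The service's stored copy of the policy
        is used, not whatever the caller's container claims."""
        if object_id not in self._entries:
            raise AccessDenied("no key for this object (unknown or revoked)")
        wrapped, policy = self._entries[object_id]
        for attr, allowed in policy.items():
            if subject.get(attr) not in allowed:
                raise AccessDenied(f"attribute {attr!r} does not satisfy policy")
        return unseal(self._kek, wrapped, object_id.encode())

    def revoke(self, object_id):
        self._entries.pop(object_id, None)  # every copy of the object goes dark

    def rotate_kek(self):
        """Rewrap all DEKs under a fresh KEK; ciphertext in the data store is untouched."""
        new_kek = os.urandom(32)
        for oid, (wrapped, policy) in list(self._entries.items()):
            self._entries[oid] = (seal(new_kek, unseal(self._kek, wrapped, oid.encode()), oid.encode()), policy)
        self._kek = new_kek

def _canonical(policy) -> bytes:
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()

def protect(kas, plaintext: bytes, policy: dict) -> dict:
    """Encrypt one object under a fresh DEK with its policy bound as AAD, hand the
    DEK to the key service, and return only what the data store keeps."""
    object_id, dek = os.urandom(8).hex(), os.urandom(32)
    blob = seal(dek, plaintext, object_id.encode() + _canonical(policy))
    kas.register(object_id, dek, policy)
    return {"id": object_id, "policy": policy, "blob": blob}

def access(kas, container: dict, subject: dict) -> bytes:
    dek = kas.request_key(container["id"], subject)
    return unseal(dek, container["blob"], container["id"].encode() + _canonical(container["policy"]))

def try_access(kas, container, subject) -> str:
    try:
        access(kas, container, subject)
        return "allowed"
    except (AccessDenied, ValueError):
        return "denied"

def demo() -> dict:
    """Constructed scenario: one document, two subjects, then KEK rotation and revocation."""
    kas = KeyAccessService()
    policy = {"clearance": ["secret", "top_secret"], "agency": ["DHS"]}
    doc = protect(kas, b"incident report: contain lateral movement first", policy)
    analyst = {"clearance": "secret", "agency": "DHS"}
    contractor = {"clearance": "secret", "agency": "VENDOR"}
    stolen = dict(doc, policy={"agency": ["VENDOR"]})  # exfiltrated container, policy edited
    results = {"analyst": access(kas, doc, analyst),
               "contractor": try_access(kas, doc, contractor),
               "tampered_policy": try_access(kas, stolen, contractor)}
    kas.rotate_kek()
    results["after_rotation"] = try_access(kas, doc, analyst)
    kas.revoke(doc["id"])
    results["after_revoke"] = try_access(kas, doc, analyst)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design points matter more than the cipher. First, the container returned by protect holds no key, so an attacker who copies the data store gets ciphertext and a policy and nothing else; the decision that matters is made by request_key on infrastructure the attacker has not breached. Second, the policy is both stored at the key service and bound into the ciphertext as associated data, so editing the policy in a stolen container neither changes the service's decision nor yields a ciphertext that will decrypt. Rotation rewraps keys without touching stored objects, and revocation deletes the key entry, which is why access to every already-distributed copy can be withdrawn at once.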
With sophisticated, large-scale cyber attacks accelerating, it’s vital that federal agencies and their industry partners act quickly to reduce vulnerabilities, modernize their security, and safeguard their data. As the EO emphasizes, “The prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.”
Virtru’s mission is to empower organizations to unlock the power of data while maintaining control, everywhere data are stored and shared. Leveraging the ODNI-approved Trusted Data Format (TDF), Virtru’s core technology was originally created for the purpose of protecting the nation’s most sensitive, confidential data across its entire lifecycle. Virtru offers protection of any content with robust encryption, control of dissemination regardless of the consumer’s location or organization, and complete audit of any actions on protected content. Protection can be rule-based and automated to ensure data owners have complete control over their documents.
Over 20,000 organizations trust Virtru for data protection, including U.S. Federal civilian, defense, and intelligence agencies. With offerings authorized both through FedRAMP at the Moderate level and by specific agencies for mission workflows, Virtru’s portfolio of solutions and tools — built on the Virtru Data Security Platform — enables Federal organizations to realize a lifecycle approach to data management and security.
To see how Virtru can help your agency adapt, strategize, and rapidly respond to the new executive order, reach out to us today at federal@virtru.com.