U/OO/140279-24 | PP-24-1320 | April 2024 Ver. 1.0
National Security Agency | Cybersecurity Information Sheet
Advancing Zero Trust Maturity Throughout the Data Pillar
Executive summary
This cybersecurity information sheet (CSI) provides recommendations for maturing data security and enforcing access to data at rest and in transit, ensuring that only those with authorization can access the data. It further discusses how these capabilities integrate into a comprehensive Zero Trust (ZT) framework, as described in Embracing a Zero Trust Security Model. [1]

Traditional security approaches have often relied on perimeter defenses alone to secure networks. Recent events highlight that adversaries who are successful at gaining a foothold in information systems often readily gain unfettered access to all data in those systems. By applying the recommendations in the data pillar, including identifying risks to data, integrating granular data attributes into access control mechanisms, and monitoring data access and use, organizations will reduce the impact and consequences of breaches and identify suspect activity earlier in the cyber intrusion lifecycle.

To protect data, an organization needs to know what data it has and track how it moves and is accessed inside and outside the enterprise. Tracking data can be a significant task, so having an automated method for identifying data of value on the network or performing a data inventory operation is recommended. Data protection ensures that data is only accessed by authorized entities. Granular control of data not only keeps it safe within the enterprise, but also ensures that it can be safely shared with other organizations and partners to achieve interoperability. Implementing these activities will limit the ability of adversaries to reach targeted data assets. It will also provide visibility to system managers of compromised assets that require mitigation should adversaries be successful in their efforts.
Introduction
In September 2017, a major credit reporting agency (CRA) reported it had been the victim of a data breach resulting in the theft of records from 148 million American customers. The stolen data included highly sensitive personally identifiable information (PII), such as social security numbers, credit card numbers, dates of birth, residential records, and driver's license numbers. [2] The incident began with access to a vulnerable server, whereupon PII from dispute resolution documents was stolen and additional login credentials obtained. The cyber threat actors then used those credentials to penetrate deeper into the network and pilfer a staggering amount of data over a 76-day period in which they accessed 51 different databases. [3]

As one of the nation's largest CRAs, this company's data was highly valuable and the loss of it extremely costly to itself and its customers. The CRA agreed in 2022 to a global settlement with the Federal Trade Commission of $425 million paid to those affected by the breach. [4] If the data had resided within a ZT enabled environment, the breach could have been prevented, or at least lessened due to controls on data access and use. The ZT security model assumes that a breach is inevitable or has likely occurred already, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. [1]

"Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses." [1]

This guidance focuses on the data pillar, which specifically addresses data cataloging, governance, attributes and tags, monitoring, encryption, loss prevention, and access control.

The information presented in this report is not a definitive guide with a standardized solution that fits all organizational needs, but rather provides suggestions and considerations for adopting ZT. Discovering and identifying the assets that need to be secured to support the organization's mission will help build a picture of the current architecture for applying the recommendations in these seven ZT pillar reports. This picture of the current architecture will help all stakeholders identify organizational risks and gaps and ultimately inform building a mature ZT architecture for the organization. The ultimate goal is to integrate these principles into a comprehensive ZT strategy aligned with the organization's security objectives.

Adopting ZT principles is not accomplished overnight. Implementing them is achieved through careful and deliberate planning and continuous incremental improvements that bring cybersecurity protections, responses, and operations to maturity over time. Building capabilities aligned to a mature ZT framework requires integrating every system in the enterprise with the appropriate security controls, best practices, configuration management, and vulnerability management for each of the seven pillars: User, Device, Network & Environment, Data, Application & Workload, Visibility & Analytics, and Automation & Orchestration. Each pillar constitutes a key focus area of ZT implementation, with the data pillar effectively secured by the other six. [5]
Audience
This report provides guidance primarily intended for National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) networks, but may be useful for owners and operators of other systems that might be targeted by sophisticated malicious actors. Guidance for other system owners and operators is also available via the National Institute of Standards and Technology (NIST) [6] and the Cybersecurity and Infrastructure Security Agency (CISA). [7] This guidance is compatible with the DoD ZT guidance referenced at the end of this document. [5]
Background
The President's Executive Order on Improving the Nation's Cybersecurity (EO 14028) [8] and National Security Memorandum 8 (NSM-8) [9] direct the Federal Civilian Executive Branch (FCEB) agencies and NSS owners and operators to develop plans to adopt a ZT cybersecurity framework.

In the NSA report Embracing a Zero Trust Security Model, the concept of ZT is defined and contextualized along with the undergirding principles of the seven pillars [1] as illustrated in the following figure. The pillars are made up of several capabilities that earmark the progressive maturity of a comprehensive ZT framework. The capabilities described in this report are intended to continually mature cybersecurity protections, responses, and operations over time. Progression of capabilities in each pillar should be seen as a cycle of continuous improvement based on evaluation and monitoring of threats.

Figure 1: Description of the seven pillars of ZT

Figure 1 depicts the ZT pillars, including the data pillar. The capabilities and milestones for the data pillar component of the ZT maturity model are described in detail throughout this report. The pillars are not independent; many capabilities in the data pillar depend on or align with capabilities in other pillars as indicated.
Data pillar
An organization's data is extremely important and valuable. It is data, in its many forms, that is targeted by malicious entities. Customer records, user credentials, proprietary information, employee personally identifiable information (PII), intellectual property, personal emails, etc. are all fundamental to an organization. The ZT architecture is designed as a data-centric security model that draws on each connected pillar to ensure the confidentiality, integrity, and availability of an organization's data, whether it exists within or outside of the network.

The data pillar focuses on securing and enforcing access to data at rest and in transit through various methods, including encryption, tagging and labeling, data loss prevention (DLP) strategies, and application of data rights management (DRM) tools. Additionally, securing data so it is accessed exclusively by authorized users is a primary responsibility of the data pillar and should not be taken for granted. The data pillar derives security benefits from capabilities performed by the other six pillars. Those capabilities are mapped to the DoD Chief Information Officer (CIO) ZT Strategy and NIST SP 800-207: Zero Trust Architecture. [10], [6]

This report identifies the following capabilities and aligns them to ZT maturity levels:
● Data catalog risk alignment
● Enterprise data governance
● Data labeling and tagging
● Data monitoring and sensing
● Data encryption and rights management
● Data loss prevention
● Data access control

Figure 2: ZT data pillar maturity
Data catalog risk alignment
The first step in controlling data against threats is to identify all types of data in the environment and assess their risks of exposure, loss of availability, and loss of integrity. An enterprise data catalog should be a comprehensive inventory of data within the enterprise available for reference. This catalog, while not containing the data itself, includes metadata about the data, governance policies, and data usage. [5]

Data owners within an organization are aware of the details and purpose of their data. They must ensure their data is identified, inventoried, and categorized in the data catalog. This enterprise view of the data helps to facilitate data governance activities. When data owners review the catalog, they can identify potential risks or risk levels related to data loss, breach, or any other unauthorized alteration and/or access to data.

Table 1: Data catalog risk alignment maturity
Preparation: Data landscape is reviewed to identify potential risks related to data loss, breach, or any other unauthorized alteration and/or access.
Basic: Critical organization data is manually identified and inventoried. Current state is recorded and data baseline set. Data ownership is identified, and data is catalogued based on resource criticality. Data usage patterns are established.
Intermediate: Automated processes are established to identify and monitor the data landscape within the catalog. Processes are enabled to ensure data is automatically detected and included within the catalog.
Advanced: Data is known and can be collected, tagged, and protected according to risk levels in alignment with a prioritization framework, and encrypted for protection. Data is continuously analyzed to evaluate risk. Tooling is employed to discover improperly tagged sensitive data and alert/quarantine the data.
Enterprise data governance
Enterprise data governance ensures that data is controlled, accessed, and shared across organizations according to defined policies based on inputs from their cybersecurity infrastructure. Enterprise data labeling and tagging, access control and sharing policies, along with Data as a Service (DaaS) capabilities where applicable, ensure enforceability at the data object level. [11]

Table 2: Enterprise data governance maturity
Preparation: Organization develops enterprise data labeling/tagging and access control/sharing policies that are enforceable. Organization establishes just-in-time and just-enough data access control policies.
Basic: Data is tagged and labeled in compliance with applicable enterprise policies. Data is encrypted with published enterprise frameworks according to enterprise policies.
Intermediate: Data protection policies are assessed and refined for interoperability across networks and partner organizations. Data tagging and interoperability standards are defined.
Advanced: Rules and access controls are automated through central policy management. Policies are reviewed on a periodic basis and solutions regularly updated to remain in compliance.
Data labeling and tagging
Establishing granular data attributes integrated into access control systems (e.g. data tagging) consistently and correctly is required for machine enforceable data access controls, risk assessment, and situational awareness. As data attribute tagging and labeling practices mature, labeling should become automated to meet scaling demands and provide better labeling accuracy. Organizations should apply granular attributes to security and mission critical data on high value assets first.

Organizations should tag data in accordance with enterprise policies. Phases of implementation should advance toward full automation to enable accurate tagging at scale. Once data is properly labeled and tagged, the organization should establish automated data access controls, risk assessments, and monitoring for situational awareness based on enterprise governance policies. [12]

Table 3: Data labeling and tagging maturity
Preparation: Data tagging standards are defined and tools configured to support enterprise policies.
Basic: Data tagging and classification tools are implemented. Data owners manually label and tag data in compliance with enterprise governance on labeling/tagging policy.
Intermediate: Machine enforceable data access controls are implemented. Automated tooling is created and implemented to meet scaling demands and provide better accuracy.
Advanced: Data tagging and support is fully automated. Continuous analysis is employed to ensure data is properly tagged and labeled, and automation procedures remedied as needed.
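As an added example (not part of the NSA document), the following Go program shows what the catalog and tagging capabilities look like in code once tagging is automated: it scans a data object's content for sensitive patterns, assigns granular tags, and records a catalog entry that holds metadata and a criticality rating but never the data itself. The tag names (PII, PCI, CUI), the detection rules, the criticality scheme, and the sample records are assumptions constructed for the example; an enterprise would substitute its own tagging standard.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Tag is a granular data attribute attached to a data object. The tag
// names here are assumptions for this example; an enterprise would define
// its own tagging standard.
type Tag string

const (
	TagPII Tag = "PII"
	TagPCI Tag = "PCI"
	TagCUI Tag = "CUI"
)

// Detection rules (assumed for the example). SSNs and card numbers are
// matched by regular expression; card candidates are then confirmed with
// the Luhn check so that arbitrary 16-digit numbers (order IDs, tracking
// numbers) are not mislabeled as payment card data.
var ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
var cardRe = regexp.MustCompile(`\b(?:\d[ -]?){13,19}\b`)
var cuiRe = regexp.MustCompile(`(?i)\bCUI\b|\bCONTROLLED UNCLASSIFIED\b`)

// luhnValid reports whether the digits (spaces and dashes removed) pass the
// Luhn checksum used by payment card numbers.
func luhnValid(candidate string) bool {
	s := strings.NewReplacer(" ", "", "-", "").Replace(candidate)
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(s) >= 13 && sum%10 == 0
}

// ClassifyContent returns the sorted set of tags implied by the content of
// one data object.
func ClassifyContent(content string) []Tag {
	found := map[Tag]bool{}
	if ssnRe.MatchString(content) {
		found[TagPII] = true
	}
	for _, m := range cardRe.FindAllString(content, -1) {
		if luhnValid(m) {
			found[TagPCI] = true
		}
	}
	if cuiRe.MatchString(content) {
		found[TagCUI] = true
	}
	tags := make([]Tag, 0, len(found))
	for t := range found {
		tags = append(tags, t)
	}
	sort.Slice(tags, func(i, j int) bool { return tags[i] < tags[j] })
	return tags
}

// CatalogEntry is the metadata the data catalog keeps about an object; it
// never holds the object's content.
type CatalogEntry struct {
	Resource    string
	Owner       string
	Tags        []Tag
	Criticality string // "high" or "standard", derived from tags (assumed scheme)
}

// Catalog scans a resource and records its tags and a criticality derived
// from them, so risk review can prioritize what to protect first.
func Catalog(resource, owner, content string) CatalogEntry {
	tags := ClassifyContent(content)
	crit := "standard"
	if len(tags) > 0 {
		crit = "high"
	}
	return CatalogEntry{Resource: resource, Owner: owner, Tags: tags, Criticality: crit}
}

func main() {
	// Constructed sample records; not real data.
	samples := map[string]string{
		"hr/disputes/case-1042.txt": "Claimant SSN 123-45-6789, dispute opened 2017-05-13",
		"finance/refunds.csv":       "refund to card 4111 1111 1111 1111 for order 1234567890123456",
		"ops/release-notes.txt":     "Build 2024.04 deployed; no customer impact",
	}
	for res, body := range samples {
		e := Catalog(res, "data-owner@example.invalid", body)
		fmt.Printf("%-28s tags=%v criticality=%s\n", e.Resource, e.Tags, e.Criticality)
	}
}
```

The refund record shows why the Luhn step matters: it carries two 16-digit numbers, but only the one that passes the checksum is tagged PCI, so the order number does not inflate the catalog's high-criticality set.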
Data monitoring and sensing
Data should always be detectable and observable by those who should have access to it and those who are required to manage it. Data metadata should be observable for tracking and alerting, although sometimes only partially since metadata can have sensitivities and access controls. Data owners and automated management solutions should ensure all data has associated metadata that includes current information about the access, sharing, transformation, and use of the data assets. This ensures basic integration with monitoring systems, and data owners with authorized access will make decisions about potential corruption or compromise. Organizations must have enforcement points in place to enable logging and policy enforcement.

Security Information and Event Management (SIEM) tools, which will be discussed more in the Visibility & Analytics pillar, play a role in this capability, providing data owners with the ability to gather and analyze security data from information systems using a single interface.

Table 4: Data monitoring and sensing maturity
Preparation: Data owners identify and capture active metadata that provides insight into access, sharing, transformation, and use of data assets. Analysis is conducted to determine where tooling should be deployed for logging and enforcement points.
Basic: Database monitoring solutions are procured and implemented across all databases containing regulated data types (CUI, PII, PHI, etc.). Data file monitoring tools are utilized to monitor critical data in applications, services, and repositories. Analytics from monitoring is fed into the SIEM with basic data attributes.
Intermediate: File monitoring tools are used to monitor all regulatory protected data in applications, services, and repositories. Extended integration is used to send data to appropriate inter/intra-pillar solutions, such as DLP, DRM, and User & Entity Behavior Analytics. Data outside of DLP and DRM scope, such as file shares and databases, are actively monitored for anomalous and malicious activity using alternative tooling.
Advanced: Logs and analytics from all the data monitoring solutions are fed into the SIEM for monitoring and response. Analytics are fed into cross pillar activities to better inform decision making. Additional data attributes to meet ZT advanced functionalities are integrated into analytics.
Data encryption and rights management
Data encryption and rights management combines technology with policy to protect data against unwanted access, modification, or redistribution. Data should be automatically encrypted based on data attributes assigned through tagging and labeling. By encrypting the data, organizations can be more assured their data is protected even if it is exfiltrated or lost as long as a malicious actor does not have the associated decryption keys. For additional security or if encryption is impossible, other data controls can be applied to protect data; this includes using DRM tools that prevent a user from forwarding, editing, saving, or printing data.

Table 5: Data encryption and rights management maturity
Preparation: Organizations establish a strategy for encrypting data at rest and in transit following enterprise standards and requirements.
Basic: Encryption gaps are identified; enterprise-managed devices and centralized key management are employed. Organizations procure encryption tools as needed to implement the data at rest and in transit encryption strategy. Initial DRM implementations are used to reduce data exposure outside of enterprise-managed systems, focusing on protecting critical data in high-risk data repositories.
Intermediate: Encryption keys are automatically managed. All data is encrypted across the entire enterprise environment. DRM is expanded to all scoped data repositories.
Advanced: Data tags are integrated with DRM; data is automatically encrypted at rest based on data tags. Additional tags are created to protect extended data repositories with DRM solutions designed to track and protect data. Machine learning models are used to detect and alert on anomalous usage of data. These models are integrated with encryption and DRM tools.
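The following Go program is an added example, not code from the NSA document, of encryption at rest driven by data tags with centrally managed keys: the tag on an object selects the key, keys are versioned so they can be rotated, and the resource name, tag, and key version are bound into the AES-GCM associated data so that an object whose label is changed after the fact cannot be decrypted under another tag's key. The in-memory key service, the tag names, and the sample record are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyService stands in for centralized key management: one AES-256 key per
// (tag, version), so a tag can be rotated without losing access to objects
// sealed under the old key. The in-memory map is an assumption for this
// example; a real deployment would front an HSM- or KMS-backed service.
type KeyService struct {
	keys    map[string][]byte // "TAG/vN" -> 32-byte key
	current map[string]int    // tag -> current version
}

func NewKeyService(tags ...string) *KeyService {
	ks := &KeyService{keys: map[string][]byte{}, current: map[string]int{}}
	for _, t := range tags {
		ks.Rotate(t)
	}
	return ks
}

// Rotate installs a fresh random key for a tag and makes it current.
func (ks *KeyService) Rotate(tag string) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	ks.current[tag]++
	ks.keys[fmt.Sprintf("%s/v%d", tag, ks.current[tag])] = k
}

func (ks *KeyService) gcmFor(tag string, version int) (cipher.AEAD, error) {
	k, ok := ks.keys[fmt.Sprintf("%s/v%d", tag, version)]
	if !ok {
		return nil, fmt.Errorf("no key for tag %q version %d", tag, version)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Sealed is what the repository stores: ciphertext plus the metadata needed
// to pick the key and to verify the binding between object and tag.
type Sealed struct {
	Resource string
	Tag      string
	Version  int
	Nonce    []byte
	Cipher   []byte
}

// aad binds resource name, tag and key version into the GCM associated data.
func aad(resource, tag string, version int) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|v%d", resource, tag, version)))
	return sum[:]
}

// Seal encrypts one object under the key its tag selects. Because the tag is
// authenticated, an object re-labeled later (PII re-tagged PUBLIC to reach a
// weaker key, or copied under another name) fails to open instead of leaking.
func Seal(ks *KeyService, resource, tag string, plaintext []byte) (*Sealed, error) {
	v, ok := ks.current[tag]
	if !ok {
		return nil, fmt.Errorf("tag %q has no encryption policy; refusing to store", tag)
	}
	gcm, err := ks.gcmFor(tag, v)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad(resource, tag, v))
	return &Sealed{Resource: resource, Tag: tag, Version: v, Nonce: nonce, Cipher: ct}, nil
}

// Open decrypts a sealed object using the key named by its tag and version.
func Open(ks *KeyService, s *Sealed) ([]byte, error) {
	gcm, err := ks.gcmFor(s.Tag, s.Version)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Cipher, aad(s.Resource, s.Tag, s.Version))
	if err != nil {
		return nil, errors.New("authentication failed: key, tag or resource binding does not match")
	}
	return pt, nil
}

func main() {
	ks := NewKeyService("PII", "PUBLIC")
	// Constructed sample object; not real data.
	s, err := Seal(ks, "hr/disputes/case-1042.txt", "PII", []byte("SSN 123-45-6789"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(ks, s)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	s.Tag = "PUBLIC" // a bug or an attacker re-labels the stored object
	_, err = Open(ks, s)
	fmt.Println("after re-tag:", err)
}
```

Two design points carry the passage's argument: Seal refuses an object that has no tag-to-key policy rather than falling back to a default key, and Open does not trust the tag on the stored object by itself, since the tag only selects the key and the authentication tag then decides whether that choice was legitimate.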
Data loss prevention
Data loss prevention (DLP) is a security strategy focused on detecting and preventing data leakage or loss through unauthorized use, exfiltration, or destruction. DLP tools deployed only at a system boundary are inadequate to address corruption of data throughout the system. Therefore, DLP tools are placed at identified enforcement points throughout the architecture to detect and mitigate data breaches and exfiltration. Organizations must establish a baseline for data usage before enabling the prevention capabilities of DLP tools. When implemented correctly along with the other capabilities of the data pillar, DLP tools, established throughout an organization's network and not just at the perimeter, can more reliably secure an organization's data.

Insider threats can pose a great risk to an organization. Entities with access to sensitive data from within can leak, destroy, or steal that data, intentionally or unintentionally. As examples, a vexed former employee could steal data to sell to a competitor, or one might accidentally leak sensitive data by using it in an AI tool, such as a large language model (LLM). DLP can help stop the unauthorized forwarding, copying, or destroying of sensitive data by tracking sensitive information within the network.

Among other scenarios, external threats can target data for exfiltration (theft), or use ransomware to manipulate and destroy data to make it inaccessible to authorized users. DLP can help prevent malicious cyber actors from successfully obtaining or encrypting internal data. DLP is a proactive solution for protecting data, but there should still be a plan in place for data recovery should data loss occur in spite of these efforts due to hardware failure, ransomware, or other causes.

Table 6: Data loss prevention maturity
Preparation: Organizations scope enforcement points to deploy DLP solutions. Techniques for identifying sensitive data are established, such as key terms, fingerprints, pattern matching, and file matching.
Basic: A DLP solution is deployed to the in-scope enforcement points. DLP solution is set to "monitor-only" and/or "learning" mode to limit impact. Basic manual data tags are utilized for the DLP solution and a logging schema is integrated with manual tags.
Intermediate: DLP solution results are analyzed and policy is fine-tuned to manage risk to an acceptable level. The DLP solution is updated from monitor mode to prevention mode.
Advanced: The DLP solution is updated to integrate data tags based on parallel automation activities for data tagging. DLP data scope is extended, utilizing the automated data tags to identify sensitive data. Automated data monitoring identifies missing enforcement points for additional DLP deployment.
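As an added example (not from the NSA document), the following Go program models a DLP enforcement point using the four techniques the preparation phase names: key terms, document fingerprints, pattern matching, and file matching, plus tags supplied by the labeling pipeline as the advanced phase describes. It also shows the monitor-only to prevention progression: the same detection yields an alert in monitor mode and a block in prevent mode. The policy values, the registered document, and the outbound message are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Mode follows the maturity table: a newly deployed DLP sensor runs in
// monitor-only mode until a usage baseline exists, then moves to prevent.
type Mode int

const (
	Monitor Mode = iota
	Prevent
)

type Action string

const (
	Allow Action = "allow"
	Alert Action = "alert" // logged, transfer permitted (monitor mode)
	Block Action = "block" // transfer stopped (prevent mode)
)

// Policy holds the detection techniques named in the preparation phase.
// All values placed in it are assumptions constructed for this example.
type Policy struct {
	KeyTerms     []string
	Patterns     []*regexp.Regexp
	Fingerprints map[string]string // shingle hash -> source document name
	FileHashes   map[string]string // SHA-256 of whole file -> document name
	BlockTags    []string          // tags from the labeling pipeline that must not leave
}

const shingleWords = 8

func hashHex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// shingles fingerprints a text by hashing every run of shingleWords words
// after normalizing case and whitespace, so a sensitive document is still
// recognized when only a paragraph of it is pasted into a message.
func shingles(text string) []string {
	words := strings.Fields(strings.ToLower(text))
	var out []string
	for i := 0; i+shingleWords <= len(words); i++ {
		out = append(out, hashHex(strings.Join(words[i:i+shingleWords], " ")))
	}
	return out
}

// Register adds a sensitive document to the fingerprint and file-hash sets.
func (p *Policy) Register(name, content string) {
	if p.Fingerprints == nil {
		p.Fingerprints = map[string]string{}
		p.FileHashes = map[string]string{}
	}
	p.FileHashes[hashHex(content)] = name
	for _, h := range shingles(content) {
		p.Fingerprints[h] = name
	}
}

// Detect returns the reasons an outbound object matches policy; an empty
// result means no sensitive data was recognized.
func (p *Policy) Detect(content string, tags []string) []string {
	var hits []string
	lower := strings.ToLower(content)
	for _, term := range p.KeyTerms {
		if strings.Contains(lower, strings.ToLower(term)) {
			hits = append(hits, "key term: "+term)
		}
	}
	for _, re := range p.Patterns {
		if re.MatchString(content) {
			hits = append(hits, "pattern: "+re.String())
		}
	}
	if name, ok := p.FileHashes[hashHex(content)]; ok {
		hits = append(hits, "exact file: "+name)
	} else {
		seen := map[string]bool{}
		for _, h := range shingles(content) {
			if name, ok := p.Fingerprints[h]; ok && !seen[name] {
				seen[name] = true
				hits = append(hits, "fingerprint: "+name)
			}
		}
	}
	for _, t := range tags {
		for _, b := range p.BlockTags {
			if t == b {
				hits = append(hits, "tag: "+t)
			}
		}
	}
	return hits
}

// Enforce is the enforcement-point decision: in monitor mode a match only
// alerts (building the baseline); in prevent mode it blocks.
func Enforce(p *Policy, mode Mode, content string, tags []string) (Action, []string) {
	hits := p.Detect(content, tags)
	switch {
	case len(hits) == 0:
		return Allow, nil
	case mode == Prevent:
		return Block, hits
	default:
		return Alert, hits
	}
}

func main() {
	p := &Policy{
		KeyTerms:  []string{"Project Nightjar"},
		Patterns:  []*regexp.Regexp{regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
		BlockTags: []string{"PII", "CUI"},
	}
	// Constructed sensitive document registered with the sensor.
	p.Register("nightjar-design.docx", "The Nightjar controller uses a shared key loaded at boot from the secure element and rotates it every hour.")
	msg := "FYI: the controller uses a shared key loaded at boot from the secure element, nothing else changed."
	for _, m := range []Mode{Monitor, Prevent} {
		act, why := Enforce(p, m, msg, nil)
		fmt.Println(m, act, why)
	}
}
```

The outbound message never names the project and is not the registered file, yet the shingle fingerprint catches the copied sentence; running the sensor in monitor mode first, as the basic phase prescribes, is what lets an organization see how often such partial matches occur before turning the same decision into a block.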
Data access control
Data access control seeks to limit access to and use of data based on properties and attributes associated with the data and a user/device tuple along with any other relevant information. This capability is dependent on the others and brings into focus the ultimate job of the data pillar to enforce granular access controls and utilize all available data attributes for access decisions. This ensures unauthorized entities or entities on unauthorized devices cannot access the data. It also ensures those users and devices with access to data will continue to have their attributes inspected through various policy decision and enforcement points within the architecture.

The data protection needs of organizations will differ, and organizations must decide how they will use Role Based Access Control (RBAC), Policy Based Access Control (PBAC), Attribute Based Access Control (ABAC), and other options to control access. Organizations should mature through the phases as follows:

Table 7: Data access control maturity
Preparation: Organizational policy is developed with enterprise-wide central management solutions in mind. Ensure appropriate access to, and use of, data based on the data and user/NPE/device properties. A software defined storage (SDS) policy and an enterprise Identity Provider (IdP) integration plan are developed.
Basic: Central management solutions, such as SDS and automation tools, are integrated with established policy and DRM tooling in a phased approach to measure results, improve protections, and adjust accordingly. Roles are defined and implemented ensuring access to data dependent on proper user roles within the organization.
Intermediate: Attribute Based Access Controls (ABAC) are defined and established, ensuring identity attributes correspond to appropriate data objects. Policy Based Access Controls (PBAC) are established. PBACs inform data access decisions using attributes determined by policy rules.
Advanced: Individual and policy based access controls are established and automated central management solutions are fully integrated to manage changes from the central controller. ABAC, RBAC, and PBAC controls are further refined to provide more granular access regulations.
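The following Go program is an added example, not code from the NSA document, of the access decision the data pillar ultimately makes: a policy decision function that combines subject attributes (clearance, roles, organization), device attributes (managed, posture-compliant), and data object attributes (classification, tags, owning organization, need-to-know role), and that honours time-limited just-in-time grants for need-to-know in the way the governance table describes. Because every rule is re-evaluated on every request, a device that falls out of compliance or a grant that expires is denied at the next enforcement point. The attribute names, numeric clearance levels, rules, and sample entities are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Attributes exchanged at the policy decision point. Numeric levels (0-3)
// and the attribute names are assumptions for this example.
type Subject struct {
	ID        string
	Clearance int
	Roles     []string
	Org       string
}

type Device struct {
	ID        string
	Managed   bool
	Compliant bool // endpoint posture check passed
}

type DataObject struct {
	Name           string
	Classification int
	Tags           []string // e.g. PII; tags drive extra requirements
	OwnerOrg       string
	NeedToKnowRole string // role that grants need-to-know; "" means none required
}

// Grant is a just-in-time, just-enough elevation issued by policy: it names
// the subject, the object, the action and when it lapses.
type Grant struct {
	SubjectID string
	Object    string
	Action    string
	Expires   time.Time
}

type Decision struct {
	Allow  bool
	Reason string
}

func hasRole(s Subject, role string) bool {
	for _, r := range s.Roles {
		if r == role {
			return true
		}
	}
	return false
}

func hasTag(d DataObject, tag string) bool {
	for _, t := range d.Tags {
		if t == tag {
			return true
		}
	}
	return false
}

// Decide evaluates one access request. Every rule runs on every call, so a
// change in any attribute (a device failing posture, a grant expiring) is
// reflected at the next policy enforcement point rather than at next login.
func Decide(s Subject, dev Device, d DataObject, action string, grants []Grant, now time.Time) Decision {
	// Device attributes: tagged or classified data is only served to managed,
	// compliant endpoints, regardless of who the user is.
	if d.Classification > 0 || len(d.Tags) > 0 {
		if !dev.Managed {
			return Decision{false, "unmanaged device cannot access tagged or classified data"}
		}
		if !dev.Compliant {
			return Decision{false, "device failed posture check"}
		}
	}
	// Clearance dominance (ABAC on a numeric attribute).
	if s.Clearance < d.Classification {
		return Decision{false, fmt.Sprintf("clearance %d below classification %d", s.Clearance, d.Classification)}
	}
	// Need-to-know via role (RBAC), or a still-valid just-in-time grant (PBAC).
	if d.NeedToKnowRole != "" && !hasRole(s, d.NeedToKnowRole) {
		for _, g := range grants {
			if g.SubjectID == s.ID && g.Object == d.Name && g.Action == action && now.Before(g.Expires) {
				return Decision{true, "allowed by just-in-time grant until " + g.Expires.Format(time.RFC3339)}
			}
		}
		return Decision{false, "no need-to-know role " + d.NeedToKnowRole + " and no valid grant"}
	}
	// Write access to PII stays inside the owning organization.
	if action == "write" && hasTag(d, "PII") && s.Org != d.OwnerOrg {
		return Decision{false, "PII may be modified only by the owning organization"}
	}
	return Decision{true, "attributes satisfy policy"}
}

func main() {
	// Constructed sample entities; not real identities or data.
	analyst := Subject{ID: "u-17", Clearance: 2, Roles: []string{"analyst"}, Org: "fraud-ops"}
	laptop := Device{ID: "d-9", Managed: true, Compliant: true}
	disputes := DataObject{Name: "hr/disputes", Classification: 2, Tags: []string{"PII"}, OwnerOrg: "hr", NeedToKnowRole: "hr-case-worker"}
	now := time.Date(2024, 4, 1, 12, 0, 0, 0, time.UTC)
	fmt.Println(Decide(analyst, laptop, disputes, "read", nil, now))
	grant := Grant{SubjectID: "u-17", Object: "hr/disputes", Action: "read", Expires: now.Add(time.Hour)}
	fmt.Println(Decide(analyst, laptop, disputes, "read", []Grant{grant}, now))
	fmt.Println(Decide(analyst, laptop, disputes, "read", []Grant{grant}, now.Add(2*time.Hour)))
	laptop.Compliant = false
	fmt.Println(Decide(analyst, laptop, disputes, "read", []Grant{grant}, now))
}
```

The order of the checks is deliberate: device posture and clearance are evaluated before any grant is consulted, so a just-in-time grant can widen need-to-know but can never override the device or classification rules, which keeps "just-enough" meaningful.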
Data pillar guidance at a glance
● Develop enterprise data classification and labeling/tagging standards.
● Ensure all data is properly tagged and encrypted.
● Ensure that data tags are integrated with encryption policies.
● Ensure that all sensitive data is protected using proper encryption tools, such as DRM for data that moves beyond enterprise systems.
● Develop a DLP framework that counters internal and external threats to data security.
● Enforce data access controls based on enterprise policies and all information available about the access request.
● Monitor data for unauthorized movement, access, or alteration of data.
Conclusion
The need to protect data, a critical asset of any organization, is the driving force behind ZT. Data is protected through effective cataloging, labeling, and encryption while at rest and in transit. ZT strategy is ultimately centered on protecting an organization's data through constant verification, so it is important that data owners take the steps necessary to survey their data to design and implement effective controls. Once in place, those controls should be tested and the maturity evaluated. Implementing an effective data management plan within the ZT framework will limit data breaches, and if a breach does occur, will provide the necessary information on the assets that were compromised to minimize the damage.
Further guidance
NSA is assisting DoD customers that are implementing ZT capabilities, coordinating ZT activities with NIST, CISA, NSS, and DoD, and developing additional ZT guidance to support system developers through the challenges of integrating ZT within NSS, DoD, and Defense Industrial Base (DIB) environments. Upcoming additional guidance will help organize, contextualize, and guide incorporation of ZT principles and designs into enterprise networks.

Supplementary NSA guidance on implementing a ZT architecture and ensuring a secure and defensible network environment is available at /cybersecurity-guidance:
● Embracing a Zero Trust Security Model
● NSA's Top Ten Cybersecurity Mitigation Strategies
● Defend Privileges and Accounts
● Continuously Hunt for Network Intrusions
● Segment Networks and Deploy Application-aware Defenses
● Transition to Multi-factor Authentication
● Actively Manage Systems and Configura