Data is emerging as the major challenge under a government-wide push to adopt “zero trust” cybersecurity defenses.

Agencies have made varying degrees of progress across the “pillars” of the federal zero trust strategy published in early 2022. Identity, credential and access management (ICAM) was one of the initial focus areas for most agencies, as was the push to adopt encryption and isolation principles across networks.

Even the strategy itself recognizes the difficulties around the data pillar.

“Developing a comprehensive, accurate approach to categorizing and tagging data will be challenging for many agencies,” it states. “While agencies have been required to inventory their datasets for some time, a comprehensive zero trust approach to data management requires going beyond what agencies may be accustomed to thinking of as ‘datasets.’”

Shane Barney, chief information security officer at U.S. Citizenship and Immigration Services, said USCIS is now confronting the “monstrous” task of understanding and securing its data.

“Immigration is a data heavy kind of activity,” Barney said. “On any given day, we’re adding literally billions of new lines of data to all of our systems. We ingest data like it’s going out of style. . . . So staying in front of that, how we’re tagging it, and then determining the access levels for that data is exceptionally challenging.”

The Labor Department is also a data-intensive organization, and like many agencies, Labor’s data sits on the networks of various cloud service partners, not to mention contractors and other partners.

“Our data is in so many places with partners and cloud service providers,” Paul Blahusch, Labor’s CISO, said on Federal News Network. “Partnerships very important, making sure that whether it’s a grant, an interagency agreement or a contract, that we make sure we understand what our risks are, and how do we address those either through contract language, and or being able to evaluate how that organization is doing with security and keeping on top of that through some continuous monitoring.”

At the Nuclear Regulatory Commission, officials have instituted a “bring-your-own-device” program, giving their employees a more flexible way to approach work.  Jonathan Feibus, CISO at the NRC, said the agency then tailors access control decisions based on where they are, what device they’re using, and what they’re trying to access on that device.

“Making those decisions on the fly, making them as close to the data as possible, is what we aspire to,” Feibus said. “We’d like to automate those zero trust decisions when we have someone coming in, we want to know that, yes, they are an authorized user of our systems. We want to look at their device, yes, it’s appropriate for that device and that user to be paired together. And, yes, it’s appropriate for that data, and that application on that device for that user. So we’d love to have that automated all the way through. We’re not there yet. But we’re making strides.”

Industry is also seeing the increased focus on data and automation. Ned Miller, vice president of Crowdstrike Federal, said “a number of vendors” are working on new data security features.

“I think you’ll start to see industry come up with some innovative approaches to really help address the data problem, because it is pretty significant,” Miller said. “In terms of the challenge many of us have faced and have been around for what I would consider the first generation attempts with data loss prevention technologies, they were extremely difficult to deploy, if they ever got deployed. There was a lot of policy involved. I think we’ll see a lot of innovation come out here in the fall focused in this area. So I would encourage everyone to stay optimistic and look on the horizon.”

Agency CISOs are also keeping an eye on the use of artificial intelligence to help them with many security tasks. Blahusch said he sees an opportunity for generative AI systems to help with complex compliance tasks, like writing system security plans.

“I want to use automation and AI to move my human resources from lower value work to higher value,” Blahusch said.

Adam Hesch, lead architect at Amazon Web Services, said AI and machine learning can also help address the data challenges.

“Where we start to add in some of this newer generative artificial intelligence and large language models, it’s going to start to really add context,” Hesch said. “That’s going to let us get a handle on this data problem that we’ve never had before. And so then when you’re able to consume these large quantities of data at scale, you train these models to your specific needs, to the specific functions of your particular industry or for your agency, that is going to unlock so much in terms of being able to mark and tag data to understand what you’re trying to secure. And then that’s kind of then let you make those access based decisions to say, ‘Hey, should someone have the ability to access this?’”

Learning objectives:

• Current federal cybersecurity strategies
• The zero trust journey
• Cybersecurity trends

Complimentary Registration
Please register using the form on this page or call (202) 895-5023.