Agency data leaders see strong tie into federal zero trust security push

At first blush, it might seem like agency chief data officers would be hampered by the move to a “zero trust” cybersecurity posture.

After all, the security strategy rests on the idea of governing access to data using the principle of “least privilege,” while CDOs are working hard to inventory and share data across agencies.

But in reality, data leaders are working closely with their counterparts in the chief information security officer’s teams to deploy “thorough” data protections, as called for under the White House’s zero trust strategy. And efforts to catalog and tag data will be central to the strategy’s emphasis on implementing stronger identity and access controls. 

Kshemendra Paul, chief data officer at the Department of Veterans Affairs, said CDO teams and CISO officials are collaborating more closely than they would have five or 10 years ago. Data sharing and safeguarding are now “two sides of the same coin,” he said during an April 21 webinar hosted by AFCEA Bethesda.

“You can always do more sharing if you build in place better safeguards,” Paul said. “And then there’s a natural imperative to introduce automation on the safeguarding side to accelerate sharing and to improve safeguarding. There’s a virtuous cycle here between sharing and safeguarding, and, really, I don’t sense tension between the CISO community and the CDO community.”

Paul said the VA is working on an approach to consistently tag metadata across multiple legacy systems and build an “Enterprise Data Catalog” for the large agency. The catalog will help the VA ensure data is more easily discoverable for the right people and applications, while also implementing effective access rules around that data.

“The Enterprise Data Catalog is such an important aspect of having that understanding in an actionable way, the location of data, what the metadata is associated with it is, to be able to understand and make real the promise of blending access decisions and discovery decisions across the application, the data and the network layer,” Paul said. “It’s at the heart of a zero trust architecture.”

The VA has a big focus on unstructured data and making sure metadata is interoperable, he said. And a CDO’s goal to achieve data quality is “really not that different” from a CISO’s goal to ensure data integrity, Paul said.

“We do come at the challenges from different perspectives, but with a deep appreciation for what we each bring to the fight and kind of puzzling through what’s the best collaboration model, strategically, as well as operationally and tactically,” he said.

While the collaboration may be happening organically, it’s also by design. The White House’s zero trust strategy required CDOs and CISOs to create “a joint committee to develop a zero trust data security guide for agencies.” In addition to the guide, the strategy called on the committee to identify and support pilots for enterprise data categorization approaches.

“Developing a comprehensive, accurate approach to categorizing and tagging data will be challenging for many agencies,” the strategy states. “While agencies have been required to inventory their datasets for some time, a comprehensive zero trust approach to data management requires going beyond what agencies may be accustomed to thinking of as ‘datasets.’”

Carole House, director of cybersecurity and secure digital innovation at the White House National Security Council, said cybersecurity and data go hand-in-hand.

“To effectively implement a cybersecurity program, you need that data,” House said. “Just like for managing other programs and systems, you have to be able to understand really what’s happening on your networks, what’s on your networks, what are their vulnerabilities, how is it being targeted?”

Data as a ‘superpower’

At U.S. Citizenship and Immigration Services, officials have spent the last couple years building out the agency’s data enterprise, according to Rob Brown, chief technology officer of USCIS.

“We’ve been fortunate enough over the past two years to really focus and aggregate our data into a data lake house, and are burgeoning on the realm of really a true data mesh, not only internally within USCIS, but also externally in a lot of our sort of sister [Department of Homeland Security] components, as well as some of our other federal business partners,” Brown said. “We’ve discovered quite a few gaps there that we’re working towards filling.”

Last summer, USCIS also established a zero trust working group within its IT organization to bring different groups together to begin to evaluate across the agency’s “tools, technologies, people processes,” he said.

The effort identified gaps in USCIS’s security posture when compared to the Cybersecurity and Infrastructure Security Agency’s draft zero trust maturity model and other zero trust resources, according to Brown.

“The next step right now is we’ve been meeting with a lot of industry and a lot of vendors to get a better finger on the pulse, and educating the folks within the zero trust working group,” Brown said. “So we understand really how some of these tools and technologies can fill some of the gaps, and ideally even replace and consolidate some of the disparate tooling that we do have in place today.”

Meanwhile, at the VA, Paul described how support for a major data initiative was dependent on good security practices. The Common Operating Platform program is aimed at integrating health and benefit data across the agency. The VA awarded Palantir Technologies a four-year, $90 million data integration contract for the platform last October.

“We’ve built the technical support for greatly enhanced rules-based access,” Paul said. “It’s been critically important to the success of the initiative that we could reassure folks that it’s appropriate, secure, ethical access. At the VA our data is our superpower, and by integrating it this way, we’re unlocking our superpower.”
