Protecting Department of Defense (DoD) employee data is a top priority for defense officials as they move forward with IT modernization plans. DoD officials have said publicly that the department’s current lack of proper data protection protocols leaves employees’ data vulnerable to privacy breaches, data spillages and other cyber threats.
Whether through unauthorized access to security clearance information or to personally identifiable information (PII), leaving DoD databases and employee data exposed to cybercriminals will have serious consequences for the Department and its employees.
DoD’s Data Question
In the current DoD landscape, data lives everywhere. In fact, the department has many data environments that it can manage and view effectively. As DoD transitions to a more centralized data environment and to the cloud, defense officials must have mechanisms in place to secure and protect data critical to our national security. Additionally, as DoD seeks to protect controlled unclassified information (CUI), such as HIPAA/PII data, digital footprints, and aggregated publicly available information (PAI), the challenge of properly securing and sharing data types that attackers can combine increases.
Operational Objectives
Solutions are limited when it comes to protecting the digital footprints of civilian and military personnel on commercial platforms. However, in protecting CUI and the digital footprint, DoD must comply with current data compliance laws, which govern not only the data but also the individuals associated with that information. Solution: Deploy a common data platform (environment) that leverages attribute-based access control (ABAC).
DoD has many disparate data systems and most with role-based access controls (RBAC) where data exists in silos. However, as DoD transitions to a centralized data environment, its employees will want to know how their data is used, how it is disclosed, and what measures are in place to protect their data. Deploying a centralized data platform using ABAC can complement these defensive measures to address their questions, especially when data is securely shared within or outside the DoD.
ABAC: How it can protect employee data and controlled unclassified information
DoD currently authenticates users to its systems with Common Access Cards (CACs), also known as "smart" IDs, and Public Key Infrastructure (PKI) credentials for CUI and classified data. However, even in these systems, data access does not scale. As more data enters military systems, those systems must be able to manage and analyze data access by connecting data to the characteristics of users and determining what types of data each user may see. Implementing dynamic policies using ABAC will ensure that users have access to the right data at the right time.
In any data environment, the cloud footprint grows, data moves faster, and policies multiply, requiring a dynamic authorization framework such as ABAC to keep up with data demands. Unlike RBAC, ABAC bases data security decisions on user attributes, determining who should have access to sensitive data and for what reasons. ABAC serves as a framework that enables authorized, real-time access to sensitive DoD networks, applications, and databases, a key differentiator from RBAC.
Addressing DoD Security Gaps in Cyberspace
As cyber threats rapidly evolve and defense officials move forward with digital modernization plans, securing the digital footprint, protecting against cyber threats, and preventing data leakage are top priorities for DoD leadership.
To prevent cyber threats and data leakage, the DoD must deploy data governance technologies that enforce data policies at the data level. Integrating ABAC into the DoD data environment will allow a system administrator or system engineer to create all policies in one place and dynamically organize data at user login so that the user only has access to the data they are assigned. With DoD’s numerous domains and platforms, there will never be a centralized domain or cloud architecture for data to reside. However, for DoD leadership looking to accelerate their digital modernization plans, deploying ABAC concepts and capabilities early on provides a step in the right direction to address security gaps related to employee data and CUI.
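To make concrete the contrast drawn above between role-based and attribute-based decisions, and the point that policies can be defined in one place and enforced at the data level, here is an added example that is not from the article or any vendor product. The user attributes, record markings, org codes and policy rules are constructed for illustration only.

```python
# Added example, not from the original article: a minimal ABAC decision for
# CUI records beside a role-only (RBAC) decision. Users, markings, org codes
# and policies are constructed for illustration, not real DoD policy.
from dataclasses import dataclass

CLEARANCE_RANK = {"NONE": 0, "CUI": 1, "SECRET": 2}

@dataclass(frozen=True)
class User:
    uid: str
    roles: frozenset          # all that an RBAC check can see
    clearance: str            # attributes an ABAC policy can reason about
    org: str
    training_current: bool    # e.g. annual PII-handling training

@dataclass(frozen=True)
class Record:
    rid: str
    marking: str              # constructed label: "CUI" or "SECRET"
    owner_org: str
    contains_pii: bool

# Policies are predicates over (user, record), defined in one place and
# evaluated at access time instead of being baked into roles at provisioning.
def clearance_dominates(u: User, r: Record) -> bool:
    return CLEARANCE_RANK[u.clearance] >= CLEARANCE_RANK[r.marking]
def same_org_or_privacy_officer(u: User, r: Record) -> bool:
    return u.org == r.owner_org or "privacy_officer" in u.roles
def pii_requires_training(u: User, r: Record) -> bool:
    return (not r.contains_pii) or u.training_current
POLICIES = [clearance_dominates, same_org_or_privacy_officer, pii_requires_training]

def rbac_allows(u: User, r: Record) -> bool:
    """Role-only decision: the 'analyst' role grants every record."""
    return "analyst" in u.roles

def abac_allows(u: User, r: Record) -> bool:
    """Default-deny: every policy predicate must hold."""
    return all(p(u, r) for p in POLICIES)

def visible_records(u: User, records, decide=abac_allows):
    """Data-level enforcement: filter the result set per user at query time."""
    return [r.rid for r in records if decide(u, r)]

# Constructed sample data: both analysts hold the same RBAC role.
ALICE = User("alice", frozenset({"analyst"}), "CUI", "J6", True)
BOB = User("bob", frozenset({"analyst"}), "CUI", "J2", False)
RECORDS = [Record("r1", "CUI", "J6", False), Record("r2", "CUI", "J6", True),
           Record("r3", "SECRET", "J2", False), Record("r4", "CUI", "J2", True)]
```

Under the role-only check both analysts see all four records; under the attribute policies Alice sees only her organization's CUI records and Bob, whose PII training has lapsed, sees none.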
Deploying zero-trust for data security
To avoid data silos and the risk that critical sensitive information is missed, DoD management and staff must share data internally and externally, and quickly. However, DoD personnel must share data securely and prevent unauthorized access by malicious cyber actors. Deploying a zero-trust architecture is critical to preventing cybercriminals from reaching sensitive data, classified or unclassified. With zero trust, no user, device, application or system is trusted by default; each must always be verified on the network.
As DoD makes this transition to a zero-trust environment, we believe ABAC will ensure that sensitive defense data and applications are accessed only by authorized users. As such, ABAC will remain the top data authorization model to enable DoD to securely share critical data in a zero-trust environment and improve national security.
Walter Paz, Director of Defense Programs/Customer Success Public Sector, Imuta