Protecting Department of Defense (DoD) personnel data remains a top priority for defense officials as they move forward with IT modernization plans. DoD officials have stated publicly that the department’s current lack of proper data protection protocols has left personnel data vulnerable to privacy breaches, data spillage, and other cyber threats.
Whether it’s unauthorized access of sensitive data and security clearance information or personally identifiable information (PII), leaving DoD databases and personnel data unprotected will have dire consequences for the department and its personnel if its data environment remains vulnerable to cybercriminals.
The DoD’s data conundrum
In the current DoD landscape, data resides everywhere. In fact, the department has too many data environments that it can effectively manage and view. And as the DoD transitions to a more centralized data environment and the cloud, defense officials must have mechanisms to secure and protect data critical to our national security. Additionally, the challenges related to properly securing and sharing data types increase as the DoD seeks to protect controlled unclassified information (CUI), such as HIPAA/PII data, digital footprints and aggregated publicly available information (PAI) that attackers can piece together to compromise operational objectives.
When it comes to safeguarding the digital footprints of civilian and military personnel on a commercial platform, solutions are limited. However, when protecting CUI and digital footprints, DoD must abide by current data compliance laws — not only on the data, but also on the individuals tied to that information. The solution: deploy a common data platform (environment) that leverages attribute-based access control (ABAC).
The DoD has many disparate data systems and most with role-based access controls (RBAC) where data exists in silos. However, as DoD transitions to a centralized data environment, its personnel will want to know how their data gets used, how it’s being exposed and what measures are in place to protect their data. Deploying a centralized data platform that uses ABAC can fulfill this protective measure to address their questions, particularly when securely sharing data within the DoD or externally.
ABAC: how it can protect personnel data and controlled unclassified information
The DoD currently has mechanisms for granting user access to a system, using common access cards (CAC cards), also known as “smart” IDs, for CUI and public key infrastructures (PKIs) for classified data. However, even with these systems in place, data access does not scale. And as more data enters military systems, it’s critical for those who manage data access and analyze it to have capabilities that let them connect data to users’ attributes and determine what type of data they can view. Deploying dynamic policies using ABAC will ensure users access the right data at the right time.
Within any data environment, cloud environments grow, data moves fast, and policies increase, which requires a dynamic authorization framework like ABAC to meet the data demand. Rather than RBAC, ABAC has been based on the user's attributes for data security, determining who should have access to sensitive data and for the right reasons. ABAC acts as the framework that will dynamically empower authorization and access to sensitive DoD networks, applications and databases in real time – a key differentiator from RBAC.
Addressing DoD security gaps in cyberspace
Safeguarding digital footprints, protecting against cyber threats and preventing data spillages have been top priorities for DoD leadership as cyber threats rapidly evolve and as defense officials move forward with digital modernization plans.
To prevent cyber threats and data spillage, the DoD must deploy data governance technology that applies data policies at the data layer. Integrating ABAC into the DoD data environment will allow a systems administrator or systems engineer to make all the policies in one place while dynamically streamlining data when a user logs in so that the user only gets granted access to the data they were assigned. With the DoD’s myriad of domains and platforms, there will never be one centralized domain or cloud architecture for data to reside. However, for DoD leadership looking to accelerate their digital modernization plans, deploying ABAC concepts and capabilities from the start offers a step in the right direction to address security gaps related to personnel data and CUI.
Deploying zero-trust for data security
To avoid data silos and the potential to miss critical sensitive information, it’s crucial that DoD management and personnel share data both internally and externally – and fast. However, DoD personnel must securely share data and prevent unauthorized access by malicious cyber actors. Deploying a zero-trust architecture remains critical to preventing cybercriminals from accessing sensitive. data, whether classified or unclassified. With zero-trust, any user, tool, application or system is never trusted from the start; they must always be verified on the network.
As the DoD makes this transition to a zero-trust environment, we believe ABAC will ensure sensitive defense data and applications are only accessed by authorized users. As such, ABAC will remain the top data authorization model to empower the DoD to safely share critical data in a zero-trust environment and improve national security.
Walter Paz, director of defense programs/customer success public sector, Immuta