The success of U.S. military missions increasingly depends on data. Battlespace dominance more and more often comes down to data dominance – how effectively mission teams can capture, share, and act on information at mission speed.
In the process, though, teams need to keep data secure. That’s challenging enough when data is housed in a single system or consumed by a single command. But today’s battlespace often involves multiple military branches and an array of coalition partners. Safely exchanging sensitive information among all those stakeholders is exponentially more difficult – at least using traditional cyber approaches.
The solution is data-centric cybersecurity enabled by effective – and to the extent possible, automated – data classification, tagging, and encryption. With the right technology, security controls can be simply and reliably applied to the data itself, remaining in force wherever the information is shared and for as long as the information exists.
The data-centric security imperative
Conventional cybersecurity is network-centric and perimeter-based. It focuses on guarding systems and communication with layers of protections around users, applications, and endpoints. But as military teams, devices, and data become more dispersed and dynamic, this model is no longer up to the task.
Data-centric security, in contrast, safeguards information regardless of where it’s located or who it’s shared with. This approach comes with some prerequisites, however.
First, information must be classified by its level of sensitivity, because an access decision can only be as precise as the labels on the data it protects. That makes classification central to zero trust, and it is also mandated. Executive Order 13526 establishes a uniform system for classifying national security information at the Confidential, Secret, and Top Secret levels. DoD Directive 5200.01 assigns responsibilities and procedures for marking and protecting classified information and controlled unclassified information. And Intelligence Community Directive 503 sets the risk-management requirements for the IC information systems that store and share that data.
With effective classification and tagging, the data carries the attributes that make data-centric security viable. Mission teams can write policies, evaluated against those attributes, that control who can access the data, how it can be used, and for how long. The controls are attached to the data object itself rather than to a proxy such as the user's account or the device the data happens to sit on.
Automated classification and tagging
For most mission teams, however, classification and tagging currently are a largely manual, complex process. That’s a recipe for errors and omissions that can put information at risk and threaten mission success.
The solution is automated classification and tagging combined with attribute-based access control (ABAC), enabled by an open standard called Trusted Data Format, or TDF. Approved by the Office of the Director of National Intelligence (ODNI) and used across the DoD, the IC, and commercial enterprises, TDF wraps data in an object that carries its own access policy, enforcing fine-grained ABAC with optional encryption of the payload. It also works with popular classification and tagging tools.
Not all data can be tagged automatically. Most agencies, for instance, require that email be tagged by a person. But quick TDF-based shortcuts, such as saved tag sets in the organization's tagging tool, let a user tag and encrypt a message with a single click.
With ABAC enforced through TDF, access is granted or denied by comparing the attributes asserted for the requester (credentials, roles, responsibilities, location, and so on) against the attributes the data object demands. A data object might require, for instance, that the requester be a person rather than a service account, be a U.S. citizen, hold a Top Secret clearance, and satisfy any special handling caveats such as Special Access Program (SAP) read-ins.
Because the policy travels inside the object, that control persists wherever the data is shared and for as long as the data exists. The enforcement point is the key access service: the encrypted object can be copied anywhere, but the decryption key is released only after the policy is evaluated against the requester's attributes, and each request leaves an audit record. The policy is cryptographically bound to the payload key, so if anyone alters it after the object was sealed, say by lowering the required classification level, the binding check fails and access is denied. What the format cannot do is govern what an authorized recipient does with the plaintext once it has been decrypted on their endpoint; that still depends on endpoint and user controls.
What is especially useful about TDF is that it supports automated tagging in many situations. An example is an edge sensor that monitors a mission space and sends updates as conditions change. The data can be tagged and encrypted automatically while it is still on the sensor, before transmission, so that only the individuals or applications the policy names can access it. The same integrity checks let the receiver confirm that the object was sealed by that sensor and that neither the payload nor its policy was altered in transit.
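As an added example, not code from the article or from any TDF implementation, the following Python models the mechanics the three paragraphs above describe: a data object that carries its own ABAC policy, a key access service that evaluates that policy against the requester's attributes before releasing the key, and policy and payload bindings that make tampering detectable. The attribute names, the SAP names, the sensor reading and the HMAC-based keystream used in place of AES-GCM are all assumptions made for illustration; it uses only the standard library.

```python
"""Added example: a TDF-style object whose ABAC policy is bound to its ciphertext."""
import hashlib
import hmac
import json
import os


class AccessDenied(Exception):
    pass


CLEARANCE_RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}  # hierarchical attribute (assumed names)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for the AES-GCM real TDF uses."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(key: bytes, *parts: bytes) -> str:
    return hmac.new(key, b"".join(parts), hashlib.sha256).hexdigest()


def seal(plaintext: bytes, policy: dict, key: bytes) -> dict:
    """Encrypt the payload and attach the policy, both bound to the payload key
    (mirrors the encrypted payload, policy and policyBinding of a TDF manifest)."""
    nonce = os.urandom(12)
    ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    policy_json = json.dumps(policy, sort_keys=True)
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "policy": policy_json,
            "policyBinding": _tag(key, policy_json.encode()),
            "payloadTag": _tag(key, nonce, ciphertext)}


def policy_allows(policy: dict, subject: dict) -> bool:
    """ABAC decision: entity type exact, citizenship any-of, clearance hierarchical, SAP all-of."""
    req = policy["requires"]
    if subject.get("entityType") != req["entityType"]:
        return False
    if subject.get("citizenship") not in req["citizenship"]:
        return False
    if CLEARANCE_RANK.get(subject.get("clearance"), -1) < CLEARANCE_RANK[req["clearance"]]:
        return False
    return set(req.get("sap", [])) <= set(subject.get("sap", []))


def kas_release_key(tdf: dict, subject: dict, key: bytes) -> bytes:
    """Key access service: confirm the policy is the one sealed with the object,
    then evaluate it for this subject; only then hand out the payload key."""
    if not hmac.compare_digest(_tag(key, tdf["policy"].encode()), tdf["policyBinding"]):
        raise AccessDenied("policy was modified after the object was sealed")
    if not policy_allows(json.loads(tdf["policy"]), subject):
        raise AccessDenied("subject attributes do not satisfy the data policy")
    return key


def unseal(tdf: dict, key: bytes) -> bytes:
    """Verify payload integrity, then decrypt."""
    nonce, ciphertext = bytes.fromhex(tdf["nonce"]), bytes.fromhex(tdf["ciphertext"])
    if not hmac.compare_digest(_tag(key, nonce, ciphertext), tdf["payloadTag"]):
        raise AccessDenied("payload was modified in transit")
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))


def open_object(tdf: dict, subject: dict, key: bytes) -> bytes:
    return unseal(tdf, kas_release_key(tdf, subject, key))


# Constructed sample data; attribute values and SAP names are hypothetical.
SENSOR_POLICY = {"requires": {"entityType": "person", "citizenship": ["US"],
                              "clearance": "TS", "sap": ["SAP-ALPHA"]}}
ANALYST = {"entityType": "person", "citizenship": "US", "clearance": "TS",
           "sap": ["SAP-ALPHA", "SAP-BRAVO"]}
CONTRACTOR = {"entityType": "person", "citizenship": "US", "clearance": "S",
              "sap": ["SAP-ALPHA"]}


def _attempt(tdf: dict, subject: dict, key: bytes) -> str:
    try:
        open_object(tdf, subject, key)
        return "allowed"
    except AccessDenied as e:
        return str(e)


def demo() -> dict:
    """Seal one edge-sensor reading, then try four accesses; returns each outcome."""
    key = os.urandom(32)
    reading = b'{"sensor":"edge-07","track":"contact bearing 045"}'  # constructed
    tdf = seal(reading, SENSOR_POLICY, key)
    downgraded = dict(tdf)  # someone lowers the clearance the policy demands
    policy = json.loads(tdf["policy"])
    policy["requires"]["clearance"] = "S"
    downgraded["policy"] = json.dumps(policy, sort_keys=True)
    corrupted, ct = dict(tdf), bytearray(bytes.fromhex(tdf["ciphertext"]))
    ct[0] ^= 1  # one flipped bit in the ciphertext
    corrupted["ciphertext"] = bytes(ct).hex()
    return {"analyst": open_object(tdf, ANALYST, key) == reading,
            "contractor": _attempt(tdf, CONTRACTOR, key),
            "downgraded": _attempt(downgraded, CONTRACTOR, key),
            "corrupted": _attempt(corrupted, ANALYST, key)}
```

The order of checks in `kas_release_key` is the point: the policy binding is verified before the policy is evaluated, so the downgraded object is refused even for a requester who would satisfy the weakened policy. In a real deployment the payload key would itself be wrapped to the key access service's public key rather than handed to the caller as a parameter, which is the simplification made here.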
Accelerating and securing missions
The advantages of automated data classification and tagging are numerous. First is accelerated workflows. With semi- and fully automated data tagging, team members can more quickly and safely generate and share vital information.
They can also avoid the errors and omissions of today's manual processes. With content tagged and encrypted, users and teams can trust that shared data stays encrypted until a policy decision releases the key, and that its metadata carries the access controls wherever the data travels.
Automated data tagging also better protects data on unclassified networks, which matters most for sensors transmitting across the open internet. With tagging and encryption applied at the data-object level, an intercepted object is ciphertext plus a policy; without a key release it discloses nothing, so there is far less exposure to leakage from insecure networks.
Finally, automated data tagging and TDF-enabled ABAC advance the goals of Joint All-Domain Command and Control, or JADC2, helping to enable a secure mission partner environment and optimize the sharing of sensitive information among partners. Military and IC teams – and other federal organizations exchanging sensitive data – can tie encryption and access control to the data itself. They can be confident that classification levels and access controls apply to the data wherever it’s shared and for as long as it exists. Ultimately, they can securely leverage shared data to help achieve the goals of their mission.
Shannon Vaughn is general manager of Virtru Federal and an officer in the U.S. Army Reserve.