Shielding the Journey: Mandating Data In Transit Protection for Zero Trust (Zero Trust Activity 5.4.4)
We’ve invested heavily in securing identity and devices, implementing granular access controls, and building programmable networks to control who can access what and where. In a Zero Trust world, the “never trust, always verify” principle extends to data that is actively moving across our networks. A user might be authorized, a device might be compliant, but if the data itself is exposed or tampered with as it travels, our security posture is compromised. This brings us to Zero Trust Activity 5.4.4: Protect Data In Transit.
This activity emphasizes the critical need to secure data while it’s in motion. It directs DoD Components to mandate protection of data in transit based on the data flow mappings and monitoring standards provided by the DoD Enterprise. This means understanding where sensitive data travels and enforcing encryption on those pathways. The activity highlights several common use cases for this protection: Coalition Information Sharing (where data crosses organizational boundaries), sharing across system boundaries (e.g., between different enclaves or applications), and protection across architectural components (e.g., between microservices or different tiers of an application).
This activity is vital because data in transit is inherently vulnerable to interception, eavesdropping, or alteration if not adequately protected. Ensuring its confidentiality and integrity while it travels is a non-negotiable aspect of Zero Trust.
The outcomes for Activity 5.4.4 reflect the successful implementation of this mandatory protection:
- Enterprise guidance is provided on protecting Data In Transit.
- Protect data in transit during Coalition Information Sharing.
- Protect data in transit across system high boundaries.
- Integrate data in transit protection across architecture components.
The ultimate end state is a network in which data movement is secure by policy: protection of data in transit is enforced during coalition information sharing, across system high boundaries, and within the various architectural components. Data in transit is encrypted and the encryption is monitored for compliance, so the data remains confidential and retains its integrity throughout its journey.
Solutions for Achieving Protect Data In Transit
Implementing Activity 5.4.4 requires a policy-driven approach to encryption across various network segments and communication pathways, leveraging established technologies and integrating them with your programmable network.
- Defining Data In-Transit Protection Policies:
- Based on the enterprise data flow mappings and monitoring standards, define clear policies that mandate encryption for all data in transit. This includes specifying the minimum encryption standards, protocols, and mechanisms to be used for different data classifications and use cases.
- Policies should cover all relevant communication types: user-to-application, application-to-application (API calls), server-to-server, and data replication.
- Implementing Encryption Protocols and Technologies (Leveraging Zscaler and Okta):
- Transport Layer Security (TLS): The standard protocol for securing web traffic (HTTPS) and many other application protocols. Its predecessor, SSL, is obsolete and should be disabled everywhere. Mandate TLS 1.2 or later with forward-secret AEAD cipher suites for all web-based applications and APIs, and require clients to verify the server certificate: an encrypted tunnel to an unverified peer protects nothing against an on-path attacker.
- Zero Trust Network Access (ZTNA) with Cloud Security (Zscaler’s Contribution): ZTNA largely supersedes the traditional remote-access VPN and the problems that come with it. Zscaler encrypts traffic as users and devices connect to applications through its cloud platform, providing an encrypted path for data in transit without traditional VPN appliances. Zscaler also offers Cloud Firewall capabilities that can enforce policy on traffic traversing its cloud, and its Microsegmentation controls traffic between application components. One caveat applies to any ZTNA broker: it encrypts the legs it terminates (client to broker, broker to connector), while the final hop from the connector to the application server runs the application’s native protocol, so that segment still needs its own TLS under the same policy.
- SSH (Secure Shell): For securing remote administrative access and file transfers.
- Encrypted File Transfer Protocols: Such as SFTP (SSH File Transfer Protocol) or managed file transfer solutions that encrypt data end-to-end.
- Database Encryption in Transit: Configure databases to require TLS for client connections (not merely to allow it, which leaves a downgrade to cleartext available) and configure clients to verify the server certificate.
- Application-Layer Encryption: In some cases, sensitive data should be encrypted at the application layer before it is sent, for example field-level encryption of a payload, so that intermediaries that terminate TLS (proxies, load balancers, brokers) cannot read it. This adds a layer of protection independent of the transport.
- Endpoint-Driven Data Protection (Trellix Contribution): Trellix’s Data Loss Prevention (DLP) capabilities can be deployed at the endpoint (and network egress points) to identify sensitive data as it attempts to leave a device. It can then enforce policies to encrypt that data before it’s transmitted over unencrypted channels, or block the transmission altogether if encryption isn’t feasible or compliant. This ensures sensitive data is protected even if the underlying network protocol isn’t inherently encrypted.
- Leveraging PKI and Certificate Management:
- Public Key Infrastructure (PKI): Essential for issuing and managing the digital certificates used by TLS, IPsec (for specialized site-to-site tunnels not covered by ZTNA), and other encryption protocols. Integrating the PKI with your core identity platform (Okta, in this architecture) streamlines certificate lifecycle management: issuance, renewal, and revocation are tied to the identity that owns the certificate.
- Policy Enforcement Points and Programmable Network Integration:
- Enforce policies to mandate encryption at various points in the network infrastructure.
- Application Delivery Controllers (ADCs) / Proxies: Can enforce TLS/SSL encryption for application traffic.
- Next Generation Firewalls (NGFWs): Can enforce IPsec for specialized site-to-site tunnels and inspect/control encrypted traffic where necessary.
- Software-Defined Networking (SDN) / Programmable Network Infrastructure: Leverage SDN APIs (from Activity 5.2.1) and programmable network devices (from Activity 5.2.2) to dynamically configure and enforce encryption policies. For example, the SDN could automatically route sensitive data flows through encrypted tunnels or ensure specific segments only communicate via encrypted links.
- Cloud Security Controls: Utilize cloud provider services (e.g., VPC encryption, load balancer SSL policies, VPN gateways for cloud-to-cloud/cloud-to-onprem connections) to protect data in transit within and between cloud environments.
- Endpoint Enforcement (Trellix Contribution): Trellix Endpoint Security and Trellix DLP agents provide enforcement at the endpoint itself. They can ensure endpoints use encrypted protocols, block unencrypted sensitive data transfers, and contribute telemetry to identify non-compliant data flows, feeding into broader security operations.
- Monitoring and Verification:
- Implement network monitoring and analytics tools (e.g., NetFlow/IPFIX from Activity 5.2.3) to identify unencrypted sensitive data flows.
- Integrate logging from encryption enforcement points (firewalls, ADCs, Trellix DLP, and Zscaler’s Zero Trust Exchange) into your SIEM for continuous monitoring and alerting on policy violations or attempts to transmit sensitive data unencrypted. Zscaler’s centralized logging for all traffic flowing through its platform provides comprehensive visibility into encrypted and unencrypted flows for applications it brokers access to.
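The monitoring step above is where the mandate becomes verifiable. The following added example (written for this article; it is not Zscaler, Trellix or DoD code) shows the core of that check: a small Python audit that takes flow records already reduced from NetFlow/IPFIX export, joins them against a data flow mapping of where sensitive data lives, and flags any sensitive flow that the exporter’s application identification, or failing that the destination port, marks as unencrypted. The subnets, classification labels, field names and flow records are all constructed for illustration; the port table is a policy default rather than a guarantee, which is why an application-ID field, when present, overrides it in both directions.

```python
"""Flag sensitive data flows that cross the network without transport
encryption. Added example for this article, not vendor or DoD code.

Assumes flow records have already been exported (NetFlow/IPFIX) and reduced
to dicts with src_ip, dst_ip, dst_port, proto, bytes and an optional "app"
field carrying the exporter's application identification. All names and
sample data below are constructed for illustration.
"""
import ipaddress
import json

# Constructed stand-in for the enterprise data flow mapping: the subnets that
# hold sensitive data and the classification of what they hold.
SENSITIVE_ZONES = {
    "10.10.0.0/24": "CUI",   # application tier of a controlled-unclassified system
    "10.20.0.0/24": "PII",   # identity and HR databases
}

# Destination ports whose protocol encrypts by default. A policy table, not a
# guarantee: TLS can run on any port, and STARTTLS-style upgrades on 25/143/389
# are only visible through the exporter's application identification.
ENCRYPTED_PORTS = {22, 443, 636, 853, 993, 995, 5061, 8443}

# Application identifiers the exporter may attach. "app" wins over the port
# table in both directions: TLS on 8080 is encrypted, plain HTTP on 443 is not.
ENCRYPTED_APPS = {"tls", "ssh", "ipsec", "quic", "dtls"}
CLEARTEXT_APPS = {"http", "ftp", "telnet", "smtp", "ldap", "mysql", "postgresql"}


def classify_endpoint(ip):
    """Return the classification label of the zone an address belongs to, else None."""
    addr = ipaddress.ip_address(ip)
    for cidr, label in SENSITIVE_ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return label
    return None


def encryption_verdict(flow):
    """Return (encrypted: bool, reason: str) for one flow record."""
    app = (flow.get("app") or "").lower()
    if app in ENCRYPTED_APPS:
        return True, f"application-id={app}"
    if app in CLEARTEXT_APPS:
        return False, f"application-id={app} is a cleartext protocol"
    if flow["dst_port"] in ENCRYPTED_PORTS:
        return True, f"port {flow['dst_port']} is in the encrypted-port policy"
    return False, f"no application-id; port {flow['dst_port']} is not in the encrypted-port policy"


def audit_flows(flows):
    """Return one finding per flow that touches a sensitive zone without encryption."""
    findings = []
    for flow in flows:
        label = classify_endpoint(flow["src_ip"]) or classify_endpoint(flow["dst_ip"])
        if label is None:
            continue                      # not a mapped sensitive flow; out of scope here
        encrypted, reason = encryption_verdict(flow)
        if encrypted:
            continue
        findings.append({
            "rule": "ZT-5.4.4-unencrypted-sensitive-flow",
            "classification": label,
            "src_ip": flow["src_ip"],
            "dst_ip": flow["dst_ip"],
            "dst_port": flow["dst_port"],
            "proto": flow["proto"],
            "bytes": flow["bytes"],
            "reason": reason,
        })
    return findings


def to_siem_events(findings):
    """Serialise findings as one JSON object per line for SIEM ingestion."""
    return [json.dumps(f, sort_keys=True) for f in findings]


# Constructed flow records; 198.51.100.10 stands in for a coalition partner host.
SAMPLE_FLOWS = [
    {"src_ip": "10.20.0.5", "dst_ip": "10.30.0.9", "dst_port": 5432, "proto": "tcp", "bytes": 48_210_000, "app": None},
    {"src_ip": "10.10.0.7", "dst_ip": "10.40.0.3", "dst_port": 443, "proto": "tcp", "bytes": 1_200, "app": "tls"},
    {"src_ip": "172.16.5.4", "dst_ip": "10.10.0.7", "dst_port": 443, "proto": "tcp", "bytes": 9_800, "app": "http"},
    {"src_ip": "10.10.0.7", "dst_ip": "10.50.0.2", "dst_port": 8080, "proto": "tcp", "bytes": 3_300, "app": "tls"},
    {"src_ip": "192.168.1.5", "dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp", "bytes": 120, "app": "dns"},
    {"src_ip": "10.20.0.5", "dst_ip": "10.20.0.6", "dst_port": 22, "proto": "tcp", "bytes": 77_000, "app": None},
    {"src_ip": "10.10.0.7", "dst_ip": "198.51.100.10", "dst_port": 21, "proto": "tcp", "bytes": 6_400_000, "app": "ftp"},
]

if __name__ == "__main__":
    for line in to_siem_events(audit_flows(SAMPLE_FLOWS)):
        print(line)
```

Run against the constructed records, the audit reports three violations: the PII database replicating to port 5432 in the clear, plain HTTP served on port 443 from the CUI tier, and an FTP transfer from the CUI tier to the partner host. The TLS-on-8080 flow passes because the application ID overrides the port table, and the unmapped DNS flow is out of scope. In production the same logic runs over the SIEM’s flow index, with the zone table generated from the Activity 4.4.2 data flow mappings rather than hand-written.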
Key Items to Consider:
- Comprehensive Data Flow Mapping: You must have a clear understanding of where sensitive data resides and how it moves across your environment (Activity 4.4.2 data flow mappings).
- Leveraging ZTNA for Secure Transport: Because Zscaler’s ZTNA encrypts user-to-app traffic, focus on policies that ensure all applicable traffic takes that path, and on identifying the specialized data flows that never touch it (e.g., server-to-server replication, connector-to-application hops, backup traffic) and still require their own encryption.
- Key and Certificate Management (Okta’s Role): Securely managing encryption keys and certificates across a distributed enterprise is complex and vital. Okta’s PKI/ICAM solution streamlines the issuance, management, and revocation of certificates used by TLS, IPsec, and other encryption mechanisms.
- Performance Implications: Encryption adds processing overhead. Carefully plan and test encryption implementations to minimize impact on network performance and application latency.
- Interoperability: Ensure that encryption protocols and implementations are interoperable across diverse systems, applications, and external partners (especially for coalition sharing).
- Policy Enforcement Consistency: Implement consistent policies across all relevant architectural components, including on-premises, cloud, and hybrid environments. Leverage integrated endpoint solutions like Trellix to extend enforcement to the device level.
- Exceptions Management: Establish a strict, risk-based process for managing any unavoidable exceptions to encryption mandates.
- Visibility into Encrypted Traffic: While encryption protects data, it can also hide malicious activity. Consider solutions that allow for secure decryption and inspection for threat detection (e.g., SSL/TLS inspection on NGFWs or dedicated proxies, or within Zscaler’s platform) where policy allows and it is technically feasible. An inspection point becomes a second endpoint for every flow it decrypts, so it must re-encrypt toward the destination under the same policy it enforces, protect its own keys and trust anchors accordingly, and bypass categories that policy excludes from inspection.
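The TLS mandate from the solutions section (TLS 1.2 or later, strong cipher suites, certificate verification) and the consistency and exception items above are easiest to enforce when the baseline is written down as code that every team’s services and conformance checks share. The following added example (written for this article; it is not Okta, Zscaler, Trellix or DoD code) does that with Python’s standard ssl module: it builds a context that meets the baseline, builds the kind of client context the policy exists to catch, and audits either one against the policy. The baseline values (a TLS 1.2 floor, forward-secret AEAD suites only for TLS 1.2, mandatory hostname and certificate verification for clients) are this example’s assumptions, not a published DoD profile; substitute the enterprise guidance where it differs.

```python
"""Encode a TLS baseline as code and audit ssl.SSLContext objects against it.
Added example for this article, not vendor or DoD code. The baseline values
below are this example's assumptions, not a published DoD profile.
"""
import ssl

MIN_VERSION = ssl.TLSVersion.TLSv1_2
# OpenSSL cipher string for TLS 1.2: forward-secret (ECDHE) AEAD suites only.
# TLS 1.3 suites are AEAD and forward-secret by construction and are governed
# separately by OpenSSL, so the audit below skips them.
BASELINE_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"
FORWARD_SECRET_KEX = {"kx-ecdhe", "kx-dhe"}


def hardened_context(role):
    """Build a context that meets the baseline. role is "client" or "server"."""
    protocol = ssl.PROTOCOL_TLS_CLIENT if role == "client" else ssl.PROTOCOL_TLS_SERVER
    ctx = ssl.SSLContext(protocol)
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(BASELINE_CIPHERS)
    if role == "client":
        ctx.check_hostname = True              # peer must prove it is the intended host
        ctx.verify_mode = ssl.CERT_REQUIRED    # and present a chain to a trusted CA
        # Load the enterprise trust anchors here with ctx.load_verify_locations();
        # omitted so the example stays self-contained.
    return ctx


def weak_context():
    """The kind of client context the policy is meant to catch: no floor on the
    protocol version, no hostname check, no certificate verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                 # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx, role):
    """Return a list of policy findings; an empty list means the context conforms."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is below {MIN_VERSION.name}"
        )
    if role == "client":
        if not ctx.check_hostname:
            findings.append("hostname verification disabled")
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("peer certificate not required")
    # get_ciphers() describes every suite the context would offer or accept.
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue
        if not suite["aead"]:
            findings.append(f"non-AEAD cipher suite enabled: {suite['name']}")
        if suite["kea"] not in FORWARD_SECRET_KEX:
            findings.append(f"cipher suite without forward secrecy enabled: {suite['name']}")
    return findings


if __name__ == "__main__":
    print("hardened client:", audit_context(hardened_context("client"), "client"))
    print("hardened server:", audit_context(hardened_context("server"), "server"))
    for finding in audit_context(weak_context(), "client"):
        print("weak client:", finding)
```

The same audit_context function can run in a CI step against the contexts a service actually constructs, and the findings it returns are the evidence the exceptions process needs: an exception is recorded against a specific finding string, not against “TLS” in general. The check examines configuration rather than a live handshake, so it catches a weak setting before deployment but says nothing about the peer; the flow-level monitoring described earlier covers what is actually negotiated on the wire.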
Relevant Technologies and Tools:
Successfully implementing Activity 5.4.4 relies on a combination of networking, security, and identity technologies, heavily leveraging your chosen strategic platforms:
- Zero Trust Network Access (ZTNA) / Cloud Security Platforms: Zscaler’s Zero Trust Exchange (including ZTNA, Cloud Firewall, Microsegmentation) is central to securing data in transit by encrypting traffic between users/devices and applications, and enforcing policy on traffic traversing its cloud.
- Identity Provider (IdP) / ICAM / PKI Solutions: Okta serves as your PKI/ICAM solution, essential for issuing and managing the digital certificates used by TLS, IPsec, and other encryption protocols.
- Endpoint Security Platforms with DLP: Trellix Endpoint Security and Trellix DLP are key for protecting data in transit at the endpoint. They ensure endpoints use encrypted protocols and can block or enforce encryption on sensitive data transfers.
The Technical Buyer’s Data Protection Mandate:
Activity 5.4.4 is a key step in achieving data protection within your Zero Trust architecture. It moves beyond controlling access to mandating protection for your data in transit. For technical buyers, success here means implementing a policy-driven approach to encryption across all sensitive data flows, leveraging your strategic platforms. Zscaler’s Zero Trust Exchange secures traffic for users and devices connecting to applications, often eliminating the need for traditional VPNs. Okta’s PKI/ICAM solution simplifies the management of the certificates on which all of this encryption depends. And Trellix’s endpoint security and DLP provide enforcement at the device level, ensuring data is protected at its source. This integrated approach keeps your data confidential and untampered with as it travels across your network, across system boundaries, and during activities like coalition information sharing, providing a fundamental layer of trust and resilience in your Zero Trust environment.
Pillar: Network and Environment
Capability: 5.4 Micro-Segmentation
Activity: 5.4.4 Protect Data in Transit
Phase: Target Level
Predecessor(s): None
Successor(s): None