Zero Trust is a strategic initiative and principle that helps organizations prevent data breaches and protect their assets by assuming no entity is trusted. Going beyond the “castle-and-moat” concept which had dominated traditional perimeter security, Zero Trust recognizes that when it comes to security, trust is a vulnerability. Traditional security considered all users trusted once inside a network—including threat actors and malicious insiders.
By eliminating the concept of a “safe” network, Zero Trust requires strict identity verification and moves the decision to authenticate and authorize closer to the resource. The identity of the user/device/service provides key context for the application of access policies. With Zero Trust, access rules are as granular as possible to enforce least privileges required to perform the requested action.
Thales Trusted Cyber Technologies (TCT) is a U.S. based provider of government high-assurance data security solutions. Thales TCT offers authentication, encryption, and key management solutions that address foundational pillars of Zero Trust outlined by Cybersecurity and Infrastructure Security Agency (CISA): Identity, Device, Network, Application Workload, and Data.
Identities are the cornerstone of a Zero Trust Architecture (ZTA). The Cybersecurity & Infrastructure Security Agency (CISA) defines identities as “an attribute or set of attributes that uniquely describe an agency user or entity. Agencies should ensure and enforce that the right users and entities have the right access to the right resources at the right time”.
Thales TCT’s wide-range authenticators includes hardware and software OTP tokens, X.509 certificate-based USB tokens and smart cards, OOB, hybrid tokens, and phone tokens for all mobile platforms. Many Thales TCT hardware tokens support physical access control to secure buildings and sites, as well as continuous access online.
Thales TCT’s access management solutions have robust policy engines which allow for setting access policies that are extremely flexible. Security policies cater for the creation of very granular and specific rules to constantly reassess users during an open session, rather than only for certain events such as authentication time-outs. If the level of risk changes, Thales TCT’s access management solution forces the user to re-authenticate or step up to a stronger form of authentication. Policies can be set per application, apply to network ranges, operating systems, and user collections and geolocations. Authentication rules can be established as dynamic and as context specific as needed adapting to changes in a dynamic cloud environment.
The integrity of devices connecting to agency networks—whether agency-owned or bring-your-own device (BYOD)—must be validated. Unauthorized devices must be prevented from accessing agency networks and data.
CISA suggests that “need to align their network segmentation and protections according to the needs of their application workflows instead of the implicit trust inherent in traditional network segmentation”2 and cites encryption as a key ZTA functionality.
Thales HSE Features:
Certified Security. Thales HSEs are FIPS 140-2 L3, Common Criteria, NATO, DoD Information Network Approved Products List (DoDIN APL) certified. Our solutions support standards-based, end-to-end authenticated encryption and client-side key management. Advanced security features include traffic flow security, support for a wide range of elliptic curves (Safe Curves, Brainpool, NIST). VLAN based encryption provides unique key pairs in hub and spoke environments to protect against mis-configured traffic. For high-assurance environments, the encryptors also support nested encryption.
Transport Independent Mode. Transforming the network encryption market, Thales HSEs are the first to offer Transport Independent Mode (TIM) network layer independent (covering OSI Layer 2, Layer 3, and Layer 4) and protocol agnostic data in motion encryption.
Fully Interoperable. A single platform can be used to centrally manage encryptors across either single links or distributed networks.
Crypto-Agility. Thales HSE Solutions are crypto-agile, meaning they support customizable encryption for a wide range of elliptic and custom curves support. Thales HSEs already leverage Quantum Key Distribution (QKD) and Quantum Random Number Generation (QRNG) capabilities for future-proofing data security.
CISA recommends that agencies “integrate their protections more closely with their application workflows to ensure the protections have the visibility and understanding needed to provide effective security”.
Thales TCT CipherTrust Application Data Protection for DevSecOps
CISA also recommends that agencies apply zero trust principles to the development and deployment of applications.
CipherTrust Application Data Protection supports the rapidly evolving needs of DevOps and DevSecOps, targeting the desired combination of rapid software evolution with security. It offers simple-to-use, powerful software tools for application-level key management and encryption of sensitive data. The solution is flexible enough to encrypt nearly any type of data passing through an application. Application-layer data protection can provide the highest level of security, as it can take place immediately upon data creation or first processing and can remain encrypted regardless of its data life cycle state – during transfer, use, backup or copy.
CipherTrust Application Data Protection can be deployed in physical, private or public cloud infrastructure to secure data even when it is migrating from one environment to another, without any modifications to existing encryption or data processing policies.
CipherTrust Application Data Protection is deployed with CipherTrust Manager, an architecture that centralizes key and policy management across multiple applications, environments, or sites. The combined solution provides granular access controls that separate administrative duties from data and encryption key access. For example, a policy can be applied to ensure that no single administrator can make a critical configuration change without additional approval.
Taking a data-centric approach to security is not only a core component of ZTA, but it also critical for any cybersecurity infrastructure. CISA recommends that “agencies should begin to identify, categorize, and inventory data assets”.4 Next, agencies should deploy security solutions to protect the data itself.
Unlike alternative, disjointed solutions that can leave data exposed or compromised, DDC provides a streamlined workflow all the way from policy configuration, discovery, and classification, to risk analysis and reporting. This eliminates security blind spots and complexities. As a result, you can easily uncover and mitigate your data privacy risks, enforce data sovereignty, and proactively respond to a growing number of data privacy and security regulations, including GDPR, CCPA, LGPD, PCI DSS and HIPAA.
CipherTrust Transparent Encryption delivers data-at-rest encryption, privileged user access controls and detailed data access audit logging. Agents protect data in files, volumes and databases on Windows, AIX and Linux OS’s across physical and virtual servers in cloud and big data environments. Security intelligence logs and reports streamline compliance reporting and speed up threat detection using leading security information and event management (SIEM) systems.
CipherTrust Application Data Protection delivers crypto functions such as key management, signing, hashing and encryption services through APIs, so that developers can easily secure data at the application server or big data node. The solution comes with supported sample code so that developers can move quickly to securing data processed in their applications. CipherTrust Application Data Protection accelerates development of customized data security solutions, while removing the complexity of key management from developer responsibility and control. In addition, it enforces strong separation of duties through key management policies that are managed only by security operations.
CipherTrust Tokenization is offered both vaulted and vaultless and can help reduce the cost and complexity of complying with data security mandates such as PCI-DSS. Tokenization replaces sensitive data with a representative token, so that the sensitize data is kept separate and secure from the database and unauthorized users and systems. The vaultless offering includes policy-based dynamic data masking. Both offerings make it easy to add tokenization to applications.
CipherTrust Database Protection solutions integrate data encryption for sensitive fields in databases with secure, centralized key management and without the need to alter database applications. CipherTrust Database Protection solutions support Oracle, Microsoft SQL Server, IBM DB2 and Teradata databases.
CipherTrust Manager is the central management point for the platform. It is an industry-leading enterprise key management solution that enables organizations to centrally manage encryption keys, provide granular access controls and configure security policies. CipherTrust Manager manages key lifecycle tasks including generation, rotation, destruction, import and export, provides role based access control to keys and policies, supports robust auditing and reporting, and offers development- and management-friendly REST APIs.
Luna T-Series HSMs are the choice for government agencies when storing, protecting and managing cryptographic keys used to secure sensitive data and critical applications. Meeting government mandates for U.S. Supply Chain, the high-assurance, tamper-resistant Luna T-Series HSMs are designed, developed, manufactured, sold, and supported in the United States. Luna T-Series models offer secure storage of your cryptographic information in a controlled and highly secure environment. All Luna T-Series models can be initialized by the customer to protect proprietary information by using either multifactor (PED) authentication or password authentication.
Solution Brief: Zero Trust Solutions from Thales TCT
This solution brief provides an overview of Thales TCT's solutions that address foundational pillars of Zero Trust.
On Demand Webinar: Zero Trust Beyond the Buzzword
Watch this to learn about the best practices for implementing a zero trust architecture to protect your most sensitive data despite the dissolving perimeter. The webinar will discuss the top 5 things you need to know about zero trust
Video: Cyber EO Compliance Video Series - Part 6 - Implementing a Zero Trust Architecture
Implementing a zero trust approach to data security is one of the best ways for agencies to protect their data. A good plan starts with taking a data-centric approach to security.
On Demand Webinar: Shifting the Mindset From Breach Prevention to Acceptance
Watch this webinar to learn what agencies need to do before their networks are compromised.