Data interoperability standards and enterprise-wide collaboration could harmonize zero trust efforts with cybersecurity strategies, Department of Veterans Affairs’ (VA) CDO Kshemendra Paul said at ACT-IAC's Cybersecurity Forum 2022.
"Cybersecurity and zero trust are a big data problem," Paul said during the forum Friday. “There's a lot of emphasis on sharing what's going on in the different [VA] departments. This is an area where, while there are differences between departments, we're all better served through higher degrees of standardization. That doesn't happen automatically; it is a pretty heavy lift. It only happens if you have effective data governance.”
Paul said establishing minimum interoperability standards for key security controls takes an enterprise, whole-of-government approach, collaborating with the CISO community, the CDO Council, privacy experts, industry and academia. To do this, VA is taking a federated, “data-centric” approach, where security, networks, applications and systems revolve around data.
“These problems that are so cross-cutting and only really work at the level we need to when we take an enterprise approach that goes across functional domains, that partners with our mission stakeholders,” Paul said. “We start to do it in a more uniform way, regardless of what domain, and add that little bit of customization.”
VA’s Data Strategy focuses on a holistic, enterprise approach with five key elements: stewardship, analytics, secure technology platforms, a data-literate workforce and governance. The strategy is focused on data analytics, but the agency’s leadership, including the CISO and CIO, plans to build out additional frameworks around zero trust and IT modernization.
As the agency continues to improve on its data strategy, VA is leveraging a human-centered perspective so the agency can seamlessly share, safeguard and protect data as well as support longitudinal service for the veteran.
“Critical for the strategy is this idea a human-centered approach, focused on the veteran or on the service member... to, over time, work towards maximizing lifetime impact of the services and benefits we provide,” Paul said. “That's a very big vision—it aligns with the Evidence-Based Policymaking Act—but it's one that we can build to incrementally by focusing on real-world use cases and then building up the pieces there.”
As VA works to meet the zero trust requirements outlined in President Biden’s May 2021 Executive Order on Improving the Nation's Cybersecurity, the agency is looking to leverage zero trust to standardize its systems and security controls.
“We've implemented application security one system at a time,” Paul said. “There are slight variations... It's a real nosebleed to get that all lined up. The zero trust here is the way now the government decided to break back layers as we implement these data management techniques. We use them to help that standardization and help with horizontal approach.”
By collaborating with the CIO, CDO and CISO communities across the agency and government, Paul hopes to improve implementation of the zero trust protocols, ensure VA is not hampering information-sharing and understand data in its full context.
“As you do a better job managing and integrating your data and making it more useful, you're also creating a more and more attractive target, from a threat vector perspective,” Paul said. “You have to ensure appropriate use... so you're elevating the protection to allow for greater sharing, without compromising any of the controls in place. I definitely think that's a journey that we're going to be taking over the coming years, dramatically increasing our ability to assure authorized use of this valuable information.”