An Open Standard for Data-Centric Security

By Will Ackerly, CTO and Co-Founder, Virtru.


Designed to facilitate the sharing of sensitive information, the Trusted Data Format (TDF) offers CISOs a data-centric alternative to perimeter-centric security.

We’re living in a world of daily data leaks and network breaches, compromised and socially hacked passwords and portals. In this threat environment, people are also sharing more data than ever before, from an unprecedented number of devices in myriad locations. 

It’s a perfect storm of challenges for security professionals tasked with safeguarding corporate data. The traditional methods of perimeter security are no longer adequate for protecting sensitive information, largely because data is fluid: It moves, it changes hands, and different data objects have different levels of sensitivity.  

Given these dynamics, how can CISOs get a handle on the unstructured sensitive data constantly moving in and out of their organisations? 

By applying protections to the data itself. 

This approach is known as data-centric security, which is aligned with the data pillar of CISA’s Zero Trust Maturity Model. Ultimately, a data-centric approach to security allows organisations to make individual access decisions about individual data objects, helping to ensure that sensitive information is only accessed by those with a need to know. 

In this context, the Trusted Data Format (TDF), an open standard published by the U.S. Office of the Director of National Intelligence (ODNI), takes data-centric security a step further: TDF equips users to apply simple, easy-to-use protections to the information they share, regardless of the file type. TDF wraps each individual piece of data in its own layer of encryption, complete with attribute-based access controls and persistent protection that travels with the self-describing data as it moves.

The standard originated at the U.S. National Security Agency roughly a decade ago to address gaps in secure information sharing between U.S. federal government agencies. It is already used by thousands of organisations, including the U.S. Intelligence Community. And now, thanks to an open source project that makes it freely and easily accessible to the wider development community, many more enterprises will be able to benefit.

There are three key advantages for enterprise users: 

Free movement of data 

Security professionals are often faced with a conundrum: Securing data that people need to share to get their jobs done. If you lock data down in the name of security, it hinders collaboration. If you let data move unrestricted, it can easily result in a costly breach. 

TDF resolves this conundrum because it provides enduring protection that moves with the data, everywhere it goes — so it can be securely shared. Think of it as a secure wrapper that becomes part of the data itself. With TDF in place, data can move, even outside of an organisation, and still remain in the data owner’s control. 

This allows people, as well as devices relaying sensitive data, to transmit that information with the assurance that it remains protected in transit and at rest, and that it is only accessible to the intended recipient. That assurance leads to another key advantage of TDF.

Granular data sharing decisions

TDF leverages attribute-based access control (ABAC) to make sure data is only accessible to the right person, in the right place, at the right time. 

Compared with other methods of access control (e.g., role-based), ABAC has an extremely simple and simultaneously powerful methodology: access is defined by attributes assigned to the data itself. The TDF-protected data is simply tagged with a set of attributes, and if the user has been assigned matching, qualified attributes, then the user can access the data. The TDF can also incorporate rules (as attributes) from role-based and policy-based controls that may have already been defined. Additionally, the user doesn’t have to be a person: It can be a Non-Person Entity (NPE), essentially an application or other system. One caveat a practitioner should keep in mind: the check is only as strong as the source of the subject’s attributes, so they must be asserted by a trusted identity provider rather than self-declared by the requester.

With this level of sophistication, you can make much more granular decisions about your data and who can access it. With ABAC and TDF, an organisation could also cryptographically enforce document redaction that protects words, sentences, or paragraphs of text, all based on the attributes assigned. Different users would essentially see the same document in different ways, depending on their entitlements. This can be especially powerful for, say, a global coalition of partners that needs to share highly sensitive information with a select few credentialed individuals.
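The two mechanisms above, attribute matching on tagged data and per-segment cryptographic redaction, can be shown in a few dozen lines. The following is an added illustration written for this page; it is not Virtru’s code and not the TDF specification, and it simplifies in three labelled ways: an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the AEAD a real implementation would use, the key access server is an in-process object that keeps data keys in a table instead of a network service that unwraps RSA-wrapped keys, and attributes are plain `name:value` strings where `classification` is ordered and every other attribute must match exactly. The sample document, the `KeyAccessServer`, `protect`, `render` and `satisfies` names are all assumptions of this example.

```python
import hashlib
import hmac
import json
import os

# "classification" is an ordered attribute: a higher clearance qualifies for lower
# levels. Every other attribute has to match exactly. (Assumed for this example.)
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy PRF-in-counter-mode keystream; a real implementation uses an AEAD.
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return blocks[:length]


def seal(key: bytes, plaintext: bytes):
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce, ct, tag


def unseal(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def canonical(policy) -> bytes:
    return json.dumps(sorted(policy)).encode()


def satisfies(subject: set, required) -> bool:
    """allOf: each attribute on the data must be matched by a qualifying subject attribute."""
    for attr in required:
        name, _, value = attr.partition(":")
        if name == "classification":
            held = [LEVELS[s.partition(":")[2]] for s in subject if s.startswith("classification:")]
            if max(held, default=-1) < LEVELS[value]:
                return False
        elif attr not in subject:
            return False
    return True


class KeyAccessServer:
    """Policy enforcement point: a data key leaves only after the policy check passes."""

    def __init__(self) -> None:
        self._keys = {}

    def register(self, key_id: str, key: bytes) -> None:
        self._keys[key_id] = key

    def rewrap(self, key_id: str, policy, binding: str, subject: set) -> bytes:
        key = self._keys[key_id]
        expected = hmac.new(key, canonical(policy), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, binding):  # attributes edited in the manifest?
            raise PermissionError("policy binding does not match this key")
        if not satisfies(subject, policy):
            raise PermissionError("subject attributes do not satisfy policy")
        return key


def protect(segments, kas: KeyAccessServer) -> dict:
    """(text, required_attrs) pairs -> self-describing container; each segment gets its own key."""
    manifest = []
    for i, (text, attrs) in enumerate(segments):
        key, key_id = os.urandom(32), f"k{i}"
        kas.register(key_id, key)
        nonce, ct, tag = seal(key, text.encode())
        manifest.append({"key_id": key_id, "policy": sorted(attrs),
                         "policy_binding": hmac.new(key, canonical(attrs), hashlib.sha256).hexdigest(),
                         "nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag.hex()})
    return {"segments": manifest}


def render(container: dict, subject: set, kas: KeyAccessServer, redact="[REDACTED]") -> str:
    """Recipient's view: a segment decrypts only if the KAS releases its key."""
    out = []
    for seg in container["segments"]:
        try:
            key = kas.rewrap(seg["key_id"], seg["policy"], seg["policy_binding"], subject)
        except PermissionError:
            out.append(redact)
            continue
        out.append(unseal(key, *(bytes.fromhex(seg[k]) for k in ("nonce", "ciphertext", "tag"))).decode())
    return " ".join(out)


# Constructed sample: three paragraphs of one document, each tagged differently.
SAMPLE_DOCUMENT = [
    ("Quarterly logistics summary for coalition partners.", {"classification:unclassified"}),
    ("Convoy route changes take effect Monday.", {"classification:confidential", "coalition:partner"}),
    ("Source reporting indicates the route is compromised.", {"classification:secret", "nationality:usa"}),
]


def demo():
    kas = KeyAccessServer()
    container = protect(SAMPLE_DOCUMENT, kas)
    analyst = {"classification:secret", "nationality:usa", "coalition:partner"}
    partner = {"classification:confidential", "coalition:partner"}
    return render(container, analyst, kas), render(container, partner, kas)


if __name__ == "__main__":
    for view in demo():
        print(view)
```

`demo()` returns the same container rendered for two subjects: the analyst sees all three paragraphs, the coalition partner sees the first two and `[REDACTED]` for the third. The policy binding is the check worth copying: because the attribute list in the manifest is bound to the data key, a recipient who edits the manifest to drop `nationality:usa` still gets a refusal from the key server, which is what makes the protection travel with the data rather than with the container's honesty.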

Simplified user experience 

Data security products are only effective if people use them. As we’ve seen with clunky encryption portals and other legacy solutions, if your security protocol makes it difficult for people to get their jobs done, then those people will simply find a way to circumvent your security measures. 

TDF makes it easy for a user to protect the data they share, and it also makes it easy for the right people to access data that’s been shared with them. Recipients of TDF-protected information don’t need new software or accounts to access shared data, because they can verify their identity with the accounts they already have, regardless of vendor.

In summary, everyone benefits from a more secure digital world, and with the rise of data-centric security, standards like TDF not only protect vital information, but make data-centric security easy and accessible for any organisation that wants to implement it. From government agencies to schools, banks, manufacturers, tech companies, and non-profit organisations, those who leverage open standards to underpin a data-centric approach will reap the security and collaboration benefits for years to come.    
