In a previous blog post, I discussed how the White House Executive Order issued on May 12, 2021 laid out new, rigorous government cyber security standards for federal agencies. Since then, the Office of Management and Budget (OMB) has released a strategy to help agencies to implement those standards, particularly those concerning their move to a zero trust architecture (ZTA). The document requires agencies to achieve specific goals for embracing zero trust by the end of Fiscal Year (FY) 2024. Towards that end, agencies must decide how they intend to use centralized identity management systems, multi-factor authentication (MFA), and reliable asset inventories. They then need to submit an implementation plan for these measures, among others, as well as create a budget estimate for FY 2024 within 60 days of the strategy taking effect.
It’s not always that easy, however. Public sector agencies—particularly those in state and local government—sometimes lack the technology or technical expertise in house to implement the security measures discussed above. Fortunately, those organizations can draw upon four new Thales “Cyber Packs”.
Let’s explore how this type of solution works below.
What Are Cyber Packs?
Thales Cyber Packs are holistic, cloud-based solutions that help organizations to improve their cyber security postures across the following areas of focus:
- Discover – Quickly find and categorize data
- Protect – Encrypt data at rest and in-flight without costly performance impact
- Control – Insulate and layer access against digital threats like ransomware attacks
Thales designed its Cyber Packs to help US companies become Executive Order-ready. They enable agencies to discover, protect, and control access to sensitive data anywhere. They do all this while integrating within existing IT infrastructures as well as delivering the same level of security whether deployed on-premises or in cloud environments. Such capabilities are essential for preventing intrusions, minimizing the impact of a successful intrusion, incident detection and response, as well as correlating incident forensics.
Let’s look at what’s included in the Cyber Packs for the Executive Order specifically.
Cloud Security
Requirement 3(c)(i) of the May 2021 Executive Order states that organizations “shall develop a Federal cloud-security strategy and provide guidance to agencies accordingly.” In support of this mandate, Cyber Packs provide organizations with Bring-Your-Own-Encryption (BYOE) capabilities for both IaaS and PaaS cloud strategies. Building on the theme of encryption, they enable agencies to maintain control of their keys and encryption for zero trust in the cloud through file-level encryption and granular access control. The solutions balance out these specs with additional features such as HSM-as-a-Service cloud key management, Cloud Key Broker services for Azure and SFDC, as well as compliance with standards including FIPS 140-2 Level 3, ISO 27001, and SOC Type 2.
Identification of Unclassified Data
Later in the Executive Order, Requirement 3(c)(iv) states that in-scope agencies “…shall prioritize identification of the unclassified data considered by the agency to be the most sensitive under the greatest threat, and appropriate processing and storage solutions for those data.” Cyber Packs seek to address this directive by enabling Bring-Your-Own-Key (BYOK) across a diverse multi-cloud deployment and by providing Hold-Your-Own-Key (HYOK) for Google EKM. They also include AWS GovCloud and Azure U.S. Government.
MFA and Encryption
In Requirement 3(d) of the Executive Order, the White House explains how “…agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws….” Cyber Packs can help agencies to fulfill this objective by scanning their on-premises and cloud-based environments for sensitive data including structured, unstructured, and cloud object data stores. They can then remediate data findings with encryption and access control from the same platform using true end-to-end, authenticated network encryption, MFA, Identity-as-a-Service, policy management, risk assessments, geo fencing, session management, and support for compliance frameworks like ISO/IEC 27001, CSA STAR, and SOC 2.
What Types of Cyber Packs Are Available to Agencies?
Thales offers four Cyber Packs that address different company architectural requirements. Let’s examine the features of each of these Cyber Packs below.
Cyber Pack Quick Start
- Emergency production pilot
- For companies with fewer than 500 employees
- Perfect for small groups of users
- Up and running in minutes
- Virtual deployment
- Best-in-breed technology
- Thales Cyber Security Center of Excellence Supported
- FIPS 140-2 L3 Compliant
Cyber Pack Small
- Small departments
- For companies with fewer than 1,000 employees
- Perfect for centralized architecture
- Up and running in hours
- Virtual deployment
- Best-in-breed technology
- Thales Cyber Security Center of Excellence Supported
- FIPS 140-2 L3 Compliant
Cyber Pack Medium
- Multiple departments
- For companies with fewer than 5,000 employees
- Perfect for multi-site models
- Up and running in days
- Virtual deployment
- Best-in-breed technology
- Thales Cyber Security Center of Excellence Supported
- FIPS 140-2 L3 Compliant
Cyber Pack Large
- Large organizations
- For companies with more than 5,000 employees
- Perfect for connected campuses
- Up and running in a week
- Virtual deployment
- Best-in-breed technology
- Thales Cyber Security Center of Excellence Supported
- FIPS 140-2 L3 Compliant
Ease of Use as the Key Objective
Cyber Packs are designed to free federal agencies from time wasted on trying to understand, select, procure, deliver, and use a solution so that they can focus on their zero trust journeys. As it turns out, public agencies aren’t the only ones that can benefit from Cyber Packs in this way. I’ll explore this point in my next blog post.
If you have more questions regarding Cyber Packs, our data security specialists are more than willing to answer them for you.