
NSA Zero Trust Maturity Guidance | Episode #10

In this episode, cloud security expert John Martinez explores why organizations must understand and control how their data is accessed. He breaks down the NSA’s Zero Trust guidance, including the 7 Pillars and the DoD Zero Trust Reference Architecture. Learn what it takes to build a modern, data-centric security model.

Transcript

Hey everybody.

Welcome to today’s episode of John Has Trust Issues, where I discuss issues relevant to the worlds of zero trust and authorization in a few minutes.

I’m John Martinez. I’m the technical evangelist over here at StrongDM, and my trust issue today stems from that weird Wi-Fi network that just popped up in my neighborhood. It says “FBI surveillance van.” I wonder if I should connect to it just to see what’s going on.

Today I’m talking about zero trust in actuality, and specifically about zero trust. I’m talking about the newly released cybersecurity information sheet from the NSA.

It’s all about the TL;DR for the paper they released called Advancing Zero Trust Maturity Throughout the Data Pillar. It’s an important addition to their existing zero trust content, including things like Embracing Zero Trust and various DoD materials around zero trust architecture.

This is strong content focused on data security and the data pillar itself, and we’ll get into some of the details. But first, let’s talk about what zero trust really is.

We’ve all heard “zero trust” used in many different ways and implementations, but most of the time it’s framed as a product or solution rather than a security model. So I want to recap what the zero trust security model is, at least from my perspective.

There are a few core tenets.

First is “never trust.” As the name implies, it’s about not trusting any connection or user by default. I like to compare it to a home alarm system. Locking doors and windows isn’t enough - you also install alarms and cameras that work together to monitor activity.

The next is “always verify.” Every connection, every user, and every request to a resource must be explicitly authenticated and authorized, regardless of where it originates. Going back to the home example, even after entering your code to disarm the alarm, cameras are still monitoring. Verification is continuous.

The third is “assume breach.” This means you assume threats already exist both inside and outside your network. You operate as if attackers are already present or about to get in. With the home analogy, when you leave, you don’t just lock up—you arm the system, activate motion sensors, and monitor activity remotely. Alerts come to your phone, and in advanced setups, systems can even notify authorities automatically.

These principles force a proactive approach to security, requiring continuous verification, validation, and authorization for all sessions accessing sensitive systems and data.

Implementing zero trust isn’t something you can install overnight. It’s a journey that requires maturity over time.

The NSA paper highlights this with a real-world example: a major breach involving a credit reporting agency in 2017. That breach exposed highly sensitive data like social security numbers, names, and addresses. Looking back, we can see a clear connection between weaknesses in the data layer and vulnerabilities in application and server infrastructure.

There’s a direct relationship between workload security and data security.

The NSA lays out a maturity model using a crawl, walk, run approach.

First, you need to catalog your data. Know what you have. Identify whether it includes sensitive information like PII or financial data.

Next, tag and label your data. This helps organize it, assign ownership, and eventually feed automation systems.

Then, apply encryption and leverage tag-based access controls. These tags aren’t just for organization - they can drive policy decisions and access controls across your environment.

From there, you move into automating granular access control decisions. This includes automating responses to access requests and triggering additional security checks when needed.

At the most mature stage, you’re automating enforcement and response across your data layer.

At the end of the day, securing the data pillar comes down to one core idea: ensuring that data is only accessed by authorized users, and only when appropriate.

That’s the essence of the data pillar maturity model outlined by the NSA. It’s a great paper - about 15 pages - and worth reading in full. There are many more details that I didn’t cover here.

I also have a blog on this topic through StrongDM that should be available soon, if it isn’t already.

That’s another episode of John Has Trust Issues. This episode was brought to you by StrongDM, the modern access management platform that enables continuous zero trust authorization for all of your infrastructure.

Thank you for watching. Have an awesome day.
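As an added illustration of the middle stages of the maturity model described in the transcript (tag and label the data, then let the tags drive access decisions, then trigger additional checks when a request falls short), here is a small tag-based access control evaluator. It is an example written for this page, not code from the NSA sheet, the episode, or StrongDM; the catalog entries, tag names, roles and policy rules are all constructed sample values, and the rule that PII needs MFA while financial data also needs a managed device is an assumed policy, not one the transcript states.

```python
"""Tag-driven access decisions over a labelled data catalog (constructed example)."""
from dataclasses import dataclass, field

# Stage 1-2 of the model: catalogued data, each record carrying the labels it was given.
# All entries are made-up sample data.
CATALOG = {
    "customers.csv": {"PII"},
    "ledger.db": {"financial"},
    "press_release.txt": {"public"},
    "kyc_export.parquet": {"PII", "financial"},
}


@dataclass(frozen=True)
class TagRule:
    """What a tag demands of the requester. '*' in allowed_roles means any role."""
    allowed_roles: frozenset
    require_mfa: bool = False
    require_managed_device: bool = False


# Stage 3: the tags themselves carry the policy. This mapping is an assumption for the example.
POLICY = {
    "public": TagRule(allowed_roles=frozenset({"*"})),
    "PII": TagRule(allowed_roles=frozenset({"support", "compliance"}), require_mfa=True),
    "financial": TagRule(allowed_roles=frozenset({"finance", "compliance"}),
                         require_mfa=True, require_managed_device=True),
}


@dataclass
class Session:
    """Attributes verified for this request; nothing is carried over from earlier requests."""
    user: str
    roles: set
    mfa_verified: bool = False
    managed_device: bool = False


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # hard denials; no step-up can fix these
    step_up: list = field(default_factory=list)   # extra checks that would satisfy the policy


# Stage 4-5: every decision is recorded so monitoring and automated response can act on it.
AUDIT_LOG: list = []


def evaluate(session: Session, resource: str) -> Decision:
    """Deny by default; allow only when every tag on the resource is satisfied."""
    decision = Decision(allow=False)
    tags = CATALOG.get(resource)
    if tags is None:
        # Uncatalogued data has no labels, so there is no policy that could permit it.
        decision.reasons.append(f"{resource}: not in catalog")
    else:
        satisfied = True
        for tag in sorted(tags):
            rule = POLICY.get(tag)
            if rule is None:
                satisfied = False
                decision.reasons.append(f"tag {tag}: no policy defined")
                continue
            if "*" not in rule.allowed_roles and not (session.roles & rule.allowed_roles):
                satisfied = False
                decision.reasons.append(f"tag {tag}: role not permitted")
            if rule.require_mfa and not session.mfa_verified:
                satisfied = False
                decision.step_up.append("mfa")
            if rule.require_managed_device and not session.managed_device:
                satisfied = False
                decision.step_up.append("managed_device")
        decision.allow = satisfied
    # A missing role cannot be cured by MFA or a device check, so only offer step-up
    # when the requester would otherwise be entitled to the data.
    decision.step_up = [] if decision.reasons else list(dict.fromkeys(decision.step_up))
    AUDIT_LOG.append({"user": session.user, "resource": resource,
                      "allow": decision.allow, "reasons": list(decision.reasons),
                      "step_up": list(decision.step_up)})
    return decision


if __name__ == "__main__":
    # Constructed requests showing allow, step-up, and hard-deny outcomes.
    for sess, res in [
        (Session("ann", {"support"}, mfa_verified=True), "customers.csv"),
        (Session("ann", {"support"}), "customers.csv"),
        (Session("bob", {"finance"}, mfa_verified=True, managed_device=True), "kyc_export.parquet"),
        (Session("cat", {"compliance"}, mfa_verified=True), "kyc_export.parquet"),
    ]:
        d = evaluate(sess, res)
        print(f"{sess.user} -> {res}: allow={d.allow} reasons={d.reasons} step_up={d.step_up}")
```

The design choice worth noticing is that a resource tagged with several labels must satisfy all of them, and that the evaluator distinguishes a denial that additional verification could resolve (the "trigger additional security checks" step in the transcript) from one that no step-up can change. In a real deployment the catalog, the policy and the session attributes would come from an inventory, a policy store and an identity provider rather than from literals, and the audit entries would be shipped to whatever watches for anomalies.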
