NSA Zero Trust Maturity for the Data Pillar

Advance zero trust maturity for data protection with NSA-aligned controls covering data cataloging, labeling, monitoring, encryption, and access management.

How Kiteworks Supports NSA Zero Trust

The National Security Agency (NSA) has published guidance on advancing Zero Trust maturity across multiple pillars; its Cybersecurity Information Sheet "Advancing Zero Trust Maturity Throughout the Data Pillar" covers the pillar that matters most for organizations protecting sensitive information. NSA's Zero Trust framework moves beyond perimeter-based security to a model in which every access request is verified, every user is authenticated, and every data interaction is monitored. Kiteworks provides the technical capabilities needed to advance through the Data Pillar maturity levels, protecting data at rest, in transit, and in use.

Zero Trust Architecture Principles

Zero Trust is built on the fundamental principle of "never trust, always verify." The NSA's guidance emphasizes several core principles that Kiteworks implements:

  • Assume Breach: Design security controls assuming adversaries are already inside the network. Kiteworks' defense-in-depth architecture protects data even if perimeter defenses are compromised.
  • Verify Explicitly: Authenticate and authorize every access request based on all available data points including user identity, device health, location, and behavior.
  • Least Privilege Access: Limit user access to only the resources needed for their current task, enforced through granular role-based access controls.
  • Micro-Segmentation: Create security zones that limit lateral movement, implemented through Kiteworks' isolated content management architecture.

NSA Data Pillar Maturity Model

The NSA guidance defines four maturity levels for the Data Pillar: Preparation, Basic, Intermediate, and Advanced. The table below maps each level to the Kiteworks capabilities that support it:

Maturity Level | Description                         | Kiteworks Capabilities
Preparation    | Initial assessment and planning     | Data inventory, classification framework, risk assessment
Basic          | Foundational data protection        | Encryption, access controls, basic monitoring
Intermediate   | Enhanced data governance            | DRM, advanced analytics, automated policy enforcement
Advanced       | Comprehensive data-centric security | Zero-access architecture, behavioral analytics, continuous verification

Data-at-Rest Protection (AES-256 Encryption)

Protecting data at rest is fundamental to the NSA Zero Trust Data Pillar. Kiteworks provides:

  • AES-256 Encryption: All stored content is encrypted with AES using 256-bit keys, the NIST-standardized block cipher at its largest key size and the symmetric algorithm NSA's CNSA suite specifies.
  • Customer-Controlled Encryption Keys: Organizations hold their own keys, so the platform operator, Kiteworks included, cannot decrypt stored content. That is what makes the architecture zero-access rather than merely encrypted; when evaluating a deployment, confirm that the key-encryption keys are generated and held in the customer's own HSM or KMS and that the storage tier holds only wrapped data keys.
  • FIPS 140-Validated Modules: Cryptographic operations use modules validated under FIPS 140-2/140-3 by NIST's Cryptographic Module Validation Program.
  • Encrypted Backups: Backups are encrypted to the same standard as primary storage, so a stolen backup is no more useful to an attacker than a stolen disk.
  • Secure Key Storage: Keys live in hardened key management systems separated from the encrypted data, so compromise of the storage tier alone yields nothing readable.
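The key separation described above, modelled as an added example in Go (illustration code, not Kiteworks' implementation): envelope encryption, where each stored object gets its own AES-256-GCM data key and that key is wrapped under a customer-held key-encryption key. The storage tier holds only the wrapped key and the ciphertext, so without the KEK nothing is recoverable, and the object identifier is bound as associated data so a wrapped key cannot be transplanted onto another object. `NewKEK`, the object-ID binding and the in-process key generation are assumptions of the example, standing in for a customer HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is all the storage tier ever holds: the object ciphertext plus the
// data-encryption key (DEK) wrapped under the customer's key-encryption key
// (KEK). Neither part is recoverable without the KEK, which stays in the
// customer's KMS (modelled here by NewKEK; an assumption of the example).
type Blob struct {
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prepended
}

// NewKEK stands in for the customer's KMS generating a 256-bit key.
func NewKEK() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// seal encrypts msg under key with a fresh random nonce and returns
// nonce||ciphertext||tag. A 32-byte key selects AES-256.
func seal(key, msg, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, aad), nil
}

// open reverses seal; GCM's tag check fails on a wrong key, wrong aad, or
// any modification of the ciphertext.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt generates a per-object DEK, encrypts the object with it, then wraps
// the DEK under the KEK. objectID is bound as associated data so a wrapped DEK
// cannot be transplanted onto another object.
func Encrypt(kek, plaintext []byte, objectID string) (Blob, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Blob{}, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return Blob{}, err
	}
	wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return Blob{}, err
	}
	return Blob{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the KEK to unwrap the DEK first; a party holding only the
// Blob (the storage tier, a stolen backup) cannot get past this step.
func Decrypt(kek []byte, b Blob, objectID string) ([]byte, error) {
	dek, err := open(kek, b.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, b.Ciphertext, []byte(objectID))
}

func main() {
	kek, _ := NewKEK()
	blob, _ := Encrypt(kek, []byte("constructed sample record"), "obj-001")
	pt, err := Decrypt(kek, blob, "obj-001")
	fmt.Printf("with KEK: %q (err=%v)\n", pt, err)
	other, _ := NewKEK()
	_, err = Decrypt(other, blob, "obj-001")
	fmt.Println("without the customer's KEK:", err)
}
```

Run it with a second, unrelated KEK and `Decrypt` fails at the unwrap step before the object ciphertext is ever touched; that failure, rather than a policy statement, is what makes a zero-access claim checkable.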

Data-in-Transit Protection (TLS 1.3)

Protecting data as it moves between systems is a critical Zero Trust requirement. Kiteworks implements:

  • TLS 1.3: The current transport security protocol; it drops legacy cipher suites, static RSA key exchange, and renegotiation, and completes the handshake in a single round trip.
  • Perfect Forward Secrecy: TLS 1.3 permits only ephemeral (EC)DHE key exchange, so compromise of a server's long-term key does not expose previously captured sessions.
  • Certificate Pinning: Validate the server's certificate or public key against a known-good value in addition to normal chain validation, defeating man-in-the-middle attempts that rely on a mis-issued or attacker-controlled certificate. Pinning is a client-side control: it applies where the connecting client (an application or integration rather than a general-purpose browser, which no longer supports pinning) can carry the expected value.
  • End-to-End Encryption: Content stays encrypted from sender to recipient without intermediate decryption. Server-side features such as content inspection for DLP and in-browser secure viewing require the platform to process plaintext, so when scoping a deployment, confirm which workflows are end-to-end in the strict sense and which rely on the platform's at-rest and in-transit protection instead.
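An added example, not Kiteworks client code, of what the first three items look like when enforced on the client side in Go: a `tls.Config` that refuses anything below TLS 1.3 and checks the server's SPKI hash in `VerifyPeerCertificate` after the normal chain and hostname validation, exercised with an in-memory handshake against a constructed self-signed certificate. The hostname, the pin encoding (base64 of SHA-256 over the SubjectPublicKeyInfo) and the `asyncConn` helper that keeps the in-memory pipe from deadlocking are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway server certificate (constructed for the demo).
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)); pinning the key rather
// than the certificate survives renewal with the same key pair.
func SPKIPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// clientConfig enforces TLS 1.3 (whose handshakes always use ephemeral key
// exchange, so forward secrecy comes with it) and, after the usual chain and
// hostname checks, rejects any leaf whose SPKI hash is not in the pin set.
func clientConfig(host string, roots *x509.CertPool, pins map[string]bool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS13,
		ServerName: host,
		RootCAs:    roots,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			pin, err := SPKIPin(rawCerts[0])
			if err != nil {
				return err
			}
			if !pins[pin] {
				return errors.New("certificate pin mismatch: refusing connection")
			}
			return nil
		},
	}
}

// asyncConn makes writes on a synchronous net.Pipe non-blocking, so a whole
// handshake flight can be queued without waiting for the peer to read it.
type asyncConn struct {
	net.Conn
	out chan []byte
}

func newAsyncConn(c net.Conn) *asyncConn {
	a := &asyncConn{Conn: c, out: make(chan []byte, 64)}
	go func() {
		for b := range a.out {
			if _, err := a.Conn.Write(b); err != nil {
				return
			}
		}
	}()
	return a
}

func (a *asyncConn) Write(p []byte) (int, error) {
	a.out <- append([]byte(nil), p...)
	return len(p), nil
}

// Handshake runs a client/server handshake in memory and returns the negotiated
// version, or the client's verification error.
func Handshake(serverCert tls.Certificate, client *tls.Config) (uint16, error) {
	cp, sp := net.Pipe()
	deadline := time.Now().Add(5 * time.Second)
	cp.SetDeadline(deadline)
	sp.SetDeadline(deadline)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS13}
	go func() { _ = tls.Server(newAsyncConn(sp), srvCfg).Handshake(); sp.Close() }()
	cli := tls.Client(newAsyncConn(cp), client)
	defer cp.Close()
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	cert, _ := selfSignedCert("files.example.test")
	pin, _ := SPKIPin(cert.Certificate[0])
	leaf, _ := x509.ParseCertificate(cert.Certificate[0])
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	_, err := Handshake(cert, clientConfig("files.example.test", roots, map[string]bool{pin: true}))
	fmt.Println("matching pin:", err)
	_, err = Handshake(cert, clientConfig("files.example.test", roots, map[string]bool{"wrong": true}))
	fmt.Println("wrong pin:", err)
}
```

The pin check runs only after Go's own chain and hostname validation has passed, which is the right layering: pinning narrows which otherwise-valid certificates are acceptable, it does not replace validation. Ship at least one backup pin for the next key pair, or a key rotation becomes an outage.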

Data-in-Use Considerations

While data-in-use protection remains challenging, Kiteworks addresses this through:

  • Secure viewing environments that prevent unauthorized screen capture
  • Digital Rights Management controlling what users can do with accessed data
  • Session isolation preventing cross-contamination between data access sessions
  • Memory protection mechanisms for processed data

Data Cataloging and Categorization

Zero Trust requires organizations to know what data they have and its sensitivity level. Kiteworks supports:

  • Automated content scanning and classification
  • Metadata tagging for sensitivity levels and data categories
  • Integration with data loss prevention (DLP) tools for content inspection
  • Comprehensive data inventory across all communication channels

Data Labeling and Tagging

Proper labeling ensures data is handled according to its sensitivity. Kiteworks provides:

  • Classification labels aligned with government and organizational standards
  • Automated labeling based on content analysis
  • Persistent labels that travel with data across systems
  • Policy enforcement based on data labels

Data Monitoring and Sensing

Continuous monitoring is a Zero Trust imperative. Kiteworks delivers:

  • Real-Time Activity Monitoring: Track every data access, movement, and modification in real time.
  • Behavioral Analytics: Detect anomalous data access patterns that may indicate insider threats or compromised accounts.
  • SIEM Integration: Feed monitoring data into enterprise security operations for correlated analysis.
  • Automated Alerting: Trigger immediate notifications for policy violations or suspicious activities.
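As an added example (illustration, not the product's analytics engine), the kind of baseline comparison a behavioral rule runs over access events, in Go, with a constructed key=value log: each user's downloads in the latest window are compared with the window before it, and alerts fire for volume well above baseline and for a source IP the user has never used. The log format, field names, the 3x multiplier and the floor of 5 are assumptions of the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// SampleLog is a constructed access log, one key=value record per line. Day
// two holds mallory's overnight burst from a new address; alice is normal.
const SampleLog = `
ts=2024-05-01T09:02:11Z user=alice action=download ip=10.0.0.5
ts=2024-05-01T10:11:03Z user=mallory action=download ip=10.0.0.9
ts=2024-05-02T08:55:19Z user=alice action=upload ip=10.0.0.5
ts=2024-05-02T09:10:42Z user=alice action=download ip=10.0.0.5
ts=2024-05-02T10:20:08Z user=mallory action=download ip=10.0.0.9
ts=2024-05-02T02:05:31Z user=mallory action=download ip=198.51.100.7
ts=2024-05-02T02:06:02Z user=mallory action=download ip=198.51.100.7
ts=2024-05-02T02:06:40Z user=mallory action=download ip=198.51.100.7
ts=2024-05-02T02:07:15Z user=mallory action=download ip=198.51.100.7
ts=2024-05-02T02:08:03Z user=mallory action=download ip=198.51.100.7
ts=2024-05-02T23:00:00Z user=alice action=download ip=10.0.0.5
`

// Alert is what would be forwarded to the SIEM or paging channel.
type Alert struct {
	User, Rule, Detail string
}

// stats is one user's download activity within one window.
type stats struct {
	downloads int
	ips       map[string]bool
}

// parseLine splits "k=v k=v ..." into a map.
func parseLine(line string) (map[string]string, error) {
	f := map[string]string{}
	for _, kv := range strings.Fields(line) {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return nil, fmt.Errorf("malformed field %q", kv)
		}
		f[k] = v
	}
	return f, nil
}

// Detect compares each user's downloads in the window ending at now against
// the window just before it (the baseline). Two rules fire: volume above 3x
// the baseline and above a floor of 5, and a source IP absent from the
// baseline. A user with no baseline is flagged rather than waved through.
func Detect(log string, now time.Time, window time.Duration) ([]Alert, error) {
	recentStart := now.Add(-window)
	baseline, recent := map[string]*stats{}, map[string]*stats{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		at, err := time.Parse(time.RFC3339, f["ts"])
		if err != nil {
			return nil, err
		}
		if f["action"] != "download" || at.Before(recentStart.Add(-window)) || at.After(now) {
			continue // not a download, or outside the two windows
		}
		bucket := recent
		if at.Before(recentStart) {
			bucket = baseline
		}
		s := bucket[f["user"]]
		if s == nil {
			s = &stats{ips: map[string]bool{}}
			bucket[f["user"]] = s
		}
		s.downloads++
		s.ips[f["ip"]] = true
	}
	var alerts []Alert
	for user, r := range recent {
		b := baseline[user]
		limit := 5
		if b != nil && 3*b.downloads > limit {
			limit = 3 * b.downloads
		}
		if r.downloads > limit {
			alerts = append(alerts, Alert{user, "download-volume",
				fmt.Sprintf("%d downloads in window, limit %d", r.downloads, limit)})
		}
		for ip := range r.ips {
			if b == nil || !b.ips[ip] {
				alerts = append(alerts, Alert{user, "new-source-ip", ip})
			}
		}
	}
	return alerts, nil
}

func main() {
	now := time.Date(2024, 5, 2, 23, 30, 0, 0, time.UTC)
	alerts, err := Detect(SampleLog, now, 24*time.Hour)
	fmt.Println(alerts, err) // two alerts for mallory, none for alice
}
```

A production baseline would span weeks rather than one window and would weight time of day, but the structure is the same: a baseline, a recent window, a threshold with a floor so that quiet users are not paged over two extra downloads, and a never-seen-before attribute check that catches the compromised-account case volume alone misses.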

Data Encryption and Rights Management

Beyond basic encryption, Zero Trust requires granular control over data usage. Kiteworks provides:

  • Digital Rights Management (DRM) controlling view, edit, print, download, and forward permissions
  • Time-limited access that automatically expires
  • Watermarking for tracking document distribution
  • Revocation capabilities to instantly remove access to shared data

Data Loss Prevention

Preventing unauthorized data exfiltration is critical in a Zero Trust environment. Kiteworks supports:

  • Content inspection policies that scan for sensitive information
  • Blocking or quarantining transfers that violate data protection policies
  • Integration with enterprise DLP solutions for comprehensive coverage
  • Geofencing controls preventing data from leaving authorized geographic boundaries
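An added example, not Kiteworks' scanner, of the content-inspection step in Go: it finds payment card numbers and US Social Security numbers in a message, discards look-alikes (a card number must pass the Luhn checksum, an SSN must use an issuable area/group/serial), and turns the findings into a block, quarantine or allow verdict. The patterns, the verdict mapping and the sample message are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one piece of sensitive content located by the scanner.
type Finding struct {
	Type  string // "PAN" (card number) or "SSN"
	Match string
}

// Verdict is what the transfer pipeline does with the message.
type Verdict string

const (
	Allow      Verdict = "allow"
	Quarantine Verdict = "quarantine" // hold for review
	Block      Verdict = "block"      // refuse the transfer outright
)

var (
	// 13-19 digits, optionally separated by single spaces or dashes.
	panRe = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)
	// US SSN shape; the structural rules are checked in validSSN.
	ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
)

// luhn reports whether a digit string passes the Luhn checksum, which
// weeds out invoice and order numbers that merely look like card numbers.
func luhn(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// validSSN rejects the area/group/serial values the SSA never issues.
func validSSN(s string) bool {
	area, group, serial := s[0:3], s[4:6], s[7:11]
	return area != "000" && area != "666" && area[0] != '9' && group != "00" && serial != "0000"
}

// Inspect scans text and returns the findings plus the resulting verdict:
// any card number blocks the transfer, an SSN alone quarantines it.
func Inspect(text string) ([]Finding, Verdict) {
	var findings []Finding
	for _, m := range panRe.FindAllString(text, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if luhn(digits) {
			findings = append(findings, Finding{"PAN", m})
		}
	}
	for _, m := range ssnRe.FindAllString(text, -1) {
		if validSSN(m) {
			findings = append(findings, Finding{"SSN", m})
		}
	}
	verdict := Allow
	for _, f := range findings {
		switch f.Type {
		case "PAN":
			return findings, Block
		case "SSN":
			verdict = Quarantine
		}
	}
	return findings, verdict
}

func main() {
	// Constructed message: one Luhn-valid card number, one invoice number that
	// fails Luhn, one issuable SSN and one impossible SSN.
	msg := "Card 4111 1111 1111 1111, invoice 1234 5678 1234 5678, SSN 078-05-1120, ref 000-12-3456"
	findings, v := Inspect(msg)
	fmt.Println(v, findings)
}
```

The validation steps are where a DLP rule earns its keep: a bare 16-digit regex would quarantine every invoice in the company, and the resulting alert fatigue is how real exfiltration gets waved through.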

Continuous Verification and Validation

Zero Trust requires ongoing verification rather than one-time authentication. Kiteworks implements:

  • Continuous session validation with risk-based re-authentication
  • Device posture assessment before granting data access
  • Context-aware access decisions based on user, device, location, and behavior
  • Automated policy adjustment based on real-time risk assessment
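The access decision itself, as an added example in Go that serves the labeling, rights-management, geofencing and continuous-verification sections above (illustration, not Kiteworks' policy engine): every request carries the user's clearance, MFA state, device posture and country, plus the share grant if one is in play, and is evaluated against the object's label and geofence. Expired or revoked grants, insufficient clearance and geography are hard denies, missing MFA on Confidential data triggers step-up, Restricted data additionally requires a managed and compliant device, and the rights returned narrow as the label rises. Label names, the rights per label and the order of checks are assumptions of the example.

```go
package main

import (
	"fmt"
	"time"
)

// Label is the sensitivity classification carried with the object; the
// ordering matters because clearance is compared against it.
type Label int

const (
	Public Label = iota
	Internal
	Confidential
	Restricted
)

// Object is the target: its label and, for geofenced content, the countries
// it may be accessed from (empty means anywhere).
type Object struct {
	ID        string
	Label     Label
	Countries map[string]bool
}

// Grant is a time-limited share. Revocation is checked on every request, so
// pulling a grant takes effect immediately rather than at the next login.
type Grant struct {
	ID      string
	Expires time.Time
}

// Request is the context evaluated on every access, not only at login.
type Request struct {
	User          string
	Clearance     Label
	MFA           bool
	ManagedDevice bool // enrolled in the organisation's device management
	Compliant     bool // passed the latest posture check
	Country       string
	Grant         *Grant // nil for direct, unshared access
	Now           time.Time
}

// Decision carries the effect and, when allowed, the rights granted.
type Decision struct {
	Effect string // "allow", "deny" or "step_up" (re-authenticate with MFA)
	Reason string
	Rights []string
}

// Evaluate applies the policy from hardest to softest control: revoked or
// expired grants, insufficient clearance and geofence violations deny
// outright; missing MFA on Confidential or higher asks for step-up; Restricted
// additionally needs a managed, compliant device. Rights narrow with the label.
func Evaluate(obj Object, r Request, revoked map[string]bool) Decision {
	deny := func(reason string) Decision { return Decision{Effect: "deny", Reason: reason} }
	if r.Grant != nil {
		if revoked[r.Grant.ID] {
			return deny("grant revoked")
		}
		if !r.Now.Before(r.Grant.Expires) {
			return deny("grant expired")
		}
	}
	if r.Clearance < obj.Label {
		return deny("clearance below object label")
	}
	if len(obj.Countries) > 0 && !obj.Countries[r.Country] {
		return deny("outside permitted geography")
	}
	if obj.Label >= Confidential && !r.MFA {
		return Decision{Effect: "step_up", Reason: "MFA required for this label"}
	}
	if obj.Label == Restricted && !(r.ManagedDevice && r.Compliant) {
		return deny("restricted data requires a managed, compliant device")
	}
	rights := []string{"view", "download", "edit", "forward"}
	switch obj.Label {
	case Confidential:
		rights = []string{"view", "download"} // no onward sharing or editing
	case Restricted:
		rights = []string{"view-watermarked"} // in-browser viewing only
	}
	return Decision{Effect: "allow", Reason: "policy satisfied", Rights: rights}
}

func main() {
	// Constructed scenario: a Restricted file shared by link, re-evaluated as
	// the session context changes.
	now := time.Date(2024, 5, 6, 9, 0, 0, 0, time.UTC)
	obj := Object{ID: "board-pack.pdf", Label: Restricted, Countries: map[string]bool{"US": true}}
	req := Request{User: "alice", Clearance: Restricted, MFA: true, ManagedDevice: true, Compliant: true,
		Country: "US", Grant: &Grant{ID: "share-42", Expires: now.Add(2 * time.Hour)}, Now: now}
	revoked := map[string]bool{}
	fmt.Println(Evaluate(obj, req, revoked)) // allow, view-watermarked
	req.Compliant = false // posture check fails mid-session
	fmt.Println(Evaluate(obj, req, revoked)) // deny
	req.Compliant, req.Now = true, now.Add(3*time.Hour)
	fmt.Println(Evaluate(obj, req, revoked)) // deny: grant expired
	revoked["share-42"] = true
	fmt.Println(Evaluate(obj, req, revoked)) // deny: grant revoked
}
```

Because `Evaluate` is pure and cheap it can run on every request rather than once per session, which is the practical difference between continuous verification and a login check: in the scenario in `main`, the same session is allowed, then denied when posture lapses, then denied again when the link expires or is revoked, with no re-login needed for any of those to take effect.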

By implementing Kiteworks, organizations can systematically advance their Zero Trust maturity for the Data Pillar, building a comprehensive data protection strategy that aligns with NSA guidance and modern cybersecurity best practices.