Data-Centric Security on AWS

Security embedded in the data itself -- not the network, not the perimeter. Protection that persists wherever data travels, whoever holds it.

This site covers concepts, hands-on labs, reference architectures, and operational scenarios for implementing Data-Centric Security (DCS) in coalition and defence environments using AWS.


Where should I start?

I'm new to DCS and want to understand the basics

Start with What is Data-Centric Security? -- a plain-language introduction covering the problem DCS solves, the three protection levels, and how NATO standards fit in.

Then try Lab 1 (~30 min) to build a working DCS Level 1 system on AWS and see the concepts in action.

I want to build something on AWS

The Hands-On Labs walk you through building all three DCS levels step by step:

| Lab | What you build | Time |
|-----|----------------|------|
| Lab 1: Labeling | S3 objects with security tags, Lambda data service, CloudTrail audit | ~30 min |
| Lab 2: Access Control | Cognito identity, Verified Permissions with Cedar policies, ABAC enforcement | ~45 min |
| Lab 3: Encryption | OpenTDF on ECS Fargate, KMS key management, policy-gated decryption | ~60 min |

When you're ready for production, the Reference Architectures provide STANAG-compliant designs with Terraform.

I'm planning an integration or evaluating DCS for a programme

Start with the Operational Scenarios -- 17 problem definitions covering coalition sharing, tactical operations, legacy systems, and emerging domains. Each includes actors, constraints, and measurable acceptance criteria.

Then review Solution Patterns for approach options, and Reference Architectures for concrete AWS implementations.

I need to understand the NATO standards

See NATO Standards and DCS for how STANAG 4774, 4778, ZTDF, and ACP-240 relate to each other, or the full NATO STANAGs Reference for detailed coverage of each standard.


Key concepts

Data-Centric Security (DCS)
Security embedded in the data itself. Protection persists wherever data travels -- across networks, organizations, and classification domains.
The Three DCS Levels
Level 1 labels data with classification metadata. Level 2 enforces access control based on those labels. Level 3 encrypts data so only authorized parties can decrypt it.
Zero Trust Data Format (ZTDF)
NATO-standardized (March 2024) data wrapper built on OpenTDF. Combines labels, encryption, and federated key management into a single interoperable format.
Federated Key Management
Each nation operates its own Key Access Server (KAS). Data can require approval from one KAS (AnyOf) or all of them (AllOf) before decryption.

References