Virtru

Virtru is a data security platform that governs access through authoritative identity attributes, with a Policy Decision Point built to the NIST SP 800-162 ABAC standard.

About Virtru

Virtru is pioneering the shift from network-centric to data-centric security, embedding protection directly into data so mission owners maintain control wherever sensitive information is shared. The Virtru Data Security Platform is built on OpenTDF, an open standard evolved from technology developed at the NSA by co-founder Will Ackerly, and supports ACP 240, the Five Eyes-ratified Zero Trust standard for secure coalition operations. Trusted by more than 6,000 public and private-sector organizations, including the U.S. Department of War, JPMorgan Chase, and Salesforce, Virtru enables secure collaboration across classification boundaries at mission speed, with integrations across leading defense, cloud, and cross-domain solution providers. For more information, visit www.virtru.com.

The partnership: Real-time access governance for classified collaboration

Rocket.Chat is where classified work happens. Virtru governs who is authorized to be there.

Until now, channel membership was managed through static rosters and IT tickets. When a clearance lapsed or a program rotation processed, the channel did not know until someone took action. That gap is where access risk lives.

This integration connects Virtru's Policy Decision Point directly to Rocket.Chat's enforcement engine, so that channel access is enforced based on live identity attributes sourced from the organization's authoritative IdP. When a user's attributes change in your identity system, Rocket.Chat channel membership reflects that change automatically at the next sync cycle, without any manual intervention.

Channel access is governed by the same authoritative identity source that governs everything else in the organization, continuously enforced, fully auditable, and aligned with EO 14028, M-22-09, and the DoD Zero Trust Strategy.

Built for how operations actually work

Access risk in classified environments rarely looks like a deliberate breach. It looks like an engineer still in a channel three weeks after rotating off the program. An analyst whose clearance lapsed but no ticket was filed. A task force that dissolved while the channels stayed open. This integration handles all of it automatically.

  • Program rotation: An engineer moves from Program TITAN to APOLLO. The attribute updates in the IdP. At the next sync, Virtru re-evaluates TITAN. The engineer is removed, with no tickets to raise and no manual revocation.

  • Clearance expiry: An analyst's compartment clearance lapses pending reinvestigation. Virtru detects the change at the next sync and removes them automatically. Every removal logged with full context, the evidence an IG review requires.

  • JTF stand-down: A Joint Task Force dissolves. When the status updates in the IdP, all members across agencies and allied nations are evicted at the next sync. The operational footprint collapses with the mission.

  • PERSEC hold: A security hold is applied at 2am. The attribute updates immediately. The next sync, configurable to every minute, removes the employee from every affected channel. Exposure window: minutes, not days.

Features

  • Real-time access governance: Channel membership is validated against live identity attributes at a configurable sync interval, as frequently as every minute, so access always reflects current authorization.

  • Automatic eviction: When attributes change in the IdP, non-compliant members are removed at the next sync with no administrative action required.

  • Add-time validation: Every manual add is validated against the channel's attribute policy before it completes. Non-compliant users cannot be added regardless of admin privilege.

  • Fail-secure by default: Users with no assigned attributes are treated as non-compliant. The system always defaults to restrictive, never permissive.

  • Decision-level audit trail: Every access decision logged: user, channel, attributes evaluated, decision, timestamp. Continuous evidence for Zero Trust compliance reviews and IG audits.

  • Identity sovereignty: No user attribute data ever enters Rocket.Chat. Virtru holds the identity posture. The communications platform receives only Allow or Deny.

Requirements

  • Rocket.Chat deployment: On-premises, customer cloud, or air-gapped. Supported on NIPRNet, SIPRNet, and JWICS. DoD ATO to Impact Level 6.
  • Virtru Data Security platform: Deployed in customer VPC or on-premises, matched to Rocket.Chat's deployment profile and accreditation boundary.
  • Authoritative identity provider (IdP): Any SAML/LDAP/OIDC/OAuth2-compatible identity system holding clearance, program, department, and nationality attributes.
  • ABAC policy definition: Per-room attribute policies defined by an authorized admin in Rocket.Chat, for example: clearance_level = SECRET AND project_assignment = OLYMPUS.
  • Network connectivity: Established between Virtru and Rocket.Chat services, within the accreditation boundary of the deployment environment.

Security and compliance

The integration enforces a clean separation of responsibilities across the access decision chain. 

  • The organization's IdP is the authoritative source of user attributes. 
  • Virtru's Policy Decision Point evaluates every access request against those attributes and returns a binary decision. 
  • Rocket.Chat enforces that decision, executes evictions, blocks unauthorized additions, and logs every outcome. No user attribute data is stored in the communications platform at any point in this chain.

The integration supports NIST SP 800-162 for Attribute-Based Access Control and NIST SP 800-207 for Zero Trust architecture continuous validation requirements.
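
The decision chain described under Features and Security and compliance (add-time validation, sync-cycle eviction, fail-secure default, decision-level audit) can be modelled in a few lines. This is an added example, not Virtru or Rocket.Chat code, and it calls no real API of either product. The names pdp_decide, Room, IDP_ATTRIBUTES and ROOM_POLICIES, the sample users, and the choice to log attribute names but never values are assumptions made for illustration.

```python
from datetime import datetime, timezone

ALLOW, DENY = "Allow", "Deny"

# Constructed sample data: attributes as the IdP would hold them (decision side only).
IDP_ATTRIBUTES = {
    "alice": {"clearance_level": "SECRET", "project_assignment": "OLYMPUS"},
    "bob": {"clearance_level": "SECRET", "project_assignment": "APOLLO"},
    "carol": {},  # no assigned attributes
}
# Per-room policy: every key must match (the AND policy from Requirements).
ROOM_POLICIES = {
    "olympus-ops": {"clearance_level": "SECRET", "project_assignment": "OLYMPUS"},
}


def pdp_decide(user, room):
    """Decision point (hypothetical): reads attributes, returns only Allow or Deny."""
    policy = ROOM_POLICIES.get(room)
    attrs = IDP_ATTRIBUTES.get(user) or {}
    if not policy or not attrs:  # fail-secure: unknown room or no attributes
        return DENY
    return ALLOW if all(attrs.get(k) == v for k, v in policy.items()) else DENY


class Room:
    """Enforcement point (hypothetical): holds members and audit, no attribute values."""

    def __init__(self, name, members=()):
        self.name, self.members, self.audit = name, set(members), []

    def _record(self, user, action, decision):
        self.audit.append({
            "user": user, "channel": self.name, "action": action,
            "attributes_evaluated": sorted(ROOM_POLICIES.get(self.name, {})),  # names only
            "decision": decision,
            "timestamp": datetime.now(timezone.utc).isoformat(),
        })
        return decision

    def add(self, user):
        """Add-time validation: the add completes only on Allow."""
        allowed = self._record(user, "add", pdp_decide(user, self.name)) == ALLOW
        if allowed:
            self.members.add(user)
        return allowed

    def sync(self):
        """Sync cycle: re-evaluate every member, evict on Deny, return the evicted."""
        evicted = sorted(u for u in self.members
                         if self._record(u, "sync", pdp_decide(u, self.name)) == DENY)
        self.members -= set(evicted)
        return evicted
```

Changing a member's entry in IDP_ATTRIBUTES and calling sync() reproduces the program-rotation case: the member is evicted at the next cycle and the audit log gains one Deny record.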
