The U.S. Department of Defense (DoD) recently released its “zero trust” strategy. This article will summarize the approach the DoD is taking, which serves as a potential guide for other industries as well.

For years, various vendors have offered zero trust solutions. However, this “never trust, always verify” approach is just a concept that fundamentally requires a shift for everything from the IT infrastructure capabilities and the technologies used to processes and how communication services are delivered. This requires a more far-reaching change across the organization than ever before. Therefore, the DoD created an entire department, the Zero Trust Portfolio Management Office (ZT PfMO) to organize and accelerate this multiyear effort.

In order to protect its missions and warfighters from sophisticated attacks and adversaries, the DoD realized zero trust is not just about technology. It also requires a completely new approach to culture and processes to address a daunting list of challenges outlined below.

• Complex security threats persist and increase from nation states, cybercriminals, and even malicious insiders.
• The traditional perimeter defense, also known as “castle defense”, combined with conventional authentication and authorization models, are insufficient to thwart today’s cyberattacks.
• Security models must take into account that today’s operational models do not only need to cover the diverse DoD multi-domain operations (cyber, space, air, ground, and sea), but require a diverse global set of national allied forces, industry partners, and outside service providers.
• Infrastructure is not controlled and operated by the DoD directly but includes physical devices and cloud services operated by partners. Furthermore, locking down infrastructure or overly restricting access to data gets in the way of collaboration and swift action.
• In order to quickly access the full situation, data can no longer be siloed in incompatible formats, and not fully validated and secured. Instead, it needs to be unified, validated, and secured to allow for timely decisions and swift actions.
• All this data needs to be securely accessed from anywhere, from any end-user or device, from warfighters in forwarding operating bases to contractors working at commercial enterprises.

Legacy infrastructure may not fit into this new concept but is still essential. For legacy infrastructures, additional security measures need to be put in place.

Everybody needs to be on the same page

The DoD recognizes that, in order to address these challenges, alignment of multiple vectors needs to come together, requiring investments and initiatives across not just infrastructure but also leadership, organizations, personnel, and facilities — all the way to policies and education. The goal is to create a scalable, resilient environment that’s also auditable and defendable in as little as five years. The strategy assigns the necessary resources and leadership for immediate execution while recognizing the framework and the approach will have to mature and adapt over time.

To address these cybersecurity challenges, the U.S. Federal Government and DoD have released a number of strategies, architecture frameworks, and guidelines that are the most comprehensive effort in bringing zero trust from a concept to reality. The most notable ones are the DoD Zero Trust Reference Architecture Version 2.0 (July 2022) and the DoD zero trust Strategy (Oct 2022).

The DoD developed the following strategic principles to guide the implementation and ensure the zero trust approach meets its needs.

Be mission oriented — Allow for data access based on least privilege from any location using dynamic credentials.

Organizational — Presume breach and limit the “blast radius” to mitigate potential damage and reduce the possible attack surface by segmenting the network and data access while constantly monitoring any actions.

Governance and Control — Simplify and automate to quickly adjust policies and authorize an ever-evolving mission environment. Never trust, always verify every user, device, application, or data, requiring ongoing authentication and authorization.

Technically — Allow lowest privilege users to only access what is needed for the task while constantly analyzing behavior and monitoring every event in near-real time for every user and device.

DoD’s zero trust pillars

In Zero trust Reference Architecture Version 2, DISA and NSA identified seven essential pillars (Figure 1) that must be addressed for a successful implementation of zero trust, incorporating users, devices, applications and workloads, data, network and environment, automation and orchestration, and visibility and analytics.

“Users,” as well as “non-person entities” (i.e., devices, such as HVAC sensors), are required to be authenticated repeatedly. Access is only granted on a per-session basis based on the user, access method and device status, and resources accessed. Access is only provided to the resources required and continues monitoring all user activities.

“Devices” incorporates any device that can be accessed by an end user, network, server, or storage system. Real-time inspection via automated asset and patch management ensures security measures are up-to-date. Endpoint protection requires security and device management, such as endpoint and mobile device management (UEM and MDM), as well as endpoint and extended detection and response applications (EDR and XDR).

Applications and workloads secure applications and the processing environment they operate in, be it physical or virtual. This includes the protection of hypervisors, containers, and virtual machines — local or cloud-based. These requirements extend beyond the operation to secure development and integration approaches and to ensure the safety of the entire delivery chain.

Data is the information any application or user consumes. End-to-end encryption is mandatory for any data transferred across the network in addition to data stored on any device. All data needs to be tagged, indicating content and classification to allow for data access control, monitoring, rights management, and data loss prevention.

Network and environment allows for the segmentation, control, and isolation of all the connectivity between devices, whether it’s managed by the enterprise directly or via service providers at a granular level. Software-defined networking (SDN) provides the underpinning for dynamic and programmatic network configuration to ensure micro-segmentation can be easily achieved. Unlike today’s macro-segmentation via technologies, like virtual privat networks (VPNs), micro-segmentation allows users to logically divide network, compute, and storage resources down to the individual workload level with their own security controls.

Automation and orchestration recognizes the complexity of the above infrastructure approach requires automation for timely access to resources and a fast security response. It ties together the policies in domain controllers with the device and network infrastructure. It automates previously manual security processes, ensuring patch levels are remediated as needed, encryption is applied, and suspicious or nonconforming activities are blocked based on AI/ML derived behavior analysis. This requires close interaction of already deployed IT management infrastructures, such as SIEMs, SOARs, element managers, and domain controllers, via standard APIs.

Visibility and analytics is essential for the IT team to monitor and assess this complex environment and to adjust as needed. It allows network managers to analyze events, activities, and behaviors and apply AI/ML to achieve better visibility and shorten reaction times. This requires capabilities, such as logging all traffic, analyzing user and entity behavior, collecting, and analyzing events and alarms, and incorporating threat intelligence provided by outside sources.

An aggressive roll-out schedule

The DoD recognizes these pillars require a coordinated approach to ensure the security and protection of infrastructure while managing existing risks. Therefore, the DoD developed a road map for capabilities that are essential to be implemented by 2027, with more advanced capabilities for a more comprehensive approach by 2032. This is a very aggressive plan but reflects the urgency in light of the increasing damage threat actors are doing to critical infrastructure.

In addition to the technology capabilities, the DoD defined the required ecosystem to ensure its success. Starting with cultural adoption across the organization, the need to coordinate and accelerate technology deployments, and driving essential processes and policies. The objectives for adoption call for a solid architecture definition in 2023, which includes outreach to both DoD internal and external federal and industry partners. By the end of fiscal year 2023, the plan is to have specific component policies and frameworks as well as contracts in place. By 2024, interoperability needs to be defined to ensure compatibility and integration between existing and new systems. Implementation for the targeted capabilities is scheduled to be done by end of fiscal year 2027. This is a very aggressive plan.

The DoD recognizes that implementing zero trust is a continuous and adaptive process that goes well beyond technology and needs to address people, processes, resources, governance, and risk management. Overall, this is an ambitious plan that matches the urgency and importance of the situation. It provides an opportunity for industry vendors to accelerate their zero trust product development through tangible contracts and for the rest of the industry to learn and apply the lessons of this massive project.