The Defense Digital Service has helped the Defense Department get up to speed on zero-trust security.

Nov 11 2020

Zero Trust Gains a Foothold Among Military Branches

The 2020 move to remote work accelerated plans to adopt a zero-trust approach to network security.

When 2020 began, says Lance Cleghorn, digital services expert for the Defense Digital Service, stakeholders across the ­military were looking into new IT strategies such as zero-trust cybersecurity as a way to ­protect their systems and data.

But, Cleghorn says, movement was happening at “DOD speed.”

“Now we’re trying to get a lot more vocal about zero trust,” he says. “The coronavirus has acted as a big catalyst to move DOD more toward cloud services. And as we move more toward cloud serv- ices, zero trust really outpaces defense in depth, which is DOD’s traditional methodology.”

It’s a story that repeats itself across the military, which has multiple zero-trust projects underway.

“When COVID hit and we had to push everybody home, we found that we couldn’t put everybody through our normal security architectures,” says Navy CISO Christopher Cleary. “We couldn’t put everybody on a VPN connection. It was just too much. And we discovered that not everybody needed that.”

Adds Brandon Iske, chief engineer for the Security Enablers Portfolio at the Defense Information Systems Agency, “The COVID environment of mass telework has been a big driver and catalyst for accelerating some of these concepts.” 

The rapid move to remote work will require a massive migration to cloud resources, Cleghorn explains. The Commercial Cloud Computing Office is tasked with providing this resource to DoD organizations, making use of commercial cloud software solutions that rely heavily on the tenets of zero trust (as opposed to the more traditional security architectures that have historically been used to protect on-premises DOD resources).

“The faster we move to the cloud, the faster that zero trust should become our standard,” Cleghorn says.

What Is Zero-Trust Security?

In August, the National Institute of Standards and Technology issued the final draft of Special Publication ­800-207 on zero-trust architecture, which defines zero trust as “a ­cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”

Some in government — and in ­military agencies specifically — initially dismissed zero trust as little more than a new marketing buzzword, but have since become convinced of its benefits.

“The biggest misconception or ­misunderstanding is that zero trust is new,” says Scott Rose, a NIST computer scientist and co-author of the special publication. “The more you dig into zero trust, the more you realize this is an ­evolution of the trends that have been going on for a decade or more.”

These trends, he says, include the principle of least privilege, which gives people access only to the functions they absolutely require to get their jobs done; focuses on endpoints and resources more than just broad network segments; and uses network and application telemetry to modify security policy.

“All of the things people have been talking about as the ideal are becoming more approachable and more usable,” Rose says. “People have been doing the foundational work of zero trust for years without knowing it.”

Rather than a set of specific products, zero trust is characterized by certain tenets. In its report, NIST lists seven, including per-session access, dynamic policy and continuous monitoring.

The “core component” of a zero-trust architecture, says Cleghorn, is an access proxy. 

“An access proxy’s goal is to sit between the user requesting access and the thing they are trying to get access to,” he says. “The goal is to ensure the user is who they say they are, and then pass that information off to the resource to guarantee that they’re authorized as that user to access that resource.”

Iske acknowledges some initial ­wariness because of the hype surrounding zero trust. 

“The skepticism was a reaction from a lot of us, frankly, to the overused marketing term by vendors,” he says. “Really, it stems from some of them saying there was a simple, out-of-the-box solution.

“It’s definitely more complex than, ‘Buy a box, and you have zero trust.’ It requires broad coordination across many security and IT ­capabilities, as well as a shift in mindset about how we configure and monitor our infrastructure.”

EXPLORE: Read our roundtable discussion on how federal agencies are approaching zero trust. 

Zero-Trust Security Pilots Take Off at DOD

Although many military agencies are working on zero-trust pilots, “we really are in the infancy right now of trying to understand what applying zero trust to DOD infrastructure means,” says Joe Brinker, head of DISA’s Security Enablers Portfolio.

“We want to leverage those real-world lessons learned to support our initial reference architecture document, so it’s not just theoretical,” Brinker says. “But we’re also incorporating real-world results. Zero trust is going to be most effective when it’s broadly adopted, and when it’s understood across the ­department. That’s where the power comes from. It’s really a fundamental shift in how we design, operate and manage our networks.”

Lance Cleghorn, digital services expert for the Defense Digital Service,
The faster we move to the cloud, the faster that zero trust should become our standard.”

Lance Cleghorn Digital Services Expert, Defense Digital Service

As agencies implement zero-trust architecture, they will have to strike a careful balance between security and access, notes Cleghorn.

“When you ask security professionals how to secure a network, they’ll joke that you unplug it,” he says. “Our goal is to make things simpler, which is why we’re pushing open-source tools, and also commercial acquisitions.”

He notes that commercially available tools like Google Authenticator will likely have a large role to play in ­zero-trust environments. This doesn’t mean that current tools and processes are not secure, Cleary notes — only that security practices will need to change along with IT environments.

“The DOD has not built an inherently nonsecure environment,” Cleary says. “It’s just the opposite. It’s heavily guarded — walls and moats, all the things you would expect from an organization that takes creating a secure environment seriously.”

“But the workforce is getting more and more distributed,” he adds. “It’s getting more challenging to keep everybody behind the castle walls.”

DOWNLOAD: Read this white paper to explore how next-generation endpoint security solutions can help your agency. 

Geber86/Getty Image