Jun 23 2023

DOD's Zero Trust Framework: 3 Key Considerations

The department’s strategy involves a culture shift in which branches must balance mission support anywhere without leaving systems vulnerable to attack.

The Department of Defense outlined an aggressive zero-trust strategy in the past year, an “ambitious undertaking” in its deputy CIO’s words, and one that entails both the adoption of new technology and a cultural shift.

To support this shift, the DOD stood up a Zero Trust Portfolio Management Office, helmed by National Security Agency veteran Randy Resnick and tasked with developing and aligning zero-trust efforts across the department.

The DOD’s execution roadmap, released in January, details how specific capabilities and activities must align with its maturity model by 2027. The roadmap outlines a target level that all DOD agencies must achieve within the next five years and an advanced level that certain ones must reach.

While the roadmap offers detailed, iterative timelines with zero trust as the North Star, the current course of action focuses on what zero trust should look like as opposed to how it must be achieved. It offers no constraints on the tools or methods used.

With that in mind, here are three key considerations for branches of the DOD working to achieve a zero-trust framework.


Leverage Existing Cybersecurity Investments

By leaving the selection of tools to the discretion of each branch, the DOD is allowing for greater flexibility without sacrificing security. One reason for such an approach is to take into consideration limitations around budgets and acquisitions.

Branches can and must leverage existing cybersecurity investments as they work toward the maturity model, especially considering that most already have been applying zero-trust principles in pockets.

As the DOD explains in its roadmap, “there is one destination (zero trust) with many paths.” To that end, DOD’s zero-trust strategy details 45 capabilities that can be broken down into seven categories, or pillars: user, device, application and workload, data, network and environment, automation and orchestration, and visibility and analytics.

As branches dig into each pillar, they should ask themselves what technology already exists that can be used to meet this goal. For the user, device and application pillars, taking an inventory is the first step and is slated to happen this fiscal year or next.


Identify and Categorize Users, Data and Applications

After taking an inventory of existing technology, the DOD must ensure it can identify and categorize users, data and applications across networks.

The DOD has more than 10,000 networks, each with its own identity solutions, physical security, segmentation and firewalls. A true culture of zero trust requires tagging all traffic to see beyond what’s happening on any single network.

Regarding users, zero trust entails enforcing the principle of least privilege, which limits employee access to only the data and applications they need to do their jobs. In this context, users refer to both individuals and nonhuman entities, such as applications talking to each other across environments.

Concerning data, agencies must track it not just at rest but in motion. This requires tagging all DOD data — determining whether its sensitivity level is secret, top secret or mission-specific — and thinking of it as a system rather than a repository.

Altogether, identifying and categorizing data, users and apps across networks will allow branches to use artificial intelligence and machine learning to analyze and remediate risky behavior. For users, behaviors can be monitored so that risk is quantified, and any deviation from the norm is flagged and addressed without having to shut down the entire network. This level of targeted security is far more effective than the perimeter-based methods the DOD is phasing out.


Digital Rights Management Supports the Mission Anywhere

One reason the DOD is moving away from a perimeter-based model is that security in that context often entails locking down the entire network or overly restricting access to essential data, thereby hurting employees’ ability to do their jobs. Zero trust eliminates this perimeter, in part so the mission can happen anywhere: on the ground, in the air or in space.

A stated benefit of the DOD Zero Trust Strategy is “the ability of a user to access required data from anywhere, from any authorized and authenticated user and device, fully secured.” Another is to support a “more agile, more mobile, cloud-supported workforce.”

Whether the branches choose to implement a holistic security solution or various point solutions, they must still preserve open yet secure communication to prevent silos. To ensure the mission can happen anywhere, branches must synchronize zero-trust enablement, deployment, components and policies across multiple clouds and myriad devices.

Remote access itself represents a big cultural shift for the DOD, and zero trust is its natural sequel. Branches must prioritize digital rights management for data — limiting access to only the intended recipients — and encryption.

Again, branches of the DOD have already been doing this in pockets. Now, it’s time to integrate existing capabilities to achieve the target level of zero trust in the stated timeline.

For any department, making a cultural shift regarding cybersecurity can seem daunting, but the DOD is balancing an aggressive timeline with a reasonable amount of flexibility. Similarly, its branches must balance being able to support missions anywhere without leaving their systems vulnerable to attack.
