Building on DOD’s Proven Model for Zero-Trust Security
On the heels of the cybersecurity EO, DOD defined its approach to a zero-trust architecture the following year. The department identified seven pillars: users, devices, networks/IT environments, applications and workloads, automation and orchestration, and visibility and analytics, with data as the central pillar.
From there, DOD outlined technical and operational capabilities as well as the activities that make zero trust possible for each of the pillars.
“While many public agencies and private sector organizations talk about zero-trust principles and guidance, the Department of Defense went many steps further and defined how to do it,” Kelsey says. “And, having proven it out, now they’re giving it to the world.”
EXPLORE: Here are three key considerations for achieving a zero-trust framework.
Dell used DOD’s zero-trust architecture as the cornerstone of its Zero Trust CoE. Built in collaboration with CyberPoint International and the Maryland Innovation Security Institute, the center affords agencies the opportunity to understand how zero trust can be implemented in their IT environment.
The company additionally launched Project Fort Zero, a Dell-led industry initiative with more than 30 partners designed to accelerate organizations’ paths to zero trust by delivering a fully configured, end-to-end solution. The product will be validated by DOD and made available to both private and public sector entities.
“Project Fort Zero formalizes the technical work that we’ve been doing with DOD over the past 18 months,” Kelsey says. “It ensures that our work in zero trust isn’t a one-off activity or single moment in time; it establishes an opportunity for continuous innovation, from prototyping a product to making it generally available.”
Click the banner below to learn how Backup as a Service boosts data protection.
A Zero-Trust Environment That Applies Security Policies
A major benefit of a zero-trust architecture is the ability to manage technology through overarching policies. That way, it’s not up to the individual software engineer — or even the end user — to make those decisions, Kelsey says.
Storage is a good example.
Most agencies take several steps to protect data: encrypt data at rest, require users to verify their identity before accessing data and restrict the global regions where data can be stored. Zero trust implements these policies in a controlled and systematic way, ensuring that device management or identity and access management rules are applied whenever a user stores data.
“A zero-trust architecture automates the application of these storage policies; you can implement the policies once, then test and verify them,” Kelsey says. “Through the automation within a zero-trust architecture, executives and boards can feel confident that their security and governance policies are implemented throughout their environment.”
LEARN MORE: How to get zero trust architecture right for security and governance.
A policy-based approach also helps agencies adapt to ever-changing security needs. This is a welcome contrast to the more traditional approach of optimizing infrastructure, which likely will require updates as policies change. A zero-trust architecture is designed and implemented with the expectation of policy changes.
Still, that can be a lot for agencies to manage on their own, especially as their zero-trust architectures expand to include potentially hundreds of products from dozens of companies. Here the Zero Trust CoE can play a valuable role in helping agencies handle the moving parts, Kelsey says.
“We can manage the partner ecosystem fairly naturally; we can take on the integration burden and the vendor management burden,” he says. “That helps agencies, as they can see how our approach to zero trust is going to evolve and how they can take advantage of new technology.”
Brought to you by: