The Pentagon is taking cybersecurity to the next level — and they’re helping organizations of all kinds do the same. Here’s how the U.S. Department of Defense is implementing zero trust and why this matters to all businesses and organizations.
But first, let’s review this zero trust business.
What is Zero Trust?
Zero trust is the most important cybersecurity idea in a generation. But “zero trust” is itself a bit of a misnomer.
It’s not about whether a person or device is trusted. It’s really about no longer using trust or distrust as a test for access. In the perimeter-security past, anyone inside the firewall was assumed to be an authorized user using authorized devices. The zero trust model doesn’t privilege users inside firewalls but instead defaults to no access for each user — to applications, API data, servers and more — unless they can authenticate their devices and themselves each time they connect via dynamic policies that use multifaceted contextual data.
Zero trust demands strong identity and access management systems that minimize effort and inconvenience on the part of users. It calls for the micro-segmentation of networks into smaller zones to contain malicious actors who breach the network. And finally, implementing zero trust is a journey, not a destination, demanding real-time monitoring and threat detection (preferably AI-based) to identify and respond to potential security threats. This can involve the use of security analytics tools, machine learning algorithms and other technologies to identify and respond to potential threats in real-time.
Many people contextualize zero trust as a business enterprise architecture. But the Pentagon’s plans are extremely interesting.
DoD Guidelines and Recommendations
The U.S. Department of Defense (DoD) recently rolled out a zero trust strategy and roadmap that directs future cybersecurity investments by the U.S. military and partners over the next five years. The initiative, in a nutshell, requires a full embrace of zero trust over perimeter security.
The DoD’s conception of their new cybersecurity specifies 45 capabilities — 20 of them connected to the Continuous Diagnostics and Mitigation (CDM) program run by the Cybersecurity and Infrastructure Security Agency (CISA) — organized on seven pillars. The pillars are users, devices, networks and environments, applications and workloads, data, visibility and analytics, and automation and orchestration.
The roadmap doesn’t specify any product, solution or vendor. It leaves that part up to the agencies and military services to choose. Still undetermined are the details for cross-agency coordination, which is necessary in the world’s largest unified military organization.
Only specific agencies will need to maintain what the Pentagon calls an “advanced” level of cybersecurity — agencies like intelligence agencies, special weapons systems and others.
Crucially, the DoD accompanied the strategy with an execution roadmap designed to provide clear, concrete steps.
The Pentagon is also working on zero trust roadmaps for both a “commercial cloud” and “private cloud” that will enable faster implementation of zero trust.
The DoD will probably test its new security approach with the major U.S. cloud providers.
Four Pillars of Zero Trust Adoption
The DoD revealed four strategic goals for achieving the zero trust timeline:
1. Cultural Adoption
The Pentagon intends to make zero trust training and education mandatory for literally all employees. This will focus not only on knowledge but also support for architecture and its methods.
2. Cybersecurity Software, Hardware, Systems and Services
This part aims to implement the practices and infrastructure for zero trust across all systems, new and legacy. Pentagon departments should begin the deployment of zero trust systems by the end of 2023.
3. Technology Acceleration
This strategic goal is simple: Never fall behind again. The intent is to stay ahead of industry advancements — or at least keep up with them.
Complementing training, infrastructure and the goal to stay ahead of security technology trends, the Pentagon also intends to keep pace with policies, processes and funding. Each department must submit zero trust execution plans by late 2023.
How the DoD’s Use of Zero Trust Can Secure Critical Resources
In some ways, the Pentagon is like any business enterprise. It’s got employees working together for a common purpose, communicating, moving around documents, deploying software, provisioning hardware and more. But in others — especially in the cybersecurity requirements behind weapons — it’s totally unlike private businesses. As one extreme example, a cyberattack cannot and must not, under any circumstances, breach weapons systems controlled and maintained by information systems.
Private corporations manufacture all these high-tech weapons systems. And so, the highest levels of security must be deployed at the level of manufacturing, in the supply chain, in transport, in deployment and on an ongoing basis.
This level of security is possible only with total comprehensiveness. Take the example of physical infrastructure that has to be maintained, guarded and moved not by white-collar office workers but by people who work in the field and are on the move. These are the very kinds of people who need training in zero trust security, along with the infrastructure, procedures and policies and all the rest. Every single person involved in critical physical infrastructure has to stay knowledgeable about security.
Another key component of the Pentagon’s plans is the assumption of a radically modernized cloud environment, which the U.S. Army is already implementing. That arm of the military has already moved more than 100 key applications to the cloud, which utilizes zero trust security principles.
The DoD’s zero trust strategy, roadmap and plans will no doubt prove highly valuable not only for offering guidelines and examples for implementation. But it will also drive expertise and new markets for the development of next-generation tools for implementing zero trust.
I write a popular weekly column for Computerworld, contribute news analysis pieces for Fast Company, and also write special features, columns and think piece...