Zero Trust - The Department of Defense Releases its Playbook

The U.S. Department of Defense (DoD) recently issued a Zero Trust strategy and roadmap. Even though the term Zero Trust has been overused (and even misused) for many years now, the underlying principals such as network segmentation, end-to-end encryption, and security automation are sound practices and are more important than ever in times with increasing volume and sophistication of attacks on our IT infrastructure. The model developed by the DoD is probably the most comprehensive look at all those principals. It shows the interdependencies of those concepts and how to practically implement these various technologies across the infrastructure and organization. They even consider the organizational impact on the operations and user community. The following summarizes this approach that could also be a helpful model for other industries which may not be as expansive as the DoD.

The DoD Approach

The DoD was aware that shielding its warfighters and operations from highly advanced assaults and opponents demanded not only a technological alteration, but also a comprehensive change in culture and processes. The DoD Zero Trust Strategy acknowledges the need for investments and projects in infrastructure, leadership, personnel, buildings, and regulations and educational systems, stating that, “the journey to Zero Trust requires all DoD Components to adopt and integrate Zero Trust capabilities, technologies, solutions, and processes across their architectures, systems, and within their budget and execution plans.” The objective is to build a sustainable, resilient, as well as verifiable and secure environment in a maximum of five years. The plan provides the essential resources and commands for prompt performance but acknowledges that the structure and the methods will need to grow and adjust over time. In addition, vendors will have to work together to achieve attainable results.

The federal government and Department of Defense have launched an extensive array of strategies, architecture frameworks, and regulations that are aimed at turning the concept of Zero Trust into a reality. The two primary documents are the DoD Zero Trust Reference Architecture Version 2.0 and the DoD Zero Trust Strategy.

The Seven Pillars – Tying it all Together

Version 2 of the Zero Trust Reference Architecture, created by DISA and NSA, has identified seven significant components (called pillars) that must be considered for a successful Zero Trust integration. These include user, device, application and workloads, data, network and environment, automation and orchestration, and visibility and analytics. These seven pillars provide the foundations for a Zero Trust Security Model and the DoD Zero Trust Architecture.

Figure 1 - DoD Zero Trust Pillars
Source: Department of Defense (DoD) Zero Trust Reference Architecture Version 2.0

The following briefly describes the concept of each one the seven pillars:

1. User: Authentication of people and non-person entities such as HVAC sensors is necessary, and access is only given for a particular session depending on the user, method of access, and resources used. Permissions are provided to the necessary resources and real-time monitoring of all user activities alongside end-to-end encryption further adds to the security.
   
   
2. Devices: The term "Devices" encompasses all systems that can be accessed by users, networks, servers, and storage systems. That requires the recognition and legitimization of any and every device. Constant surveillance through automated asset and patch management ensures that the appropriate software is up to date, has the latest patch, and that all safety protocols are current. Endpoint security also requires security and device management, such as UEM and MDM, and EDR and XDR applications for endpoint and extended detection and response.
   
   
3. Applications & Workloads: Securing applications and the processing environment they are operated in, regardless whether physical or virtual, is the focus of the "Applications and Workloads" section. This involves protecting hypervisors, containers, and virtual machines, either in a cloud setting or local setting. Going beyond the operation process itself, it also means ensuring development and integration approaches are secure and safe across the entire delivery chain.
   
   
4. Data: The information consumed by any application or user is known as "data". End-to-end encryption is essential for data sent across the network and stored on any device. It’s also necessary to label the data to identify its content and classify it, allowing for data access control, monitoring, rights management, and loss prevention.
   
   
5. Network & Environment: The concept of "Network and Environment" provides the means to divide, manage, and separate the interconnection of all gadgets, either managed directly by the business or through third-party providers at a detailed level. Software Defined Networking (SDN) allows for programable, and adaptable network configuration in order to accomplish micro-segmentation. This contrasts with the current macro-segmentation established by technologies such as Virtual Private Networks (VPNs) that are validated often provide access to all resources on the network.
   
   
6. Automation & Orchestration: The concept of “Automation and Orchestration” recognizes that automation is essential for quick access to resources and a timely security response, using domain controllers for the control of the device and network infrastructure. Automating processes that were previously handled manually guarantees that necessary patch levels are remediated automatically, encryption is applied, and potentially suspicious or non-compliant activities are blocked based on AI/ML- derived behavior analysis. This requires close cooperation between already deployed IT management infrastructures like SIEMs, SOARs, element managers, and domain controllers via standard APIs.
   
   
7. Visibility and Analytics: The IT team must have visibility and analytics to thoroughly inspect complex networks and easily make modifications without the thread of introducing new vulnerabilities into the infrastructure. This should allow network administrators to view all events, activities, and behaviors, and use AI/ML to obtain improved visibility and immediate response times. This requires logging all internet traffic, inspecting user and entity behavior, collecting and evaluating events and alerts, and incorporating threat intelligence from external sources to just mention a few.

A Rapid Implementation Timeline

The DoD crafted a plan for capabilities operational by 2027, with more complex capabilities for a more all-encompassing solution by 2032. This is a very ambitious plan, mirroring the pressing nature of the escalating threats that malicious actors are causing to our infrastructure.

By 2023, the goal is to have the architecture in place, along with outreach to DoD, federal, and industry partners. By 2024 interoperability needs to be established for existing and new systems. Finally, the targeted capabilities are projected to be implemented by the end of FY 2027.

Figure 2 - DoD Zero Trust Capability by Pillar by Fiscal Year
Source: DoD Zero Trust Strategy: DoD Zero Trust Capability by Pillar by Fiscal Year

A Joint Effort – DoD and Industry working closely together

The Department of Defense emphasizes in its report that Zero Trust is an ongoing, dynamic process which includes more than just technology. It demands attention to personnel, protocols, resources, control, and risk management. This is a comprehensive effort which reflects the importance and immediacy of the situation. It also offers vendors an opening to speed up their product development through early contracts and for the rest of the industry to gain insights from this undertaking.

Achieving all the objectives laid out in the DoD’s Zero Trust Strategy will require a coordinated effort of the entire defense community. Each Department has a role to fill in order to ensure the success of Zero Trust, and all departments need to embrace the culture of Zero Trust. This may be a huge task, but the good news is that the DoD has already made significant progress towards a full adoption of Zero Trust. The future for Zero Trust adoption looks bright, and with the frameworks and processes in place, it can become a reality.

Learn more about the DoD’s Zero Trust Strategy