Recently, the US Department of Defense (DoD) cyber-perimeter has been breached by state-sponsored and individual hackers. Vulnerabilities exposed by data breaches inside and outside the DoD demonstrate the need for a more robust cybersecurity framework that facilitates risk-based protection. In October 2022, the DoD released the “DoD Zero Trust Strategy” and road map. The strategy included four key goals: Zero Trust Cultural Approach, DoD Information Systems Secured and Defended, Technology Acceleration, and Zero Trust Enablement. The department plans to implement the Zero Trust capabilities outlined in the strategy by FY2027.
Let’s look at the concept of Zero Trust in detail. The Zero Trust approach goes beyond the traditional perimeter approach. This is not about whether a person or a device can be trusted. In the past, anyone inside the organization's perimeter or firewall was considered an authorized user who could access all the information within the organization.
In contrast, the Zero Trust approach doesn’t privilege users inside the firewall: it provides no access to any user unless they can authenticate themselves each time they connect. It uses strong identity and access management systems to contain malicious actors within or outside the organization. This is a vital step in protecting military secrets and ensuring that only the right users have access to confidential information.
You must remember that Zero Trust is not an application or a device; rather, it is a process that includes real-time monitoring and threat detection. It uses multi-factor authentication, micro-segmentation, advanced encryption, endpoint security, analytics, and robust auditing to fortify data, applications, assets, and services to deliver cyber resiliency.
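
The contrast described above, as an added example that is not part of the original article: a perimeter check that trusts any internal address, next to a per-request Zero Trust decision that requires a valid token, MFA, a fresh authentication and a segment entitlement, and audits every decision. The network range, key, users, segment names and five-minute freshness window are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# All values below are constructed for illustration (assumptions, not DoD data).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SESSION_KEY = b"constructed-demo-key"
MAX_AUTH_AGE = 300  # seconds an authentication stays fresh
SEGMENTS = {"alice": {"logistics"}, "bob": {"logistics", "targeting"}}
AUDIT_LOG = []  # every decision is recorded, allowed or not

@dataclass
class Request:
    user: str
    src_ip: str
    segment: str      # micro-segment the resource lives in
    auth_time: int    # epoch seconds of the last authentication
    mfa: bool         # second factor presented at that authentication
    token: str        # HMAC binding user, auth_time and mfa together

def sign(user, auth_time, mfa):
    """Issue the token an identity provider would hand out after login."""
    msg = f"{user}|{auth_time}|{int(mfa)}".encode()
    return hmac.new(SESSION_KEY, msg, hashlib.sha256).hexdigest()

def perimeter_allows(req):
    """Traditional model: anything inside the firewall is trusted."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL_NET

def zero_trust_decision(req, now):
    """Per-request check; source address plays no part in the decision."""
    expected = sign(req.user, req.auth_time, req.mfa)
    checks = {
        "token_valid": hmac.compare_digest(req.token, expected),
        "mfa": req.mfa,
        "auth_fresh": 0 <= now - req.auth_time <= MAX_AUTH_AGE,
        "segment": req.segment in SEGMENTS.get(req.user, set()),
    }
    failed = [name for name, ok in checks.items() if not ok]
    AUDIT_LOG.append({"user": req.user, "src": req.src_ip,
                      "segment": req.segment, "failed": failed})
    return (not failed, failed)

if __name__ == "__main__":
    now = 1_700_000_000
    insider = Request("alice", "10.1.2.3", "targeting", now - 10, True,
                      sign("alice", now - 10, True))
    print(perimeter_allows(insider), zero_trust_decision(insider, now))
```

The insider request passes the perimeter model purely because of its source address, while the Zero Trust decision denies it and records which check failed.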
As mentioned above, the DoD has released four strategic goals to achieve Zero Trust.
Though the US DoD functions like any other business organization, in many ways it differs from the rest, especially in the cybersecurity requirements behind weaponry. It must not, under any circumstances, allow cybersecurity breaches in any of its weapons systems that are designed, controlled, and maintained with information systems.
Not only that, the DIB (Defense Industrial Base) companies manufacturing high-tech weapons systems must ensure the highest level of security. Apart from manufacturing, the supply chain and third-party vendors must ensure information is always secure. This level of security is possible only with a comprehensive approach. Another key area of concern is the cloud environment: all information in the cloud must be secure.
Thus, the DoD’s Zero Trust strategy will offer new guidelines and implementation methodology. It will also drive expertise and new markets for the development of next-generation tools required for implementing Zero Trust.
The DoD Seven Zero Trust Pillars