DoD’s Path Forward for Zero Trust


Zero Trust is a security model that has been gaining traction in recent years due to the increasing complexity of IT networks and the need for more robust security measures. Zero Trust is a security approach that does not assume any user or device is trustworthy, even if they are already located within the network perimeter. Instead, all communications are considered suspicious and must be authenticated and authorized before access is granted. This approach helps to protect against malicious actors and accidental data breaches by giving access only after requiring multiple layers of authentication and authorization.

The DoD’s path forward for Zero Trust will be a bumpy one. But not an impossible one. One of the most significant bumps in the road will be getting around outdated hardware and software and helping personnel to understand how and why the traditional perimeter-based security and identity management practices are no longer sufficient. Below, we will discuss some of these challenges.

Never Trust, Always Verify

The Department of Defense (DoD) has been actively adopting zero-trust principles as part of its cybersecurity strategy. To ensure that their networks, hardware, connected devices, and data remain secure, they must implement best practices to maximize the effectiveness of their zero-trust architecture. This paper will discuss five best practices the DoD can implement to strengthen its cybersecurity posture.

(Image: courtesy of HBO)

Traditional DoD access control has been based on approving accesses with government-furnished equipment (GFE), crypto keys, PKI, and other credentialing technologies. These controls still matter, but the threat environment has evolved. Today’s cybersecurity threats work to find and steal legitimate credentials, which then grant access to networks, codebases, and data within the organization’s environments.

It’s the equivalent of the wights capturing the dragon Viserion and using him to burn down the Wall in Game of Thrones: a legitimate asset turned against its own defenses. Zero Trust layers security automation and controls on the assumption that insider accesses are already compromised. Hope is not a strategy for controlling the risk of data loss, nor for governing administrator permissions or operation of the system.

5 Best Practices for Implementing Zero Trust

1. Adopt a Context-Aware Security Model

The first best practice the DoD can implement is to adopt a context-aware security model. Context-aware security focuses on understanding the context of a user’s access request to determine the appropriate level of access. This means that the DoD must be able to identify the user, the device, and the network they are connecting from and to, and then identify the application they are trying to reach and the data they are requesting.

By having this level of granular detail, the DoD can make more informed decisions about granting access, thus reducing the risk of malicious actors gaining access to the network. In fact, modern ZT capabilities implement this through automation as code, layered security tooling, and properly managed ICAM (identity, credential, and access management) controls.

Reliance on traditional perimeter security practices and malware/virus detection alone is no longer effective as the primary means of securing data and the environment. Cybersecurity threats now originate through insider-derived access pathways, and they hide within open-source software components or are embedded in hardware components.

2. Implement Multi-factor Authentication (MFA)

The second best practice the DoD can implement is multi-factor authentication (MFA) for all users attempting to access the network. MFA requires users to provide two or more pieces of evidence to authenticate their identities, such as a password, a one-time code, or a biometric scan. Because an attacker would have to compromise more than one factor, this helps ensure that only authorized users can access the network.

3. Establish Least Privilege Access

The third best practice the DoD can implement is establishing least-privilege access for all users and applications. Least privilege means that users and applications are given only the level of access they need to perform their duties or functions. The DoD must identify the specific roles and responsibilities of each user and allow only the permissions needed to do that job. This helps reduce the risk of malicious actors gaining access to sensitive data.

This ensures they cannot reach more than what they need, and so cannot do inappropriate things with their access. David Snowden’s and Chelsea Manning’s ability to export sensitive intelligence and operational data immediately comes to mind: their security clearances and accesses allowed them to reach SCI and other sensitive intelligence data, and the controls within the systems had no means to prevent the data’s download, export, and extraction.

4. Monitor Network Traffic

The fourth best practice the DoD can implement is to monitor network traffic. This means the DoD must have a system to monitor all network traffic, both inbound and outbound. This applies to user-driven accesses, application-to-application traffic, and Kubernetes clusters. Monitoring helps detect suspicious activity, such as an unauthorized user attempting to gain access to the network or a malicious application trying to exfiltrate data. By monitoring network traffic, the DoD can detect threats before they cause damage, limiting the blast radius of malicious or unintentional divergence from standard operations.
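The two detections named above (an unauthorized party repeatedly trying to get in, and an authorized workload pushing an unusual volume of data out) can be expressed as simple rules over flow telemetry. The following is an added example, not code from the original article or from any DoD system; the flow records, thresholds, IP addresses, and service identities are all constructed for illustration, and the field names are assumed to mirror what a flow collector or service-mesh sidecar would emit.

```python
from collections import defaultdict

# Constructed sample flow records (not real telemetry). One record per connection,
# summarising direction, byte count, the authenticated identity, and the auth result.
SAMPLE_FLOWS = [
    {"ts": 1, "src": "10.1.1.20",     "dst": "10.1.2.5",      "direction": "inbound",  "bytes": 1_200,     "identity": "svc-report", "auth": "ok"},
    {"ts": 2, "src": "198.51.100.7",  "dst": "10.1.2.5",      "direction": "inbound",  "bytes": 300,       "identity": None,         "auth": "fail"},
    {"ts": 3, "src": "198.51.100.7",  "dst": "10.1.2.5",      "direction": "inbound",  "bytes": 300,       "identity": None,         "auth": "fail"},
    {"ts": 4, "src": "198.51.100.7",  "dst": "10.1.2.5",      "direction": "inbound",  "bytes": 300,       "identity": None,         "auth": "fail"},
    {"ts": 5, "src": "10.1.2.5",      "dst": "10.1.3.9",      "direction": "outbound", "bytes": 40_000,    "identity": "svc-report", "auth": "ok"},
    {"ts": 6, "src": "10.1.2.5",      "dst": "203.0.113.44",  "direction": "outbound", "bytes": 9_500_000, "identity": "svc-report", "auth": "ok"},
]

# Constructed policy values: destinations the reporting service is expected to talk to,
# a per-destination outbound byte baseline, and how many failed inbound auths trigger an alert.
KNOWN_DESTINATIONS = frozenset({"10.1.3.9"})
OUTBOUND_BASELINE_BYTES = 1_000_000
FAILED_AUTH_THRESHOLD = 3


def analyze_flows(flows, known_destinations=KNOWN_DESTINATIONS,
                  baseline_bytes=OUTBOUND_BASELINE_BYTES,
                  fail_threshold=FAILED_AUTH_THRESHOLD):
    """Return a list of alert dicts for the two conditions the text describes."""
    failed_by_src = defaultdict(int)          # inbound auth failures per source address
    outbound_by_pair = defaultdict(int)       # outbound bytes per (identity, destination)

    for f in flows:
        if f["direction"] == "inbound" and f["auth"] == "fail":
            failed_by_src[f["src"]] += 1
        elif f["direction"] == "outbound" and f["dst"] not in known_destinations:
            # Only unexpected destinations count toward the exfiltration check;
            # traffic to known internal peers is the service's normal business.
            outbound_by_pair[(f["identity"], f["dst"])] += f["bytes"]

    alerts = []
    for src, count in failed_by_src.items():
        if count >= fail_threshold:
            alerts.append({"type": "repeated_auth_failure", "src": src, "count": count})
    for (identity, dst), total in outbound_by_pair.items():
        if total > baseline_bytes:
            alerts.append({"type": "possible_exfiltration", "identity": identity,
                           "dst": dst, "bytes": total})
    return alerts


if __name__ == "__main__":
    for alert in analyze_flows(SAMPLE_FLOWS):
        print(alert)
```

The same per-identity aggregation works for pod-to-pod traffic in a Kubernetes cluster if the sidecar or CNI exports flows with the workload identity attached; the alerts would then feed an automated response (quarantining the workload or revoking its credential) rather than a human queue, which is what keeps the blast radius small.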

5. Implement Automation

The fifth best practice the DoD can implement is automation. Automation can streamline the process of granting access and enforcing security policies: the DoD can define rules and policies that grant or deny access based on the user’s context and authentication, and have them applied automatically. This reduces the manual work required to manage security policies.
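Practices 1, 2, 3 and 5 fit together as one policy decision point: every request carries its context (user, role, device posture, network zone, resource, action), the policy is code, and the same checks run automatically for every request regardless of where it comes from. The block below is an added example written for this article, not code from the original post or from any DoD program; the role map, resource classes, zone labels, and factor names are constructed for illustration.

```python
from dataclasses import dataclass

# Least-privilege role map (constructed): each role is granted only the actions it needs
# on each resource class. Anything not listed is denied by default.
ROLE_PERMISSIONS = {
    "analyst":  {"intel-report": {"read"}},
    "operator": {"intel-report": {"read"}, "mission-plan": {"read", "write"}},
    "admin":    {"intel-report": {"read"}, "mission-plan": {"read", "write"},
                 "user-directory": {"read", "write"}},
}

# Resource classes that require two distinct factor types before any access (constructed).
SENSITIVE_RESOURCES = frozenset({"intel-report", "mission-plan"})


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_is_gfe: bool        # government-furnished equipment?
    device_compliant: bool     # passed posture/compliance check?
    factors: frozenset         # factor types presented, e.g. {"pki-cert", "pin"}
    network_zone: str          # constructed labels: "enclave", "vpn", "internet"
    resource: str
    action: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def decide(req: AccessRequest) -> Decision:
    """Context-aware policy check; ordering is deliberate, cheapest rejections first."""
    # 1. Device posture: location inside the enclave earns no trust on its own.
    if not req.device_is_gfe:
        return Decision(False, "device is not government-furnished equipment")
    if not req.device_compliant:
        return Decision(False, "device failed compliance check")
    # 2. Authentication strength: sensitive resources need two distinct factor types,
    #    applied identically whether the request arrives from the enclave or the internet.
    if req.resource in SENSITIVE_RESOURCES and len(req.factors) < 2:
        return Decision(False, "multi-factor authentication required")
    # 3. Least privilege: the role must explicitly grant this action on this resource.
    allowed = ROLE_PERMISSIONS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed:
        return Decision(False, f"role '{req.role}' may not {req.action} {req.resource}")
    # 4. Network context: writes from an untrusted zone are refused even with valid credentials.
    if req.action == "write" and req.network_zone == "internet":
        return Decision(False, "write from untrusted network zone not permitted")
    return Decision(True, "all policy checks passed")


def evaluate_batch(requests):
    """Automation: apply the policy to every request and return (request, decision) pairs."""
    return [(r, decide(r)) for r in requests]


if __name__ == "__main__":
    demo = [
        AccessRequest("alice", "analyst", True, True, frozenset({"pki-cert", "pin"}),
                      "enclave", "intel-report", "read"),
        AccessRequest("alice", "analyst", True, True, frozenset({"pki-cert"}),
                      "enclave", "intel-report", "read"),
        AccessRequest("alice", "analyst", True, True, frozenset({"pki-cert", "pin"}),
                      "enclave", "mission-plan", "write"),
    ]
    for req, dec in evaluate_batch(demo):
        print(f"{req.user}/{req.role} {req.action} {req.resource}: "
              f"{'ALLOW' if dec.allow else 'DENY'} ({dec.reason})")
```

The point of the second demo request is the one the article keeps returning to: a valid PKI credential presented from inside the enclave is still denied until a second factor is present, because network position is not a factor. The third shows least privilege doing its work: the analyst’s credential is good, but the role simply does not carry write on mission plans, so the request never reaches the data.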


The best way forward for the DoD based on the Current Landscape

We must not think of Zero Trust as throwing out the existing cybersecurity tools, approaches, and practices with the proverbial bathwater. Our traditional cybersecurity approaches are still vital. However, we have moved from the Defense-in-Depth strategy used by UN forces in Korea to more of an integrated counterinsurgency campaign. From CONUS-based enterprise solutions to tactical operations centers and systems aboard vehicles, DoD systems broadly apply a “Trust, but Verify” model: they leverage approved credentials to open free-ranging access inside the network’s perimeter.


Zero Trust is a Counterinsurgency (COIN) strategy as much as a technical solution. ZT is a multi-domain, multi-faceted, coalition-based approach. Traditional cybersecurity lines of effort and practices still play a part, just as kinetic force operations still have essential roles in COIN operations. Where military combat in force-on-force operations involved somewhat defined areas of control (perimeters and perimeter defense), Zero Trust recognizes that our systems are now more akin to a presence patrol operating in a crowded city – threats could exist anywhere. The ability to quickly sense, respond, and adapt to changing threat dynamics is critical to strategic success. Traditional controls have failed to keep pace with the movement to the cloud, highly integrated cyber-physical systems, and audacious and creative adversaries. We can counter threats quickly enough by adopting automated instrumentation and least-privilege controls.


The Plan

A viable plan for implementing a zero-trust strategy in the DoD with outdated equipment would be first to identify all hardware and software that require updating. This will allow us to understand the terrain and operating environments. Conducting a comprehensive risk assessment of the DoD’s existing infrastructure will provide a starting point. Once the risks have been identified, the DoD can create a timeline for updating the outdated hardware and software, increasing instrumentation and automation, moving to the accredited platform and CI/CD architectures already in place, and invigorating application security.

This timeline should include milestones such as budgeting for and ordering new equipment.

The plan should also budget to train staff on the new technology and to implement security protocols. Additionally, the DoD should consider investing in technology such as VPNs and encryption to protect the organization’s data, and leverage existing capabilities like Cloud Native Access Point (CNAP). Finally, the DoD should ensure that all personnel are adequately trained on the new security protocols, specifically on how to properly use the updated technology. This will all go into a plan specific to the service components’ needs and budgetary constraints.


Alright. That was a lot. I know. But these steps are needed to get the DoD moving in the right direction. The Department of Defense must implement best practices to maximize the effectiveness of its zero-trust architecture. By adopting the five best practices mentioned above, the DoD can ensure that its network remains secure and allows only authorized users to access sensitive data. By following these best practices, networks, applications, and the data moving across and within them will remain secure, and malicious actors will be kept in check, with a limited blast radius for the damage they can inflict.

There is a long bumpy road ahead, but this is all achievable. The DoD CIO, HON John Sherman, and his team have put together a great plan that will work, but they will need help and guidance along the way. DoD’s Path Forward for Zero Trust will be a long but valuable one to follow as we have recently seen Southwest and the FAA’s software systems going down.
