What to Know About the Pentagon’s New Push for Zero Trust
The Pentagon is taking cybersecurity to the next level, and its approach offers a model for organizations of all kinds. Here's how the U.S. Department of Defense is implementing zero trust and why it matters to every business and organization.
But first, let’s review this zero trust business.
Zero trust is the most important cybersecurity idea in a generation. But “zero trust” is itself a bit of a misnomer.
It's not about whether a person or device is trusted. It's about no longer using trust, or distrust, as the test for access. In the perimeter-security past, anyone inside the firewall was assumed to be an authorized user on an authorized device. The zero trust model gives users inside the firewall no special standing. It defaults to no access for every user and device, whether to applications, APIs, data or servers, unless they authenticate themselves and their devices on each connection, under dynamic policies that weigh contextual signals such as device posture, the sensitivity of the resource and how recently the user proved their identity.
Zero trust demands strong identity and access management systems that keep effort and inconvenience for users to a minimum. It calls for micro-segmentation of networks into smaller zones so that an attacker who breaches one zone is contained there. And because implementing zero trust is a journey, not a destination, it demands continuous monitoring and threat detection (preferably aided by security analytics and machine learning) to identify and respond to threats in real time.
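The contrast between the perimeter test and a per-request zero trust decision is easier to see in code. The following is an added example, not code from the original article or from the DoD strategy; the policy thresholds, data classes, sample users, devices and IP ranges are all constructed assumptions. It evaluates one request against identity entitlement, device posture freshness and MFA freshness scaled to the resource's sensitivity, and returns allow, deny or step-up, while never consulting the source address at all.

```python
"""Constructed example: per-request zero trust policy evaluation beside a
perimeter check. All names, thresholds and sample data are illustrative."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

CORP_NET = ip_network("10.0.0.0/8")  # assumed "inside the firewall" range

# Assumed policy knobs: how fresh MFA and device posture must be, by sensitivity.
MFA_MAX_AGE = {"low": None, "medium": timedelta(hours=8), "high": timedelta(minutes=15)}
POSTURE_MAX_AGE = timedelta(hours=1)


@dataclass
class Device:
    device_id: str
    managed: bool               # enrolled and holding a valid device certificate
    posture_ok: bool            # last posture check passed (patched, encrypted, EDR up)
    posture_checked_at: datetime


@dataclass
class Session:
    user: str
    groups: frozenset
    mfa_at: Optional[datetime]  # when the user last completed MFA, None if never
    source_ip: str


@dataclass
class Resource:
    name: str
    sensitivity: str            # "low" | "medium" | "high"
    allowed_groups: frozenset


def perimeter_decision(session: Session) -> str:
    """Legacy model: network location is the whole test."""
    return "allow" if ip_address(session.source_ip) in CORP_NET else "deny"


def zero_trust_decision(session: Session, device: Device,
                        resource: Resource, now: datetime) -> Tuple[str, str]:
    """Default deny; each request re-proves identity, device and context.
    Returns (decision, reason) with decision in {allow, deny, step_up}."""
    if not session.groups & resource.allowed_groups:
        return ("deny", "user not entitled to resource")
    if not device.managed:
        return ("deny", "unmanaged device")
    if not device.posture_ok or now - device.posture_checked_at > POSTURE_MAX_AGE:
        return ("deny", "device posture failed or stale")
    max_age = MFA_MAX_AGE[resource.sensitivity]
    if max_age is not None:
        if session.mfa_at is None or now - session.mfa_at > max_age:
            # Identity was good once; ask for a fresh proof rather than hard-deny.
            return ("step_up", "MFA missing or too old for this sensitivity")
    # source_ip was never consulted: being "inside" buys nothing.
    return ("allow", "identity, device and context verified")


def demo() -> dict:
    """Run constructed scenarios and return the decisions by scenario name."""
    now = datetime(2023, 1, 10, 9, 0, tzinfo=timezone.utc)
    payroll = Resource("payroll-api", "high", frozenset({"finance"}))
    laptop = Device("lt-0042", True, True, now - timedelta(minutes=20))
    byod = Device("phone-x", False, False, now - timedelta(days=30))
    alice_inside = Session("alice", frozenset({"finance"}),
                           now - timedelta(minutes=5), "10.1.2.3")
    alice_remote_stale = Session("alice", frozenset({"finance"}),
                                 now - timedelta(hours=2), "203.0.113.9")
    bob = Session("bob", frozenset({"engineering"}),
                  now - timedelta(minutes=1), "10.9.9.9")
    return {
        # Perimeter model: on the corporate LAN, so allowed, even from an unmanaged phone.
        "insider_unmanaged_perimeter": perimeter_decision(alice_inside),
        "insider_unmanaged_zt": zero_trust_decision(alice_inside, byod, payroll, now)[0],
        "good_request": zero_trust_decision(alice_inside, laptop, payroll, now)[0],
        "stale_mfa": zero_trust_decision(alice_remote_stale, laptop, payroll, now)[0],
        "wrong_group": zero_trust_decision(bob, laptop, payroll, now)[0],
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision}")
```

The interesting row is the unmanaged phone on the corporate LAN: the perimeter check allows it outright, while the zero trust evaluator denies it before identity is even considered. In a real deployment the posture and MFA timestamps would come from a device management and identity provider rather than being passed in by hand, and the policy would be data, not code.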
Many people contextualize zero trust as a business enterprise architecture. But the Pentagon’s plans are extremely interesting.
The U.S. Department of Defense (DoD) recently rolled out a zero trust strategy and roadmap that directs future cybersecurity investments by the U.S. military and partners over the next five years. The initiative, in a nutshell, requires a full embrace of zero trust over perimeter security.
The DoD's strategy specifies 45 capabilities, 20 of them connected to the Continuous Diagnostics and Mitigation (CDM) program run by the Cybersecurity and Infrastructure Security Agency (CISA), organized under seven pillars: users, devices, networks and environments, applications and workloads, data, visibility and analytics, and automation and orchestration.
The roadmap doesn’t specify any product, solution or vendor. It leaves that part up to the agencies and military services to choose. Still undetermined are the details for cross-agency coordination, which is necessary in the world’s largest unified military organization.
Only specific organizations will need to maintain what the Pentagon calls the "advanced" level of zero trust, such as intelligence agencies and those operating special weapons systems.
Crucially, the DoD accompanied the strategy with an execution roadmap designed to provide clear, concrete steps.
The Pentagon is also working on zero trust roadmaps for both a “commercial cloud” and “private cloud” that will enable faster implementation of zero trust.
The DoD will probably test its new security approach with the major U.S. cloud providers.
The DoD revealed four strategic goals for achieving the zero trust timeline:
1. Zero trust cultural adoption. The Pentagon intends to make zero trust training and education mandatory for all personnel. This focuses not only on knowledge but also on building support for the architecture and its methods.
2. DoD information systems secured and defended. This goal aims to implement zero trust practices and infrastructure across all systems, new and legacy. Pentagon departments should begin deploying zero trust systems by the end of 2023.
3. Technology acceleration. This goal is simple: never fall behind again. The intent is to stay ahead of industry advancements, or at least keep pace with them.
4. Zero trust enablement. Complementing training, infrastructure and the goal of keeping up with security technology, the Pentagon also intends to keep policies, processes and funding in step. Each department must submit a zero trust execution plan by late 2023.
In some ways, the Pentagon is like any business enterprise. It has employees working together for a common purpose, communicating, moving documents around, deploying software, provisioning hardware and more. In other ways, especially in the cybersecurity requirements behind weapons, it is nothing like a private business. As one extreme example, a cyberattack cannot and must not, under any circumstances, reach weapons systems controlled and maintained by information systems.
Private corporations manufacture all these high-tech weapons systems. And so, the highest levels of security must be deployed at the level of manufacturing, in the supply chain, in transport, in deployment and on an ongoing basis.
This level of security is possible only if coverage is comprehensive. Take the example of physical infrastructure that has to be maintained, guarded and moved, not by white-collar office workers but by people who work in the field and are on the move. These are exactly the people who need zero trust training, along with the infrastructure, procedures and policies that go with it. Every person involved in critical physical infrastructure has to stay knowledgeable about security.
Another key component of the Pentagon's plans is the assumption of a radically modernized cloud environment, which the U.S. Army is already building. That arm of the military has already moved more than 100 key applications to a cloud built on zero trust principles.
The DoD's zero trust strategy, roadmap and plans will no doubt prove highly valuable, not only by offering guidelines and examples for implementation, but also by driving expertise and new markets for the next generation of zero trust tools.
I write a popular weekly column for Computerworld, contribute news analysis pieces for Fast Company, and also write special features, columns and think piece…