Your quick reference guide to align enterprise cybersecurity with DoD’s shift to Zero Trust
Since the term was coined in 2010, Zero Trust Architecture has taken the cyber defense world by storm as a way to account for an evolving threat landscape and for cloud and hybrid IT environments that no longer have a precise network perimeter. Consequently, over the last two years or so, there has been an influx of strategic guidance, policy, execution roadmaps, and other cybersecurity risk management resources surrounding the Department of Defense’s (DoD) transformational shift to Zero Trust.
As with many cybersecurity hot topics, the initiative is often laced with marketing promises and relentless pitches for a tool (the “silver bullet”) that will solve the problem or, in this case, get you to Zero Trust security.
With the Department navigating the Zero Trust waters and unpacking the myriad capabilities and activities necessary to formulate a robust implementation plan (due to the DoD CIO by October 2023), BreakPoint Labs offers clear, actionable steps for any organization to self-evaluate its current program and begin its journey toward a Zero Trust Architecture.1
Leverage Existing Cyber Defense and Security Investments
Avoid falling prey to pitches for a new, shiny Zero Trust capability, especially early in the process. The DoD defines the Zero Trust baseline as one that “leverages its current infrastructure and environment using Brownfield approach.”
In other words, it retains key elements of the existing perimeter-based methodology and applies them within the modernized Zero Trust model. Given the breadth of the DoD Zero Trust Strategy, which comprises 45 capabilities and 152 activities, there is ample opportunity to put existing investments (directory services, endpoint management, logging, network access control) to work within the new paradigm.2
Assess the Terrain: Inventory Users, Devices, Applications, and Data
A foundational step to Zero Trust is understanding who and what is on the network. At the most basic level, you cannot protect or defend components that are unmanaged or unaccounted for.
Establishing and validating a current, accurate inventory of all users, including person and non-person entities (service accounts, automation, devices acting as clients), is critical to ensuring that everyone with access to resources is vetted and registered from an authoritative source.
In addition to users, organizations must inventory devices to validate which systems are authenticated, authorized, and connected to other network resources, and extend the same discipline to applications and data so that later policy decisions have something concrete to protect. An inventory is only as good as its reconciliation: compare it against what is actually observed (DHCP leases, authentication logs, network flows) and treat anything present on the wire but absent from the inventory as unmanaged until proven otherwise. While creating or verifying an inventory seems administrative, doing so in a trusted, standardized, and data-driven manner will pay dividends in the later stages of the Zero Trust journey.
Select and Implement Authoritative Source for Identity, Credential, and Access Management (ICAM)
With an understanding of who and what is on the network, an organization can designate Identity, Credential, and Access Management (ICAM) solutions to serve as an authoritative source for identities and subsequent authentication and authorization decisions.
Before releasing the Zero Trust Strategy in 2022, the DoD had already published an ICAM Strategy in 2020 (if you’re seeking yet another strategy) focused on “the creation of digital identities and maintenance of associated attributes, credential issuance for person/non-person entities, authentication using the credentials, and making access management control decisions based on authenticated identities and associated attributes.”
The need for a well-defined and well-informed ICAM solution is apparent. It is essentially the “quarterback” of the Zero Trust architecture, responsible for many downstream decisions on user authentication and authorization, which is also why its attribute data (roles, enablement status, credential strength) must be accurate and kept current.
Select and Implement Authoritative Source for Comply-to-Connect (C2C)
Like user identities, devices must also be identified and inspected before they access network resources. Ensuring that systems are not only what they claim to be but also meet a minimum baseline for vulnerability and patch management drastically reduces risk within the environment.
Comply-to-Connect (C2C) capabilities have advanced significantly in recent years, especially given the increased use of remote access during and following the COVID-19 pandemic.
C2C allows for real-time inspection of devices and comprehensive policy decisions that best suit the needs of the organization and its users. A well-instrumented C2C solution will be a critical source for device authentication and authorization decisions, and, because posture changes over time, those decisions should be re-evaluated continuously rather than only at initial connection.
Integrate and Orchestrate
With the foundational building blocks of a Zero Trust Architecture in place, organizations can begin to focus on interoperability, automation, and analytics. Using application programming interfaces (APIs), organizations can automate repetitive, predictable processes, including:
- Network segmentation
- Security updates and playbooks
- Incident response workflows
As Zero Trust implementations mature, organizations become data-rich environments that collect user, device, application, and network activity logs, including every allow/deny decision and the reasons behind it. That telemetry is the raw material for behavioral analytics that characterize, monitor, and continuously evaluate the enterprise cybersecurity posture.
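The three sources described above (the ICAM identity record, the C2C device posture, and the per-resource policy) come together at a policy decision point. The following is an added example written for this guide, not code from the DoD strategy or any vendor product: a deny-by-default decision function over constructed sample identity, device, and policy records. The record fields, resource names, and thresholds are all assumptions chosen for illustration; a real deployment would pull them from the authoritative ICAM and C2C sources. It also shows the inventory reconciliation step from the earlier section (observed devices not present in the inventory) and emits an audit record per decision for later analytics.

```python
"""Minimal Zero Trust policy decision point (PDP) over constructed sample data.

Identity records stand in for ICAM, device records stand in for C2C posture,
and POLICIES stands in for per-resource access policy. All data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is repeatable (assumption: evaluations happen at this time).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Authoritative identity records (stand-in for ICAM). Person and non-person entities.
IDENTITIES = {
    "jdoe":       {"type": "person", "mfa": True,  "clearance": "secret",       "roles": {"analyst"}, "enabled": True},
    "svc-backup": {"type": "npe",    "mfa": False, "clearance": "unclassified", "roles": {"backup"},  "enabled": True},
    "bsmith":     {"type": "person", "mfa": True,  "clearance": "secret",       "roles": {"admin"},   "enabled": False},
}

# Device inventory with posture (stand-in for C2C). A device absent here is unmanaged.
DEVICES = {
    "LT-0042":       {"managed": True, "edr": True,  "last_patch": NOW - timedelta(days=5),  "owner": "jdoe"},
    "LT-0077":       {"managed": True, "edr": False, "last_patch": NOW - timedelta(days=90), "owner": "bsmith"},
    "SRV-backup-01": {"managed": True, "edr": True,  "last_patch": NOW - timedelta(days=10), "owner": "svc-backup"},
}

# Per-resource policy: required identity attributes and device posture (constructed).
POLICIES = {
    "siem":          {"roles": {"analyst", "admin"}, "min_clearance": "secret",       "require_mfa": True,  "max_patch_age_days": 30},
    "backup-bucket": {"roles": {"backup", "admin"},  "min_clearance": "unclassified", "require_mfa": False, "max_patch_age_days": 30},
}

CLEARANCE_RANK = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # empty when allowed


def unmanaged_devices(observed: set) -> set:
    """Inventory reconciliation: device IDs seen on the network but absent from the inventory."""
    return observed - set(DEVICES)


def evaluate(user: str, device: str, resource: str, now: datetime = NOW) -> Decision:
    """Deny by default: every failed check adds a reason, and any reason refuses the request."""
    policy = POLICIES.get(resource)
    if policy is None:
        return Decision(False, ["unknown resource"])

    reasons = []
    identity = IDENTITIES.get(user)
    dev = DEVICES.get(device)

    # Identity checks (ICAM side).
    if identity is None:
        reasons.append("identity not in authoritative source")
    elif not identity["enabled"]:
        reasons.append("identity disabled")
    else:
        if policy["require_mfa"] and not identity["mfa"]:
            reasons.append("MFA required")
        if not (identity["roles"] & policy["roles"]):
            reasons.append("role not permitted")
        if CLEARANCE_RANK[identity["clearance"]] < CLEARANCE_RANK[policy["min_clearance"]]:
            reasons.append("insufficient clearance")

    # Device checks (C2C side). An unknown device is unaccounted for and cannot be trusted.
    if dev is None:
        reasons.append("device not in inventory")
    else:
        if not dev["managed"]:
            reasons.append("device unmanaged")
        if not dev["edr"]:
            reasons.append("EDR agent missing")
        if (now - dev["last_patch"]).days > policy["max_patch_age_days"]:
            reasons.append("device patch baseline not met")
        if dev["owner"] != user:
            reasons.append("device not registered to requesting identity")

    return Decision(allow=not reasons, reasons=reasons)


def audit_record(user: str, device: str, resource: str, now: datetime = NOW) -> dict:
    """Structured record of a decision, the kind of event later analytics consume."""
    d = evaluate(user, device, resource, now)
    return {"ts": now.isoformat(), "user": user, "device": device, "resource": resource,
            "allow": d.allow, "reasons": d.reasons}


if __name__ == "__main__":
    for req in [("jdoe", "LT-0042", "siem"), ("jdoe", "LT-9999", "siem"),
                ("bsmith", "LT-0077", "siem"), ("svc-backup", "SRV-backup-01", "backup-bucket")]:
        print(audit_record(*req))
    print("unmanaged:", unmanaged_devices({"LT-0042", "LT-9999", "PRN-0003"}))
```

Two design points worth noting. Every check is evaluated even after the first failure, so the audit record explains the full posture gap rather than only the first problem, which is what a C2C remediation workflow or an analyst needs. And the unknown-device and unknown-identity cases are refused explicitly rather than falling through, which is the practical meaning of "you cannot defend what is unaccounted for."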
Set the Expectation: Zero Trust Is a Journey
The adoption of Zero Trust principles does not happen overnight. It takes careful, deliberate planning and continuous incremental improvements to execute the framework fully, and each increment should be measured against the capability and activity targets rather than against tool purchases.
As DoD works to implement the target-level Zero Trust capabilities and activities by Fiscal Year 2027, the Department’s own Zero Trust Portfolio Management Office has recognized the need to “make it simpler, while still maintaining the ability…to stop the adversary.”
The key considerations and actionable steps described here will jumpstart any organization’s journey toward a Zero Trust Architecture.
Disclaimer of Endorsement
The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement, recommendation, or favoring by BreakPoint Labs, LLC.
1. DoD Zero Trust Strategy Placemats, retrieved from https://dodcio.defense.gov/Portals/0/Documents/Library/ZT-StrategyPlacemats.pdf.
2. DoD Zero Trust Capability Execution Roadmap, retrieved from https://dodcio.defense.gov/Portals/0/Documents/Library/ZTCapabilitiesActivities.pdf.