Defense Innovation Board wants to help DOD understand zero trust
The Pentagon’s technology advisory board is urging the military to implement zero trust architecture (ZTA) for network access, and it has produced a new document on how and where the increasingly popular mode of security can be a good fit.
The Defense Innovation Board approved the white paper “The Road to Zero Trust (Security)” unanimously during a quarterly public meeting in Silicon Valley on Wednesday. It describes what is involved in a zero trust paradigm, covers how the Department of Defense can implement the tech and offers questions that can be asked “to see if your organization is effectively implementing ZTA.”
The paper notes the DOD’s reliance on a perimeter-based approach to cybersecurity — once a user has access to a network they generally have access to much of what’s on the network, even if it’s not related to their job. Zero trust architecture, meanwhile, requires that users and their devices be authenticated at the application or service level. The emphasis is on ensuring that users only have access to what they truly need.
The report by board members Kurt DelBene, Milo Medin and Richard Murray uses an analogy of a house versus an apartment building:
In your house, there are only a handful of entrances and a handful of familiar people with keys to those entrances. For these reasons, you probably don’t lock all the doors inside your house because you have faith in the “perimeter security” (in this case, locked doors leading to the outside with a select list of people with access). In an apartment building, there are many more points of entry and a longer list of people with access, which decreases your familiarity with other access holders and increases the risk of unauthorized access. For this reason, you likely lock the door to your apartment instead of just relying on the perimeter security of the apartment building, because you have less certainty that every person in the building has authorization to be there.
With cyberattacks increasing in sophistication and intensity, DelBene said Wednesday in introducing the paper, “the traditional notion of perimeter-based security is no longer sufficient.”
With zero trust “there is no trust within the network,” he said. “You assume that the network is going to be breached.” This means validating that users or devices have proper credentials to access the information they are trying to access, every time they try to access it. It also means encrypting data both at rest and in transit.
“DoD is ready for implementation [of zero trust architecture],” the report states. While the defense agency’s siloed network systems can cause many modernization troubles, they are not an issue for ZTA. “Zero trust solutions can start within a single organization or cross-organizational application, and rapidly drive all users and devices that interface with that organization or application to come into compliance and register their attributes for authentication and authorization,” the report argues. The report advocates for an incremental approach to implementation, something others in government have recommended as well.
After voting to approve the report, though, DIB Chairman Eric Schmidt offered a directive for what’s to come from the board on zero trust and a word of caution — implementing ZTA at DOD is going to be hard.
“I really do want you now to then take the next step of understanding what does the implementation look like,” he said. “Because I think the implementation for the DOD is going to be much more difficult than corporations, and every company I know of has struggled mightily with these issues.”