By Kathryn Daily, CISSP, CAP, RDRP
If you follow any cybersecurity news, I am sure you have heard about zero trust architecture (ZTA). Historically, the authorization process has existed primarily at the perimeter of the network. In zero trust architectures, authorization happens across the surface of the network. Essentially, zero trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access.
In February of 2021, DISA and NSA put out the Department of Defense (DoD) Zero Trust Reference Architecture. It was publicly released in May of 2020. Within this document, DISA/NSA identify 5 high-level goals for the ZTA implementation, to wit:
- Modernize Information Enterprise to Address Gaps and Seams.
  It’s no secret that DoD IT has been underfunded and over time has become completely decentralized as each service/agency fits its networks and IT assets to its specific mission needs and budgetary constraints. The ZT RA aims to resolve these gaps in command configuration and processes by establishing an inclusive, responsive, and near-real-time common operating picture.
- Simplify Security Architecture.
  Rather than trying to secure circuits with crypto devices, enclaves with firewalls, data centers with DMZ security stacks, and operating systems with HBSS, ZTA instead focuses on the interaction between the user (the point of entry/exit of most data) and the application software (the source/destination of most data).
- Produce Consistent Policy.
  Historically, DoD networks have been configured and managed inconsistently through waivers and exceptions that have left the security of DoD systems porous and ineffective. By pushing the Zero Trust Reference Architecture DoD-wide, security should be improved through consistently applied policies across environments to maximize effectiveness.
- Optimize Data Management Operations.
  Mission success and advanced analytics rely on consistently structured and tagged data. While standards and policies have always existed, they have been inconsistently implemented. By standardizing data management operations, organizations can better leverage the benefits of cloud computing, data analytics, machine learning and artificial intelligence. It will also enhance interoperability between applications, between organizations, and with external partners.
- Provide Dynamic Credentialing and Authorization.
  The DoD ICAM (Identity, Credential, and Access Management) Reference Design aims to rectify outdated authentication and authorization processes by focusing on authorizing access to a resource at the point in time the entity requests it, based on the digital policy rule for that resource and the values of the authorization and environment attributes at that moment.
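The request-time, attribute-based authorization described in the last goal, shown as an added Python example that is not code from the article or from the DoD ICAM Reference Design; the attribute names, policy shape and sample values are constructed assumptions:

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed example: a policy decision point that evaluates every request
# against the resource's policy rule using subject (identity/credential) and
# environment attributes. Attribute names are hypothetical, not an ICAM schema.

@dataclass(frozen=True)
class Request:
    subject: dict       # attributes asserted by the identity provider
    environment: dict   # device posture, authentication time, etc.
    resource: str
    action: str

# Digital policy rule per resource/action: every listed attribute must match.
# Note that "inside the network" is deliberately absent as an allow signal.
POLICY = {
    "payroll-db": {
        "read": {"subject": {"role": {"finance", "auditor"}, "mfa": {True}},
                 "environment": {"device_compliant": {True}},
                 "max_auth_age_s": 900},
        "write": {"subject": {"role": {"finance"}, "mfa": {True}},
                  "environment": {"device_compliant": {True}},
                  "max_auth_age_s": 300},
    }
}

def decide(req: Request, now: datetime) -> tuple[bool, str]:
    """Evaluate the policy fresh for this request; nothing is cached or
    inherited from a prior decision. Returns (allowed, reason)."""
    rule = POLICY.get(req.resource, {}).get(req.action)
    if rule is None:
        return False, "no policy rule for resource/action (default deny)"
    for attr, allowed in rule["subject"].items():
        if req.subject.get(attr) not in allowed:
            return False, f"subject attribute {attr!r} not permitted"
    for attr, allowed in rule["environment"].items():
        if req.environment.get(attr) not in allowed:
            return False, f"environment attribute {attr!r} not permitted"
    authed_at = req.environment.get("authenticated_at")
    if authed_at is None or (now - authed_at).total_seconds() > rule["max_auth_age_s"]:
        return False, "authentication too stale for this resource; re-authenticate"
    return True, "allow"
```

Each call to `decide` re-reads the attribute values, so a device that drifts out of compliance or an aging authentication is denied on the next request rather than trusted for the life of a session.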
Likewise, for Federal Civil Agencies, President Joe Biden issued an Executive Order that mandated civil agencies to create plans for the adoption of zero trust architectures within 60 days of the issuance of the EO, in an effort to push the modernization of federal cybersecurity following major software exploits, most notably the SolarWinds compromise. Unlike the DoD, the federal Executive Order does not provide a consistent framework to implement ZTA within the Federal Civil Agencies. Many agencies are leveraging NIST SP 800-207, while others are basing their approach on the Forrester Zero Trust Model, Gartner’s Continuous Adaptive Risk and Trust Assessment, Gartner’s Secure Access Service Edge, or have created their own implementation entirely.
It is my hope that the Federal Civil Agencies will either create a standardized approach to the adoption of Zero Trust Architecture or at least adopt the DoD ZT RA in order to ensure that policies are applied consistently throughout the federal government.
To view the DoD Zero Trust Reference Architecture, visit the Library page at https://dodcio.defense.gov