This year’s Cybersecurity Executive Order (EO) set the stage for civilian agencies to accelerate adoption of a Zero Trust security framework, but the EO is also helping to hasten the movement to Zero Trust for the DoD. Given the threat landscape – increasingly sophisticated threats, a highly dispersed workforce, and an expanding attack surface – agencies need not only a framework or strategy but also specific tactics to proactively address threats before they can wreak havoc within their environments and have real-world impacts. It is too late to chase the attacker through the network.
The Department of Defense’s (DoD) new portfolio management office (PMO) for Zero Trust is taking an enterprise approach to accelerating Zero Trust. To make progress, both the DoD and the broader cyber community need to be very specific and focused. Historically, it can take several months, or even years, to make meaningful progress on new initiatives or projects. In the cyber world, this is too long – how many cyberattacks can happen in this time span? We cannot afford another SolarWinds-type attack, in which attackers move laterally without opposition.
Two things must happen. First, the DoD must have a sense of urgency around updating the Zero Trust Reference Architecture. Currently, DISA is working on the DoD Zero Trust Reference Architecture v2.0. This must be the unifying roadmap as the PMO works across agencies and commands with interoperability as the goal. Many commands and DoD agencies currently use elements of this reference architecture, but it is not yet entirely cohesive.
Next, the PMO must identify key pillars within the Zero Trust Reference Architecture to help teams prioritize what’s most important and make quick, meaningful progress. For example, gaining an understanding, through a map or discovery, of how applications and workloads communicate is an important initial step in any Zero Trust strategy. Additionally, micro-segmentation is a crucial piece of a Zero Trust architecture because it stops attacks from spreading laterally to reach critical assets. However, the DoD needs to make a very conscious attempt to differentiate between network segmentation, which is focused on network security, and ‘host-based’ micro-segmentation, which is based on application security. The latter is what DISA specifically calls for: ‘architect from the inside out’.
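The two steps this paragraph names, discovering which workloads actually talk to which services and then enforcing that map as host-based allowlists, can be illustrated with a small model. The following is an added example written for this page, not code from the DoD, DISA, or any reference architecture; the flow records, hostnames, subnets, and ACL rules are constructed. It builds an application dependency map from observed flows, derives a per-host allowlist (default deny inbound), and contrasts it with a coarse subnet-level ACL of the kind network segmentation expresses, so the difference the paragraph draws between the two becomes concrete.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of observed flows from workload telemetry (not real data).
# Fields: (src_host, src_ip, dst_host, dst_ip, dst_port, dst_process)
OBSERVED_FLOWS = [
    ("web-1", "10.1.1.10", "app-1", "10.1.2.20", 8443, "appsvc"),
    ("web-2", "10.1.1.11", "app-1", "10.1.2.20", 8443, "appsvc"),
    ("app-1", "10.1.2.20", "db-1", "10.1.3.30", 5432, "postgres"),
    ("app-1", "10.1.2.20", "db-1", "10.1.3.30", 5432, "postgres"),
    ("ws-7", "10.1.2.77", "app-1", "10.1.2.20", 8443, "appsvc"),
]

# Constructed subnet-level ACL: what a VLAN/firewall-style network segmentation expresses.
NETWORK_ACL = [
    ("10.1.1.0/24", "10.1.2.0/24", 8443),  # web tier -> app tier
    ("10.1.2.0/24", "10.1.3.0/24", 5432),  # app tier -> db tier
]


def build_dependency_map(flows):
    """Discovery step: for each listening service (host, port, process),
    record the set of workloads observed talking to it."""
    deps = defaultdict(set)
    for src, _src_ip, dst, _dst_ip, port, proc in flows:
        deps[(dst, port, proc)].add(src)
    return deps


def build_host_policies(flows):
    """Host-based micro-segmentation: each workload allows inbound only the
    (peer ip, port, process) tuples seen in discovery; all else is denied.
    In practice the discovery output is reviewed before it becomes policy."""
    policies = defaultdict(set)
    for _src, src_ip, dst, _dst_ip, port, proc in flows:
        policies[dst].add((src_ip, port, proc))
    return policies


def host_policy_allows(policies, dst_host, src_ip, dst_port, dst_process):
    """Default deny: a flow passes only if it matches an allowlist entry on the destination host."""
    return (src_ip, dst_port, dst_process) in policies.get(dst_host, set())


def network_acl_allows(src_ip, dst_ip, dst_port):
    """Subnet-level check: allowed if any ACL rule covers the src/dst networks and port."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(
        s in ip_network(src_net) and d in ip_network(dst_net) and dst_port == port
        for src_net, dst_net, port in NETWORK_ACL
    )


def evaluate(src_ip, dst_host, dst_ip, dst_port, dst_process, flows=OBSERVED_FLOWS):
    """Compare the two controls' verdicts on a single candidate flow."""
    policies = build_host_policies(flows)
    return {
        "network_segmentation": network_acl_allows(src_ip, dst_ip, dst_port),
        "host_microsegmentation": host_policy_allows(policies, dst_host, src_ip, dst_port, dst_process),
    }


if __name__ == "__main__":
    for svc, peers in sorted(build_dependency_map(OBSERVED_FLOWS).items()):
        print(f"{svc[0]}:{svc[1]} ({svc[2]}) <- {sorted(peers)}")
    # A workstation on the app-tier subnet that has never talked to the database
    # tries to reach it: the subnet ACL permits it, the host allowlist does not.
    print("ws-7 -> db-1:5432", evaluate("10.1.2.77", "db-1", "10.1.3.30", 5432, "postgres"))
    # The legitimate app-tier client is allowed by both controls.
    print("app-1 -> db-1:5432", evaluate("10.1.2.20", "db-1", "10.1.3.30", 5432, "postgres"))
```

The dependency map also surfaces flows worth questioning before they are codified, such as the workstation `ws-7` reaching the application service; that review is the point of doing discovery first rather than writing policy from assumptions.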
By prioritizing visibility into the network first and then the security of high-value assets, the DoD can improve its cybersecurity posture quickly. Swift progress is critical to ensure resiliency across the government.