DoD Zero Trust Symposium Wrap-Up: 3 Key Trends

By Shannon Vaughn

The DoD Zero Trust Virtual Symposium just wrapped, comprising three days of in-depth discussion about the current state of Zero Trust (ZT) at the Department of Defense. It’s hard to believe that the prioritization of Zero Trust architecture at the DoD began in earnest just three years ago. Now, ZT is everywhere, and we’re already starting to see the positive outcomes of this mindset shift in military exercises and cross-domain collaboration with allied mission partners.

It’s evident that ZT is making an impact. Across the Zero Trust Symposium, three trends rose to the surface.

1. Zero Trust is changing the culture of cybersecurity.    

“Zero Trust is a culture,” said DoD CIO Katie Arrington. ZT “isn’t a framework,” she said, “this is a cultural thing. You’re on the bleeding edge of changing a culture that will be impactful.”

It’s true that Zero Trust, which started as an obscure concept in 2010 and then became a cyber buzzword around 2022, has now crystallized into an urgent imperative for stronger security that relies not just on a strong perimeter, but also on continuous authorization and authentication of any person or non-person entity seeking access to sensitive data, wherever that data is located.

“I would never have guessed that Zero Trust would be such a big thing so quickly, in a global nature,” said Randy Resnick, Director of the DoD’s Zero Trust Portfolio Management Office. Three years ago, Resnick recalls, “ZT was not in anybody’s lexicon when it came to cyber defense… it wasn’t anything that had any energy behind it.” 

John Kindervag, the creator of Zero Trust, is just as surprised: “I could not have imagined a day like this, where there was going to be a Department of Defense Zero Trust Symposium with all these august speakers and an entire day talking about it… my mind is blown,” he said. 

A lot has changed since Kindervag’s 2010 paper, and even since the DoD published its first Zero Trust Strategy and Roadmap in 2022. ZT has caught on like wildfire — both in the federal government and in the private sector. 

“ZT Is Not a Technology Problem”

“Zero trust is not really a technology problem,” said Col. Gary Kipe, Chief of Staff of the DoD CIO ZT Portfolio Management Office. “And if it’s not inherently, fundamentally a technology problem, then it’s not really a technology solution that we’re looking for.” 

“So, what is the problem?” Col. Kipe posited. “The problem is a culture problem. The way we think about the environments, the way we think about data, we think about what we’re really trying to defend: Is it the network, or is it data? Or, is it any of that? Is the outcome that we’re really trying to achieve the mission, or is it the machine?” 

“The Zero Trust journey, then, really involves this right here — what [we] are doing with 3,000 of our closest ZT friends. It’s thinking more clearly, refining our understanding of what the problem is, and coming up with the solutions as a team. This right here is our culture change. It’s connecting our current and our future states, connecting what we’re doing with why we’re doing it — and those, in and of themselves, [are] the culture change we’re trying to achieve.” 

2. Zero Trust is “all about data access.” 

“You can think about Zero Trust as a data access cybersecurity strategy,” Resnick said. “If you needed a short sentence about what Zero Trust is, it’s all about data access and who’s allowed to get to what.”  

Zero Trust and data-centric security go hand in hand: At the end of the day, it’s about ensuring data is only accessed by the right people (or systems), at the right time, and under the right circumstances. Those person and non-person entities must prove they have the authority to access any given piece of data, and authenticate with the proper credentials to demonstrate their true identity. 

The Data Pillar of ZT Architecture

There’s a reason that data is depicted as the central element of the DoD Zero Trust architecture: it is inextricably woven into every other pillar (User, Device, Network/Environment, Applications/Workload, Visibility/Analytics, and Automation/Orchestration). The graphic below appears in the DoD Zero Trust Reference Architecture and shows the interconnected nature of Data across all pillars. “Protecting data is at the center of ZT goals and is a part of all other resources,” it notes.

[Figure: DoD Zero Trust Framework Pillars]

“The front line is digital, and data is the territory that we must defend,” said Kyle Fox, CTO at SOSi. “Eight out of 10 breaches of military systems along the supply chain and key suppliers are not from perimeter compromise, but from, instead, a combination of insider threats and credential compromise. An even bigger threat, and something I’m even more worried about, is manipulation of our data.”

“If we lose confidence in our data, how are we making good decisions?” he asked. The Zero Trust tenet of “assuming breach” represents a different way of thinking about the way we protect data at different locations, at different points in time, both inside and outside the perimeter.

“Going back to the data pillar, I really view this as the cornerstone of the way we should be thinking about doing our systems security engineering,” said Fox. “Data is the critical asset.”  

Assigning Relevance to Sensitive Data

Kindervag uses the term “protect surface” to describe the sensitive data, sensitive applications, sensitive assets, or sensitive services that need to be safeguarded. “Early on, we’re going to [learn about] protect surfaces, then we’re going to practice protect surfaces. Then we’re going to go on to our high-value assets… in industry, they often call them the ‘Crown Jewels,’ sometimes the ‘Keys to the Kingdom.’ Then you have things that are less important over time — secondary, tertiary protect surfaces. You’re going to determine what stuff you protect based on relevance,” Kindervag said. He shared the graphic below to illustrate “R Value,” or relevance, as applied to sensitive data. 

[Figure: Kindervag Illumio R Value Zero Trust]

“Those 30-49 bands, probably, we aren’t going to protect those any differently than we would today, because their relevance is so low, they’re not worth the extra money and effort to do that,” Kindervag said. “So, by assigning each ‘protect surface’ an R Value, we can understand its importance and how much energy we need to put into it.” 

3. Zero Trust at the DoD requires public-private sector collaboration. 

The momentum garnered around Zero Trust over the past three years has been extraordinary, largely because of the shift to outcomes-based thinking, as well as the collaboration between the public and private sectors. 

At the DoD, “We’re not integrators, we’re warfighters,” Resnick said. “Integrating commercial products is not our forte. We need industry to integrate these products together and work company-into-company to get the job done and to deliver us outcomes.” 

That’s not to say that the private sector can do it alone: “Zero Trust is something you do, not something you buy,” said Kindervag. “We design from the inside out instead of the outside in… [Historically,] we’ve always designed from the edge inward because that’s how networks were built, but security is different than networking. We need to start with the data or assets we’re going to protect and design outward from there.”  

“The overall desired outcome is to achieve Zero Trust; ensure that warfighter capabilities can operate in a cyber-contested domain; deny the adversary; and win every time,” said David Voelker, Department of the Navy CIO ZT Implementation lead.  

This outcome is fueled by tight alignment between functions, as well as deep subject matter expertise internally. “We’re really relying on program expertise because the system engineers that have been working in these programs know the valuable items that need to be protected; they can identify where microsegmentation or policy enforcement points need to be placed,” Voelker said. “These policy enforcement points can do detection and control based on the standards in NIST 800-207, and make sure that those things are properly identified… they’re completely defined, and they’re operational. So as the SOC members come in, they can apply the best visibility analytics and define the best playbooks, automated countermeasures for the technical baseline to defend it as best we can.”  

This is where public-private partnerships can deliver faster, more efficient outcomes: Bringing speed, cutting-edge technology, and agile processes to the stable, deeply knowledgeable bureaucracy of a large government enterprise creates a valuable, effective mechanism for achieving better outcomes more quickly. 

Zero Trust Culture Change Is Well Underway, and Well Worth the Effort 

“Zero Trust is really about an outcome,” said Col. Kipe. “That outcome doesn’t happen on its own; it’s a very deliberate effort… the outcome we are working toward is freedom.” 

We’re thrilled to see how data-centric security is making powerful changes at the DoD and beyond. The team at Virtru works every day to accelerate winning outcomes for partners in the federal government and the defense industrial base, with solutions powered by the open-standard Zero Trust Data Format.  

The journey to Zero Trust is far from complete, but summits like the DoD Virtual Zero Trust Symposium spotlight the admirable progress being made, and the collective journey ahead of us.

