Zero Trust architecture facilitates secure remote work by making sure that a vulnerable entry point to a network does not jeopardize other data.

ALBUQUERQUE: In order to protect information as it moves to the cloud, the Pentagon is adopting a set of “Zero Trust” tools and code to keep data safe even if an adversary hacks into the network. The Defense Information Systems Agency plans to start adopting the technologies as soon as companies build Zero Trust into the core of their software, and a new DoD laboratory will verify it.

Traditional cybersecurity is a perimeter-heavy approach, relying on protocols and firewalls to keep bad actors out, and allowing freedom from security checks once inside the network. This approach is easier if the work computers people access are all on physically controlled facilities, like bases or the Pentagon itself, but even then it’s vulnerable to a single disgruntled insider, such as Edward Snowden. With a remote workforce logging in from home, there’s not even a clear perimeter to defend.

“Zero Trust applications are where we see a lot of departmental capabilities moving over the next 12 to 18 months,” said John Hale, chief of cloud services at DISA. “That’s where we can see a lot of help from industry, making sure zero trust capabilities are baked into products from the beginning and not bolted on the end.”

In the strategic plan released by DISA yesterday, Zero Trust is an essential part of the overall picture, tying together all other levels of security and guaranteeing protection throughout networks. The plan states that DISA is working in partnership with the National Security Agency, U.S. Cyber Command, and the DoD Chief Information Officer to “develop a dynamic zero trust lab environment able to replicate existing and near-state technologies to test zero trust capabilities.”

With Zero Trust, users are given only minimal permissions to act once inside the network, and the data itself is repeatedly checked for veracity and authenticity as it is shuffled between computers.

“Think of it as not of protecting the network but of protecting our data on the network,” said Vice Adm. Nancy Norton, the head of DISA, at the 2020 TechNet Cyber conference on December 1st. “What’s most valuable for us every day is the data itself, and whether or not we can exchange the data with the people that we need to exchange it with in a timely manner that’s operationally relevant.”

Ensuring the integrity of the data makes it easier to trust information stored on the cloud, and helps ensure that the people who most need the information can get it without hassle and without fear that it has been compromised.

“If you turn the concept inside-out, you’re protecting the movement of the information that’s required for decision makers,” said Norton.

Once DISA, the NSA, and the rest of DoD have settled on tech that works for adopting Zero Trust, the plan is to roll it out rapidly.