• U.S. Defense Department officials intend to complete an initial zero trust architecture by year's end to improve cybersecurity, according to Vice Adm. Nancy Norton, USN, director, Defense Information Systems Agency.
     U.S. Defense Department officials intend to complete an initial zero trust architecture by year's end to improve cybersecurity, according to Vice Adm. Nancy Norton, USN, director, Defense Information Systems Agency.

DOD to Offer Zero Trust Architecture This Year

The Cyber Edge
July 15, 2020
By George I. Seffers
E-mail About the Author

Data-centric security marks a new paradigm.

The U.S. Defense Department by the end of the calendar year will release an initial zero trust architecture to improve cybersecurity across the department, says Vice Adm. Nancy Norton, USN, director, Defense Information Systems Agency, and commander, Joint Force Headquarters-Department of Defense Information Network.

Norton’s agency, commonly known as DISA, is working with the National Security Agency, the Department of Defense (DOD) chief information officer and others on what she calls an initial “reference” architecture for zero trust, which essentially ensures every person wanting to use the DOD Information Network, or DODIN, is identified and every device trying to connect is authenticated.

“DISA is working with NSA and the ZT [zero trust] team to develop the initial zero trust reference architecture that will be out sometime later this year, and the Army will be able to use that, as well as DOD components, to guide them along the way in best practices for zero trust architecture,” she said while addressing the audience for the Army’s virtual 2020 Signal Conference, hosted by AFCEA.

Zero trust is expected to eliminate the traditional network-centric security model for the department. “This paradigm shift from a network-centric to a data-centric security model will affect every arena of our cyber domain, focusing first on how to protect our data and critical resources and then secondarily on our networks,” she said. “Under our traditional defense-in-depth approach, we have tried to make the DODIN trusted and safe territory. Under our new zero trust model, we will always assume that our internal networks are as hostile as external networks.”

The shift to a zero trust architecture will be a significant change for the department. “This changes a fundamental premise that denies all [network access]  and allows by exception rather than allowing all and denying by exception,” Adm. Norton added.

The change is needed because the Defense Department is constantly inundated with cyber attacks. “State and non-state actors try to attack our networks every day, and that attack surface spans the world across every service, combatant command and warfighting domain. This is a no-fail mission for our nation and its warfighters,” she declared. “Joint Force Headquarters-DODIN directs the defensive actions for millions of events across the attack surface of our DOD networks every day. Clever adversaries try to steal our credentials, escalate privileges and exfiltrate our data. That’s why we’re embracing zero trust—to prevent data breaches.”

And the old, network-centric model is no longer enough, she indicated. “In the traditional perimeter or castle-and-moat approach to defending our networks, if our adversaries make it across the moat, they have free reign inside the castle. We are working to end that.”

The initial reference architecture is being built and tested in the Joint Interoperability Test Command Laboratory and will be used to “align core capabilities needed for zero trust and guide our lab testing,” she said.

While specific products that represent portions of the department’s current enterprise network capabilities will be tested to support reference architecture development, the objective is to develop a vendor-agnostic solution. “This work will inform and guide the department’s efforts to evolve toward a next-generation architecture. It will align cybersecurity and IT efforts to optimize tailorable, risk-based decisions based on performance and security. It also will serve as a framework and architecture to guide cultural change in how we operate and defend our information environment.”

The new architecture will take advantage of existing capabilities while incorporating new principles, analytics, policies, devices and automation. “It won’t replace many of our current systems, tools or technologies, but it will enable us to take a more holistic approach to integrating, augmenting and optimizing existing functionality to evolve our enterprise architecture,” Adm. Norton explained.

Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.


Share Your Thoughts:

My former work at including the deployment of Zero Trust environments solved many of the foundational vulnerabilities of the current world wide web.

ZT is the bedrock of any cyber security solution both for sheer reduction of threat surfaces, productivity and the ability to engage AI to isolate or destroy cyber infections.

Sorry - I left out my former company in my post so it would appear disjointed.

Bottom line is that ZT is without a doubt shall become the cornerstone of any cyber program. It's implementation at Layer 2 / 3 without impacts to data allowed me to control every single system communication via authenticated identity, as well as the ability to identify all inbound and outbound activity. The bonus of all authenticated communication provided an opportunity to forge forward both on the control of analyst manpower due to reduced loads and the ability to look forward at automation of cyber infection control.

Share Your Thoughts: