Getting Zero-Trust Products Up to Par
During its move to zero-trust architecture, the military has spent the last few years testing, evaluating and adopting commercial products.
In turn, the private sector is evolving its zero trust-related offerings to better fit the U.S. Department of Defense (DOD), officials said, speaking May 6 at AFCEA International’s TechNet Cyber conference. The event, which is held each year in Baltimore, brings together cybersecurity experts.
The DOD’s new Zero Trust Portfolio Office has set a 2027 end-of-fiscal-year deadline for putting in place a certain level of zero trust-related solutions and security.
At first, things did not go so well, said David Voelker, the lead for the Department of the Navy’s Zero Trust Architecture. Implementation started with the so-called Flank Speed effort.
Companies were not clear about what they could actually offer, and solutions did not quite meet what the Navy and Marine Corps needed in terms of zero trust architecture.
“The biggest challenge, I think, was more than four years ago, when we started engaging with vendors, and we had a newly minted definition of ‘target’ and ‘advanced’ level of zero trust,” Voelker said. “What we found was that many of the vendors were repackaging products that they already had. And the products didn’t really map to the target-level zero trust requirements that we needed.”
Today, however, the solutions have allowed the Department of the Navy to meet advanced zero trust requirements on 151 systems under the Flank Speed effort.
From a commercial perspective, Microsoft has come a long way in its cybersecurity journey, shared Ian Leatherman, zero trust strategy lead for Microsoft U.S. Federal. The company started about 10 years ago with zero trust.
“Microsoft was not even using Microsoft products to defend itself when we first started this journey,” Leatherman noted. “We faced the same integration challenges, the same cultural challenges as a company in the early days of zero trust. And like a good tech company, we thought we could solve it strictly with tech. We missed the mark there for a while.”
As such, the company moved to involving employees in cybersecurity and zero trust, and to changing the culture around cybersecurity. The company also created its own suite of zero trust tools, called Microsoft Defender.
This enabled the company to robustly support the Department of the Navy in pursuing zero trust under the Flank Speed project.
Randy Resnick, the director of the new Zero Trust Portfolio Office, applauded Microsoft’s advancement. “You have clearly learned a lot in terms of zero trust,” he said to Leatherman.
For Dell, an integrator that worked with more than 75 zero trust-related products from 30 different vendors, integration was a challenge, said Herb Kelsey, lead for Dell’s Project Fort Zero and Dell Federal’s chief technology officer. The range of products included identity, credentialing and privileged access management, micro-segmentation and software-defined networking, among others.
The integration process was complex, Kelsey noted, but resulted in an ecosystem where competitors had to collaborate and create products that would work with other companies’ offerings. During the process, companies went out of business, merged or were acquired.
“We have over 30-plus vendors,” Kelsey explained. “We have over 75 products, and the DOD team asks why we had so many vendors, and I said, ‘Why do you have so many requirements?’”
In addition, zero-trust solutions had to be implemented on various platforms, with optionality for cloud and disconnected environments, he stated. This was challenging because vendors usually prioritize cloud strategies over on-premises solutions.
Vendors stayed financially invested, Kelsey continued, because there was also a market outside the DOD for their products. “Because zero trust was needed outside of the DOD, it kept the corporate investment,” he said.
Already, some military organizations, like the Department of the Navy, have achieved an advanced level of zero trust, based on the levels set by the DOD’s portfolio office.
Resnick asked Microsoft when similar Flank Speed tools would be available outside of the Navy, for other organizations to achieve advanced levels of zero trust.
“The good news for DOD is that DOD already owns the tools needed here,” Leatherman stated. “DOD owns the tech, and so those configurations are actually getting pushed out in many environments today.”
In addition, Leatherman advised organizations to add in network and endpoint visibility. The Navy, for example, had 500,000 endpoints that it did not have visibility into before zero trust.
“The biggest thing is visibility,” he stressed. “If you aren’t sensoring up everything, regardless of vendor, regardless of location, you can’t detect what is broken. You can’t detect that it is vulnerable or even compromised. That is the single biggest outcome, I think, that we’ve taken from this.”
Leatherman warned, though, that zero trust was not necessarily something that the DOD could just purchase. “It is a hard thing to achieve,” Leatherman said. “It is a culture. It is a mindset. And until every unit commander knows exactly what’s in their environment every day and they can rattle that off from the top of their head, I don’t think you will be able to get to zero trust beyond being ‘yes’ compliant from a configuration standpoint.”
Additionally, Kelsey shared that one of the biggest lessons learned was discovering how visible adversaries were on their networks. In turn, organizations can use the visibility with a call-and-response approach to see adversaries’ approaches, adjust systems and adapt continuously.
“The DOD definition of zero trust is trying to stop the adversary,” Resnick noted. “We want to minimize the adversary's ability to move through the network and limit their freedom of movement and ability to exploit DOD data. That means they can't move laterally. They can’t break out of a micro-segment. They can’t increase privilege escalation.”
TechNet Cyber is organized by AFCEA International. SIGNAL Media is the official media of AFCEA International.