TĐH: Traditional cybersecurity strategies are no longer sufficient for today’s cyberwar. The Zero Trust strategy is a new concept in cyberwar. To help understand this concept, I post here a paper by the US Department of Defense entitled “DOD Zero Trust Strategy.” This concept will involve not just DOD or military institutions, but also many private enterprises and individuals. Indeed, it involves the entire nation. I select the DOD presentation to post because, by nature of its job, DOD is probably concerned about cybersecurity more than anyone else. Below is the Foreword of the DOD paper.
DOD ZERO TRUST STRATEGY
Our adversaries are in our networks, exfiltrating our data, and exploiting the Department’s users. The rapid growth of these offensive threats emphasizes the need for the Department of Defense (DoD) to adapt and significantly improve our deterrence strategies and cybersecurity implementations. Defending DoD networks with high-powered and ever-more sophisticated perimeter defenses is no longer sufficient for achieving cyber resiliency and securing our information enterprise that spans geographic borders, interfaces with external partners, and support to millions of authorized users, many of which now require access to DoD networks outside traditional boundaries, such as work from home. To meet these challenges, the DoD requires an enhanced cybersecurity framework built upon Zero Trust principles that must be adopted across the Department, enterprise-wide, as quickly as possible as described within this document.
This urgency means that our colleagues, our warfighters, and every member of DoD must adopt a Zero Trust mindset, regardless of whether they work in technology or cybersecurity or the Human Resource department. This “never trust, always verify” mindset requires us to take responsibility for the security of our devices, applications, assets, and services; users are granted access to only the data they need and when needed. We all must play a role in combating our adversaries by acting quickly and correctly to address security threats wherever and whenever they arise.
Zero Trust is much more than an IT solution. Zero Trust may include certain products but is not a capability or device that may be bought. The journey to Zero Trust requires all DoD Components to adopt and integrate Zero Trust capabilities, technologies, solutions, and processes across their architectures, systems, and within their budget and execution plans. Perhaps most importantly, they must also address Zero Trust requirements within their staffing, training, and professional development processes as well.
This Zero Trust strategy, the first of its kind for the Department, provides the necessary guidance for advancing Zero Trust concept development; gap analysis, requirements development, implementation, execution decision-making, and ultimately procurement and deployment of required ZT capabilities and activities which will have meaningful and measurable cybersecurity impacts upon adversaries. Importantly, this document serves only as a strategy, not a solution architecture. Zero Trust Solution Architectures can and should be designed and guided by the details found within this document.
In January 2022, the Department established the DoD Zero Trust Portfolio Management Office (ZT PfMO) within the DoD CIO, to orchestrate the DoD efforts outlined in this DoD Zero Trust Strategy document and to accelerate ZT adoption through several courses of action. Recognizing that the starting point for Zero Trust and maturity levels varies between components, Components must align their ZT solution architectures and execution plans accordingly to this strategy so that overall DoD Enterprise ZT outcomes are achieved and in alignment to the DoD ZT PfMO schedule.
October 21, 2022
We must adapt, remain agile, and execute on synchronizing Zero Trust efforts across and throughout the Department. If we do not do this together, our teammates’ vulnerabilities will remain exposed and open to attack, which makes all of us less strong. We need to make certain that when malicious actors attempt to breach our Zero Trust defenses, they can no longer roam freely through our networks and threaten our ability to deliver maximum support to the warfighter.