2023-05-27

Zero Trust Security Architecture in Military Cyber Environment


Summary

  • Zero Trust Architecture (ZTA) is rooted in the principle of “never trust, always verify.” Zero Trust design aims to protect modern cyber environments and enable digital transformation by using strong authentication methods, leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular, “least access” policies. 
  • ZTA is replacing the earlier reliance on domain ownership and air-gap isolation as the basis for access management in information security.
  • Militaries have adopted, or are adopting, this new foundation for security trust as they proceed with digital transformation.

What is a Zero Trust Security Architecture?

Information security architecture is about trust. The military has a long tradition of trusting an entity if it is part of an owned domain (SIPRNET), physically separated from others (air gap), situated in a known location (camp), represents a trusted organization, or uses an authorized terminal (a workstation in a command post).

Unfortunately, the digital transformation of military enterprises cannot be built on these old trust anchors (Snowden, Teixeira, DoD data breaches doubling in 2022). It requires access from mobile terminals (no fixed place), over ad hoc networks (no owned domain), by users in quickly changing roles (no fixed organization) and from a variety of terminals (no designated workstation). It is therefore hard to establish a foundation for trust when everything can change. Hence, a zero-trust architecture (ZTA) is an enterprise cybersecurity architecture built on zero-trust principles and designed to prevent data breaches and limit internal lateral movement.

NIST SP 800-207 and the CISA Zero Trust Maturity Model v2 are the most widely used references for ZTA. They also provide example migration roadmaps from perimeter trust towards zero trust. The following principles define the zero-trust approach:

  1. Every access request starts from a position of zero trust (applies to all entities - humans, devices, services).
  2. Authorization is granted based on dynamic context (risk-based), ideally per request.
  3. Assume a breach - of user ID (including machine or application service ID), access device, or transport network. 

Naturally, this level of distrust requires 24/7 monitoring and a thorough understanding of one's information and computing assets. In practice, a consolidated cloud computing architecture, with a single inventory and telemetry plane, is what usually makes Zero Trust feasible and helps build digital trust.

NIST SP 800-207 defines seven tenets for ZTA as follows:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual enterprise resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets. 
  6. All resource authentication and authorization are dynamic and strictly enforced before access. 
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
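The three principles and the seven tenets above describe what a policy decision point has to do on every request: start from zero trust, combine identity, device posture, network location and a live risk score into one dynamic decision, and grant access per session rather than as a standing permission. The following is an added illustration of such a decision point in Python; it is not code from NIST SP 800-207 or from any military system. The network names, risk thresholds, session lifetimes, signing key and the sample subjects and devices are assumptions chosen for the example.

```python
# Added illustration of a zero-trust policy decision point (PDP); not from
# NIST SP 800-207 or any military system. Network names, risk thresholds,
# session lifetimes and the signing key are assumed values for the example.
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

SIGNING_KEY = b"example-pdp-key-not-for-production"  # assumed; use an HSM-backed key in practice
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}
# Tenet 2: network location never lowers risk, it only adds to it (assumed weights).
NETWORK_RISK = {"siprnet": 0, "camp_wifi": 5, "internet": 20, "adhoc": 30}
UNKNOWN_NETWORK_RISK = 40
# Maximum tolerated effective risk per classification level (assumed thresholds).
MAX_RISK = {0: 80, 1: 50, 2: 30}


@dataclass(frozen=True)
class Request:
    subject: str             # user or service identity from a verified credential
    clearance: str           # highest level the subject is cleared for
    mfa: bool                # phishing-resistant MFA completed for this request
    device_id: str
    device_compliant: bool   # patched, encrypted, EDR running (from the device inventory)
    device_attested: bool    # TPM / measured-boot attestation verified
    network: str             # where the request arrived from
    resource: str
    classification: str      # classification of the requested resource
    risk_score: int          # 0..100 from SIEM / behaviour analytics, higher is riskier


def evaluate(req: Request, now: Optional[float] = None) -> dict:
    """Decide one request from a position of zero trust (tenets 3, 4 and 6)."""
    now = time.time() if now is None else now
    level = LEVELS[req.classification]
    reasons = []
    if not req.mfa:
        reasons.append("mfa_required")
    if level > LEVELS[req.clearance]:
        reasons.append("insufficient_clearance")
    if not req.device_compliant:
        reasons.append("device_noncompliant")
    if level >= 2 and not req.device_attested:
        reasons.append("attestation_required")   # assume the access device may be breached
    effective_risk = req.risk_score + NETWORK_RISK.get(req.network, UNKNOWN_NETWORK_RISK)
    if effective_risk > MAX_RISK[level]:
        reasons.append(f"risk_too_high:{effective_risk}")
    if reasons:
        return {"allow": False, "reasons": reasons, "token": None, "ttl": 0}
    # The grant is per session and short-lived; higher level or risk shortens it.
    ttl = max(60, 600 - 150 * level - 5 * effective_risk)
    claims = {"sub": req.subject, "dev": req.device_id, "res": req.resource, "exp": int(now + ttl)}
    return {"allow": True, "reasons": [], "token": _sign(claims), "ttl": ttl}


def _sign(claims: dict) -> str:
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """The enforcement point re-checks signature and expiry on every use of the grant."""
    now = time.time() if now is None else now
    payload, _, mac = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(payload)
    return claims if claims["exp"] > now else None


if __name__ == "__main__":
    # Constructed sample: the same officer and workstation, seen from two networks.
    base = dict(subject="maj.virtanen", clearance="secret", mfa=True, device_id="ws-cp-17",
                device_compliant=True, device_attested=True, resource="ops-plan-db",
                classification="secret", risk_score=10)
    print(evaluate(Request(network="siprnet", **base))["allow"])   # True
    print(evaluate(Request(network="adhoc", **base))["reasons"])   # ['risk_too_high:40']
```

The point of the example is that identity alone decides nothing: the same cleared user on the same compliant, attested workstation is allowed a Secret session from SIPRNET but refused from an ad hoc network, because the transport is assumed breached and adds to the risk score rather than subtracting from it. The token the PDP returns expires on its own, so every new session is re-decided against current posture and risk rather than inheriting yesterday's grant.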

How are Military Organizations Proceeding with ZTA?

Typically, military organizations are found somewhere along the evolutionary path of information security. Depending on their position, they can proceed with small steps or take a revolutionary leap to enable the full features of digital transformation.  For example, Table 1 provides a view of what is going on in military information security.

Table 1. ZTA application by armed force (columns: Armed Force; Areas of ZTA Application; Plans for the Future)

FIN
  Areas of ZTA application:
    2008 Secured Internet service within a Confidential domain[1]
    2009 Secret session over untrusted networks with a trusted terminal
    2015 Session at any confidentiality level over any access network on any available terminal[2]
  Plans for the future: N/A

US
  Areas of ZTA application:
    2021 Executive order directing the US Government to move to a Zero Trust Architecture[3]
    2022 US DoD Path to Zero Trust Architecture (ZTA)[4]
  Plans for the future:
    FOC 2027 for cloud-based services
    JADC2 will be based on ZTA[5]

5 Eyes
  Areas of ZTA application:
    2023 Aligning the Five Eyes nations' ZTA approaches[6]
  Plans for the future: N/A

EUMS
  Areas of ZTA application:
    2022 Regulations for a high common level of cyber security, digital operational resilience, and resilience of critical entities[7]
  Plans for the future: N/A



[1] https://www.is.fi/digitoday/art-2000001436589.html

[2] https://www.defmin.fi/files/1834/tietojohtaminen.pdf

[3] https://www.strongdm.com/blog/zero-trust-executive-order-14028

[4] https://www.defense.gov/News/News-Stories/Article/Article/3229211/dod-releases-path-to-cyber-security-through-zero-trust-architecture

[5] https://defensescoop.com/2023/04/12/army-at-the-crawl-phase-in-journey-to-zero-trust

[6] https://www.cybersecurityconnect.com.au/defence/8574-five-eyes-alliance-discusses-zero-trust-cybersecurity

[7] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/


Link to original article in Adobe https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:a62996a1-24a6-3cfc-b69c-c7b5fde8088e