Zero Trust Security Architecture in Military Cyber Environment
Summary
- Zero Trust Architecture (ZTA) is rooted in the principle of “never trust, always verify.” Zero Trust design aims to protect modern cyber environments and enable digital transformation by using strong authentication methods, leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular, “least access” policies.
- ZTA is replacing the earlier reliance on domain ownership and air-gap isolation as the basis of trust in access management.
- Military organizations have adopted, or are adopting, this new foundation for security trust as they proceed with digital transformation.
What is a Zero Trust Security Architecture?
Information security architecture is about trust. The military has a long tradition of trusting an entity if it is part of an owned domain (SIPRNET), physically separated from others (air gap), situated in a known location (camp), represents a trusted organization, or uses an authorized terminal (a workstation in a command post).
Unfortunately, the digital transformation of military enterprises is not possible on the basis of these old trusts (Snowden, Teixeira, data breaches doubled in 2022 in DoD). It requires access from mobile terminals (no fixed place), ad hoc networks (no owned domain), quickly changing roles (no fixed organization) and a variety of terminals (no authorized workstation). It is therefore hard to establish a foundation for trust when everything can change. Hence, a zero-trust architecture (ZTA) is an enterprise cybersecurity architecture based on no-trust principles, designed to prevent data breaches and limit internal lateral movement.
NIST SP 800-207 and the CISA Zero Trust Maturity Model v2 are the most widely used references for ZTA. They also provide examples of migration roadmaps from perimeter trust towards zero trust. The following principles define the zero-trust approach:
- Every access request starts from a position of zero trust (applies to all entities - humans, devices, services).
- Authorization is granted based on dynamic context (risk-based), ideally per request.
- Assume a breach - of user ID (including machine or application service ID), access device, or transport network.
Naturally, this level of distrust requires 24/7 monitoring and a thorough understanding of one's information and computing assets. Therefore, a consolidated cloud computing architecture usually enables Zero Trust and helps build Digital Trust.
NIST SP 800-207 defines seven tenets for ZTA as follows:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
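The three principles and the seven tenets above can be read as one policy decision: deny by default, let dynamic context decide, and never let network location stand in for trust. The following is an added example written for this article, not code from NIST, CISA or any military system; the request fields, the risk threshold and the session lifetime are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    subject: str            # human, device or service identity making the request
    resource: str           # tenet 1: every data source or service is a resource
    mfa_verified: bool      # outcome of strong authentication for this request
    device_compliant: bool  # tenet 5: posture attested by enterprise monitoring
    source_network: str     # recorded for audit only; never a reason to trust
    risk_score: int         # 0 (low) .. 100 (high), fed by the monitoring pipeline

SESSION_TTL_SECONDS = 600   # assumed per-session lifetime before re-evaluation
RISK_THRESHOLD = 40         # assumed cut-off used by the dynamic policy

def evaluate(req: AccessRequest, now: float) -> dict:
    """Start from deny and grant only when every check passes. The source
    network is logged but carries no weight, so a request arriving over
    SIPRNET and one from an ad hoc network are judged by the same rules."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("subject not strongly authenticated")
    if not req.device_compliant:
        reasons.append("device posture not attested")
    if req.risk_score > RISK_THRESHOLD:
        reasons.append(f"risk score {req.risk_score} above {RISK_THRESHOLD}")
    allow = not reasons
    return {
        "subject": req.subject,
        "resource": req.resource,
        "source_network": req.source_network,  # tenet 7: collect, do not trust
        "allow": allow,
        "reasons": reasons,
        "expires_at": now + SESSION_TTL_SECONDS if allow else None,
    }

def is_session_valid(decision: dict, now: float) -> bool:
    """Tenet 3: a grant is per-session and lapses; the caller must re-evaluate."""
    return decision["allow"] and now < decision["expires_at"]

if __name__ == "__main__":
    # Constructed sample requests: same identity, same resource, same network;
    # only the device posture differs, and that alone flips the decision.
    ok = AccessRequest("analyst01", "ops-db", True, True, "SIPRNET", 10)
    bad_device = AccessRequest("analyst01", "ops-db", True, False, "SIPRNET", 10)
    print(evaluate(ok, now=0.0))          # allow: True, expires_at: 600.0
    print(evaluate(bad_device, now=0.0))  # allow: False, device posture reason
```

The decision record keeps the network that was used, which is what the monitoring side of tenet 7 needs, without that field ever contributing to the grant.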
How are Military Organizations Proceeding with ZTA?
Typically, military organizations are found somewhere along the evolutionary path of information security. Depending on their position, they can proceed in small steps or take a revolutionary leap to enable the full features of digital transformation. Table 1 gives a view of what is currently going on in military information security.
Table 1. Zero Trust adoption by armed force

| Armed Force | Areas of ZTA Application | Plans for the Future |
| --- | --- | --- |
| FIN | 2008: secured Internet service within a Confidential domain [1]; 2009: Secret session over untrusted networks with a trusted terminal; 2015: session at any confidentiality level over any access network on any available terminal [2] | N/A |
| US | 2021: Executive order to USG to move to Zero Trust Architecture [3]; 2022: US DoD Path to Zero Trust Architecture (ZTA) [4] | FOC 2027 for cloud-based services; JADC2 will be based on ZTA [5] |
| 5 Eyes | 2023: Aligning the 5 Eyes nations' ZTA approaches [6] | N/A |
| EUMS | 2022: Regulations for a high common level of cyber security, digital operational resilience, and resilience of critical entities [7] | N/A |
[1] https://www.is.fi/digitoday/art-2000001436589.html
[2] https://www.defmin.fi/files/1834/tietojohtaminen.pdf
[3] https://www.strongdm.com/blog/zero-trust-executive-order-14028
[4] https://www.defense.gov/News/News-Stories/Article/Article/3229211/dod-releases-path-to-cyber-security-through-zero-trust-architecture
[5] https://defensescoop.com/2023/04/12/army-at-the-crawl-phase-in-journey-to-zero-trust
[6] https://www.cybersecurityconnect.com.au/defence/8574-five-eyes-alliance-discusses-zero-trust-cybersecurity
[7] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/
Link to original article in Adobe https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:a62996a1-24a6-3cfc-b69c-c7b5fde8088e