The Department of Defense’s (DoD’s) Zero Trust Strategy and Roadmap outlines how it will move beyond traditional network security methods, like perimeter and physical equipment defenses, to shore up systemwide network security. The current approach involves NIPR, the Non-Classified Internet Protocol Router Network, a private IP network owned by DoD to exchange unclassified information, and SIPR, the Secure Internet Protocol Router used for classified information. Facing a much greater threat footprint and more sophisticated network penetration strategies, military leaders recognize the need to augment NIPR and SIPR with a cybersecurity framework that will reduce the attack surface, enable risk management and effective data-sharing in partnership/coalition environments, and quickly contain and remediate adversary activities.
The intent behind Zero Trust is to no longer assume that the network is the ultimate source of trust. Just because someone or something is on the network doesn’t mean they can be trusted: even the network itself cannot be trusted. And tying network or information access to a physical location, as with the practice of using a Sensitive Compartmented Information Facility (SCIF), does not enable DoD to enhance the way it exchanges data securely beyond those ‘containers’ in remote, limited, congested or contested environments.
But what does it mean to be “trusted?” And what characteristics denote that something or someone is not worthy of trust? These are the big questions under consideration right now.
With Zero Trust, only a person’s validated identity determines access. If the security structure is based on identity, then access can be granted wherever the user may be. If there is any question or doubt, more identity confirmation tests can be applied to increase confidence.
Over the last few years, we’ve all been introduced to Zero Trust strategies by banking and financial apps that apply multi-factor authentication, including biometrics (the use of our faces or fingerprints for identity verification), location, patterns of use and more. The military has additional verification options at the ready. DoD can leverage backend credentials such as device information, time zones, tokens (like Common Access Cards and others) and IP addresses: details that come together to build an even higher degree of trust and confirm “you are who you say you are.”
Yet deploying Zero Trust across dynamic, global military environments has far-reaching implications. First, it will require a significant cultural change as DoD shifts its network security strategy from “trust but verify” to what DoD Chief Information Officer John Sherman described as “never trust, always verify.” Second, while Zero Trust ensures security, it also creates friction, which can affect time and efficiency. Any identity verification solution deployed cannot be so cumbersome that it impedes mission readiness or prompts users to circumvent the process altogether.
All of this is to say, Zero Trust is a philosophy that provides a structure, but not a checklist. As such, it is not bound by a specific technology; it offers inherent flexibility to accommodate innovation and change. That’s great news since DoD has some aggressive goals. As Federal News Network reported, some of the initial “target” capabilities the Pentagon expects to deploy Department-wide include user inventories, federated identity, credential and access management solutions, endpoint detection and response tools, and software-defined networking. Network security experts and industry leaders like Hughes are eager to work with DoD to help answer these big questions and scope out implications for U.S. forces and commands, so DoD can achieve its Zero Trust goals by fiscal 2027.