The Department of Defense is working to build a zero-trust security architecture into its networks as millions of employees continue to telework during the coronavirus pandemic.
Zero trust — a system that moves security to every level of a network instead of just at the login or “perimeter” — has been a topic in DOD’s security community for years. But the challenges of the pandemic have pushed the conversation toward action, John Sherman, the DOD’s principal deputy chief information officer, said Tuesday during the Red Hat Government Symposium produced by FedScoop.
The desire to move to zero trust has not been uniform, but the potential changes have triggered a “healthy dialog” among DOD technology leaders, Sherman said. He hinted there was dissent among some agencies in DOD over how to make zero trust a reality, but did not elaborate on specifics.
“This crisis has forced us to think differently,” he said of implementing new zero trust principles in networks.
The changes the DOD would need to make include producing greater visibility into its networks, implementing more controlled access points and retraining the security workforce to work in a zero-trust environment. Sherman said he leads a weekly senior-level meeting with counterparts from agencies like the Defense Information Systems Agency (DISA), IT leaders from the military services, Cyber Command and others.
“The newness of this concept … has created a healthy dialog in our meetings,” Sherman said. “Innovation is not born out of groupthink.”
Some of the motivation for change, in addition to the many reports that have urged DOD to make the transition to zero trust, has been an increase in phishing attacks during the coronavirus pandemic. With one-third of the DOD workforce working on its new Commercial Virtual Remote telework environment, the so-called attack surface has grown, giving adversaries more opportunities to try to gain access to DOD information.
In a zero-trust environment, successful phishing attacks would not get very far, Sherman asserted. The concept doesn’t allow any users, credentialed or not, to move freely about a network without authorization. The idea is to give each user “zero trust” in how they can operate. The first step in implementing the conceptual change to security is “fine-grained access,” which dramatically limits what users can reach based on their credentials and need for information.
“This just might be the exact preview of how we will have to operate” in the future, Sherman said.