Leveling up: Zero Trust and the U.S. Department of Defense

Recently, the U.S. Department of Defense (DoD) announced that it plans to implement a Zero Trust strategy by 2027 and released a roadmap of what that would look like.
While the announcement is certainly receiving a lot of attention, it is worth exploring what lessons non-government organizations can take from the DoD Zero Trust processes and guidelines, and from other industries where enterprises have already implemented Zero Trust successfully.
Maturity & Zero Trust: What the DoD guidelines say
As the saying goes, nobody is perfect.
There is no silver bullet solution or magic potion that will flawlessly bring success to a Zero Trust implementation, despite the promises of some vendors.
However, we can look to the DoD to see what needs to be done in order to reach Zero Trust maturity.
Alongside the 2027 goal, the DoD also defined levels of cybersecurity architecture maturity, each with a target year by which agencies should reach it as they implement Zero Trust.
Enterprises can use this roadmap to see where they should focus, and in what order.
But while this is certainly a useful tool, enterprises should be mindful that Zero Trust is a journey, not a destination. Where an enterprise starts, and when it is ready to improve or advance with Zero Trust, will vary. Not everyone will start at zero.
Zero Trust is a process, not a destination
What this means is that there is not a level you need to complete before moving on to the next.
It’s not a video game where you need to get the key to save the princess. It’s a video game where you play multiple missions, sometimes simultaneously, and advance your character along the way.
If enterprises treat it as a final destination, it could take years before they see any success. To see the impact of Zero Trust sooner, organizations should zoom in to a smaller scale.
Using our video game analogy, this means that enterprises should focus on strengthening their character rather than on the sometimes daunting number of missions that need to be accomplished.
Enterprises should start with smaller, less critical applications before taking on the larger and more important ones.
In other words, you wouldn’t begin at the boss level of a video game before making sure your character has all of the power-ups.
That’s a quick way to not see the success that’s needed to carry on.
NIST: A source of truth for implementing Zero Trust
While this might cause consternation as enterprises struggle with where to begin with Zero Trust, there is a consistent source of truth – The National Institute of Standards and Technology (NIST).
Through its Zero Trust Architecture guidelines (NIST Special Publication 800-207), NIST addresses the critical elements at the heart of an effective Zero Trust implementation, including attribute-based access control (ABAC).
Leveraging ABAC enables enterprises to move from a static to a dynamic approach to access, evaluating each individual request in real time against a set of attributes that answer the critical questions: who, what, when, where, and why.
This gives greater context and clarity to each access request, which is a critical piece of Zero Trust.
NIST states, “to lessen uncertainties…the focus is on authentication, authorization, and shrinking implicit trust zones while maintaining availability and minimizing temporal delays in authentication mechanisms. Access rules are made as granular as possible to enforce least privileges needed to perform the action in the request.”
In short – additional context ensures the right access is permitted to the right person in the right manner.
Nothing more, nothing less.
While DoD agencies are at varying stages of implementing Zero Trust, a number of enterprises outside government have already been implementing Zero Trust for years as a way of keeping up with the ever-growing number of federal and global compliance regulations.
The financial industry has been forced to be an early adopter of Zero Trust
In today’s day and age, mobile banking has become the norm.
If you were asked to recall the last time you set foot inside a bank branch, you might well struggle to remember.
Banks today therefore have to sell you on their experience through a mobile device. Before mobile banking, they could take their time and show you just how secure they were through the visible, high-tech security inside the building.
Now they have a matter of seconds to prove to you that no one is getting at your information without your knowledge.
At the same time, as a customer, you want to access your own information whenever you please, and it needs to be a smooth and easy process.
If there are issues or delays in using their mobile applications, customer trust is lost and the game is over for enterprises in the financial industry.
Because of this, Axiomatics has worked with customers in the financial services industry as they shift their focus to risk-based access decisions and the effect those decisions have on their customers.
Risk-based decisions and regulations
ABAC enables risk-based decisions for enterprises in any industry, which is a critical step in the Zero Trust journey.
For example, banks operating in Europe must comply with the Personal Data Protection Law, which mandates that all access to citizens' personal data records is tied to a legitimate purpose and is logged for audit purposes.
Additionally, the law states that bank customers must be able to specify which employees are to be denied access to their personal records.
Leveraging an authorization solution enables European banks to support ongoing compliance with the Data Protection Law as well as the General Data Protection Regulation (GDPR) by ensuring proper access: that the right people have the right access to the right information or processes.
While every organization will vary in maturity, the disruption in their market, combined with ever-increasing regulation, has forced the financial industry to think differently about security and turn naturally to Zero Trust.
Those regulations are also updated constantly, creating an environment of ongoing change; organizations with the ability to adapt securely will be the ones that survive.
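To make the ABAC evaluation described in the NIST section concrete, and to show how the purpose, audit and customer-defined deny requirements above map onto attributes, here is an added example of a minimal policy decision point. It is illustrative code written for this article, not Axiomatics' product, the NIST reference architecture, or any bank's policy; the attribute names, the rules, the risk-score thresholds and the sample requests are all assumptions made for the demonstration.

```python
# Added example, not code from the original article or from Axiomatics: a minimal
# attribute-based access control (ABAC) policy decision point (PDP). The attribute
# names, rules, risk thresholds and sample requests are assumptions for the demo.
from dataclasses import dataclass, field
from datetime import datetime, timezone

BUSINESS_HOURS = range(8, 18)  # assumed UTC-hour window for staff access
STEP_UP_THRESHOLD = 2          # assumed risk score at which MFA becomes mandatory


@dataclass
class Request:
    """One access request described purely by attributes (who, what, when, where, why)."""
    subject: dict      # who:  id, role, region, mfa
    resource: dict     # what: id, owner, region, allowed_purposes, blocked_employees
    action: str        # what: "read" or "update"
    environment: dict  # when/where: time, managed_device, network
    purpose: str       # why:  declared purpose of the access


@dataclass
class Decision:
    effect: str   # "Permit" or "Deny"
    reason: str
    obligations: list = field(default_factory=list)


def risk_score(req: Request) -> int:
    """Context-derived risk: unmanaged device, off-hours and public networks add risk."""
    score = 0
    if not req.environment.get("managed_device", False):
        score += 2
    if req.environment["time"].hour not in BUSINESS_HOURS:
        score += 1
    if req.environment.get("network") == "public":
        score += 1
    return score


def deny_rules(req: Request):
    """Yield a reason for every deny rule that matches; any match wins (deny-overrides)."""
    s, r = req.subject, req.resource
    if s["id"] in r.get("blocked_employees", ()):
        yield "customer has blocked this employee from their record"
    if req.purpose not in r.get("allowed_purposes", ()):
        yield f"purpose '{req.purpose}' is not an allowed purpose for this record"
    if risk_score(req) >= STEP_UP_THRESHOLD and not s.get("mfa", False):
        yield "contextual risk requires step-up authentication (MFA)"


def permit_rules(req: Request):
    """Yield a reason for every permit rule that matches; each rule is scoped narrowly."""
    s, r = req.subject, req.resource
    if s["id"] == r.get("owner") and req.action == "read":
        yield "customer reading their own record"
    if (s.get("role") == "advisor" and s.get("region") == r.get("region")
            and req.action == "read"
            and req.environment["time"].hour in BUSINESS_HOURS):
        yield "advisor reading a record in their own region during business hours"


def evaluate(req: Request, audit: list) -> Decision:
    """Deny-overrides, default-deny evaluation; every request is written to the audit trail."""
    denies = list(deny_rules(req))
    if denies:
        decision = Decision("Deny", "; ".join(denies))
    else:
        permits = list(permit_rules(req))
        if permits:
            decision = Decision("Permit", permits[0], obligations=["log-access"])
        else:
            decision = Decision("Deny", "no rule grants this request (default deny)")
    audit.append({"time": req.environment["time"].isoformat(),
                  "subject": req.subject["id"], "resource": req.resource["id"],
                  "action": req.action, "purpose": req.purpose, "effect": decision.effect})
    return decision


# Constructed sample data (not real customers, employees or accounts).
RECORD = {"id": "acct-1001", "owner": "cust-42", "region": "EU",
          "allowed_purposes": ("customer_service", "fraud_investigation"),
          "blocked_employees": ("emp-7",)}   # deny list chosen by the customer
ADVISOR = {"id": "emp-3", "role": "advisor", "region": "EU", "mfa": False}
BLOCKED_ADVISOR = {"id": "emp-7", "role": "advisor", "region": "EU", "mfa": False}
CUSTOMER = {"id": "cust-42", "role": "customer", "mfa": True}  # mobile app with MFA
T_DAY = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
OFFICE = {"time": T_DAY, "managed_device": True, "network": "corporate"}
MOBILE = {"time": T_DAY, "managed_device": False, "network": "public"}


def run_samples() -> tuple:
    """Evaluate a handful of requests; returns ({label: effect}, audit trail)."""
    audit: list = []
    cases = {
        "customer reads own record from mobile": Request(CUSTOMER, RECORD, "read", MOBILE, "customer_service"),
        "advisor reads in-region record at the office": Request(ADVISOR, RECORD, "read", OFFICE, "customer_service"),
        "blocked advisor reads record": Request(BLOCKED_ADVISOR, RECORD, "read", OFFICE, "customer_service"),
        "advisor reads for marketing": Request(ADVISOR, RECORD, "read", OFFICE, "marketing"),
        "advisor reads from unmanaged device, no MFA": Request(ADVISOR, RECORD, "read", MOBILE, "customer_service"),
        "advisor updates record": Request(ADVISOR, RECORD, "update", OFFICE, "customer_service"),
    }
    results = {label: evaluate(req, audit).effect for label, req in cases.items()}
    return results, audit


if __name__ == "__main__":
    results, audit = run_samples()
    for label, effect in results.items():
        print(f"{effect:6} {label}")
    print(f"{len(audit)} audit entries written")
```

Three design choices carry the Zero Trust point. Deny rules are evaluated first and any match wins, so a customer's block list or a disallowed purpose can never be overridden by a broad permit. Nothing is permitted unless a narrowly scoped rule says so, which is the "shrinking implicit trust zones" and least-privilege language from NIST; the advisor's update request fails for exactly that reason. And the audit entry is written for every decision, not only for permits, so the access log can answer a regulator's "who accessed what, for what purpose" question without gaps.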
Take the next step towards Zero Trust maturity
For more than a decade, Axiomatics has worked with some of the world’s most recognizable brands to help them implement authorization, which is at the heart of a successful Zero Trust strategy.
Download our solution brief to learn more about our approach to enabling Zero Trust within your organization, and request a demo to meet with our experts for a deeper dive into our Orchestrated Authorization solution.