A Unified DOD Zero-Trust Approach Begins with Existing Technologies

The agency must inventory its assets before consolidating identity, credential and access management solutions.

The Department of Defense should prioritize reusing cybersecurity technologies it has already invested in within zero-trust architectures to stretch its funding, says Petko Stoyanov, global CTO of Forcepoint.

Congress isn’t likely to substantially increase the Pentagon’s 12 percent share of the federal budget to buy new zero-trust tools, so it needs to improve the integration of existing ones instead, Stoyanov says.

Unlike the Cybersecurity and Infrastructure Security Agency (CISA), which provided a prescriptive zero-trust framework for civilian agencies to use, DOD is leaving it up to its branches to choose from among 45 capabilities across the model’s seven pillars. The Pentagon is doubling down on orchestration and analytics capabilities in particular, and its IT infrastructure will feed into them.

“I think the biggest challenge DOD will have is making sure that we have that balance between what we reuse versus what we buy net new,” Stoyanov says. “And then, that will drive the consolidation.”

 

Barriers to a Unified Security Approach

Part of the problem is that some of the missions of different military branches and units are very specific and require zero-trust solutions tailored to, for example, airplanes or tanks, Stoyanov adds.

While intelligence sharing between branches will lead to synergies over time, that’s not how things have played out to date.

“I'm seeing the federal civilian side setting up groups for knowledge sharing,” Stoyanov says. “I'm not seeing that in DOD.”

The Pentagon also lacks an agency such as CISA driving network visibility efforts departmentwide as part of an initiative like the Continuous Diagnostics and Mitigation program.

Civilian agencies’ cloud platforms, data centers and computers can connect to networks, but the DOD has more hard assets, such as airplanes, that can’t do so for security reasons. That’s one of the reasons the Pentagon has more than 10,000 networks, the infrastructure for which needs consolidating, Stoyanov says.

Between his Common Access Card and usernames and passwords for various systems, Stoyanov says, he had to keep track of five user accounts while he was a federal employee. DOD applications must operate across those different infrastructures.

Inventorying DOD’s Assets Is the Next Step

Tailoring zero trust to the military’s specialized missions will be driven by industry, Stoyanov says. For instance, the Navy will need contractors to help tackle the problem of carrying out hardware refreshes and software updates on ships every six to 12 months when they make land, he says.

The DOD’s first step is to inventory existing technologies and determine how many users it has, as well as where its data and apps reside. Only then can the Pentagon set about consolidating identity, credential and access management solutions, Stoyanov says.

The recent leak of highly classified DOD documents detailing U.S. eavesdropping on allies, intercepted communications and Ukrainian military weaknesses raises concerns around the department’s timeline for inventorying its IT assets.

“We still have lots of assets that are unclassified but might have sensitive data on them,” Stoyanov says. “There are data loss technology tools that could be deployed to not only scan individual workstations but scan infrastructures, scan cloud environments and figure out how we solidly get ahold of some of these spills before they happen and prevent them and guide users.”