I Read The DoD Zero Trust Doc, Here's What You Need To Know...

Are you still stuck managing IP Allow/Deny lists? If so, it's 2023, and this is for you.

In October 2022, the DoD published a strategy document regarding Zero Trust, which was cleared for public release in November 2022.

I read the entire document, and here are my takeaways.

Also, I have a story at the end of what a Zero Trust world looks like.


Culture Was A HUGE Component

I couldn’t help but notice how many times “culture” was mentioned in the document. It was so ubiquitous that I had to do a word count: it was mentioned 17 times!

Not only that, but so was the word “adopt”. 🤔

Interestingly enough, Cultural Adoption was mentioned several times.

Culture As A Strategy

Not only that, it was a major part of the strategy and plan! One of the four primary goals (25%) was dedicated to culture.

Improving culture is the story of our lives in the cybersecurity world. I even published something about it recently, and I make it a finding in my gap assessments when I find systemic failures in security.

To best understand why this is so important, fundamental, and pivotal (you see what I’m trying to do here? 😁), here is a quote that best sums it up…

This is similar to the “security is everyone’s job” speeches we give, or the “you need executive buy-in” that every major initiative must have.

Some other notable quotes from the culture strategy:

I mean, if you swapped “Zero Trust” for any religious or political ideology, you would think this was the writing of someone standing on a corner with a huge sign, trying to change the world and warn it of impending doom.

Zero Trust Is An Ultra-Marathon

The first time I heard about ultramarathons I was blown away. These are races that can go over 100 miles, and sometimes span the most treacherous terrain. Almost superhuman, but people do it. So keep this in mind when you hear “marathon”: how long the marathon is depends on your perspective.


Zero Trust is a long haul approach, with multiple mile-markers (levels) to it.

Think of it this way…

  • Having 8-character passwords is like filling out the entry form.

  • A 12-character password following NIST guidelines is finishing a 5k race.

  • Enabling 2FA is like finishing a 10k race.

  • Context-aware access and FIDO2 is finishing the NYC marathon.

I’ve written Zero Trust roadmaps before, broken down into 4 levels, but there is no one-size-fits-all.

Zero Trust Levels

The DoD broke it down into two levels:

  • Target

  • Advanced

They’re estimating four (4) years to reach Target Zero Trust (FY ‘27). Depending on how you view it, that can seem aggressive or too long, especially if you look at what constitutes the Target level in their chart below.

Zero Trust Is Continuous

So one great quote from the document (think back to Marathon length) is…

I love this quote. People looking to engage security are often looking for a quick fix or a pass on their security issues; however, security is a long game.

Greenfield vs Brownfield

I do want to call out that this document is geared toward brownfield (changing existing systems) approaches. If you have a greenfield opportunity, now is the best time to take advantage of Zero Trust ideology.

The Land Of Oz In Zero Trust Is Paved With Gold

Ok, so for the curmudgeons out there who don’t like to use the term Zero Trust, maybe it’s because it seems too obscure. So let’s paint a picture of what it looks like exactly.

If you’ve read James Clear’s Atomic Habits, you’ll know that the dopamine hit comes before the reward, not after. So let’s paint a good picture of what “good” looks like so we can get everyone salivating and onboard!

So what does Zero Trust look like exactly?

Black and White Cybersecurity

Well, let’s start with what it’s not.

It’s not:

  • IP Allow/Deny Lists

  • Static Passwords

  • Shared logins

  • Master keys to the kingdom

  • Unfettered super admin access to everything

  • VPN access to vast networks and machines

  • RBAC

Here’s an excellent quote from the document:


Full Color Cybersecurity

  • Policy-based access control

  • Contextually aware access control

  • FIDO2

  • Single Logout

  • OAuth and OIDC

IMAX 3D Cybersecurity

Here is what fully working Zero Trust looks like (in addition to everything previously listed):

  • Data tagging

  • Attribute-based Access Control

  • Behavioral Access Control

  • Dynamic Secrets Management

  • Dynamic authorization services throughout

Here’s the big-picture storyline of Zero Trust in action:

Engineer X is working on project A from Bali. To get into company systems, they must authenticate with two certificates: one on their machine, and the other tied to them personally. To unlock the personal certificate, they use a fingerprint or a YubiKey.

After the system authenticates the user, they still need to be authorized. The system checks with a policy engine to see what services are allowed. It sees the user is tagged with Project A, so all Project A resources are made available to them via a dynamic tunnel from their machine. The tunnel uses the certificates on the machine to re-authenticate the user. The system rechecks authorizations every 5 minutes with refresh tokens.

Attack Scenario

Say an attacker gains FULL access to their machine. Let’s say they somehow steal the machine certificate, and their personal certificate from memory (even though the cert should be closed after auth, but humor me). The attacker then tries to impersonate the user with those credentials. However, when trying to re-authenticate, the system notices an active session is already in place. In addition, the system realizes that the machine they are coming from has a different fingerprint than the past 5-10 logins. Not to mention, there isn’t a need for another session.

The login is blocked, or the user is asked to re-authenticate directly with a FIDO2 method (fallback). The user and the security team also receive a notification from the system of the new login attempt (they are not asked to approve it, since the user can err).
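As an added example (not code from this post or from the DoD strategy document), here is a toy policy engine in Python that encodes the storyline and attack scenario above: two certificates for authentication, project tags driving authorization, an unfamiliar device fingerprint or a duplicate session forcing a FIDO2 fallback plus a notification, and a 5 minute re-authorization window. All names, thresholds and sample data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

REAUTH_INTERVAL = timedelta(minutes=5)  # authorizations are rechecked every 5 minutes
RECENT_LOGINS = 10                      # compare against device fingerprints of the last 10 logins

@dataclass
class PolicyEngine:
    user_tags: dict                 # user -> set of project tags, e.g. {"Project A"}
    resources: dict                 # project tag -> resources that tag unlocks
    login_history: dict             # user -> device fingerprints of past logins
    sessions: dict = field(default_factory=dict)        # user -> (device_fp, last_authz)
    notifications: list = field(default_factory=list)   # alerts sent to user and security

    def authorize(self, user, device_fp, machine_cert_ok, personal_cert_ok, now):
        # Authentication first: both the machine cert and the personal cert must verify.
        if not (machine_cert_ok and personal_cert_ok):
            return {"decision": "deny", "reason": "certificate check failed", "resources": []}
        active = self.sessions.get(user)
        recent = self.login_history.get(user, [])[-RECENT_LOGINS:]
        # Context checks from the attack scenario: valid certs presented while a session is
        # already live on another device, or from a fingerprint not seen in recent logins,
        # are not trusted on their own. Fall back to FIDO2 and notify user and security.
        if (active and active[0] != device_fp) or (recent and device_fp not in recent):
            self.notifications.append({"user": user, "to": ["user", "security"], "device_fp": device_fp})
            return {"decision": "step_up_fido2", "reason": "unfamiliar device", "resources": []}
        # Authorization: resources follow the project tags on the user, not an IP address.
        granted = sorted(r for tag in self.user_tags.get(user, ()) for r in self.resources.get(tag, ()))
        self.sessions[user] = (device_fp, now)
        self.login_history.setdefault(user, []).append(device_fp)
        return {"decision": "allow", "reason": "policy", "resources": granted}

    def recheck(self, user, now):
        # Refresh-token style recheck: once the 5 minute window has elapsed the session
        # must re-authorize against current policy instead of coasting on the old grant.
        s = self.sessions.get(user)
        return "reauthorize" if s is None or now - s[1] >= REAUTH_INTERVAL else "ok"

def demo():
    # Constructed sample data: Engineer X, tagged Project A, logging in from their usual laptop.
    pe = PolicyEngine(user_tags={"engineer_x": {"Project A"}},
                      resources={"Project A": ["git.projecta", "ci.projecta"]},
                      login_history={"engineer_x": ["fp-laptop"] * 6})
    t0 = datetime(2023, 1, 1, 9, 0)
    first = pe.authorize("engineer_x", "fp-laptop", True, True, t0)
    # Attacker replays both stolen certs from a different machine while the session is live.
    attack = pe.authorize("engineer_x", "fp-attacker", True, True, t0 + timedelta(minutes=2))
    return first, attack, pe.recheck("engineer_x", t0 + timedelta(minutes=6)), len(pe.notifications)
```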

Drink The Koolaid

For many of us talking about Zero Trust for years, it’s been a little fatiguing. Maybe we should start saying AI enabled security?

If you are serious about security AND want to save yourself some headache (who wants to manage IP allow lists?), then move toward any modern technology that incorporates Zero Trust philosophies.

Fin. 🎤
