I Read The DoD Zero Trust Doc, Here's What You Need To Know...
Are you still stuck managing IP Allow/Deny lists? If so, it's 2023, and this is for you.
In October 2022, the DoD published a strategy document regarding Zero Trust, which was then cleared for public release in November 2022.
I read the entire document, and here are my takeaways.
Also, I have a story at the end of what a Zero Trust world looks like.
Culture Was A HUGE Component
I couldn’t help but notice how many times “culture” was mentioned in the document. It was so ubiquitous in the document, that I had to do a word count. It was mentioned 17 times!
Not only that, but so was the word “adopt”. 🤔
Interestingly enough, Cultural Adoption was mentioned several times.
Culture As A Strategy
Not only that though, but it was a major part of the strategy and plan! One out of four of the primary goals (25%) was dedicated to culture.
Improving culture is the story of our lives in the cybersecurity world. I even published something about it recently, and make it a finding in my gap assessment if I find systemic failures in security.
To best understand why this is so important, fundamental, and pivotal (you see what I’m trying to do here? 😁), here is a quote that best sums it up…
“How the Department protects and secures the DoD IE is not solvable by technology alone; it requires a change in mindset and culture, from DoD leadership down to mission operators, spanning all users of the DoD IE.”
This is similar to the “security is everyone’s job” speeches we give, or “you need executive buy-in” every major initiative must have.
Some other notable quotes from the culture strategy:
“Increased commitment to cybersecurity”
“All DoD personnel are aware, understand, commit to, and trained to embrace a ZT (Zero Trust) mindset and culture and support integration of ZT technologies in their environment…”
I mean if you changed Zero Trust to any religious or political ideology you would think this is the writing of someone standing on the corner with a huge sign trying to change the world and warn them of impending doom.
Zero Trust Is An Ultra-Marathon
The first time I heard about ultra marathons I was blown away. These are races that can go over 100 miles, and sometimes span the most treacherous terrains. Almost superhuman, but people do it. So keep this in mind when you hear “marathon”... how long the marathon is, is a matter of perspective.
Zero Trust is a long haul approach, with multiple mile-markers (levels) to it.
Think of it this way…
Having 8-character passwords is like filling out the entry form.
Having 12-character passwords following NIST guidelines is like finishing a 5k race.
Enabling 2FA is like finishing a 10k race.
Context-aware access with FIDO2 is like finishing the NYC marathon.
I’ve written Zero Trust Roadmaps before broken down into 4 levels, but there is no one size fits all.
Resource: Sample Zero Trust Roadmap
Zero Trust Levels
The DoD broke it down into two levels:
They’re estimating Four (4) Years to reach Target Zero Trust (FY ‘27). Depending on how you view it, that can seem aggressive or too long, especially if you look at what constitutes Target Trust Level in their chart below.
Zero Trust Is Continuous
So one great quote from the document (think back to Marathon length) is…
“Reaching an ‘advanced’ state (Advanced ZT) does not mean an end to maturing ZT…”
I love this quote. People who engage security are often looking for a quick fix or a pass on their security issues; however, security is a long game.
Greenfield vs Brownfield
I do want to call out that this document is geared for Brownfield “changing existing” approaches. If you have a greenfield opportunity, now is the best time to take advantage of some Zero Trust ideology.
The Land Of Oz In Zero Trust Is Paved With Gold
Ok, so for the curmudgeons out there that don’t like to use the word Zero Trust, maybe it’s because it seems too obscure. So let’s paint a picture of what it looks like exactly.
If you’ve read James Clear’s Atomic Habits, you’ll know that the dopamine hit comes before the reward, not after. So let’s paint a good picture of what “good” looks like so we can get everyone salivating and onboard!
So what does Zero Trust look like exactly?
Black and White Cybersecurity
Well, let’s start with what it’s not.
IP Allow/Deny Lists
Master keys to the kingdom
Unfettered super admin access to everything
VPN access to vast networks and machines
Here’s an excellent quote from the document:
“Traditional perimeter or "castle-and-moat" security approaches based on conventional authentication and authorization models do not work effectively to thwart current (and future) cyber-attack vectors”
Full Color Cybersecurity
Policy based access control
Contextually Aware Access Control
OAUTH and OIDC
IMAX 3D Cybersecurity
Here is what Zero Trust fully working is (in addition to everything previously):
Attribute Based Access Control
Behavioral Access Control
Dynamic Secrets Management
Dynamic authorization services throughout
Here’s the big-picture storyline of Zero Trust in action:
Engineer X is working on Project A from Bali. To get into company systems, they must authenticate with two certificates: one on their machine, and the other tied to them personally. To unlock the personal certificate they use a fingerprint or a YubiKey to authenticate.
After the system authenticates the user, they still need to be authorized. The systems check with a policy engine to see what services are allowed. They see the user is tagged with Project A, so all Project A resources are made available to them via a dynamic tunnel from their machine. The tunnel uses the certificates on the machine to re-authenticate the user. The system rechecks authorizations every 5 minutes with refresh tokens.
Say an attacker gains FULL access to their machine. Let’s say they steal the machine certificate somehow and the personal certificate from memory (even though the cert should be closed after auth, but humor me). The attacker then tries to impersonate the user with the stolen credentials. However, when trying to re-authenticate, the system notices an active session already in place. In addition, the system realizes that the machine they are coming from has a different fingerprint than the past 5-10 logins. Not to mention, there isn’t a need for another session.
The login is blocked, or the user is asked to re-authenticate directly with a FIDO2 method (fallback). The user and security also receive a notification from the system of the new login attempt (they are not asked to allow it, since the user can err).
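To make the storyline concrete, here is a small policy engine that plays out the scenario above. It is an added example written for this post, not code from the DoD document or from any product: the certificate checks, the project tag, the device-fingerprint history, the active-session flag and the 5-minute re-check interval are all modelled with constructed data, and the class and function names are my own. The attacker path shows why valid credentials alone do not produce an allow: the context (second concurrent session, unfamiliar device) forces a step-up and a notification instead.

```python
"""Toy Zero Trust policy engine (added example; constructed data, hypothetical names)."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"  # block the implicit login; require a direct FIDO2 re-authentication


@dataclass(frozen=True)
class Principal:
    user: str
    device_cert_valid: bool     # certificate bound to the machine
    personal_cert_valid: bool   # certificate bound to the person (unlocked by fingerprint/YubiKey)
    projects: frozenset         # attribute tags the policy engine evaluates against


@dataclass(frozen=True)
class Context:
    device_fingerprint: str
    recent_fingerprints: tuple  # fingerprints seen on the last 5-10 logins (constructed history)
    active_session: bool        # is a session for this user already live?


@dataclass(frozen=True)
class Resource:
    name: str
    project: str


@dataclass
class PolicyEngine:
    recheck_interval_s: int = 300                     # story: authorization re-checked every 5 minutes
    notifications: list = field(default_factory=list)  # what the user and security team would receive

    def authenticate(self, p: Principal) -> bool:
        """Both certificates are required; either one alone proves nothing."""
        return p.device_cert_valid and p.personal_cert_valid

    def authorize(self, p: Principal, ctx: Context, r: Resource) -> Decision:
        """One access request: identity, then context, then attributes."""
        if not self.authenticate(p):
            return Decision.DENY
        # Contextual checks: a second concurrent session, or a device whose fingerprint
        # is not in the recent history, is suspicious even when the credentials are valid.
        anomalies = []
        if ctx.active_session:
            anomalies.append("session already active")
        if ctx.device_fingerprint not in ctx.recent_fingerprints:
            anomalies.append("unrecognised device fingerprint")
        if anomalies:
            self.notifications.append(
                f"user={p.user} resource={r.name} step-up required: {', '.join(anomalies)}")
            return Decision.STEP_UP
        # Attribute-based check: the resource's project tag must match one of the user's tags.
        if r.project not in p.projects:
            return Decision.DENY
        return Decision.ALLOW

    def needs_recheck(self, session_issued_at: int, now: int) -> bool:
        """Continuous authorization: once the interval elapses the decision is re-evaluated."""
        return now - session_issued_at >= self.recheck_interval_s


def run_story() -> dict:
    """Walk through the storyline and return every decision for inspection."""
    engine = PolicyEngine()
    engineer = Principal("engineer_x", True, True, frozenset({"project_a"}))
    known_laptop = Context("fp-laptop-1", ("fp-laptop-1",) * 6, active_session=False)
    project_a = Resource("repo-a", "project_a")
    project_b = Resource("repo-b", "project_b")
    results = {
        "legit": engine.authorize(engineer, known_laptop, project_a),
        "wrong_project": engine.authorize(engineer, known_laptop, project_b),
        # machine certificate without the personal certificate never gets past identity
        "device_cert_only": engine.authorize(
            Principal("engineer_x", True, False, frozenset({"project_a"})), known_laptop, project_a),
    }
    # Attacker replays both stolen certificates from another machine while the real session is live.
    stolen = Context("fp-unknown-9", ("fp-laptop-1",) * 6, active_session=True)
    results["stolen_certs"] = engine.authorize(engineer, stolen, project_a)
    results["notifications"] = list(engine.notifications)
    results["recheck_at_299"] = engine.needs_recheck(0, 299)
    results["recheck_at_300"] = engine.needs_recheck(0, 300)
    return results


if __name__ == "__main__":
    for key, value in run_story().items():
        print(f"{key}: {value}")
```

Note the ordering: context is evaluated before the attribute match, so the replayed certificates are pushed to a FIDO2 step-up before the engine ever looks at whether Project A would have been allowed, and the notification is recorded regardless of what the user does next.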
Drink The Koolaid
For many of us talking about Zero Trust for years, it’s been a little fatiguing. Maybe we should start saying AI enabled security?
If you are serious about security AND want to save yourself some headache (who wants to manage IP allow lists), then move towards any modern technology that incorporates Zero Trust philosophies.