The Pentagon goes all-in on Zero Trust
A recent Pentagon directive requires all networks and organizations in the military and defense sector to be 100 percent Zero Trust-based within four years. Is this a feasible deadline? What are the hurdles to implementation? What will be the benefits?
Steve Judd, a Solutions Architect at Venafi, laid out the many challenges involved in Department of Defense (DoD) projects of this scope. The DOD has somewhere in the region of 2.8 million staff across the Army, Navy, Air Force and numerous other departments. Its networks stretch from the top echelons of command to soldiers in the furthest reaches of field operations, sailors operating in nuclear submarines, pilots operating jet fighters, drones and other advanced military technology.
Judd said that the zero trust requirement means that every actor in your environment, whether human or some kind of machine, needs to have a verifiable identity that it can then offer whenever it requests access to something else in that network.
Learn Network Security Fundamentals
The initial DoD document on zero trust defines the process of zero trust implementation at a very high level and provides some timelines, but they’ve left it up to the departments to figure out how they will achieve the overall goals. After all, this can’t be a one-size-fits-all approach. For example, some mission-critical DoD legacy systems may have little chance of integrating with a cloud-based single sign-on mechanism. Thus, exceptions will be needed. IT must justify why those systems still exist on the network without zero trust and what mitigations need to be implemented.
Some departments will be able to speed ahead quicker than others. But for others, innumerable hurdles await. For example, how do you implement multi-factor authentication (MFA) in a hostile environment such as a conflict zone or behind enemy lines? How about a sniper awaiting authorization on a target with enemy assets all around them? What if they had to access a phone and press the authenticator app to read a message to verify their identity in an area where cell coverage is weak to non-existent?
Want a DoD job? Zero trust implementation experience will be a big plus
This new Pentagon mandate requires a monumental effort across a great many agencies and supply chain partners, as well as a nuanced approach to zero-trust implementation in highly sensitive and front-line military environments. Its sheer size and scope represent an attractive career path for many. Cybersecurity students about to graduate and those in the field looking to transition to this type of federal government work will have an advantage if they focus on open-source and cloud-native technologies. Why?
Learn Network Security Fundamentals
“There are plenty of opportunities in military cybersecurity as so many more people are going to be needed,” Judd said. “Cloud native lends itself to a kind of zero-trust model in terms of the way that you can, for example, provision your software-defined networks.”
DevSecOps is another area with plenty of promise: security professionals who are also platform engineers who can span the different skill sets involved in the DevSecOps discipline. Judd’s background, for example, is mostly in application development. But he moved into platform engineering, and that’s where it became clear the role security plays.
“There is an opportunity for people who maybe don’t see themselves as pure security professionals yet can contribute and make a difference in the cybersecurity and defense space,” Judd said. “A lot of security teams are not that familiar with cloud-native technologies or the cloud in general, so there’s plenty of room for people that can understand both sides.”
There can be a vast disconnect between application developers and security personnel. As a result, promising projects can be stalled for months because the application developer focused on application functionality and left security as an afterthought. The cybersecurity people then get involved, and it takes six months to fix the security holes in the new application before it can be implemented. According to Judd, DevSecOps personnel can play a large part in eliminating such delays or at least greatly reducing them.
“It’s about bringing the security people closer so they deeply understand what you’re trying to do without you having to write a 20-page design document with all of the security mitigations listed.”
Career Tips for cybersecurity beginners
The world of cybersecurity can sometimes appear daunting to those on the outside looking in. Judd suggested some simple and low-cost resources people could access to dip their toes in the water to determine if a cyber career was right for them. For example, plenty of great data is available online on YouTube and other places from major industry conferences such as Black Hat, DEF CON and Cloud Native Securitycon. Many of the best talks from these shows are available in full. They provide plenty of ideas for those entering the field about what security technologies and methodologies are hot and which skills are most in demand.
Judd also recommends investing time in certifications such as Kubernetes, cloud technologies and cybersecurity. “Certification courses provide foundational knowledge such as how a web browser talks to a secure server, how encryption works, and other basic building blocks that lie behind everything.”
Learn Network Security Fundamentals
MFA is another area worthy of study and certification, especially given the zero trust requirements placed on not just the Pentagon but many high-security industries like FinTech and Healthcare. Judd believes this space hasn’t been fully resolved, so there is plenty of room for innovation.
“In IT, more than any other industry, if you want to continue to progress and have an interesting career, you’ve almost got to kind of reinvent yourself every five years,” said Judd. “There are so many technologies that come along that you need to learn, yet a few years later, it is time to move on to the next one.”
If your career plan includes work in the federal security sector, learn about The Pentagon's Plan to implement a Zero-Trust system on this episode of this Cyber Work podcast.