As cyber threats become more sophisticated, the Defense Department is taking security to the next level with zero trust architecture.
Chris Pymm, zero trust portfolio manager at the Defense Information Systems Agency, said zero trust architecture represents the latest approach to cybersecurity policy, which has evolved over the past few decades at DoD.
“What this does is advances it to the next level,” Pymm said. “Zero trust assumes breach. That’s where the rubber hits the road, from the perspective of our adversary.”
Zero trust adoption represents a shift away from a perimeter defense, or a “castle-moat” approach to cybersecurity that focuses on keeping adversaries out of an agency’s network above all else.
“Zero trust recognizes that you have insiders, number one, in your own organizations. Number two, you have malicious actors that are already in your network,” Pymm said. “So how do you verify you know who’s traversing your network at every point and traversing your data at applications? The prevention of lateral movement is where zero trust takes this to the next level, from a maturation standpoint.”
“Instead of focusing solely on preventing unauthorized access at the perimeter, zero trust emphasizes verifying trust at every stage of access, monitoring who is interacting with data, and preventing unauthorized movement between systems,” he added.
DISA’s Thunderdome initiative is bringing military personnel and DoD agencies into compliance with zero trust standards.
“Zero trust is more of a methodology and approach to cybersecurity,” Pymm said. “Thunderdome is the actual implementation and integration of some new tools we’ve brought to the table and some existing tools.”
DISA is working on the physical deployment of devices that enable zero trust network access, ensuring authorized users can securely log in from any location, whether on a military base or working remotely.
“From a network access standpoint, for DISA, we’ll be finished next year with the enablement of zero trust for the technologies that we’ve put in place,” Pymm said. “That will control access, based on the person and the identity of the device.”
DoD faces a deadline of transitioning to a zero-trust cybersecurity framework by the end of fiscal 2027. Pymm said DISA is currently playing a supporting role in implementing zero trust at U.S. Southern Command (SOUTHCOM) and the Coast Guard.
“It’s a long road,” Pymm said. “From an application standpoint, we’re beginning to identify how many applications we have through the systems that we have, and then determining the approach for each one of those applications, depending on where they reside — whether it’s in the cloud, on-premises, or public cloud.”
DISA is also working with defense agencies and field activities as they migrate to DoDnet, a modernized, secure network meant to consolidate and replace multiple legacy networks.
Pymm said the rollout of zero trust across DoD will ensure agency continuity of operations, even in the event of a major cyber incident.
“The good thing about the technologies we’re putting out there … is those network configurations and that resilience stays in place, even if they’re not connected to the internet or connected to the network. You’re able to have a last-known good. Then once you restore that access, you’re able to then connect again and pull back those settings you need to access that data,” he said.
Successful deployment of zero trust balances security with ensuring decision-makers have real-time access to the data they need. Pymm said zero trust architecture puts “additional checks and balances to access to that data, to be able to use it in any place, at any time.”
“That’s really what zero trust is, in my mind – making sure the right people are accessing the right data at the right time, leveraging the transport that you have existing,” he said. “This is not a new transport option, this is the tolls and police force on the highway. This isn’t the highway.”
DoD is also adopting Security Orchestration, Automation, and Response (SOAR) technology to stay on top of emerging threats.
“We’re not developing new technology, and the DoD largely is not either, from the perspective of the zero-trust problem set,” Pymm said. “We’re using industry leaders in this space, leveraging technology and data to make decisions at machine speed to block adversaries or nefarious IP addresses from accessing or exfiltrating data. That’s where the orchestration piece really comes into play here. It’s taking the indicators — those signals that say something might be malicious — and applying them to the rule set you’ve established, automatically tracking it through a ticketing system and making the block when needed.”
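The orchestration flow Pymm describes above (indicators applied to an established rule set, every decision tracked in a ticket, a block only when the rules say so) as a small runnable model. This is an added example, not code from the article, DISA or Thunderdome; the rule thresholds, allow list, feed names and addresses are all constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Indicator:
    value: str                  # flagged IP address or domain
    kind: str                   # "ip" or "domain"
    confidence: int             # 0-100, as reported by the feed
    sources: set = field(default_factory=set)  # feeds that reported it

@dataclass
class Rule:
    kind: str
    min_confidence: int
    min_sources: int
    action: str                 # "block" or "monitor"

# Constructed rule set: block only on strong, corroborated signal; weaker signal is monitored.
RULES = [Rule("ip", 90, 2, "block"), Rule("ip", 60, 1, "monitor"),
         Rule("domain", 80, 2, "block")]
# Constructed allow list: own infrastructure is never auto-blocked, only routed to an analyst.
NEVER_BLOCK = {"10.0.0.5"}

def decide(ind, rules=RULES):
    """Return 'block', 'monitor' or 'ignore' for one indicator; first matching rule wins."""
    if ind.value in NEVER_BLOCK:
        return "monitor"
    for r in rules:
        if (r.kind == ind.kind and ind.confidence >= r.min_confidence
                and len(ind.sources) >= r.min_sources):
            return r.action
    return "ignore"

def process(indicators, tickets):
    """Apply the rule set; every non-ignore decision is tracked as a ticket."""
    decisions = {}
    for ind in indicators:
        action = decide(ind)
        decisions[ind.value] = action
        if action != "ignore":
            tickets.append({"indicator": ind.value, "action": action,
                            "reason": f"{ind.confidence}% from {sorted(ind.sources)}"})
    return decisions

# Constructed sample feed (hypothetical values): a corroborated high-confidence IP, a
# single-source IP, an address that belongs to the agency itself, and a weak domain.
SAMPLE = [Indicator("203.0.113.7", "ip", 95, {"feedA", "feedB"}),
          Indicator("198.51.100.9", "ip", 95, {"feedA"}),
          Indicator("10.0.0.5", "ip", 99, {"feedA", "feedB"}),
          Indicator("example.invalid", "domain", 40, {"feedA"})]
```

Calling `process(SAMPLE, [])` blocks only the corroborated address, routes the single-source and own-infrastructure hits to monitoring, and drops the weak domain, with one ticket per acted-on indicator.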
Richard Breakiron, senior director of strategic initiatives for the Americas Public Sector at Commvault, stressed the importance of zero trust for ensuring data resiliency.
“I’m not going to assume anybody is safe. I am going to assume that they are not, and that a breach has occurred,” Breakiron said. “One of the most critical aspects is knowing where the last good data is, so you can restore operations quickly after an incident.”
David Rubal, the head of U.S. federal business development for AWS Storage at Amazon Web Services, said zero trust balances the need for data access and data security.
“Zero trust has moved from being an IT project to becoming mission-critical,” Rubal said. “It’s a monumental shift in how we think about data protection, not just at the access level, but at the data level itself.”
DoD’s adoption of zero trust architecture is not only about protecting sensitive military data, but also about ensuring that decision-makers have reliable access to data, even in the face of breaches or system failures.
Rubal said zero trust also represents a “monumental and foundational shift in the way we think about data protection and really protecting data wherever it’s sourced.”
“Zero trust isn’t a light switch. It actually means adopting enterprise capabilities and enterprise security postures that fundamentally change, not only protection from the outside, but protection from the inside concurrently, and not really just at the access level, it really is the application at the data level,” he said.