Understanding the limits of zero trust

Zero-trust architecture has been top-of-mind for the federal government, especially as we approach the one-year countdown for the White House’s zero-trust mem...

Zero-trust architecture has been top-of-mind for the federal government, especially as we approach the one-year countdown for the White House’s zero-trust memorandum deadline.

The importance of zero trust for the federal government cannot be understated. And yet, agencies, especially Defense Department agencies, recognize that it is by no means a silver bullet and that there are limitations. For example, zero trust alone is not sufficient for sharing data between security classification levels – something that is particularly important for the DoD as it works to link all U.S. military branches together. This was reiterated in the recently released National Cybersecurity Implementation Plan.

 Collaboration across security classification levels or domains

Working across the DoD’s physical and virtual environments of land, sea, space and cyber domains has been a main goal of the Pentagon in recent years, with billions of dollars invested in its Joint All-Domain Command and Control (JADC2) initiative. JADC2 aims to connect and oversee all branches of the military beneath a single secure digital infrastructure to enable the rapid exchange of mission-critical information.

It can be tempting to assume that applying zero-trust principles to all information to separate data at different classification levels on the same network is sufficient for JADC2. But the reality is that zero trust does not provide the requisite security mechanisms to separate data at different classification levels.

Layering in cross-domain solutions

For an initiative like JADC2 to be successful, zero-trust principles must be combined with cross-domain solutions. Cross-domain solutions are essentially zero trust gateways, designed specifically to adhere to the National Security Agency’s Raise the Bar guidance. While zero trust can help ensure the right data gets passed to the right people, cross-domain solutions must be layered in to inspect, sanitize and validate all data transfers that take place between classification levels.

Without cross-domain solutions, frustrations are likely to arise between collaborating teams. Additionally, users are more likely to take risky, unapproved shortcuts in the name of federation under a zero-trust model. Layering in cross-domain solutions is essential for mitigating these risks, while allowing more interoperability and collaboration between partners.

Cross-domain solutions in practice

For warfighters especially, having timely access to information is of the utmost importance. As the DoD strives for collaborati0n and real-time data analysis across multiple networks and classification levels, cross-domain solutions must play a leading role.

In simplest terms, cross-domain technologies are essential to JADC2 because they can connect government systems without sacrificing speed or security. Consider an example in which intel data is coming from a higher classification level. While warfighters need to know the information, they don’t need to know the highly classified aspects of where it came from or how it was gathered. To ensure the seamless transfer of data to lower classifications levels, cross-domain solutions are required, as they strip out sensitive information that shouldn’t be shared or needed.

Additionally, cross-domain solutions let agencies take open-source intelligence information from unclassified sources and push it up to higher classification levels. Cross domain solutions take this data and sanitize it to prevent any malware from entering our classified networks. Without secure data-sharing capabilities, warfighters may find themselves making decisions based on incomplete information. For DoD agencies looking to embrace zero trust without impacting their JADC2 goals or compromising their security posture, layering in cross-domain technology is non-negotiable.

The bottom line

After a recent leak of national security documents, Pentagon Chief Information Officer John Sherman said that the breach could have been easier to discover had a zero-trust approach been instituted. While that’s likely correct, zero trust alone is not enough to protect against external and internal threats.

The importance of cross domain solutions, particularly for federated activity, continues to be emphasized across government, as we saw with the NSA release of a directive in March requiring federal agencies to use cross-domain solutions for the transfer of information between classification levels. The NSA’s recently released report on advancing zero trust maturity specifically said that “zero trust mechanisms do not remove requirements for cross-domain solutions, especially when information sensitivity differences create excessive risk or maturity levels vary widely.”

The bottom line is that zero trust should be thought of as a starting line, not the finish line. In the wake of efforts like JADC2, the ability to securely share data between classification levels is as important as strict access control.

George Kamis is chief technology officer for global governments and critical infrastructure at Forcepoint.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories