The Pentagon and the Biden administration have set clear goals for what zero trust cybersecurity should look like across federal networks.
But with successful implementation of zero trust spread across seven pillars, it’s important to recognize where the Defense Department is making the most progress, said Dave Zukowski, director of defense solutions at Akamai Defense.
“The progress this year has been mostly on the understanding side. What all the department has started to realize is, ‘We’ve got a lot of the foundational underpinnings already in place. We’ve got stuff we’ve been doing. We’re starting to understand what the tenets are of zero trust,’ ” Zukowski said during Federal News Network’s DoD Cloud Exchange 2023.
While DoD is laying out a common set of zero trust goals for its service branches to achieve, Zukowski noted that the services are competing for limited funds to make implementation a reality.
Why collaboration makes sense
“Structurally, they have to get to a point where we can compete, but we should be competing together. We should be competing to fight the enemy not necessarily ourselves,” he said.
That cooperation is critical to ensure the military services aren’t duplicating efforts to reach zero trust compliance.
“Because zero trust is a holistic architecture, we’ve got teams in place that are working on one part of it. But in order for their part to work, they’re relying on three or four other parts,” Zukowski said. “Rather than work with a team that’s doing those three or four other parts, they start building them out themselves. What we end up with is some pretty significant overlap.”
To drive continued growth toward DoD’s zero trust goals, Zukowski said the department should set clear benchmarks.
“Measurement, in general, drives behavior, and I think if we’re not careful, we’re going to drive the wrong behavior,” he said. “If we’re measuring the Department of the Army, or the Department of the Air Force, at the top level of their maturity toward zero trust, without understanding their roadmap, we could look and see, ‘Well, 99 out of your 100 networks are nowhere near compliant.’ ”
Zukowski said those types of metrics focused on DoD’s legacy networks will lead to spending too much time “to fix what we already know is broke” and detract from the bigger picture of migrating the department’s networks to a less trusted and more monitored environment.
“DoD as a whole is working on doing measurements. … They very specifically don’t want to drive the wrong behavior, but I think they need to understand the architectural roadmaps more and that each department is going to measure themselves differently,” he said. “That difference is going to matter greatly when you start rolling up these metrics. We’ve got to understand how they want to measure themselves.”
Cloud One leads by example on zero trust
Zukowski pointed to the Air Force’s Cloud One project as a case study on how to successfully implement zero trust.
“Cloud One was designed from the ground up to be zero trust–ready,” he said. “They used all the tenets of zero trust to build and design it and start migrating applications.”
The Air Force ensured the success of these efforts by making centralized funding available for its component offices to move to the cloud.
“Part of that was to say, ‘Hey system owner, we know you don’t have the funding to both operate your current environment, maintain your software updates for your current systems, and now we’re asking you to migrate to the cloud,’ ” Zukowski said. “These programs now had a big carrot: We can get to the cloud, and somebody else is going to pay for it. Part of that carrot was, if you’re going to come to the cloud, you’re going to follow these enterprise rules. There’s going to be ruthless governance at the top.”