Skip to content
All posts

ZERO TRUST, MAXIMUM SECURITY

Picture of Greg Zacharski By  Greg Zacharski  ·  2 minute read

The days of “trust, but verify” are over. In terms of cybersecurity for the Department of Defense (DoD) and its contractors, the new maxim is “never trust, always verify.”

In contrast to the classic Perimeter Defense, which allows for trusted users and networks, the Zero Trust security framework takes nothing (and no one) for granted. All users, devices, applications, and any other entities needing access to a company’s systems—whether from inside or outside the network—must be authenticated, authorized, and continuously validated in order to achieve and maintain access. Nothing is trusted by default, and each entity is granted only the minimum privileges needed to perform their required tasks. Moreover, the company’s environment itself cannot be assumed trustworthy; Zero Trust assumes that the environment has already been breached, that malicious actors are at work from within, and security procedures are deployed accordingly.

It's All About Implementing – Zero Trust Overlays

According to the DoD, “Implementing zero trust requires rethinking how to use existing infrastructure to implement security by design in a simpler and more efficient way.” To that end, the DoD has recently published its “Zero Trust Overlays” document, which provides specifics on implementing a Zero Trust cybersecurity model.

“The document offers a fairly comprehensive approach to Zero Trust,” said Greg Zacharski, Director of Strategic Business Development for CyberNINES. “And while the approach is specific to the DoD Information Network (DODIN), the principles can translate to any network.”

The DoD’s Zero Trust architecture is based on the following tenets:

  • Assume a Hostile Environment. Malicious actors are presumed to exist both inside and outside the environment. Therefore, treat any entity trying to gain access as untrusted.
  • Presume Breach. Assume that an adversary is present in the environment and defend your resources accordingly.
  • Never Trust, Always Verify. Deny access by default. Authenticate every entity and authorize only the least required privileges.
  • Scrutinize Explicitly. Ensure that access to resources is conditional and can dynamically change based on an entity’s actions and confidence levels resulting from those actions.
  • Apply Unified Analytics. Apply unified analytics for data, applications, assets, services (DAAS) to include behavioristics and log each transaction.

The document provides a series of overlays—specifications that can be used to enhance an organization's existing security controls as that organization moves toward a Zero Trust security framework. The overlays were created for NIST 800-53 but can also be used for NIST 800-171, which is derived from NIST 800-53. They can be applied to seven foundational areas, known as pillars, including user, device, application/workload, data, network/environments, automation/orchestration, and visibility/analytics. For each pillar, the document includes several capabilities to be implemented, along with a suggested phased approach to achieve these capabilities over time.

You Might Also Enjoy…

The full document can be viewed at the following link:

Zero Trust Overlays (defense.gov)

Related topics:

MITRE Breach Shows Cyberattacks Can Happen to Anyone—Even the Best

10 Things to Know about Social Engineering

*NIST SP 800-171 Version 2 vs. Current:

MEMORANDUM FOR (osd.mil)