Written by Jim Hansen – November 20th, 2020

The sudden and massive shift to a remote work policy across the Department of Defense and the contracting community has created a perfect storm of cyber challenges needing to be addressed. Keenly aware of this, threat actors are taking advantage.

A few months into the COVID-19 crisis, the Pentagon reported a surge in cyberattacks as threat actors sought to exploit more than 4 million employees and contractors who now rely on DoD networks to telework.

Even before COVID-19 struck, security breaches and ransomware attacks on DoD suppliers continued to plague the DoD.

A zero-trust approach, in which no user or device is assumed trustworthy, can be the best defense against these growing threats. Yet according to the 2020 SolarWinds Public Sector Cybersecurity Survey Report, prior to COVID-19, only one-third of federal agencies had a formal zero-trust strategy or were actively implementing one.

With this in mind, let’s look at how a zero-trust security model can augment traditional “perimeter-based” approaches and ways in which the DoD can overcome the perceived challenges to adoption.

What is zero trust?

The concept of zero trust is nothing new. It’s an approach to security centering on the belief that organizations shouldn’t automatically trust any user or any device — inside or outside the network — and it is enforced through strict access controls and continuous network monitoring.

Given the proliferation of cloud services and the rising number of endpoints ripe for exploitation, it’s a commonsense approach to cybersecurity designed to prevent hackers from entering the IT infrastructure in the cloud or on premises, and moving laterally across the environment.

Why do defense agencies struggle with zero trust?

As the SolarWinds survey shows, agencies have been taking their time adopting a zero-trust strategy. Unfortunately, this has left them ill-prepared to adjust to the new normal of a distributed enterprise where remote access to cloud and network resources can be hard to monitor and control.

One of the main issues — and misconceptions — inhibiting adoption is perceived cost. Seventy-five percent of those surveyed regard the cost of zero-trust approaches as moderately, very or extremely challenging.

Yet zero-trust architectures can be surprisingly cost-effective to achieve, since they don’t require agencies to “rip and replace” security technologies. Instead, they augment existing investments in security controls such as user monitoring and access-rights management. The problem agencies face is that existing authentication principles have traditionally been deployed “on network” and fail to provide the visibility needed to verify identities and monitor behavior as users connect to cloud and on-premises applications from outside the physical perimeter.

A further challenge is expertise. Seventy-one percent of survey respondents cited a lack of federal IT/security staff knowledge as a major roadblock to zero-trust adoption. Staff accustomed to keeping systems functioning or securing the perimeter need the right strategy, coupled with a mindset shift, to move from a model based on implicit trust to one of explicit verification — i.e., trust no one.

Enabling a zero-trust strategy

There is no single approach to zero trust, but a few foundational elements underpin any zero-trust strategy and help ensure the best results — even with limited in-house IT resources and expertise.

  1. Ensure security hygiene: Keeping servers and workstations — even remote ones — patched and compliant is a critical but time-consuming task capable of distracting IT resources from more strategic initiatives. But if an agency’s zero-trust strategy is to succeed, basic cyber hygiene must come first. Many of today’s patch and vulnerability management tasks can be made more efficient and accurate through the use of automation.
  2. Monitor for unusual network activity: A key part of any network-monitoring strategy is to monitor for unusual or nefarious activity. Traditional log-management practices have been around for decades and provide quick insight into unusual user activity, excessive login attempts and failures, and other anomalies potentially indicating compromise. To achieve this at scale across hundreds of thousands of users can be difficult. To address this challenge cost-effectively, the DoD can leverage existing investments in security information and event management systems. A SIEM system can monitor critical log data in real time, automate the process of forensic analysis, and proactively detect threats and security issues.
  3. Detect leaked credentials: Data breaches can expose logon credentials on the dark web that bad actors can exploit to access and take over employee accounts and federal IT systems. The DoD must leverage identity-monitoring approaches that combine human intelligence and research to find and flag breach data, such as compromised usernames and passwords, so agencies can contain risk during a credential exposure.
  4. Understand and act on high-risk network access: Over time, employees accumulate access to more and more digital resources, yet these access rights are rarely audited or revoked — for instance, when a person no longer needs access to a system or application to do their job. This state is particularly problematic if a user is compromised: at that point, every system they have access to is at risk of being exploited by a threat actor. Zero trust only accomplishes its intended goals when the permissions assigned to IT resources are assessed and controlled. A single, centralized access-rights management solution can simplify the process by providing visibility and control over all access privileges within an organization and continuously monitoring the environment for changes.
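The second element above, monitoring log data for excessive login failures and for anomalies that may indicate compromise, is the kind of rule a SIEM evaluates continuously. The following is an added example, not code from the original article or from SolarWinds, showing the core of such a rule in Python: it parses constructed, sshd-style authentication log lines (the hosts, users and IP addresses are made up for the example), keeps a sliding one-minute window of failed logins per user/source pair, raises an alert when the count crosses a threshold, and raises a second, higher-priority alert if a successful login follows a burst of failures, which is the pattern a defender most wants to see early.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for the example (not real DoD data).
# Format loosely follows syslog output from sshd.
SAMPLE_LOG = """\
2020-11-20T08:00:01Z host1 sshd: Failed password for jdoe from 198.51.100.7
2020-11-20T08:00:03Z host1 sshd: Failed password for jdoe from 198.51.100.7
2020-11-20T08:00:05Z host1 sshd: Failed password for jdoe from 198.51.100.7
2020-11-20T08:00:07Z host1 sshd: Failed password for jdoe from 198.51.100.7
2020-11-20T08:00:09Z host1 sshd: Failed password for jdoe from 198.51.100.7
2020-11-20T08:00:12Z host1 sshd: Accepted password for jdoe from 198.51.100.7
2020-11-20T08:01:00Z host1 sshd: Failed password for asmith from 203.0.113.9
2020-11-20T08:30:00Z host1 sshd: Accepted publickey for asmith from 203.0.113.9
2020-11-20T09:15:00Z host1 sshd: Failed password for asmith from 203.0.113.9
2020-11-20T09:15:30Z host1 sshd: Failed password for asmith from 203.0.113.9
"""

# Timestamp, host, result, auth method, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Return a normalized event dict, or None for lines the rule does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "ok": m["result"] == "Accepted"}


def detect_login_anomalies(log_text, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window detection of failed-login bursts per (user, source IP).

    Emits a 'failed_login_burst' alert once when `threshold` failures land inside
    `window`, and a 'success_after_burst' alert if that same pair then logs in
    successfully, which is the strongest indicator that the guessing worked.
    """
    recent = defaultdict(deque)   # (user, ip) -> timestamps of recent failures
    burst_open = set()            # pairs already alerted on and not yet resolved
    alerts = []

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["user"], ev["ip"])
        failures = recent[key]

        if ev["ok"]:
            if key in burst_open:
                alerts.append({"type": "success_after_burst", "user": ev["user"],
                               "ip": ev["ip"], "ts": ev["ts"].isoformat()})
                burst_open.discard(key)
            failures.clear()      # a successful login resets the failure window
            continue

        failures.append(ev["ts"])
        while failures and ev["ts"] - failures[0] > window:
            failures.popleft()    # drop failures that fell out of the window
        if len(failures) >= threshold and key not in burst_open:
            burst_open.add(key)
            alerts.append({"type": "failed_login_burst", "user": ev["user"],
                           "ip": ev["ip"], "count": len(failures),
                           "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_login_anomalies(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the rule flags jdoe's five failures inside eight seconds and then the successful login that follows; asmith's scattered failures stay below the threshold and produce nothing, which is the behaviour you want from a rule that has to scale to hundreds of thousands of users without drowning analysts in noise. In production the thresholds and window would be tuned per user population, and the alert would carry enough context (host, method, geolocation of the source) for triage.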

Zero trust is a long game

The need for anytime, anywhere access to resources and applications is making the Pentagon’s data more vulnerable. IT leaders within the DoD need to know who’s trying to access what resources before they can create appropriate security policies and controls. Being mindful and assuming all users are compromised can better inform these security decisions so that when a threat is detected, response and remediation can happen quickly. At the same time, DoD employees and contractors can access resources securely, wherever they are.
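Knowing who can reach what, and assuming any user may already be compromised, is also what makes the fourth element above (auditing accumulated access rights) actionable. The following is an added example, not code from the original article or from any particular product, showing in Python how an access review can be scripted over an entitlement inventory: each grant is compared against a hypothetical role baseline, entitlements that have gone unused for longer than a chosen period are flagged, and a "blast radius" query lists everything a given account could reach if it were compromised. The users, roles, resources and dates are constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample inventory (hypothetical users, roles and resources).
# In practice this would be exported from the access-rights management system.
ROLE_BASELINE = {
    "analyst": {"reporting-db", "ticketing"},
    "contractor-dev": {"build-server", "source-repo"},
}
USERS = {"jdoe": "analyst", "asmith": "contractor-dev"}
ENTITLEMENTS = [
    {"user": "jdoe",   "resource": "reporting-db",  "last_used": date(2020, 11, 18)},
    {"user": "jdoe",   "resource": "ticketing",     "last_used": date(2020, 11, 19)},
    {"user": "jdoe",   "resource": "build-server",  "last_used": date(2020, 6, 1)},   # left over from an old project
    {"user": "asmith", "resource": "source-repo",   "last_used": date(2020, 11, 19)},
    {"user": "asmith", "resource": "build-server",  "last_used": None},              # granted, never used
    {"user": "asmith", "resource": "payroll-admin", "last_used": date(2020, 11, 10)}, # not part of the role
]


def review_entitlements(entitlements, users, baseline, today, stale_after=timedelta(days=90)):
    """Return the grants a reviewer should look at, each with the reasons it was flagged.

    A grant is flagged when it falls outside the user's role baseline, has never
    been used, or has not been used within `stale_after`.
    """
    findings = []
    for e in entitlements:
        reasons = []
        role = users.get(e["user"])
        if role is None or e["resource"] not in baseline.get(role, set()):
            reasons.append("outside_role_baseline")
        if e["last_used"] is None:
            reasons.append("never_used")
        elif today - e["last_used"] > stale_after:
            reasons.append("stale")
        if reasons:
            findings.append({"user": e["user"], "resource": e["resource"], "reasons": reasons})
    return findings


def blast_radius(entitlements, user):
    """Resources a threat actor could reach with this one account's current access."""
    return sorted({e["resource"] for e in entitlements if e["user"] == user})


if __name__ == "__main__":
    today = date(2020, 11, 20)
    for f in review_entitlements(ENTITLEMENTS, USERS, ROLE_BASELINE, today):
        print(f"{f['user']:8} {f['resource']:14} {', '.join(f['reasons'])}")
    print("jdoe blast radius:", blast_radius(ENTITLEMENTS, "jdoe"))
```

The review surfaces three grants: jdoe's stale, out-of-role build-server access, asmith's never-used build-server grant (in role, but unused access is still access), and asmith's payroll-admin grant, which no role baseline justifies even though it is in active use. That last case is the one a usage-only review would miss, which is why the role comparison and the usage check are kept as separate reasons; a revocation workflow can then treat them differently.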

Zero trust isn’t just the answer to the COVID-19 lockdown. Even after the immediate emergency has dissipated, the DoD workplace will remain changed for some time to come. Only by adopting a zero-trust approach can IT leaders get one step ahead of the game and ensure security is balanced with accessibility.