Zscaler Announces Intent to Acquire Airgap Networks to extend Zero Trust SASE

Learn More

What Is Zero Trust for the Department of Defense?

Zero trust for the Department of Defense is a DoD information enterprise secured by a fully implemented, department-wide zero trust cybersecurity framework. The journey to zero trust requires all DoD Components to adopt and integrate zero trust capabilities, technologies, solutions, and processes across their architectures, systems, and within their budget and execution plans. In January 2022, the Department established the DoD Zero Trust Portfolio Management Office (ZT PfMO) within the DoD CIO to orchestrate the DoD efforts outlined in the DoD Zero Trust Strategy document and to accelerate ZT adoption through several courses of action.

Watch the video

What Is the DoD Zero Trust Strategy and Approach?

The DoD Zero Trust Strategy document is designed to provide guidance to the military departments (MILDEPs) and DoD agencies for deploying and measuring the success of their zero trust designs. The document states:
“This Zero Trust Strategy defines an adaptive approach for how DoD must champion and accelerate the shift to a zero trust architecture and framework…The intent of the strategy is to establish the parameters and target levels necessary to achieve zero trust (ZT) adoption across systems and networks.”

One of the defined strategic goals lays out high-level capability roadmaps for the DoD, including seven DoD Zero Trust pillars, 45 different core capabilities that map to those pillars, and three different target levels. Each defense agency has unique scenarios to consider, so it's crucial to have a cross-functional team to help map out the zero trust capability model. This model can serve to get everyone aligned, to understand the current mode of operation and map out the future mode of operation.

"With zero trust, we are assuming that a network is already compromised. And through recurring user authentication and authorization, we will thwart and frustrate an adversary from moving through a network and also quickly identify them and mitigate damage and the vulnerability they may have exploited."

Randy Resnick, CIO, Zero Trust Portfolio Management Office

What Are the 4 Goals of the DoD’s Zero Trust Strategy?

The original DoD strategy for implementing the Joint Information Environment (JIE) noted the following goals and benefits of a single security architecture (SSA):

  • Collapsing network security boundaries
  • Standardizing management, operational, and technical security controls
  • Reducing the Defense Department’s external attack surface

It turns out that zero trust security aligns perfectly with the above. This is because “never trust, always verify” is a key maxim of a zero trust framework. To understand why, let’s look at the long-established model of firewall-based network security.

Traditional firewall approaches to cybersecurity assume that access requests from outside the network perimeter aren’t inherently trustworthy, but anything from inside is. This further assumes firewalls can effectively block external threats and that none are already inside the network’s defenses, which is simply not the case.

Cybercriminals take advantage of assumed trust to circumvent defenses and deliver ransomware and other advanced malware, exfiltrate sensitive data, and more. Zero trust counteracts the risk of assumed trust by recognizing that any entity could be compromised. The DoD has outlined four concrete goals when it comes to zero trust:

  1. Zero Trust Cultural Adoption 
    - A cybersecurity-minded culture and workforce that embraces ZT
    - Increased collaboration and productivity
    - Increased commitment to cybersecurity
  2. DoD Information Systems Secured and Defended 
    - Secured communications at all operational levels
    - Improved systems performance
    - Interoperable & secured data
    - Automated cyber and AI operations
  3. Technology Acceleration 
    - Continually updated & advanced ZT enabled IT
    - Reduced silos
    - Simplified architecture
    - Efficient data management
  4. Zero Trust Enablement 
    - Enhanced operations and support performance
    - Consistent, aligned, and effectively resourced ZT supporting functions
    - Speed of ZT acquisition-to-deployed capability

What Are the 7 Pillars of Zero Trust?

The seven pillars are:

- User: Implement continuous verification of user identities and privileges employing multifactor authentication and behavioral analytics to detect potential unauthorized access attempts.

- Device: Enforce security policies that ensure only compliant devices can access DoD systems, with dynamic security posture checks before and during access.

- Application and Workload: Secure applications by applying rigorous testing, secure coding practices, and microsegmentation to limit lateral movement within networks. 

- Data: Classify data according to sensitivity and use encryption, both at rest and in transit, to ensure that data is accessed only by authorized users and systems.

- Network and Environment: Segment networks and deploy threat intelligence monitor and control network traffic based on granular security policies. 

- Automation and Orchestration: Utilize automated security policy enforcement and rapid orchestration of security responses to detected incidents, reducing the time to remediation. 

- Visibility and Analytics: Leverage comprehensive data analytics tools to gain insight into network operations and user behavior, enabling detection of anomalies and potential threats. 

Each capability can progress at its own pace and may be further along than others, and at some point, cross-pillar coordination (emphasizing interoperability and dependencies) is needed to ensure compatibility. This allows for a gradual evolution to zero trust, distributing costs and effort over time. As far as the Department of Defense is concerned, it may take longer for them to stand up some pillars versus others, due to a long-standing commitment to legacy systems.

What Are the Basics of Zero Trust and What Is its Roadmap?

When it comes to the DoD and zero trust, some pillars have a more narrowly defined vision than others, as DoD understands that it is priming its innovation engine to steer the world's largest globally dispersed mobile workforce away from legacy principles and technologies. As such, some of DoD's zero trust pillar activities allow Mission Owners, COCOMS, and Service Branches to apply zero trust principles and supporting technologies in a unique fashion to support their unique mission sets.

There are two levels of “readiness” when it comes to each pillar of zero trust—Target and Advanced. Each level denotes the technologies for each pillar around which the DoD can implement into a zero trust architecture with an appropriate amount of risk. There is, however, some overlap between these two levels, and this overlap has been denoted in the graphic below along with the specific capabilities that align to each pillar and level to which that capability can be carried out.

Why Is Zero Trust Important?

For decades, organizations built and reconfigured complex, wide-area hub-and-spoke networks. In these environments, users and branches connect to the data center by way of private connections. To access applications they need, the users have to be on the network. Hub-and-spoke networks are secured with stacks of appliances such as VPNs and “next-generation” firewalls, using an architecture known as castle-and-moat network security.

This approach served organizations well when their applications resided in their data centers, but now—amid the growing popularity of cloud services and rising data security concerns—it’s slowing them down.

Today, digital transformation is accelerating as organizations embrace the cloud, mobility, AI, automation, the internet of things (IoT), and operational technology (OT) to become more agile and competitive. Users are everywhere, and organizations’ data no longer sits exclusively in their data centers. To collaborate and stay productive, users want direct access to apps from anywhere, at any time, and chief information officers (CIOs) are making this a priority.

Routing traffic back to the data center to securely reach applications in the cloud doesn’t make sense—not only from an efficiency perspective, but from a risk management perspective, as well. That’s why organizations are moving away from the hub-and-spoke network model in favor of one that offers direct connectivity to the cloud: a zero trust architecture.


What Are the 3 Basic Tenets of DoD Zero Trust?

Based on a simple ideal—never trust, always verify—zero trust begins with the assumption that everything on the network is hostile or compromised, and access is only granted after user identity, device posture, and business context have been verified and policy checks enforced. All traffic must be logged and inspected, requiring a degree of visibility traditional security controls can’t achieve.

A true zero trust approach is best implemented with a proxy-based architecture that connects users directly to applications instead of the network, enabling further controls to be applied before connections are permitted or blocked.

Before establishing a connection, a zero trust architecture subjects every connection to a three-step process:

  1. Verify identity and context. Once the user/device, workload, or IoT/OT device requests a connection, irrespective of the underlying network, the zero trust architecture first terminates the connection and verifies identity and context by understanding the “who, what, and where” of the request.
  2. Control risk. Once the identity and context of the requesting entity are verified and segmentation rules are applied, the zero trust architecture evaluates the risk associated with the connection request and inspects the traffic for cyberthreats and sensitive data.

Enforce policy. Finally, a risk score is computed for the user, workload, or device to determine whether it’s allowed or restricted. If the entity is allowed, the zero trust architecture establishes a secure connection to the internet, SaaS app, or IaaS/PaaS environment.

DoD Zero Trust Implementation

Zero trust transformation takes time, but for the Department of Defense (and the public sector as a whole) to survive and thrive, there is an element of zero trust cultural adoption that needs to be readily accepted. Within that, successful transformation has three core elements:

  • Knowledge and conviction—understanding the new, better ways you can use technology to reduce costs, cut complexity, and advance your objectives.
  • Disruptive technologies—moving on from legacy solutions that don’t hold up after all the ways the internet, threats, and workforces have changed in the last three decades.
  • Cultural and mindset change—driving success by bringing your teams along. When IT professionals understand the benefits of zero trust, they start driving it, too.

It’s important to recognize that change can be uncomfortable, especially if your architecture and workflows are deeply entrenched. Working in phases helps to overcome this, which is why Zscaler breaks down the journey to zero trust into four steps:

  1. Empower and secure your workforce
  2. Protect your data in cloud workloads
  3. Modernize your IoT/OT security
  4. Engage your customers and suppliers securely

By reaching each of these goals one by one—transforming your network and security along the way—you’ll attain a zero trust architecture that securely connects users, devices, and applications over any network, wherever they are.

How Zscaler Helps Organizations Adopt Zero Trust

Zscaler enables the public sector to fully embrace the cloud and modernize IT by leveraging zero trust—securely connecting users to applications regardless of device, location, or network. Through the power of our Zero Trust Exchange™ platform, Zscaler gives government organizations the power to:

Eliminate cyberthreats

Apply zero trust principles as well as AI-powered cyberthreat and data loss prevention services with the world’s most comprehensive cyberthreat protection solution—halting cybercriminals by eliminating the attack surface, preventing compromise, stifling lateral movement, and stopping data loss.

Protect their data

Prevent sensitive data loss from users, SaaS apps, and critical infrastructure in public cloud(s) due to accidental exposure, theft, or ransomware—Zscaler provides cloud DLP, cloud access security broker (CASB), security posture management, and browser isolation.

Improve user experience

Enable employees and third parties to access apps securely from anywhere—with the visibility and control to optimize their digital experience from device to ISP to cloud proxy to app and back without the need for firewalls, VPNs, backhauling, or siloed management tools.

Reduce cost and complexity

Eliminate legacy security and networking technology costs associated with firewalls, VPNs, and the additional overhead that comes with keeping them up to date, laying the groundwork for a future-ready cybersecurity strategy.

Want to learn how Zscaler is helping federal and government organizations modernize securely? Visit our Public Sector page to find out.

Suggested Resources


Why Is a Cultural Shift Required For the DoD to Adopt Zero Trust?

Zero trust requires a cultural shift and operational alignment of what IT security really means. People are starting to understand that IT security is not just a supporting function but a domain in itself, and zero trust is a critical strategy in this domain. 

The future of IT security is about maneuvering within the domain of cyber warfare. This realization is changing the place of IT security at the table of senior leadership, and the adoption of the term zero trust is driving this cultural shift.


Is Zscaler DoD Impact Level 5 Certified?

Yes. On October 28, 2021, the DoD granted Zscaler Private Access™ (ZPA™) a Provisional Authorization To Operate (P-ATO) at Impact Level 5 (IL5), as published in the Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG).  

Government agencies and their contractors can use the Zscaler Zero Trust Exchange platform for systems that manage their most sensitive Controlled Unclassified Information (CUI) as well as unclassified National Security Systems (NSSs).