Zero Trust: Why It’s Time to Get Behind the DoD Strategy

Last year, the U.S. Department of Defense (DoD) published a 104-page zero trust reference architecture, followed by a 29-page zero trust strategy. The detailed documents underscore the weaknesses of the traditional, perimeter-based and defense-in-depth approaches to cybersecurity that many public- and private-sector enterprises continue to follow. They also demonstrate the DoD’s deep commitment to zero trust as the model that will enable it to improve security and resiliency in the face of persistent adversaries, even as the Department’s IT infrastructure grows in complexity and the DoD as a whole continues to evolve into a more agile, mobile, and cloud-supported workforce.

The DoD’s staunch commitment to zero trust–supported with a detailed timeline for agencies to achieve specific zero trust security goals by the end of September 2024 and be fully operational by 2027–stands in stark contrast to zero trust adoption within the private sector. According to Gartner®, less than 1% of large enterprises have a mature zero trust program in place today, and even by 2026, Gartner predicts that number will only reach 10%.1 ​​Despite three years of breathless prophecies about the COVID-19 pandemic, digital transformation, and cloud adoption being catalysts for zero trust implementation, adoption continues to lag. ExtraHop believes the DoD’s policy and accelerated timeline for zero trust will change that.

The DoD follows the NIST definition of zero trust:

Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned).2**

In fairness, it’s no wonder so few organizations have made much progress with zero trust and that it’s taking an executive order from the White House, a federal zero trust strategy, and other efforts to spark movement in this direction. After all, zero trust represents a huge paradigm shift in security, is notoriously complex to implement, can’t be purchased in a single off-the-shelf security technology solution, and requires massive culture change, not to mention significant investment and budget.

But as a security strategy and architecture, the DoD clearly believes that zero trust represents the United States’ best defense against highly motivated adversaries, and at ExtraHop, we do, too. That’s why ExtraHop is committed to helping customers implement and support zero trust, is aligning with the DoD’s strategy and reference architecture, and seeking ways to reduce technical, financial, and operational barriers to implementation for organizations across sectors: because if zero trust is good enough for the DoD, it ought to be good enough for you and me. We believe both the Federal and DoD zero trust strategies will be a forcing function for many organizations across the public and private sectors.

Bottom line: It’s going to take the DoD’s thorough and rigorous approach to zero trust to protect our nation’s economic and national security interests from adversaries who are dead set on attacking our values, undermining our way of life, and destroying the value and trust that private enterprises have taken years to build for customers and shareholders.

ZT is a cybersecurity strategy and framework that embeds security principles throughout the [DoD] Information Enterprise (IE) to prevent, detect, respond, and recover from malicious cyber activities. This security model eliminates the idea of trusted or untrusted networks, devices, personas, or processes, and shifts to multi-attribute-based confidence levels that enable authentication and authorization policies based on the concept of least privileged access.

ZT focuses on protecting critical data and resources, not just the traditional network or perimeter security. ZT implements continuous multi-factor authentication, micro-segmentation, encryption, endpoint security, automation, analytics, and robust auditing to Data, Applications, Assets, Services (DAAS).3

Cybersecurity Is National Security

Over the past 10 years, cyber operations targeting private-sector enterprises have grown more centrally strategic to U.S. adversaries. DDoS attacks on banks, ransomware attacks on gas and food suppliers, APTs lurking on our electric grids, and cyber espionage targeting manufacturers’ and tech companies’ intellectual property allow adversaries to knit chaos into the very fabric of our country–disrupting our economy and supply chains so slowly that the threshold to elicit a kinetic response from our military arrives too late. Attacks on the private sector, whether they’re carried out by state-sponsored actors or groups only loosely affiliated with hostile nation states, present an effective means for our adversaries to project power and chip away at our flourishing digital ecosystem that influences our economy and our society. These activities leave the U.S. private sector with little choice but to step up and recognize the role its cybersecurity plays in U.S. national and economic security.

Simply stated: Cybersecurity is national security, and every cyberattack on an American bank, hospital, public school, tech company, petrol supplier, or food supplier is ultimately an attack on our own country, even if it doesn’t meet the threshold to merit a military response.

The Standard for Zero Trust

The DoD zero trust reference architecture provides the private sector with a clear blueprint for better deterring, detecting, and defending against damaging cyberattacks, and ExtraHop is committed to supporting it through existing product capabilities, future enhancements, and ongoing partnerships. We believe partner ecosystems that bring together the myriad of security technology and services providers required to support a zero trust security architecture will be critical to reducing barriers to implementation and simplifying and accelerating adoption.

As it stands, the ExtraHop Reveal(x) network detection and response platform currently supports 23 capabilities across all seven of the DoD zero trust pillars. Reveal(x) provides packet-level visibility across the entire network, including users, devices, and applications. By continuously monitoring all traffic and establishing baselines, Reveal(x) can identify suspicious or malicious activity in real time. This visibility allows you to “never trust, always verify” without slowing down crucial business processes.

ExtraHop’s support for the DoD’s zero trust strategy and reference architecture is one more example of our long-standing commitment to the Federal government and national security interests. A few weeks before the Biden administration announced in early August plans to restrict U.S. investment in China, ExtraHop CEO Patrick Dennis announced that ExtraHop will not do business in or with China due to the cyber and geopolitical threats it poses. In June, ExtraHop participated in the DoD’s 10th Cyber Shield training exercise.

As a retired U.S. Air Force Colonel, the matter of protecting our nation, our freedoms, values, markets, and way of life from all manner of attack is deeply personal to me. The DoD zero trust strategy will compel private-sector enterprises that do business with the DoD to also implement zero trust. I’m proud to be part of a company that shares the mission of protecting our country from adversaries and has made and continues to make deep and meaningful commitments to carrying it out.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

1. Gartner Press Release, “Gartner Predicts 10% of Large Enterprises Will Have a Mature and Measurable Zero-Trust Program in Place by 2026,” January 23, 2023. https://www.gartner.com/en/newsroom/press-releases/2023-01-23-gartner-predicts-10-percent-of-large-enterprises-will-have-a-mature-and-measurable-zero-trust-program-in-place-by-2026
2. NIST SP 800-207 Zero Trust Architecture, August 2020.
3. Department of Defense (DoD) Zero Trust Reference Architecture Version 2.0, July 2022.