The future of zero trust is about more than thwarting hackers, officials say

The Defense Department has until 2027 to meet its goal of full zero trust adoption on its networks, but officials said Tuesday they are already eyeing the next evolution of the cybersecurity architecture.

While the primary focus of zero trust, up to this point, has been on recognizing potential cyber breaches and recovering data from them, the promise of the capability goes beyond that, said Army Deputy Director of cybersecurity Nathan Colodney Tuesday. 

"Perhaps instead of focusing on data breach and recovery, we have more points for analysis and we should be able to look at the attack or at least predict with predictive modeling where our adversary is going to come," said Colodney, speaking at the Palo Alto Networks Ignite Public Sector conference. "And if we can reduce the number of attacks that way and reduce the number of points in which we have to recover, we'd be more successful."

The DOD has been actively pursuing success in zero trust, recently updating its plan to transfer its zero-trust network access architecture pilot known as Thunderdome into a full production program to deploy it across the department. 

That move is expected to coincide with the Pentagon's strategy to shift the entirety of the department to zero trust by 2027. But while Chris Pymm, the Defense Information Systems Agency's Thunderdome portfolio manager, acknowledged the accomplishments of the program, he said it's one piece of an overall zero trust environment that the DOD will need. 

"It gives you a view of what the user has rights to and what the device [that they are on] looks like and I think that's foundational to get to a point of zero trust, but it's not the comprehensive answer for this," he said. "You have to bring other things like [identity, credentialing and access management], endpoint [security] and cyber analytics into that equation."

Pymm said that the DOD has a target on the wall to achieve the seven pillars in its zero trust strategy by 2027, but that's not an end goal, rather it's part of an ongoing evolution that the department will have to continuously adapt to. 

Those seven pillars touch on monitoring users, devices, applications and workloads, data, network and environment and automation and orchestration on the network, but John Davis, public sector vice president for Palo Alto Networks, said zero trust success may well be defined by the seventh pillar: visibility and analytics.

"That's where you are going to find out if all other things you are doing, even if you perform them correctly, the outcomes are going to be measured in that final pillar," he said. 

That visibility may not only extend to access management, but also to the vulnerabilities that may be inherent in shadow information technology tools that remain unidentified on the network. 

Nicole Thompson, a senior engineer for Directorate for Digital Services' Pentagon program, said at the event that an open source software tool developed with the Cybersecurity and Infrastructure Security Agency dubbed Crossfeed was deployed during Operation Warp Speed to help pull in data feeds from partners working on developing and administering COVID vaccines, but ultimately ended up identifying a wealth of unknown software on DOD networks. 

"What we ended up finding through that tool was a lot of shadow IT that had been deployed through the years and then people had left the organization and nobody else knew it was there," she said. "And often those were very similar subnets to the ones where the vaccine work was happening and nobody knew that was there, which meant nobody was patching it, nobody was updating it."

Ultimately, Davis said the DOD's ongoing success with zero trust, and its broader cybersecurity will hinge on its ability to make its systems interoperable across the enterprise, including the Armed Forces, and its growing use of automation and advanced software analytics.

"We still largely fight these sophisticated and automated software-based threats with people and human decision-making, that's never going to scale," he said. "You will never have enough people with the talent to do it. We've got to fight machines with machines. We've got to fight software with software."