Make Zero Trust All It Can Be: Tips from the U.S. Army

Network security is a big concern for the U.S. Army, which is why its 2022 Cloud Plan includes Zero Trust Architecture (ZTA) as one of seven strategic objectives for the next year. It’s yet another example of how the American government and its departments are deploying Zero Trust strategies to secure data, networks, and people. 

Most of us don’t have to worry about rival nations attacking our networks, or consider how to provide Zero Trust access to documents in a war zone. Nevertheless, there are a number of lessons anyone can take from this, dare I say it, military-grade Zero Trust approach.

What is ZTA?

Zero Trust isn’t a single product or set of products. It’s a holistic approach that encompasses a wide range of security considerations. As the Army explains in its cloud plan, Zero Trust Architecture (ZTA) is “a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy.” 

In addition, ZTA is “based on an acknowledgement that threats exist both inside and outside traditional network boundaries.” 

That last sentence is a massive switch from the traditional fortress approach where you have a well-defined perimeter, and then it’s the job of the security team to keep the bad guys on the other side of that perimeter. 

In today’s world, that’s simply not possible. The traditional perimeter is disintegrating into a collection of cloud services, and a few key databases running at company headquarters. 

That’s why Zero Trust does away with this antiquated approach in favor of a more proactive one that says, “never trust, always verify.”

Lesson 1

A Zero Trust Architecture allows the Army to utilize transport mechanisms such as the commercial cloud global backbone.

The public Internet really is the new corporate network thanks to an explosion of cloud services, and remote workers all around the globe. Now, people need a secure method for connecting to company resources and cloud services from home, the airport, a local cafe, or another country. 

Perimeter 81 addresses these needs with a fully encrypted and secure global private backbone that provides secure tunnels between any endpoint and resources in any physical location or cloud.

This is also where Zero Trust Network Access (ZTNA) comes in. Combining the principles of Zero Trust with a cloud-based business VPN, ZTNA connects users to applications wherever they are located while prioritizing security and performance.

The Zero Trust piece of ZTNA means that you don’t just sign in with your credentials and then get free access to whatever it is you need. It means that users have permission only to see and use what they need for their job, and that they access those resources in an expected manner. Perimeter 81’s device posture check (DPC) feature, for example, can require that users have a custom security certificate present on their machine, or that they access resources from certain global locations within a defined timeframe. Admins can also set policies that demand DPC requirements continue to be met for the duration of a user’s login session.

Compare that to the legacy VPN approach where people sign in, and then that’s pretty much it. They now have free access to the company network and everything contained therein. This is an outdated strategy that makes it much easier for threat actors to achieve lateral movement.

Lesson 2

The secure access objects will be protected resources governed by the ZTA protection surface to include applications, services, APIs, operations, and data.

What does your organization need to secure with a Zero Trust strategy? Even if your answer is “everything,” there will be resources that require the absolute highest security you can achieve, while others are better served with less intense security to enable better day-to-day workflows for users.

Email, for example, may be important, but people need to check it from their phones, meaning it requires different Zero Trust protections than a code base or financial documents.

A key part of any Zero Trust strategy is figuring out what needs protection in the first place. Most of this will be obvious, such as company data centers and popular cloud services. Then there are less clear considerations, such as third-party access and remote employee access to sensitive systems on unmanaged devices, two use cases that are well served by ZTNA Agentless Access.

Lesson 3

Determine secure access enforcement points including…micro-segmentation of applications.

Once you know what will be protected by Zero Trust principles, you have to decide what access will look like for different groups. This is part of the “magic sauce” of Zero Trust. Not everyone needs access to the same resources, but groups of people often do. One of the major principles of Zero Trust Network Access is to first deny access to everyone and then open up access slowly at a granular level by giving access permissions to specific users or groups of users.

It does take a little time to map out exactly who needs what, but in the long run restricting access only to those who really need it will benefit the entire organization. That’s especially true if the worst happens and malicious actors obtain employee login credentials.
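The deny-first, group-based model described above, combined with the posture requirements from Lesson 1 (certificate, location, time window, re-checked during the session), can be sketched as a small policy evaluator. This is an added example, not Perimeter 81 code; the group names, resource names and rule fields are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Rule:                      # one explicit grant; anything without a rule is denied
    group: str
    resource: str
    require_cert: bool = False   # posture: device certificate must be present
    countries: frozenset = frozenset()             # posture: allowed locations (empty = any)
    hours: tuple = (time(0, 0), time(23, 59, 59))  # posture: allowed time window

@dataclass(frozen=True)
class Request:
    groups: frozenset
    resource: str
    has_cert: bool
    country: str
    when: datetime

# Constructed sample policy (group and resource names are hypothetical).
RULES = [
    Rule("all-staff", "email"),
    Rule("engineering", "code-repo", True, frozenset({"US", "DE"}), (time(7, 0), time(20, 0))),
    Rule("finance", "ledger", True, frozenset({"US"})),
]

def decide(req, rules=RULES):
    """Return (allowed, reason). Access exists only where a rule grants it."""
    reason = "default deny: no rule grants these groups this resource"
    for rule in rules:
        if rule.resource != req.resource or rule.group not in req.groups:
            continue
        if rule.require_cert and not req.has_cert:
            reason = "posture: device certificate missing"
        elif rule.countries and req.country not in rule.countries:
            reason = "posture: location not allowed"
        elif not rule.hours[0] <= req.when.time() <= rule.hours[1]:
            reason = "posture: outside allowed hours"
        else:
            return True, f"granted via group {rule.group}"
    return False, reason

def first_failed_checkin(checkins, rules=RULES):
    """Re-evaluate every check-in of a session; return the index where it must end, or None."""
    for i, req in enumerate(checkins):
        if not decide(req, rules)[0]:
            return i
    return None
```

Because a valid login alone grants nothing, a finance account asking for `code-repo` is refused even with a healthy device, which is the containment benefit the paragraph above describes for stolen credentials.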

Lesson 4

A heavy emphasis on security orchestration and automation to automatically enforce and modify policies.

The whole point of using a computer is to automate repetitive tasks, or at least it should be. That’s why Perimeter 81’s solution offers several ways to make life easier for IT managers. First, our single pane of glass management dashboard means administrators can set policies for entire groups, and then add people to those groups for one-click enforcement of group-based Zero Trust policies. Centralized management also means that any changes are propagated and updated automatically throughout the network including PoPs and client devices. 

We also have robust APIs for teams with orchestration needs such as provisioning users and groups, billing operations, and monitoring network health. 

Lesson 5

Determine the cloud-based security solutions that will contribute to the global cloud ZTA, including existing and new solutions.

Choosing the right security solution for your Zero Trust needs is an important step. We recommend that whichever Zero Trust solutions you use meet several criteria.

First, your Zero Trust solution should be cloud based, which is especially important for Zero Trust Network Access since it enables better connectivity performance for users. A cloud-based solution also scales more easily than hardware appliances, where oversubscription is always problematic.

Second, choose a converged solution that brings multiple security tools under one umbrella. This makes it much easier to deploy, configure, manage, and monitor the state of your network, and identify and solve security issues when they arise. 

Finally, choose a service that supports single sign-on identity providers with multi-factor authentication (MFA). Using an SSO makes managing groups and users much easier, and MFA is a crucial security step to protect user accounts from threat actors. 

Perimeter 81 Wants You

If you’re looking for a cloud-based converged security solution, look no further than Perimeter 81. We converge ZTNA, a Secure Web Gateway, and Firewall-as-a-Service into a unified solution managed from a single pane of glass.

We support many of the major identity providers, including Google, JumpCloud, Microsoft’s Azure Active Directory, Okta, and OneLogin. We also have SCIM support, and SAML 2.0 for companies that use multiple providers.

Book a demo today to see how Zero Trust Network Access can start you on a journey to better network security that serves users and protects resources.