The value of a validated Zero Trust solution

Zero Trust is a must, but implementing it using an ad-hoc approach is counterproductive.

By Herb Kelsey, Industry CTO – Government, Dell Technologies 

Given the constant, daily news headlines, seemingly no industry is immune to cyberattack nightmares. The issue is that enterprises and vendors alike are addressing the symptoms with a set of “single-purpose” security products, which don’t alleviate the underlying problem. Just like one could take a variety of over-the-counter medications to treat their symptoms to feel better temporarily, if the root cause is something that calls for an antibiotic or prescribed treatment plan by a doctor, the issue will never resolve. The good news is that there is now a clear path to a course of action from one of the world’s leading experts in data security.

In my blog on the benefits of Zero Trust, I discuss how it offers a comprehensive and adaptable framework that can better protect organizations from the growing threats they face.

Zero Trust as a concept has been around for a while and since its inception, it has expanded in scope. However, there has hardly been any clarity on how to build a validated Zero Trust enterprise network. That lack of clarity has led to many organizations implementing a self-defined, ad hoc approach made up of an assortment of single-purpose solutions. Such a self-styled approach has limitations, is not scalable and often makes their environment even more susceptible to security gaps and vulnerabilities.

A more holistic approach is to set validated Zero Trust as the destination for your organization. This approach not only implements the U.S. Department of Defense’s (DoD) Zero Trust reference architecture, but also passes their stringent requirements through assessment testing. Plus, it helps to alleviate enterprises from the burden of the integration challenge.

The limitations of self-defined Zero Trust

Many enterprises and vendors take a siloed or self-defined approach—as mentioned previously—meaning they focus on just one of the seven critical Zero Trust pillars (illustrated below) at a time.

DoD Zero Trust Strategy
Figure 1 The seven pillars of Zero Trust broken down into 45 capabilities

Many of these enterprises and vendors frequently begin with the user pillar, which, while seemingly practical, can be risky. Prioritizing federated user identity without first securing data and automating threat response may inadvertently simplify a hacker’s task of attacking the entire enterprise.

The old adage that you’re only as strong as your weakest link holds particularly true in the context of Zero Trust. As such, integrating a solution across all seven pillars is paramount—and most self-styled Zero Trust solutions fall short of this goal.

The advantages of validated Zero Trust solutions

Validated Zero Trust’s core principle is security by design and policy automation. It operates under the assumption that adversaries have already infiltrated the system. Validated Zero Trust aims to protect the broader enterprise by restricting user actions or access at any given time.

DoD Zero Trust Strategy
Figure 2 The 152 activities involved in a Validated Zero Trust Approach

The U.S. Department of Defense (DoD) a global authority on data security, unveiled its Zero Trust Strategy in 2022. Today, this framework serves as the gold standard. It emphasizes integration across all seven pillars, creating multiple policy checkpoints and automatically granting or denying requests based on user behavior patterns.

The DoD’s roadmap breaks down each of the seven pillars into a Zero Trust reference architecture with 45 capabilities. These are further categorized into 152 Zero Trust activities to enable the DoD to regulate compliance with the Zero Trust strategy at two levels of maturity: Target and Advanced. “Advanced” maturity means that the entire set of 152 activities has been met and “Target” means at least 91 of the activities have been met.

One of the most promising tenets of the DoD framework is that it anticipates and allows for future evolution—a must, given how fast things evolve in the world of cybersecurity and ransomware.

A clear path to validated Zero Trust

The DoD has outlined three potential courses of action (COA) for implementing the Zero Trust strategy: upgrading existing systems, utilizing public clouds and constructing a private cloud. Based on the department’s expert analysis, the private cloud route, known as COA-3, is quicker to market and offers the most versatility for implementing a variety of use cases. In October 2022, Dell Technologies announced its Zero Trust Center of Excellence at DreamPort. The company’s participation and leadership in this initiative form the foundation of COA-3. This Center of Excellence will use the DoD Zero Trust Reference Architecture and coordinate across an extensive partner ecosystem to provide a validated Zero Trust private cloud. The end goal is to help accelerate adoption and alleviate integration and orchestration burdens for customers across a huge range of industries and use cases.

The necessity for Zero Trust is undeniable, but attempting to implement it using an ad hoc, fragmented approach is counterproductive. An integrated solution that covers all seven pillars can help prevent your enterprise from falling victim to cyberattacks.

Click here to learn more about the benefits of Zero Trust. Herb Kelsey will be hosting a session on Zero Trust Demystified at Dell Technologies World 2023.  If you are attending, and you need help curating your security experience, Dell’s Security Journey offers a roadmap of essential security discussions.