Navy moving toward zero-trust network, with pandemic as pivot point

Written by Jackson Barnett
OCT 15, 2020 | FEDSCOOP

The Navy is using disruption from the coronavirus pandemic as fuel to change its cybersecurity architecture, propelling itself toward a zero-trust model to better defend its networks, the department’s top IT official announced Thursday.

By moving to zero trust, the Navy will assume what prior reviews of its cybersecurity have shown: that its networks inevitably are penetrated. What’s different about zero trust is that — as the name suggests — the network operates as if there already are intruders inside and thus strictly limits access to information beyond a user’s specified purview.

The shift was announced by Navy Chief Information Officer Aaron Weis during the Nutanix Cloud Together Summit 2020 produced by FedScoop.

“It is an exciting time as priorities have shifted,” for how the department has moved forward with modernizing its IT during the pandemic, Weis said. The Navy rolled out a telework platform in the early days of the maximum work-from-home posture, which it is now transitioning to an “enduring telework capability” with Microsoft Office, along with the rest of the Department of Defense. The disruption also pushed the service further toward using single-tenant cloud services.

Weis said that the transition to zero trust will not happen overnight. There will be a period where the current model of trying to build defenses at the perimeter — “defense in depth” as the DOD calls it — will remain in place as the transition begins. Zero rust requires the monitoring of all traffic on a network, not just at the edge when users log in — a posture that take more resources. The Navy also will need time to rearrange networks to follow the model.

“That is something that is starting, but it won’t happen overnight,” Weis said.

The idea is not new. The architecture was first envisioned in 2010 and several studies, including one from Congress and the Defense Innovation Board, have found the model would be beneficial for network security. A review of the hack of the Office of Personnel Management suggested government networks use the model, with some movement towards them only recently staring to gain momentum.



Leave a Reply