Moving beyond the perimeter

For decades, network security operated on a simple assumption: everything inside the network was trustworthy. We built walls – firewalls, intrusion detection systems – to keep the bad guys out. But that model is crumbling. The rise of remote work, the explosion of cloud services, and increasingly sophisticated attackers have rendered the traditional perimeter largely meaningless.

The problem isn't just that the perimeter has expanded; it's that the concept of a defined perimeter is becoming obsolete. Data now lives everywhere – in data centers, in the cloud, on employee devices. Attackers don’t need to "break in" anymore; they often just exploit a compromised user or device already inside the network.

Zero Trust is a fundamental shift in thinking. It operates on the principle of "never trust, always verify." Every user, every device, every application – regardless of location – must be authenticated and authorized before being granted access to resources. It's not a product you buy off the shelf, but a strategic approach to building a more resilient security posture. It assumes breach, meaning it's designed to minimize the damage when – not if – an attacker gets inside.

Zero Trust Network Security: Comparing traditional perimeter security to a modern approach.

How the DoD handles zero trust

The Department of Defense (DoD) is moving toward zero trust because of a mandate to speed up security adoption. Their Phase One implementation guideline outlines how they plan to handle their infrastructure.

Their primary goals are to improve cybersecurity posture, reduce attack surface, and enhance data protection. The DoD recognizes that traditional perimeter-based security is insufficient to protect against modern threats. They're specifically focused on securing access to data and applications, regardless of location. This is a particularly challenging task given the DoD’s reliance on legacy systems and diverse environments.

The DoD’s approach differs from many enterprises in its scale and complexity. They’re dealing with millions of users, countless devices, and a highly heterogeneous IT environment. Their phased implementation focuses on identifying critical data and applications, then gradually implementing Zero Trust controls around those assets. While most organizations can take a more agile approach, the DoD’s experience demonstrates that even the largest organizations can benefit from, and are actively pursuing, Zero Trust.

Microsegmentation as a foundation

Microsegmentation is arguably the most important technical component of a Zero Trust architecture. It’s the practice of dividing a network into small, isolated segments, each with its own security policies. Think of it as building internal firewalls within your network.

Why is it so important? Because it limits the blast radius of a breach. If an attacker compromises one segment of the network, they can’t easily move laterally to other segments. This prevents a small breach from escalating into a catastrophic one. It's a core principle of containing threats.

There are several approaches to microsegmentation. Software-defined networking (SDN) allows you to dynamically create and manage network segments. Traditional firewalls can also be used, but managing a large number of firewall rules can become complex. Newer technologies, like workload-aware microsegmentation, automatically create security policies based on application dependencies.

Implementing microsegmentation in legacy environments can be challenging. It often requires significant changes to network infrastructure and application configurations. Organizations often start by microsegmenting their most critical assets and gradually expanding coverage over time. It's not about simply adding more firewalls; it's about creating granular security policies that are tailored to the specific needs of each segment.
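To make the blast-radius argument concrete, here is an added example (not code from the original article): a small Python model of a default-deny segment policy and a reachability check that computes which workloads an attacker could reach from one compromised host by hopping only over allowed flows. It then compares that result against a flat network. The workload names, segments and ports are constructed for illustration and do not describe any real environment.

```python
from collections import deque

# Constructed example: a handful of workloads, each assigned to a segment.
# Names are illustrative only; they are not from any real deployment.
WORKLOADS = {
    "web-01": "dmz",
    "web-02": "dmz",
    "app-01": "app",
    "app-02": "app",
    "db-01": "data",
    "hr-laptop-07": "corp",
    "jump-01": "mgmt",
}

# Segment policy: allow-list of (source segment, destination segment, port).
# Anything not listed is denied. Default deny is what makes microsegmentation
# limit lateral movement; the rules mirror real application dependencies.
SEGMENT_POLICY = {
    ("dmz", "app", 8443),   # web tier talks to the application tier
    ("app", "data", 5432),  # application tier talks to the database
    ("mgmt", "dmz", 22),    # admins reach every tier from the management segment
    ("mgmt", "app", 22),
    ("mgmt", "data", 22),
}

PORTS = (22, 5432, 8443)


def flow_allowed(src: str, dst: str, port: int, policy: set) -> bool:
    """Policy decision for one flow: default deny, explicit allow between segments.
    Traffic inside one segment is allowed here; workload-level rules could
    tighten that further."""
    src_seg, dst_seg = WORKLOADS[src], WORKLOADS[dst]
    if src_seg == dst_seg:
        return True
    return (src_seg, dst_seg, port) in policy


def blast_radius(compromised: str, policy: set, ports=PORTS) -> set:
    """Workloads reachable from `compromised` by chaining allowed flows
    (transitive reachability). The starting host itself is excluded."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt in WORKLOADS:
            if nxt in seen:
                continue
            if any(flow_allowed(cur, nxt, p, policy) for p in ports):
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(compromised)
    return seen


def flat_network_policy() -> set:
    """A flat network for comparison: every segment may reach every other
    segment on every port."""
    segs = set(WORKLOADS.values())
    return {(s, d, p) for s in segs for d in segs for p in PORTS}


if __name__ == "__main__":
    for host in ("hr-laptop-07", "web-01"):
        print(host, "segmented:", sorted(blast_radius(host, SEGMENT_POLICY)))
        print(host, "flat:     ", sorted(blast_radius(host, flat_network_policy())))
```

Running it shows the two sides of the argument: a compromised corporate laptop reaches nothing outside its own segment under the allow-list, but reaches every workload on the flat network; a compromised web server still reaches the database by following the allowed dmz-to-app-to-data dependency chain, which is why the text stresses tailoring policies per segment rather than simply adding firewalls.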

DoD Zero Trust Implementation Timeline (Based on media.defense.gov)

Zero Trust Strategy Released (March 2, 2022)

The Department of Defense (DoD) released its Zero Trust Strategy, outlining a comprehensive approach to modernizing cybersecurity and establishing a Zero Trust architecture across its information systems. This strategy prioritizes a shift away from traditional perimeter-based security.

Phase 1: Laying the Foundation (2023)

Phase 1 focused on foundational elements. Key activities included deploying multi-factor authentication (MFA) across the enterprise, enhancing endpoint detection and response (EDR) capabilities, and implementing strong identity governance. The goal was to establish visibility into users, devices, applications, and data.

Phase 2: Expanding Zero Trust Capabilities (2024)

Phase 2 centered on expanding Zero Trust capabilities beyond initial deployments. This involved microsegmentation of networks, implementing least privilege access controls, and increasing automation in security operations. Focus was placed on protecting critical data and systems.

Phase 3: Accelerating Zero Trust Adoption (2025)

Phase 3 aims to accelerate the adoption of Zero Trust principles across the DoD. This includes scaling successful pilot programs, integrating Zero Trust into the System Development Life Cycle (SDLC), and fostering a Zero Trust culture within the organization. Continuous monitoring and improvement are key components.

Phase 4: Achieving Zero Trust Maturity (2026 and Beyond)

Phase 4 focuses on achieving a mature Zero Trust posture. This involves fully automating security processes, leveraging advanced analytics and threat intelligence, and continuously adapting to evolving threats. The DoD aims for a dynamic and resilient Zero Trust environment.

Continued Investment & Refinement (2026 - 2027, Projected)

Ongoing investment in Zero Trust technologies and refinement of implementation strategies based on lessons learned and emerging threats. This includes adapting to new technologies like cloud computing and 5G.

Monitoring and analytics

Zero Trust isn't a "set it and forget it" approach. Continuous monitoring, threat detection, and security analytics are essential for maintaining a strong security posture. You need to constantly monitor your network for suspicious activity and respond to threats in real-time.

Tools like Security Information and Event Management (SIEM) systems collect and analyze security logs from various sources. User and Entity Behavior Analytics (UEBA) uses machine learning to detect anomalous behavior that may indicate a threat. These tools can help you identify and respond to attacks that would otherwise go unnoticed.

Automation plays a crucial role in this process. Automated threat response can help you quickly contain breaches and minimize damage. For example, you can automatically isolate a compromised device or block a malicious IP address. The goal is to reduce the time it takes to detect and respond to threats, minimizing the potential impact.

Security in a multi-cloud setup

Many organizations are now using multiple cloud providers – a strategy known as multi-cloud. This adds complexity to security because each cloud provider has its own security controls and policies. Zero Trust principles still apply, but you need to ensure consistent security across all cloud environments.

Cloud Access Security Brokers (CASBs) can help you enforce security policies across multiple cloud applications. They provide visibility into cloud usage and can detect and prevent unauthorized access. However, CASBs are just one piece of the puzzle. You also need to ensure that your identity and access management (IAM) systems are integrated with all of your cloud providers.

A unified policy engine is essential for effective Zero Trust in a multi-cloud setup. This allows you to define and enforce consistent security policies across all of your cloud environments, regardless of the underlying infrastructure. Without a unified approach, you risk creating security gaps and inconsistencies.
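What a unified policy engine looks like in practice, as an added example that is not code from the original article: each provider's raw access event is first mapped into one provider-neutral schema, and then a single ordered rule list is evaluated against that schema, so the same decision is reached regardless of which cloud produced the event. The provider names ("cloud-a", "cloud-b"), their raw field names and the rules are constructed assumptions for illustration, not the attribute names of any real provider's API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessContext:
    """Provider-neutral view of one access request. Every cloud's raw event is
    normalized into this schema before the single policy below is applied."""
    user: str
    mfa: bool
    device_compliant: bool
    resource_sensitivity: str   # "low" or "high"
    action: str                 # "read" or "write"


def normalize(provider: str, raw: dict) -> AccessContext:
    """Constructed normalizers (assumption): the raw field names are illustrative
    stand-ins for two providers that encode the same facts differently.
    Missing sensitivity labels default to "high" so unlabeled data fails closed."""
    if provider == "cloud-a":
        return AccessContext(
            user=raw["principal"],
            # this provider reports MFA as the string "true"/"false", not a bool
            mfa=str(raw.get("mfaAuthenticated", "false")).lower() == "true",
            device_compliant=raw.get("deviceTrust") == "compliant",
            resource_sensitivity=raw.get("tags", {}).get("sensitivity", "high"),
            action=raw["operation"],
        )
    if provider == "cloud-b":
        return AccessContext(
            user=raw["upn"],
            mfa=bool(raw.get("strongAuth", False)),
            device_compliant=bool(raw.get("managedDevice", False)),
            resource_sensitivity=raw.get("classification", "high"),
            action=raw["verb"],
        )
    # An unknown provider has no trustworthy mapping, so refuse rather than guess.
    raise ValueError(f"no normalizer for provider {provider!r}")


# One policy, applied identically across providers. Rules are evaluated in
# order, first match wins, and the last rule is an explicit default deny.
POLICY = [
    ("deny-no-mfa",
     lambda c: not c.mfa, "deny"),
    ("deny-unmanaged-device-high",
     lambda c: c.resource_sensitivity == "high" and not c.device_compliant, "deny"),
    ("allow-read-low",
     lambda c: c.resource_sensitivity == "low" and c.action == "read", "allow"),
    ("allow-compliant-device",
     lambda c: c.device_compliant, "allow"),
    ("default-deny",
     lambda c: True, "deny"),
]


def decide(provider: str, raw: dict) -> tuple:
    """Return (decision, matched rule name) for a raw event from `provider`."""
    ctx = normalize(provider, raw)
    for name, predicate, decision in POLICY:
        if predicate(ctx):
            return decision, name
    return "deny", "default-deny"


if __name__ == "__main__":
    # Constructed requests, one per provider, that should be judged the same way.
    print(decide("cloud-a", {"principal": "alice", "mfaAuthenticated": "true",
                             "deviceTrust": "compliant",
                             "tags": {"sensitivity": "high"}, "operation": "write"}))
    print(decide("cloud-b", {"upn": "alice@example.test", "strongAuth": True,
                             "managedDevice": True, "classification": "high",
                             "verb": "write"}))
```

The design point is that the policy never sees provider-specific fields. The normalizers absorb the inconsistencies the text warns about (a string "true" versus a boolean, a missing label), and anything the normalizer cannot map is treated as the most sensitive case, so gaps between clouds turn into denials rather than silent allows.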

Zero Trust Implementation: SIEM/UEBA Data Source Integration Checklist

  • Endpoint Logs: Ensure comprehensive logging from all endpoints (servers, desktops, laptops, mobile devices) including event logs, process execution data, and file system activity. This provides visibility into user and application behavior at the device level.
  • Network Traffic Data: Integrate network flow data (e.g., NetFlow, sFlow, IPFIX) and full packet capture (PCAP) where feasible. Analyze traffic patterns for anomalies, lateral movement, and communication with known malicious destinations.
  • Identity and Access Management (IAM) Logs: Collect logs from all IAM systems, including authentication servers, directory services (e.g., Active Directory, LDAP), and privileged access management (PAM) solutions. Monitor for unusual login attempts, permission changes, and account activity.
  • Application Logs: Gather logs from critical applications and services. Focus on authentication, authorization, and data access events. These logs reveal how applications are being used and potential vulnerabilities.
  • Threat Intelligence Feeds: Integrate threat intelligence feeds (e.g., indicators of compromise - IOCs, domain reputation lists, IP address blacklists) to correlate internal events with known external threats. Prioritize feeds relevant to your industry and threat landscape.
  • Data Source Normalization: Standardize log formats and data schemas across all integrated sources to facilitate effective correlation and analysis within the SIEM/UEBA system.
  • Baseline Behavior Establishment: Utilize UEBA capabilities to establish baseline behavior for users, devices, and applications. This is crucial for identifying deviations that may indicate malicious activity.
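The monitoring section above (SIEM collection, UEBA baselines, threat-intelligence correlation and an automated response decision) and the last three checklist items describe one pipeline. Here it is carried through end to end as an added example, not code from the original article: parse authentication logs, build a per-user baseline of source networks and login hours from a training window, score new events against that baseline and a list of indicators, and map the findings to a response action. The log lines, the key=value format, the user and device names and the indicator addresses (documentation ranges) are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (key=value), not output of any real system.
BASELINE_LOGS = """\
ts=2024-03-04T08:05:11Z user=alice src=10.20.30.15 device=alice-lt result=success
ts=2024-03-04T17:40:02Z user=alice src=10.20.30.15 device=alice-lt result=success
ts=2024-03-05T09:12:45Z user=alice src=10.20.30.22 device=alice-lt result=success
ts=2024-03-04T08:30:00Z user=bob src=10.20.31.7 device=bob-lt result=success
ts=2024-03-05T08:45:10Z user=bob src=10.20.31.7 device=bob-lt result=success
"""

NEW_LOGS = """\
ts=2024-03-06T08:10:00Z user=alice src=10.20.30.15 device=alice-lt result=success
ts=2024-03-06T03:22:19Z user=alice src=198.51.100.23 device=alice-lt result=success
ts=2024-03-06T09:00:00Z user=bob src=203.0.113.9 device=bob-lt result=success
"""

# Constructed indicator list using a documentation-range address; not a real IOC.
IOC_IPS = {"203.0.113.9"}


def parse(line: str) -> dict:
    """Normalize one key=value log line into a dict with a parsed timestamp and
    the source /24, which is the unit the baseline tracks."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["net"] = str(ipaddress.ip_network(fields["src"] + "/24", strict=False))
    return fields


def parse_lines(text: str) -> list:
    return [parse(line) for line in text.splitlines() if line.strip()]


def build_baseline(events: list) -> dict:
    """Per-user baseline from successful logins: source networks and login hours."""
    base = defaultdict(lambda: {"nets": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue
        base[e["user"]]["nets"].add(e["net"])
        base[e["user"]]["hours"].add(e["ts"].hour)
    return base


def score(event: dict, baseline: dict, iocs: set) -> list:
    """Return the list of findings for one event (empty list means normal)."""
    reasons = []
    profile = baseline.get(event["user"])
    if profile is None:
        reasons.append("unknown_user")
    else:
        if event["net"] not in profile["nets"]:
            reasons.append("new_source_network")
        if event["ts"].hour not in profile["hours"]:
            reasons.append("unusual_hour")
    if event["src"] in iocs:
        reasons.append("ioc_match")
    return reasons


def response_action(reasons: list) -> str:
    """Map findings to a playbook step. This returns a decision for an
    orchestrator to carry out; it does not perform the action itself."""
    if "ioc_match" in reasons:
        return "isolate_device"
    if len(reasons) >= 2:
        return "require_step_up_auth"
    if reasons:
        return "alert_only"
    return "none"


def triage(baseline_text: str, new_text: str, iocs: set) -> list:
    """Full pipeline: (user, device, findings, action) for each new event."""
    baseline = build_baseline(parse_lines(baseline_text))
    results = []
    for e in parse_lines(new_text):
        reasons = score(e, baseline, iocs)
        results.append((e["user"], e["device"], reasons, response_action(reasons)))
    return results


if __name__ == "__main__":
    for row in triage(BASELINE_LOGS, NEW_LOGS, IOC_IPS):
        print(row)
```

On the constructed input, alice's morning login from her usual network produces no findings, her 03:22 login from an unseen network trips two behavioral rules and gets a step-up authentication decision, and bob's login from an address on the indicator list escalates straight to device isolation. The separation between `score` and `response_action` is deliberate: the findings are what the SIEM/UEBA layer produces, and the action mapping is the automation playbook the text describes, which can be tuned (or switched to alert-only) without touching the detection logic.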

Where implementation usually fails

Implementing Zero Trust isn’t easy. Organizations often face a number of hurdles, including legacy systems, organizational silos, and skill gaps. Many organizations have invested heavily in traditional security technologies, and it can be difficult to justify the cost of replacing them.

Organizational silos can also hinder implementation. Security teams, IT teams, and business units often operate in isolation, making it difficult to coordinate efforts. A successful Zero Trust implementation requires collaboration across all departments. A lack of skilled personnel is another common challenge. Zero Trust requires expertise in areas like identity management, network security, and cloud security.

Start small and focus on high-risk areas. Don’t try to implement Zero Trust across your entire organization at once. Begin with a pilot project, such as securing access to your most critical data. This will allow you to learn from your mistakes and refine your approach before scaling up.

What to expect by 2026

Over the next few years, I expect to see continued adoption of Zero Trust, driven by the increasing frequency and sophistication of cyberattacks. CrowdStrike’s 2026 Global Threat Report indicates a growing reliance on AI-powered attacks, making proactive security measures like Zero Trust even more critical.

We’ll likely see increased use of AI and machine learning in Zero Trust security, automating threat detection and response. Identity-centric security will become even more important, with a focus on verifying user identity throughout the entire session. We can also expect to see greater convergence of Zero Trust with other security frameworks, such as Secure Access Service Edge (SASE), which combines network security functions with wide area network capabilities.

Zero trust is a practical step toward a resilient network. While the setup is difficult, the reduction in risk and better data protection are the primary reasons to start.
