Securing the Defense Digital Landscape: Zero Trust Principles & Partnership

The defense workplace and mission landscape are expanding. The COVID crisis ushered in a new era of remote and hybrid work that has fundamentally changed the digital workplace experience across all industries — Defense & Intelligence included. Defense workers now have new expectations about where and how they work. As an example, “69% of federal employees believe their jobs can be done remotely just as effectively as in face-to-face settings" (Hybrid Work Models in Federal Government | Accenture). Additionally, the confluence of cloud, compute, and connectivity are creating opportunities for mission expansion into what were previously some of the most comms-challenged environments on (and off) the planet.  This expanded digital landscape for defense is ripe with opportunity…but it also presents huge opportunity for adversaries employing integrated offensive tactics and sophisticated cyber effects targeting defense systems, data, and people.

Clearly, the hybrid and remote landscape has expanded network perimeters in an incredible way. As those perimeters expand and boundaries become less defined, the defense ecosystem must take action to properly shore up systems, data, and workers against adversaries aiming to take advantage of this changing digital landscape.

So, what must defense organizations do to defend against these persistent and ubiquitous cyber threats? Implement zero trust architectures and assume breach, with intent to contain cyber threats and minimize the digital blast radius.

The US DoD recently announced a self-imposed 5-year deadline and formal strategy to implement and achieve a zero trust (ZT) posture, grounded in a seven-pillar approach: User, Devices, Applications & Workloads, Data, Network & Environment, Automation & Orchestration, and Visibility & Analytics. Furthermore, the DoD’s shift from a compliance and controls-based approach to an outcomes-focused methodology — meaning the job is done when the adversary stops, not just when the controls are in place — stands out as a best practice. This announcement comes at a critical time, as US and allied defense organizations face nearly half of all global nation-state attacks that occur, according to the Microsoft Digital Defense Report 2022. 

The DoD is establishing a coalition approach for zero trust, looking to cloud venders like Microsoft, Amazon, Oracle, and Google to help the DoD implement this ZT plan in both their on-prem and enterprise cloud environments. See our recent blog post from Microsoft Federal for more details and ways in which Microsoft is engaged to support.

We at Microsoft applaud the DoD’s efforts to modernize its approach to cybersecurity, and we strongly encourage other allied defense organizations and the Defense Industrial Base to implement similar strategies. Strong Public Sector and industry partnerships are critical to success, which is why Microsoft was invited by the DoD to discuss how its Zero Trust definitions would map to new and existing compute environments.

Microsoft is uniquely suited to support defense organizations with their Zero Trust postures, and we are deeply committed to promoting cyber resilience and strengthening the world’s critical infrastructure and cyber defenses. Ultimately, security is a shared responsibility, and we at Microsoft believe we have an important part to play in shoring up national assets and critical infrastructure, and to be a mission partner to allied defense organizations around the world in monitoring, assessing, defending against, and mitigating cyber threats.    

For more information about how to improve Public Sector cybersecurity postures, please check out our recent podcast with Dr. Marcus Thompson, retired Major General and former Head of Information Warfare for the Australian Defense Force.