S
Steve Faehl
Thread author
The Department of Defense (DoD) Zero Trust Strategy1 and accompanying execution roadmap2 sets a path for achieving enterprise-wide target-level Zero Trust by 2027. The roadmap lays out vendor-agnostic Zero Trust activities that DoD Components and Defense Industrial Base (DIB) partners should complete to achieve Zero Trust capabilities and outcomes.
Microsoft commends the DoD for approaching Zero Trust as a mindset, not a capability or device that may be bought.1 Zero Trust can’t be achieved by a single technology, but through tight integration between solutions across product categories. Deciphering how security products achieve Zero Trust based on marketing materials alone is a daunting task. IT leaders need to select the right tools. Security architects need to design integrated solutions. Implementers need to deploy, configure, and integrate tools to achieve the outcomes in each Zero Trust activity.
Today, we are excited to announce Zero Trust activity-level guidance for DoD Components and DIB partners implementing the DoD Zero Trust Strategy. To learn more, see Configure Microsoft cloud services for the DoD Zero Trust Strategy.
In this blog, we’ll review the DoD Zero Trust Strategy and discuss how our new guidance helps DoD Components and DIB partners implement Zero Trust. We’ll cover the Microsoft Zero Trust platform and relevant features for meeting DoD’s Zero Trust requirements, and close with real-world DoD Zero Trust deployments.
The DoD released its formal Zero Trust Strategy in October 2022.1 The strategy is a security framework and mindset that set a path for achieving Zero Trust. The strategy outlines strategic goals for adopting culture, defending DoD Information Systems, accelerating technology implementation, and enabling Zero Trust.
The DoD Zero Trust Strategy includes seven pillars that represent protection areas for Zero Trust:
In January 2023, the DoD published a capabilities-based execution roadmap for implementing Zero Trust.2 The roadmap details 45 Zero Trust capabilities spanning the seven pillars. The execution roadmap details the Zero Trust activities DoD Components should perform to achieve each Zero Trust capability. There are 152 Zero Trust activities in total, divided into Target Level Zero Trust and Advanced Level Zero Trust phases with deadlines of 2027 and 2032, respectively.
The Zero Trust activity-level guidance we’re announcing in this blog continues Microsoft’s commitment to supporting DoD’s Zero Trust strategy.3 It serves as a reference for how DoD Components should implement Zero Trust activities using Microsoft cloud services. Microsoft product teams and security architects supporting DoD worked in close partnership to provide succinct, actionable guidance side-by-side with the DoD Zero Trust activity text and organized by product with linked references.
We scoped the guidance to features available today (including public preview) for Microsoft 365 DoD and Microsoft Azure Government customers. As the security landscape changes, Microsoft will continue innovating to meet the needs of federal and DoD customers.4 We’re excited to bring entirely new Zero Trust technologies like Microsoft Copilot for Security and Security Service Edge to United States Government clouds in the future.5
Look out for announcements in the Microsoft Security Blog and check Microsoft’s DoD Zero Trust documentation to see the latest guidance.
Microsoft is proud to be recognized as a Leader in the Forrester Wave™: Zero Trust Platform Providers, Q3 2023 report.6 The Microsoft Zero Trust platform is a modern security architecture that emphasizes proactive, integrated, and automated security measures. Microsoft 365 E5 combines best-in-class productivity apps with advanced security capabilities that span all seven pillars of the DoD Zero Trust Strategy.
Zero Trust Rapid Modernization Plan
Read more
Microsoft 365 is a comprehensive and extensible Zero Trust platform.8 It’s a hybrid cloud, multicloud, and multiplatform solution. Pre-integrated extended detection and response (XDR) services coupled with modern cloud-based device management, and a cloud-based identity and access management service, provide a direct and rapid modernization path for the DoD and DIB organizations.
Read on to learn about Microsoft cloud services that support the DoD Zero Trust Strategy.
Figure 1. Microsoft Zero Trust Architecture.
Microsoft Entra ID is an integrated multicloud identity and access management solution and identity provider. Microsoft Entra ID is tightly integrated with Microsoft 365 and Microsoft Defender XDR services to provide a comprehensive suite Zero Trust capabilities including strict identity verification, enforcing least privilege, and adaptive risk-based access control.
Microsoft Entra ID is built for cloud-scale, handling billions of authentications every day. It uses industry standard protocols and is designed for both Microsoft and non-Microsoft apps. Establishing Microsoft Entra ID as your organization’s Zero Trust identity provider lets you configure, enforce, and monitor adaptive Zero Trust access policies in a single location. Conditional Access is the Zero Trust authorization engine for Microsoft Entra ID. It enables dynamic, adaptive, fine-grained, risk-based, access policies for any workload.
Microsoft Entra ID is essential to the user pillar and has a role in all other pillars of the DoD Zero Trust Strategy.
Microsoft Intune is a multiplatform endpoint and application management suite for Windows, MacOS, Linux, iOS, iPadOS, and Android devices. Microsoft Intune configuration policies manage devices and applications. Microsoft Defender for Endpoint helps organizations prevent, detect, investigate, and respond to advanced threats on devices. Microsoft Intune and Defender for Endpoint work together to enforce security policies, assess device health, vulnerability exposure, risk level, and configuration compliance status. Conditional Access policies requiring a compliant device help achieve comply-to-connect outcomes in the DoD Zero Trust Strategy.
Microsoft Intune and Microsoft Defender for Endpoint help achieve capabilities in the device pillar.
GitHub is a cloud-based platform where you can store, share, and work together with others to write code. GitHub Advanced Security includes features that help organizations improve and maintain code by providing code scanning, secret scanning, security checks, and dependency review throughout the deployment pipeline. Microsoft Entra Workload ID helps organizations use continuous integration and continuous delivery (CI/CD) with GitHub Actions.
GitHub and Azure DevOps are essential to the applications and workloads pillar.
Microsoft Purview is a range of solutions for unified data security, data governance, and risk and compliance management. Microsoft Purview Information Protection lets you define and label sensitive information types. Auto-labeling within Microsoft 365 clients ensure data is appropriately labeled and protected. Microsoft Purview Data Loss Prevention integrates with Microsoft 365 services and apps, and Microsoft Defender XDR components to detect and prevent data loss.
Microsoft Purview features align to the data pillar activities.
Azure networking services include a range of software-defined network resources that can be used to provide networking capabilities for connectivity, application protection, application delivery, and network monitoring. Azure networking resources like Microsoft Azure Firewall Premium, Azure DDoS Protection, Microsoft Azure Application Gateway, Azure API Management, Azure Virtual Network, and Network Security Groups, all work together to provide routing, segmentation, and visibility into your network.
Azure networking services and network segmentation architectures are essential to the network pillar.
Automate threat response with playbooks in Microsoft Sentinel
Learn more
Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response actions. It correlates millions of signals across endpoints, identities, email, and applications to automatically disrupt attacks. Microsoft Defender XDR’s automated investigation and response and Microsoft Sentinel playbooks are used to complete security orchestration, automation, and response (SOAR) activities.
Microsoft Defender XDR plays a key role in automation and orchestration and visibility and analytics pillars.
Microsoft Sentinel is a cloud-based security information and event management (SIEM) you deploy in Azure. Microsoft Sentinel operates at cloud scale to accelerate security response and save time by automating common tasks and streamlining investigations with incident insights. Built-in data connectors make it easy to ingest security logs from Microsoft 365, Microsoft Defender XDR, Microsoft Entra ID, Azure, non-Microsoft clouds, and on-premises infrastructure.
Microsoft Sentinel is essential to automation and orchestration and visibility and analytics pillars along with any activities requiring SIEM integration.
The DoD is embracing Zero Trust as a continuous modernization effort. Microsoft has partnered with DoD Components for several years, onboarding Microsoft 365 services, integrating apps with Microsoft Entra, migrating Azure workloads, managing devices with Microsoft Intune, and building security operations around Microsoft Defender XDR and Microsoft Sentinel.
One such example is the United States Navy’s innovative Flank Speed program. The Navy’s large-scale deployment follows Zero Trust capabilities put forth in the DoD’s strategy. These capabilities include comply-to-connect, continuous authorization, least-privilege access, and data-centric security controls.9 To date, Flank Speed has onboarded more than 560,000 users and evaluated the effectiveness of its robust cybersecurity tools through Purple Team assessments.10
Another example is Army 365, the United States Army’s Microsoft 365 environment.11 Army 365 has onboarded more than 1.4 million users and migrated petabytes of data.12 The secure collaboration environment incorporates Zero Trust principles in a secure collaboration environment with identity and device protections and includes support for bring your own device (BYOD) through Azure Virtual Desktop.13
Learn how to configure Microsoft cloud services for the DoD Zero Trust Strategy.
Learn more
Microsoft commends the DoD for approaching Zero Trust as a mindset, not a capability or device that may be bought.1 Zero Trust can’t be achieved by a single technology, but through tight integration between solutions across product categories. Deciphering how security products achieve Zero Trust based on marketing materials alone is a daunting task. IT leaders need to select the right tools. Security architects need to design integrated solutions. Implementers need to deploy, configure, and integrate tools to achieve the outcomes in each Zero Trust activity.
Today, we are excited to announce Zero Trust activity-level guidance for DoD Components and DIB partners implementing the DoD Zero Trust Strategy. To learn more, see Configure Microsoft cloud services for the DoD Zero Trust Strategy.
In this blog, we’ll review the DoD Zero Trust Strategy and discuss how our new guidance helps DoD Components and DIB partners implement Zero Trust. We’ll cover the Microsoft Zero Trust platform and relevant features for meeting DoD’s Zero Trust requirements, and close with real-world DoD Zero Trust deployments.
Microsoft supports the DoD’s Zero Trust Strategy
The DoD released its formal Zero Trust Strategy in October 2022.1 The strategy is a security framework and mindset that set a path for achieving Zero Trust. The strategy outlines strategic goals for adopting culture, defending DoD Information Systems, accelerating technology implementation, and enabling Zero Trust.
The DoD Zero Trust Strategy includes seven pillars that represent protection areas for Zero Trust:
- User
- Device
- Applications and workloads
- Data
- Network
- Automation and orchestration
- Visibility and analytics
In January 2023, the DoD published a capabilities-based execution roadmap for implementing Zero Trust.2 The roadmap details 45 Zero Trust capabilities spanning the seven pillars. The execution roadmap details the Zero Trust activities DoD Components should perform to achieve each Zero Trust capability. There are 152 Zero Trust activities in total, divided into Target Level Zero Trust and Advanced Level Zero Trust phases with deadlines of 2027 and 2032, respectively.
The Zero Trust activity-level guidance we’re announcing in this blog continues Microsoft’s commitment to supporting DoD’s Zero Trust strategy.3 It serves as a reference for how DoD Components should implement Zero Trust activities using Microsoft cloud services. Microsoft product teams and security architects supporting DoD worked in close partnership to provide succinct, actionable guidance side-by-side with the DoD Zero Trust activity text and organized by product with linked references.
We scoped the guidance to features available today (including public preview) for Microsoft 365 DoD and Microsoft Azure Government customers. As the security landscape changes, Microsoft will continue innovating to meet the needs of federal and DoD customers.4 We’re excited to bring entirely new Zero Trust technologies like Microsoft Copilot for Security and Security Service Edge to United States Government clouds in the future.5
Look out for announcements in the Microsoft Security Blog and check Microsoft’s DoD Zero Trust documentation to see the latest guidance.
Microsoft’s Zero Trust platform
Microsoft is proud to be recognized as a Leader in the Forrester Wave™: Zero Trust Platform Providers, Q3 2023 report.6 The Microsoft Zero Trust platform is a modern security architecture that emphasizes proactive, integrated, and automated security measures. Microsoft 365 E5 combines best-in-class productivity apps with advanced security capabilities that span all seven pillars of the DoD Zero Trust Strategy.
“Single products/suites can be adopted to address multiple capabilities. Integrated vendor suites of products rather than individual components will assist in reducing cost and risk to the government.”
—Department of Defense Zero Trust Reference Architecture Version 2.07
Zero Trust Rapid Modernization Plan
Read more
Microsoft 365 is a comprehensive and extensible Zero Trust platform.8 It’s a hybrid cloud, multicloud, and multiplatform solution. Pre-integrated extended detection and response (XDR) services coupled with modern cloud-based device management, and a cloud-based identity and access management service, provide a direct and rapid modernization path for the DoD and DIB organizations.
Read on to learn about Microsoft cloud services that support the DoD Zero Trust Strategy.
Figure 1. Microsoft Zero Trust Architecture.
Microsoft Entra ID is an integrated multicloud identity and access management solution and identity provider. Microsoft Entra ID is tightly integrated with Microsoft 365 and Microsoft Defender XDR services to provide a comprehensive suite Zero Trust capabilities including strict identity verification, enforcing least privilege, and adaptive risk-based access control.
Microsoft Entra ID is built for cloud-scale, handling billions of authentications every day. It uses industry standard protocols and is designed for both Microsoft and non-Microsoft apps. Establishing Microsoft Entra ID as your organization’s Zero Trust identity provider lets you configure, enforce, and monitor adaptive Zero Trust access policies in a single location. Conditional Access is the Zero Trust authorization engine for Microsoft Entra ID. It enables dynamic, adaptive, fine-grained, risk-based, access policies for any workload.
Microsoft Entra ID is essential to the user pillar and has a role in all other pillars of the DoD Zero Trust Strategy.
Microsoft Intune is a multiplatform endpoint and application management suite for Windows, MacOS, Linux, iOS, iPadOS, and Android devices. Microsoft Intune configuration policies manage devices and applications. Microsoft Defender for Endpoint helps organizations prevent, detect, investigate, and respond to advanced threats on devices. Microsoft Intune and Defender for Endpoint work together to enforce security policies, assess device health, vulnerability exposure, risk level, and configuration compliance status. Conditional Access policies requiring a compliant device help achieve comply-to-connect outcomes in the DoD Zero Trust Strategy.
Microsoft Intune and Microsoft Defender for Endpoint help achieve capabilities in the device pillar.
GitHub is a cloud-based platform where you can store, share, and work together with others to write code. GitHub Advanced Security includes features that help organizations improve and maintain code by providing code scanning, secret scanning, security checks, and dependency review throughout the deployment pipeline. Microsoft Entra Workload ID helps organizations use continuous integration and continuous delivery (CI/CD) with GitHub Actions.
GitHub and Azure DevOps are essential to the applications and workloads pillar.
Microsoft Purview is a range of solutions for unified data security, data governance, and risk and compliance management. Microsoft Purview Information Protection lets you define and label sensitive information types. Auto-labeling within Microsoft 365 clients ensure data is appropriately labeled and protected. Microsoft Purview Data Loss Prevention integrates with Microsoft 365 services and apps, and Microsoft Defender XDR components to detect and prevent data loss.
Microsoft Purview features align to the data pillar activities.
Azure networking services include a range of software-defined network resources that can be used to provide networking capabilities for connectivity, application protection, application delivery, and network monitoring. Azure networking resources like Microsoft Azure Firewall Premium, Azure DDoS Protection, Microsoft Azure Application Gateway, Azure API Management, Azure Virtual Network, and Network Security Groups, all work together to provide routing, segmentation, and visibility into your network.
Azure networking services and network segmentation architectures are essential to the network pillar.
Automate threat response with playbooks in Microsoft Sentinel
Learn more
Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response actions. It correlates millions of signals across endpoints, identities, email, and applications to automatically disrupt attacks. Microsoft Defender XDR’s automated investigation and response and Microsoft Sentinel playbooks are used to complete security orchestration, automation, and response (SOAR) activities.
Microsoft Defender XDR plays a key role in automation and orchestration and visibility and analytics pillars.
Microsoft Sentinel is a cloud-based security information and event management (SIEM) you deploy in Azure. Microsoft Sentinel operates at cloud scale to accelerate security response and save time by automating common tasks and streamlining investigations with incident insights. Built-in data connectors make it easy to ingest security logs from Microsoft 365, Microsoft Defender XDR, Microsoft Entra ID, Azure, non-Microsoft clouds, and on-premises infrastructure.
Microsoft Sentinel is essential to automation and orchestration and visibility and analytics pillars along with any activities requiring SIEM integration.
Real-world pilots and implementations
The DoD is embracing Zero Trust as a continuous modernization effort. Microsoft has partnered with DoD Components for several years, onboarding Microsoft 365 services, integrating apps with Microsoft Entra, migrating Azure workloads, managing devices with Microsoft Intune, and building security operations around Microsoft Defender XDR and Microsoft Sentinel.
One such example is the United States Navy’s innovative Flank Speed program. The Navy’s large-scale deployment follows Zero Trust capabilities put forth in the DoD’s strategy. These capabilities include comply-to-connect, continuous authorization, least-privilege access, and data-centric security controls.9 To date, Flank Speed has onboarded more than 560,000 users and evaluated the effectiveness of its robust cybersecurity tools through Purple Team assessments.10
Another example is Army 365, the United States Army’s Microsoft 365 environment.11 Army 365 has onboarded more than 1.4 million users and migrated petabytes of data.12 The secure collaboration environment incorporates Zero Trust principles in a secure collaboration environment with identity and device protections and includes support for bring your own device (BYOD) through Azure Virtual Desktop.13
DoD Zero Trust Strategy and Roadmap
Learn how to configure Microsoft cloud services for the DoD Zero Trust Strategy.
Learn more
Last edited by a moderator: