Department of Defense (DOD) Zero Trust Reference Architecture Version 1.0 February 2021 Prepared by the Joint Defense Information Systems Agency (DISA) and National Security Agency (NSA) Zero Trust Engineering Team DISTRIBUTION STATEMENT A. Approved for public release: distribution unlimited. Refer to the Department Chief Information Officer Cybersecurity (DCIO-CS) for other requests that pertain to this document. UNCLASSIFIED UNCLASSIFIED February 2021 Document Approval Document Approved By Date Approved Name: Joseph Brinker FEB 2021 DISA Portfolio Manager, Security Enablers Portfolio (ID2) ii UNCLASSIFIED February 2021 Revision History VERSION DATE PRIMARY AUTHOR(S) REVISION/CHANGE PAGES AFFECTED Added Vocabulary & Updated Joint DISA/NSA Zero Trust 0.8 27 Aug 2020 Template- submitted for internal All Engineering Team DISA/NSA/USCC review Joint DISA/NSA Zero Trust Adjudication of internal feedback and 0.9 04 Nov 2020 All Engineering Team submission to EAEP for review Joint DISA/NSA Zero Trust 0.95 24 Dec 2020 Adjudication of feedback from EAEP All Engineering Team Joint DISA/NSA Zero Trust Final review and classification header 0.96 30 Dec 2020 All Engineering Team update Prepared for DMI EXCOM Approval – Joint DISA/NSA Zero Trust Removed CS RA location description. 1.0 04 Feb 2021 All Engineering Team Removal of CV-3, SvcV8, and SvcV-9 for classification purposes. iii UNCLASSIFIED February 2021 Table of Contents 1 STRATEGIC PURPOSE (AV-1, CV-1, CV-2, OV-1) ................................................... 1 1.1 Introduction ....................................................................................................... 1 1.2 Purpose .............................................................................................................. 1 1.3 Scope ................................................................................................................. 2 1.3.1 Stakeholders ................................................................................................... 2 1.3.2 Architecture Development ............................................................................... 2 1.3.3 Timeframe ....................................................................................................... 3 1.4 Vision and Goals ............................................................................................... 3 1.4.1 Vision and High-Level Goals (CV-1) ............................................................... 3 1.4.2 Strategy ........................................................................................................... 5 1.4.3 Capability Taxonomy (CV-2) ........................................................................... 6 1.5 High Level Operational Concept (OV-1) .......................................................... 7 1.5.1 Decision Points, Components, and Capabilities .............................................. 7 1.6 Intended Uses and Audience ......................................................................... 13 1.7 Assumptions ................................................................................................... 13 1.8 Constraints ...................................................................................................... 14 1.9 Linkages to Other Architectures .................................................................... 14 1.9.1 DOD Cyber Security Reference Architecture (CS RA) Integration ................ 14 1.9.2 DOD ICAM Reference Design (RD) .............................................................. 15 1.9.3 NIST Special Publication 800-207 Zero Trust Architecture ........................... 16 1.10 Tool Environment ............................................................................................ 17 1.11 Maturity Model ................................................................................................. 17 2 PRINCIPLES ............................................................................................................. 18 2.1 Overview .......................................................................................................... 18 2.1.1 Concept and Tenets of Zero Trust ................................................................ 18 2.1.2 Principles, Pillars & Capabilities .................................................................... 19 iv UNCLASSIFIED February 2021 3 TECHNICAL POSITIONS (STDV-1, STDV-2) .......................................................... 21 3.1 Standards Profile (StdV-1) .............................................................................. 21 3.2 Standards Forecast (StdV-2) .......................................................................... 49 4 PATTERNS ............................................................................................................... 55 4.1 Capability Dependencies (CV-4) .................................................................... 55 4.2 Capabilities to Operational Activities Mapping (CV-6) ................................. 57 4.3 Capabilities to Services Mapping (CV-7) ....................................................... 71 4.4 Operational Resource Flow Description (OV-2) ........................................... 78 4.5 Operational Activity Model (OV-5b) ............................................................... 81 4.5.1 Authentication Request Simplified ................................................................ 82 4.5.2 Device Compliance ....................................................................................... 84 4.5.3 User Analytics ............................................................................................... 86 4.5.4 Data Rights Management (DRM) .................................................................. 88 4.5.5 Macro Segmentation ..................................................................................... 90 4.5.6 Micro Segmentation ...................................................................................... 92 4.5.7 Privileged Access .......................................................................................... 94 4.5.8 Application Delivery ...................................................................................... 96 5 VOCABULARY (AV-2) .............................................................................................. 98 5.1 Glossary of Terms ........................................................................................... 98 5.2 Activities Definitions ..................................................................................... 106 5.3 Services Definitions ...................................................................................... 150 5.4 Acronym List ................................................................................................. 155 APPENDIX A: CAPABILITY TAXONOMY & DESCRIPTIONS (CV-2) ........................ 159 APPENDIX B: REFERENCES .................................................................................... 163 v UNCLASSIFIED February 2021 LIST OF TABLES Table 1: Standards Profile (StdV-1) 22 Table 2: Standards Forecast (StdV-2) 49 Table 3: Capability to Operational Activities Model (CV-6) 57 Table 4: Capability to Services Mapping (CV-7) 71 Table 5: Integrated Dictionary (AV-2) 98 Table 6: Activities Definitions (AV-2) 106 Table 7: Services Definition (AV-2) 150 Table A-1: Capability Taxonomy and Descriptions (CV-2) 159 vi UNCLASSIFIED February 2021 LIST OF FIGURES Figure 1: Capabilities Taxonomy (CV-2) 7 Figure 2: High-Level Operational Concept (OV-1) 12 Figure 3: Zero Trust Maturity Model 17 Figure 4: Zero Trust Pillars 20 Figure 5: Capability Dependencies (CV-4) 56 Figure 6: Operational Resource Flow Description – Policy (OV-2) 79 Figure 7: Operational Resource Flow Description – Authentication (OV-2) 80 Figure 8: Operational Activity Model – Authentication Request (OV-5b) 83 Figure 9: Operational Activity Model – Device Compliance (OV-5b) 85 Figure 10: Operational Activity Model – Analytics (OV-5b) 87 Figure 11: Operational Activity Model – Data Rights Management (OV-5b) 89 Figure 12: Operational Activity Model – Macro Segmentation (OV-5b) 91 Figure 13: Operational Activity Model – Micro Segmentation (OV-5b) 93 Figure 14: Operational Activity Model – Privileged Access (OV-5b) 95 Figure 15: Operational Activity Model – Application Delivery (OV-5b) 97 vii UNCLASSIFIED February 2021 1 STRATEGIC PURPOSE (AV-1, CV-1, CV-2, OV-1) 1.1 Introduction “Zero Trust is the term for an evolving set of cybersecurity paradigms that move defenses from status, network-based perimeters to focus on users, assets, and resources. Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned).” 1Zero Trust requires designing a simpler and more secure architecture without impeding operations or compromising security. The classic perimeter/defense-in-depth cybersecurity strategy repeatedly shows to have limited value against well-resourced adversaries and is an ineffective approach to address insider threats. The Department of Defense (DOD) next generation cybersecurity architecture will become data centric and based upon Zero Trust principles. Zero Trust supports the 2018 DOD Cyber Strategy, the 2019 DOD Digital Modernization Strategy and the DOD Chief Information Officer’s (CIO) vision for creating “a more secure, coordinated, seamless, transparent,
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages170 Page
-
File Size-