March 18th, 2025
0 reactions

Embracing Zero Trust: Never Trust, Always Verify

Ehud Itshaki, Principal Product Manager, Microsoft Security
Ehud Itshaki, Principal Product Manager, Microsoft Security
Abract iconography of security shield.

Microsoft’s 2024 Digital Defense Report found that between July 2023 and July 2024, Microsoft customers faced an astounding 600 million attacks daily from both cybercriminals and nation-state actors.

In this high-risk and rapidly evolving environment, individuals and organizations must not only strengthen digital defenses at every level but also foster a deep and enduring commitment to cybersecurity. Zero Trust offers a powerful and proactive architecture that redefines how organizations safeguard their data and systems.

In 2021, the U.S. federal government began transitioning to a Zero Trust approach to security. The U.S. Department of the Navy (DON) has been a pioneer in successfully adopting this model across its Flank Speed cloud service. I recently joined Tamanu Lowkie, DON CISO Zero Trust Assistant Lead, Office of the DON CIO/CISO, and Scoop News Group SVP and Executive Editor Billy Mitchell for a conversation about the Navy’s successful Zero Trust adoption and how other government entities can follow suit.

How Flank Speed Adopted Zero Trust

Flank Speed is the U.S. Navy’s Program Executive Office Digital (PEO Digital) Impact Level 5 (IL5) unclassified Microsoft Azure and Microsoft 365 (M365) cloud implementation. In October 2024, PEO Digital announced that after vigorous purple team testing Flank Speed achieved full compliance with all 91 Target Zero Trust Activities identified by the U.S. Department of Defense (DoD), three years ahead of a DoD fiscal year 2027 deadline. Flank Speed also met 60 of 61 Advanced Zero Trust activities.
space
For Tamanu Lowkie, this transition to a Zero Trust security model was successful, in part, because of rigorous testing conducted in close partnership with Microsoft. “The success with Zero Trust for the Navy comes from knowing your partners and being able to test with your partners,” said Lowkie.
space
There is no shortage of authored guidance from the U.S. Government (DoD ZT strategy, CISA ZT maturity model) for implementing Zero Trust security models. Meanwhile, vendors, including Microsoft, have their own Zero Trust models and respective guidance. With the U.S. Navy, our goal was to lead with empathy, see the Zero Trust journey from the U.S. Navy’s perspective, and map Microsoft’s security capabilities to the requirements prescribed by DoD’s Zero Trust strategy.
space
The collaboration with DoD and U.S. Navy enriched our view resulting in comprehensive guidance to configure Microsoft cloud services for the DoD ZT strategyfor all 152 DoD ZT activities. This guidance was instrumental in providing evidence of how each activity can be achieved using Microsoft Security products, to fully validateFlank Speed’s compliance with DoD’s Zero Trust strategy.

Scaling this Approach

Creating an execution plan – a mapping of technical capabilities to specific security requirements – is critical before starting any implementation. For government agencies, creating such a plan ensures alignment to relevant security visions or pillars. For public sector partners, it provides a concrete understanding of how technologies specifically address any of the 152 Zero Trust activities identified by the DoD.
space
This process also helps technology partners to scale — making it easier to support other Zero Trust deployments across other government entities. Lastly, the process of developing an execution plan creates opportunities for both customers and technology suppliers to identify pain points and missing capabilities that can be developed to meet user needs.
space
In our conversation, Tamanu Lowkie provided this advice directly to all vendors who have Zero Trust security solutions. “The thing that DoD in general needs is the information sheet that breaks down the activities that your software or solution can provide to us,” she said. “If you can break down – out of the 152 activities – which one your solution helps with and how, that helps us to know which software solution would help with different scenarios.”
space
There is no shortage of opportunities to help government entities with their Zero Trust solutions, she continued. Speaking from her own experience in the Department of the Navy, she said, “We need solutions that fit a wide array of needs. If you can let us know what your solution can provide us, then that would help us a great deal.”

Available Resources

We’ve used our experience supporting the U.S. Navy to create strategy and execution plans that we hope can help others with their own Zero Trust transitions:
  • Guidance for configuring Microsoft cloud services for the DoD Zero Trust strategy can be found here: aka.ms/ZTForDoD
  • Similar guidance to configure Microsoft cloud services for the CISA Zero Trust Maturity Model can be found here: aka.ms/ZTforUSGov

Zero Trust isn’t a buzzword – it’s here to stay. Opportunities for learning and training will be critical to customers’ success. It’s equally important to provide real-life examples of how it provides value to the organization and individuals and recognize those individuals within an organization that are good “Zero Trust citizens.” The Department of the Navy’s Flank Speed transition is an encouraging step that can serve as inspiration and guidance to others as they continue their Zero Trust adoption journey.

Category
Azure GovernmentSecurityUse Case
Topics
Azure Governmentcloud securityZero Trust

0 comments

Discussion is closed.

Read next