The U.S. Air Force recently released its Zero Trust Strategy, outlining strategic goals and objectives that enable Air and Space Forces to operate using Zero Trust in the future.
One focus of the strategy – Objective #5.4 – is expanding segmentation capabilities. It states that segmentation is the practice of breaking a unified system into smaller, isolated segments to apply more granular visibility and access controls to each segment. It highlights that the U.S. Air Force must evolve from network-based segmentation to data center, host-based, and micro-service level segmentation to provide the strongest controls.
As the U.S. Air Force and other Department of Defense (DoD) agencies work to meet the FY 2027 Zero Trust deadline, and federal agencies work to meet this year’s September 30 Zero Trust architecture deadline, it is vital that robust measures to achieve the most secure environments possible are in place.
How the U.S. Air Force Has Already Begun Its Segmentation Journey
According to research by Gartner®, “By 2026, 60 percent of enterprises working toward a Zero Trust architecture will use more than one deployment form of microsegmentation, which is up from less than 5 percent in 2023.” The U.S. Air Force is among the agencies already advancing their segmentation journeys.
For example, the U.S. Pacific Air Forces has used segmentation tools on their Zero Trust architectures to segment their users and networks to a more refined level. This granularity grants users access to only the data they need from anywhere connected to the cloud – protecting their data against adversaries. Additionally, the U.S. Air Force has leveraged segmentation to gain visibility into network communications and insights into potential vulnerabilities.
Reducing An Attack’s Impact with Zero Trust Segmentation
Other agencies should follow the U.S. Air Force’s lead on segmentation methods. Zero Trust Segmentation (ZTS), segmentation using Zero Trust principles, is a crucial technology measure within the Zero Trust framework. By adhering to the principle of “least privilege” access and continuously visualizing all communication patterns and traffic between workloads, devices, and the internet, ZTS constantly verifies connections and creates granular policies that permit only essential communication. In the event of an attack, ZTS dynamically isolates online and offline assets and enhances visibility across networks and traffic – limiting lateral movement and containing the attack’s impact.
Implementing ZTS not only puts methods in place that will minimize the impact of an attack, but also reduces the blast radius of cyberattacks within an organization by 66 percent, ultimately saving organizations $1.8 million annually by decreasing overall risk exposure.
Starting the Zero Trust Segmentation Journey
To start their ZTS journeys, agencies should adopt an “assume breach” mindset, recognizing that cyberattacks are inevitable in today’s expanding threat landscape. Adopting an “assume breach” mindset actively encourages agencies to put measures in place to minimize an attack’s impact. It is not possible to prevent all attacks, but steps can be taken to detect and mitigate the spread.
Next, agencies must determine their security objectives and prioritize progress over perfection. Start small and focus on what’s most pressing, then build up from there. Key security objectives should include:
- Enhance Real-Time Visibility: Agencies can’t protect what they can’t see. Identifying which high-value assets – data, applications, systems, services, and anything else that is both digital and mission critical – matter most to their security objectives is crucial, and those assets should be segmented. Agencies can bolster their visibility efforts through application dependency mapping, which locates these assets within environments and shows the traffic flows reaching them.
- Understand Vulnerabilities: Application dependency mapping also shines light on security policies that are monitoring and controlling the traffic flows, revealing potential vulnerabilities. Through visibility, agencies can understand their risks, like high-risk pathways, and other vulnerabilities, and build out their ransomware containment efforts.
- Block Known Ransomware Points: Once agencies have identified and segmented their assets and blocked their most vulnerable ports, enhanced real-time visibility proactively reduces the blast radius and blocks known ransomware entry points – a small, “quick win” for agencies.
- Build a “Containment Switch”: This allows agencies to stop an in-progress incident from spreading. Controlled manually by the security team or as part of a script, the switch isolates the attack at the entry point. While the attacker is isolated, an application dependency map ensures vital operations continue.
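The four objectives above map onto a small policy model: build a dependency map from observed flows, use it to surface high-risk pathways into protected assets, derive a deny-by-default allowlist from the remaining flows, and add a containment switch that isolates one asset while the rest of the allowlist keeps vital paths open. This is an added illustration written for this article, not Illumio's or any agency's code; the flow records, asset names, protected-asset set and high-risk port list are all constructed for the example.

```python
from collections import defaultdict

# Constructed flow records (src, dst, port), standing in for what an
# application-dependency-mapping step would observe on the wire.
OBSERVED_FLOWS = [
    ("web-01", "app-01", 8443),
    ("app-01", "db-01", 5432),
    ("web-01", "app-01", 8443),
    ("jump-01", "db-01", 22),
    ("laptop-07", "db-01", 445),
]
PROTECTED_ASSETS = {"app-01", "db-01"}   # constructed high-value assets
HIGH_RISK_PORTS = {22, 445, 3389}         # constructed "known ransomware points"


def build_dependency_map(flows):
    """Application dependency map: for each destination, who talks to it and on what port."""
    deps = defaultdict(set)
    for src, dst, port in flows:
        deps[dst].add((src, port))
    return dict(deps)


def high_risk_pathways(deps, protected, risky_ports):
    """Visibility step: observed flows into protected assets over ports classed as high risk."""
    return sorted((src, dst, port) for dst in protected
                  for src, port in deps.get(dst, ()) if port in risky_ports)


def derive_allow_rules(deps, protected, risky_ports):
    """Least privilege: allow only observed, non-risky flows into protected assets."""
    return {(src, dst, port) for dst in protected
            for src, port in deps.get(dst, ()) if port not in risky_ports}


class SegmentationPolicy:
    def __init__(self, allow_rules):
        self.allow_rules = set(allow_rules)
        self.quarantined = set()

    def contain(self, asset):
        """Containment switch: isolate one asset without rewriting the allowlist."""
        self.quarantined.add(asset)

    def evaluate(self, src, dst, port):
        if src in self.quarantined or dst in self.quarantined:
            return "DENY"  # an isolated asset may neither send nor receive
        return "ALLOW" if (src, dst, port) in self.allow_rules else "DENY"
```

Flows that were never observed, and observed flows over high-risk ports, are denied by default; flipping the switch on the web tier cuts its traffic while the app-to-database dependency stays allowed.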
These steps enable ZTS to establish the rules and policies for what’s allowed and what’s not. If an attack does occur, combining all these steps with ZTS guarantees minimum impact, regardless of where an attack originates – whether it’s on an endpoint device, a vulnerable network, or a compromised cloud environment – and ensures operations can continue even while an agency is under active attack.
By preparing for and implementing ZTS, agencies can ensure that everyday attacks don’t escalate into mission-impacting breaches – allowing them to focus on mission readiness and protecting the nation.
Gartner, Market Guide for Microsegmentation, Adam Hils, Rajpreet Kaur, Jeremy D’Hoinne, 12 June 2023
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
About the Author
Gary Barlet is the Public Sector Chief Technology Officer at Illumio, where he is responsible for working with government agencies, contractors and the broader ecosystem to build in Zero Trust Segmentation as a strategic component of the government Zero Trust architecture. Previously, Gary served as the Chief Information Officer (CIO) for the Office of the Inspector General, United States Postal Service. He has held key positions on several CIO staffs, including the Chief of Ground Networks for the Air Force CIO and Chief of Networks for the Air National Guard CIO, where he was responsible for information technology policy and providing technical expertise to senior leadership. He is a retired Lieutenant Colonel from the United States Air Force, where he served as a Cyberspace Operations Officer for 20 years. He can be reached at [email protected].