Tailoring 9 Zero Trust and Security Principles to Weapon Systems
PUBLISHED IN Secure Development
The Department of War (DoW) has defined an approach for implementing zero trust in weapon systems, which generally have different requirements than enterprise information technology (EIT) systems. Because of these differences, DoW stakeholders need guidance on how to tailor and adapt zero trust concepts to weapon system platforms. To help address this need, we conducted a study that analyzed the applicability of nine foundational security and zero trust principles to weapon system environments. These principles define a framework for making security decisions, implementing security controls, and enabling mission assurance through effective risk management. This blog summarizes the study and its key findings.
What Is Zero Trust?
Zero trust is a term that describes a cybersecurity strategy that eliminates implicit trust based on network location and requires strict identity verification, device validation, and continuous monitoring for every access request to resources. Each request to access computing resources must be authenticated dynamically before access is granted.
Applying zero trust principles and concepts allows an organization to shift its focus from a perimeter-focused security perspective to a proactive, data-centric strategy. This shift provides several benefits, including reducing a system’s attack surface, enhancing threat detection and response capabilities, improving resilience, and adapting to modern work environments while also addressing data protection and compliance requirements.
Zero trust is based on the core concept that all networks are potentially compromised, so no entity should be trusted without verification. This philosophy runs counter to traditional cybersecurity practices and assumptions. As a result, zero trust represents a paradigm shift from the traditional cybersecurity strategy. The transition to zero trust likely will be incremental and iterative, requiring thoughtful change management and continuous monitoring.
Zero trust principles should be included with basic security principles to provide a foundation for developing, operating, and maintaining secure systems and protecting data. Security principles codify fundamental guidelines that shape how systems, applications, and processes are designed and managed to ensure they are protected against threats and vulnerabilities.
Security and zero trust principles help to ensure that systems are protected against threats and vulnerabilities, comply with applicable laws and regulations, and are able to complete their missions. Strategies for implementing security principles must evolve to address the dynamic nature of today’s cyber landscape.
No User or Device Is Trustworthy By Default
The traditional cybersecurity approach for EIT environments employs measures and technologies to protect an organization’s systems and networks from unauthorized access by establishing a secure boundary between internal and external networks. Once attackers breach perimeter security controls and gain access to an organization’s infrastructure, they can traverse the infrastructure’s systems and networks with relative ease.
The movement to a zero trust philosophy can significantly reduce this risk, but it also changes how an organization implements its cybersecurity strategy.
SEI Zero Trust Study
Security and zero trust principles were primarily designed for general-purpose computing systems, such as those found in EIT environments. As part of this study, we explored how to tailor EIT-focused cybersecurity and zero trust principles to weapon system platforms that must meet stringent real-time performance requirements. We focused on accepted security and zero trust principles, including the following:
- Saltzer and Schroeder’s design principles for computer security [Saltzer 1975, Pages 1278–1308]
- additional security principles defined by Saltzer and Kaashoek [Saltzer 2009]
- DoW zero trust tenets and principles (documented in DoD Zero Trust Reference Architecture Version 2.0) [DISA 2022]
- DoW strategic zero trust principles (documented in DoD Zero Trust Strategy) [DoD 2022]
We reviewed principles from the above sources and selected the following well-established principles to analyze in detail:
- never trust, always verify
- presume breach
- least privilege
- scrutinize explicitly
- fail-safe defaults
- complete mediation
- open design
- separation of privilege
- minimize secrets
We made these selections after conducting a literature review of relevant publications containing principles that are generally considered to be applicable to zero trust. The ordering of the principles is designed to facilitate the presentation of the study’s results and does not reflect their priority or level of impact. The remainder of this blog summarizes our analysis of the selected security and zero trust principles, including the tradeoff challenges they present. The details of our study can be found in the SEI special report, Tailoring Security and Zero Trust Principles to Weapon System Environments.
Principle 1: Never Trust, Always Verify
Never trust, always verify is a meta principle of zero trust. According to this principle, no user, device, or network location is inherently trusted. Every access request must be verified and authenticated before access to computing resources is granted, regardless of where the request originates.
Never trust, always verify establishes a common foundation for the other security and zero trust principles that we included in the study. It defines high-level concepts that are used to organize and interpret the remaining eight principles.
Principle 2: Presume Breach
The zero trust principle of presume breach means that an organization should assume that its networks have already been compromised. As a result, no user, application, system, or device should be trusted by default, which requires continuous verification and validation of every access request. In EIT environments, every user, device, and request must be verified before granting access to any data or system, regardless of its location within the network. A variety of controls are implemented in EIT environments to manage security risks, including architecture, authentication, encryption, monitoring, response, and recovery controls.
The performance versus security tradeoffs of implementing authentication, encryption, monitoring, response, and recovery controls in weapon system environments will differ from those in EIT environments. For example, controls that introduce latency into a weapon system’s processing could introduce unacceptable mission risks. Weapon system stakeholders might need to relax some zero trust controls and accept the resulting security risks to meet the system’s performance requirements.
Principle 3: Least Privilege
Least privilege indicates that users, applications, systems, and devices should be able to access only the minimum resources and permissions needed to perform their assigned tasks. Least privilege significantly reduces an organization’s attack surface by restricting access to an organization’s IT resources. In an EIT environment, access permissions for users are generally based on organizational roles and responsibilities, which tend to be relatively static over time. Changes to access permissions for users can be planned and managed.
In contrast, weapon systems are deployed in unpredictable and highly contested environments, where real-time adjustments to users’ access permissions might be needed. Weapon system stakeholders must determine the extent to which access requirements or security status might change dynamically during mission execution and be able to respond accordingly. For example, it might not be feasible to restrict access privileges on a per-session basis. This limitation could introduce issues (e.g., latency) that could affect mission execution (and ultimately mission success). A thorough risk analysis will help stakeholders balance zero trust and mission requirements by examining the associated risks and tradeoffs.
Principle 4: Scrutinize Explicitly
The zero trust principle of scrutinize explicitly involves verifying and authenticating access requests based on available data for each user, application, system, and device. The data used for verification and authentication typically includes user identity, device health, location, and data classification. In EIT environments, resource authentication and authorization are dynamic and strictly enforced before access is allowed. This practice requires a continuous cycle of obtaining access, scanning and assessing threats, updating access policies and procedures accordingly, and reevaluating trust continually.
For weapon system platforms, stakeholders must assess zero trust requirements and tradeoffs related to the principle of scrutinize explicitly, particularly in relation to user and asset inventories, identity verification, device posture checks, continuous monitoring, policy enforcement, and automation and analytics. The practices needed to implement this principle could introduce risks that affect mission execution. For example, the technologies required to implement continuous monitoring and policy enforcement could affect a weapon system’s performance by consuming system resources and introducing latency.
Principle 5: Fail-Safe Defaults
The fail-safe defaults principle denies access to resources or information by default unless permission is granted explicitly. This means that a system should always restrict access unless it is actively authorized, minimizing the risk of unauthorized access or security breaches. In an EIT environment, access permissions for users are generally based on organizational roles and responsibilities. If the user does not have a need to access an object or resource, then—based on fail-safe defaults—the user is denied access.
For weapon system platforms, stakeholders must assess zero trust requirements and tradeoffs related to the principle of fail-safe defaults, particularly for provisioning new users, assigning role-based access privileges, and managing software updates. Implementing the concept of no access by default reduces the chances of sensitive data and resources being accessed by unauthorized users. However, if users unexpectedly need access to information and resources during mission execution (e.g., through dynamic reallocation of personnel), the application of the fail-safe defaults principle could prevent those users from accessing the information and resources they need to carry out their assignments. The application of the fail-safe defaults principle in weapon system environments requires analysis and tailoring based on the mission being pursued and the associated opportunities and risks.
Principle 6: Complete Mediation
Complete mediation states that every access request to a resource must be checked every time, ensuring that unauthorized access is prevented. The access operation must be intercepted and determined to be acceptable before a resource can be accessed. Identity, credential, and access management (ICAM) and asset management are services used in EIT environments to implement complete mediation.
Weapon system stakeholders must assess the tradeoffs associated with implementing the principle of complete mediation within the system. Stakeholders must evaluate the performance versus security requirements for weapon systems. Checking each transaction against the security policy before providing access consumes IT resources and can introduce latency, which can adversely affect the mission. The tradeoff analysis must consider the weapon system’s role within the missions it supports, its internal processing requirements, and its interface requirements with other systems.
Principle 7: Open Design
The security principle of open design states that a system’s security should not rely on the secrecy of its design or implementation. A system’s security risks can be managed even if its architecture and algorithms are publicly known. Open design also implies that systems should be built so that they can be easily inspected, analyzed, and modified by anyone with the necessary skills and knowledge. In EIT environments, the principle of open design requires implementing well-established standards, leading practices, and transparent implementation details.
In weapon system environments, stakeholders need to assess the tradeoffs between releasing design information and restricting its disclosure. Many technologies in weapon systems provide a military advantage and promote survivability objectives. For example, critical program information (CPI) refers to information that could undermine U.S. military preeminence or technological advantage on the battlefield if compromised. Programs need to strike a balance between the principle of open design and the need to protect a weapon system’s information.
Principle 8: Separation of Privilege
The principle of separation of privilege states that a system should not grant permission based on a single condition. Systems and programs granting access to resources should do so only when more than one condition is met. In an EIT environment, different roles and access levels are assigned to individuals, where one person might be responsible for initiating a transaction, another is responsible for approving it, and a third is responsible for recording it. This practice ensures that users fulfill their duties without exposing sensitive data or making unintended errors. Controlling access to data and resources also helps to reduce the attack surface, mitigate the impact of insider threats, and limit the lateral movement of attackers within an EIT environment.
Weapon system stakeholders must assess zero trust requirements and tradeoffs related to separation of privilege. Weapon systems typically operate in real time. Security checks and access control mechanisms in real-time systems need to be designed carefully to avoid disrupting operations and introducing latency. A thorough risk analysis will help stakeholders balance zero trust and mission requirements associated with separation of privilege by examining the associated risks and tradeoffs.
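Principles 3, 5, 6, and 8 above (least privilege, fail-safe defaults, complete mediation, and separation of privilege) combine naturally in a single policy decision point, and the latency tradeoff the article raises for each of them can be made visible there. The following is an added illustration, not code from the SEI study or from any DoW system: a constructed allow-list policy in which every request is re-evaluated from scratch (complete mediation), anything not explicitly listed is denied (fail-safe default), and a constructed two-person action requires a second, independent approver (separation of privilege). The role, action, and resource names and the per-decision latency budget are hypothetical values chosen for the example.

```python
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALLOW, DENY = "allow", "deny"

# Constructed, hypothetical allow-list of (role, action, resource).
# Anything not listed here is denied: the fail-safe default.
ALLOW_RULES = {
    ("operator", "read", "sensor-feed"),
    ("operator", "read", "nav-status"),
    ("commander", "read", "sensor-feed"),
    ("commander", "execute", "fire-control"),
}
# Constructed actions that need a second, independent approver
# (separation of privilege: more than one condition must hold).
TWO_PERSON_ACTIONS = {("execute", "fire-control")}


@dataclass(frozen=True)
class Request:
    subject: str
    role: str
    action: str
    resource: str
    device_attested: bool              # result of a device posture check
    second_approver: Optional[str] = None


@dataclass
class PolicyEngine:
    # Hypothetical mission-specified bound on time spent per decision.
    latency_budget_s: float = 0.002
    audit: List[Tuple[str, str, str, str, bool]] = field(default_factory=list)

    def decide(self, req: Request) -> str:
        """Evaluate one request from scratch; nothing is cached between calls
        (complete mediation), so a changed device posture changes the verdict."""
        t0 = time.perf_counter()
        verdict = DENY                                   # fail-safe default
        if req.device_attested and (req.role, req.action, req.resource) in ALLOW_RULES:
            needs_second = (req.action, req.resource) in TWO_PERSON_ACTIONS
            independent = req.second_approver not in (None, req.subject)
            if not needs_second or independent:
                verdict = ALLOW
        within_budget = (time.perf_counter() - t0) <= self.latency_budget_s
        self.audit.append((req.subject, req.action, req.resource, verdict, within_budget))
        return verdict

    def budget_violations(self) -> int:
        """Count decisions that exceeded the latency budget; input to the tradeoff analysis."""
        return sum(1 for entry in self.audit if not entry[4])
```

The audit list records every decision together with whether it met the budget, so a program can quantify how often mediation cost exceeds the mission bound before deciding whether to relax a control.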
Principle 9: Minimize Secrets
The minimize secrets principle focuses on limiting the number and scope of secrets that are accessible to users and systems. Examples of secrets are digital credentials, passwords, application programming interface (API) keys, encryption keys, secure shell (SSH) keys, and tokens used for authentication and access control. This principle requires that secrets (1) be few and easily interchangeable, (2) have a high degree of unpredictability, and (3) be minimal in complexity. When compromised, secrets can lead to attacks or breaches, which is why it is important to manage them properly. The broad range of secrets required in an EIT environment requires effective management of those secrets to prevent unauthorized access.
Weapon system stakeholders must assess zero trust requirements and tradeoffs related to the principle of secrets management. Weapon systems often have strict timing requirements. Implementing a secrets management system can introduce latency or processing complexity into accessing and managing secrets, which can potentially impact performance. Many weapon systems operate in dynamic and highly contested environments. These types of environments can make it difficult to manage secrets because they require flexible approaches. In addition, the real-time components of a weapon system often have complex dependencies between them. Identifying and minimizing the secrets needed by each component can be a challenge.
The Ongoing Evolution of Security Strategies to Manage Emerging Threats
Zero trust is another phase in the ongoing evolution of security strategies needed to manage emerging threats and deploy new technologies across the systems lifecycle. Mission environments are dynamic and require ongoing tuning, refinements, and improvements to ensure that resources and risks are managed effectively. Effective management in these environments requires monitoring risks and strategies closely and being prepared to adapt when necessary.
Principles are basic ideas or concepts that explain how something is supposed to work. They provide a bridge between theory and practice and help to make abstract ideas actionable. While principles are based on theories, they are more concrete and specific than theories and provide a framework for their implementation. Our study of security and zero trust principles provides foundational content that can help inform the development of zero trust implementation strategies and guidance for weapon systems. Our future research-and-development activities will focus on providing actionable strategies and guidance for implementing zero trust capabilities in weapon system platforms.
Additional Resources
Tailoring Security and Zero Trust Principles to Weapon System Environments by Christopher J. Alberts, Rhonda Brown, Timothy Morrow, and Charles M. Wallen
API Security: An Emerging Concern in Zero Trust Applications with McKinley Sconiers-Hasan and Tim Morrow
The SEI Zero Trust Collection contains materials about SEI work related to zero trust.