> Our adversaries are in our networks, exfiltrating our data, and exploiting the Department’s users.

I'm happy to see this admission lead the document; it's bold coming from an org as conservative as the DoD. To see critical mass around the idea that -- like it or not -- adversaries (both malicious insiders and outsiders) are already on trusted networks is really encouraging.

First, let's be clear what this document is and isn't.

> Importantly, this document serves only as a strategy, not a solution architecture. Zero Trust Solution Architectures can and should be designed and guided by the details found within this document.

This is a long-term strategy doc, not an implementer's guide. Operators looking for zero-trust easy mode won't find it here. It's also very DoD specific.

But there are some good parts. I read the doc so (maybe?) you don't have to.

I made some screenshots of the portions I thought most relevant.

https://imgur.com/a/Dhm7yvi

The comments will make more sense if you are viewing those.

> Zero Trust uses continuous multi-factor authentication, micro-segmentation, advanced encryption, endpoint security, analytics, and robust auditing, among other capabilities, to fortify data, applications, assets, and services to deliver cyber resiliency. The Department is evolving to become a more agile, more mobile, cloud-supported workforce, collaborating with the entirety of DoD enterprise, including federal and non-federal organizations and mission partners working on a variety of missions.

If you somehow managed to read the above without going into a post-word-salad coma, I'm sorry. I highlighted the section just to bring up that there's an awful lot of enterprise security buzzword and DoD acronym bingo going on. But there are some good thoughts too.

> Zero Trust is much more than an IT solution. Zero Trust may include certain products but is not a capability or device that may be bought.

It's nice to hear this being reiterated so often. A good start!

> Zero Trust security eliminates the traditional idea of perimeters, trusted networks, ...

Zero trust is -- to me at least -- mostly about the idea of removing perimeters and trusted networks as the basis for trust and access control. So I'm with you so far.

> ... devices, personas, or processes and shifts to multi-attribute-based levels of confidence that enable authentication and authorization policies founded on the concept of least privileged access

But it's interesting here that the authors are also calling out devices and personas, which are what I'd argue are the fundamental contextual attributes that allow you to replace a "trusted perimeter"; if we aren't using perimeters, devices, personas... what is the DoD suggesting we use? I can't find it.

> At its core, ZT assumes no implicit trust is granted to assets or users based solely on their physical or network location (i.e., local area networks versus the Internet) or asset ownership (enterprise or personally owned).

I strongly agree with the first point, but disagree with and am perplexed by the second. Zero trust is all about getting rid of a trusted network location.

However, asset ownership *matters* because it affects not only the identity of the user, but also the _state_ of the device. It's totally reasonable to have different levels of trust for a managed, company-owned device with a known set of endpoint protection tools vs. a BYOD device whose device state is largely unknown.

The doc does a good job of outlining the "why" of zero trust, and what's required from an org to make it possible.

Unfortunately, while the document starts out strong, it quickly becomes "actually, zero trust is every security thing you've ever heard of". Paired with a timeline no one will ever meet ever.