Implementing a Zero Trust Architecture That Supports Evolving Mission Requirements

DMI’s Zero Trust Plus secures assets, identities, applications, and data with dynamic
policies that support evolving mission and enterprise requirements
Table of Contents
INTRODUCTION
FEATURES
    Cybersecurity Mesh
    Continuous Attack Surfaces, Posture Management, & Automated Compliance Management
    Identity Fabric
    Rapid Threat Detection and SOAR
    Hybrid and Multi-Cloud Advanced Security
    Enhanced Data Security
    Modern Security Service Edge (SSE)
    Shift-Left Application Security
CONCLUSION
INTRODUCTION
Implementing Zero Trust architecture and optimizing
security controls and operations can be a challenging
journey for enterprise organizations. Zero Trust Plus is
DMI’s security service solution offering that meets an
organization at any stage of zero trust maturity and
moves the organization to the Advanced and Optimal
levels defined in the Cybersecurity and Infrastructure
Security Agency (CISA) Zero Trust Maturity Model
(ZTMM) 2.0.
Zero Trust Plus incorporates the CISA Advanced
and Optimal ZTMM capabilities into a modular
offering that allows organizations to secure assets,
applications, and data located centrally or in remote
locations. It provides dynamic policies that support
evolving mission and enterprise requirements.
Additionally, it offers the ability to identify, isolate, and
remediate threats and vulnerabilities quickly based
on identifiable tactics, techniques, and procedures
used by adversaries.
CYBERSECURITY MESH
GOVERNANCE | CONTINUOUS MONITORING | ENTERPRISE-WIDE ANALYTICS | AUTOMATION | MICRO-SEGMENTATION

Identity Fabric
• Continuous validation & risk analysis
• Enterprise-wide integration
• Tailored, automated access
• Just-in-time & just enough access
• Automated analysis over user activity log types
• Behavior-based analytics

Continuous Attack Surface & Posture Management & Automated Compliance
• Discover all assets
• Identify exploitable vulnerabilities, misconfigurations, exposed data, default credentials
• Continuously monitor attack surface for changes & new exposures
• Aligns with NIST, CIS, ISO 27001 for compliance, SSP, POA&M, and ATO documentation
• OSCAL support for compliance as code

Shift-Left Application Security
• Continuous authorization of application access
• Sophisticated attack protection in all workflows
• Security testing integrated throughout lifecycle
• Real-time risk analytics of application usage
• Immutable workloads
• Continuous & dynamic application monitoring
• Automate application security configurations
• Automates secure application development and deployment

Modern Security Service Edge
• Distributed micro-perimeters
• Configurations evolve to support application profiles
• Cryptographic agility
• Enterprise-wide situational awareness
• Advanced monitoring with automated telemetry correlation
• Secure external connections based on application and user workflows

Enhanced Data Security
• Data inventorying, categorization, and labeling
• Optimized data availability
• Data loss prevention & exfiltration blocking
• Data leak prevention for generative AI
• Data-in-use encryption
• Predictive analytics support views of agency data
• Automates data lifecycles & dynamic enforcement of security policies

Hybrid & Multi-Cloud Advanced Security
• Cloud Security Posture Management (CSPM)
• Cloud Workload Protection Platform (CWPP)
• Kubernetes Security Posture Management (KSPM)
• Cloud Identity and Entitlement Management (CIEM)
• Data Security Posture Management (DSPM)
• Cloud Detection and Response (CDR)
• Infrastructure as Code (IaC) Scanning

Rapid Threat Detection & SOAR
• Unified approach for threat protection and policy enforcement
• Enterprise-wide situational awareness
• Automate telemetry correlation across all detection sources
• Real-time visibility and content-aware protections for applications against sophisticated attacks
• Continuous optimization for security and performance
• Dynamic response to enterprise-wide changing requirements
ZERO TRUST + WHITEPAPER 3
FEATURES
Cybersecurity Mesh
DMI’s cyber mesh architecture integrates governance, continuous monitoring and analytics, automation, and
micro-segmentation across all assets, applications, workloads, data, and attack surfaces in an enterprise and its
partner ecosystems. The cyber mesh shields a distributed enterprise from threats and enables the organization
to support its mission and customers without disruption.
Federated governance within the cyber mesh architecture provides overarching security policies, standards,
and guidelines for the entire organization. Key features of cybersecurity federated governance include
accountability frameworks, decision-making hierarchies, defined risks related to business objectives, mitigation
plans and strategies, and oversight processes and procedures.
Continuous monitoring maintains situational awareness of all systems and collects security data from multiple
sources. Cyber analytics provide actionable insights through the detection of deviations, misconfigurations,
potential vulnerabilities, and malicious behavior. Automation is supported through low-code workflows and
playbooks that orchestrate and integrate security tools and data sources to enable coordinated response
actions across different security technologies. Automation allows human analysts to approve steps and manual
interventions within the workflows to ensure proper oversight and decision making.
DMI’s cyber mesh incorporates several key features:
• Actionable intelligence on the edge from the collection, processing, reduction, enrichment, and routing of
data to optimize storage and analysis
• Centralized dashboards to monitor and manage incidents
• Identity-based policy administration and enforcement
• Scalable JSON-based data storage with vector embeddings to natively support AI & Machine Learning insights
• Distributed hot-warm-cold activity logging supporting M-21-31 logging requirements
DMI’s cyber mesh architecture integrates and collects threat intelligence and data from various
observability platforms that support each pillar of the zero trust model. The mesh architecture performs
several data management tasks, such as:
• Extracting, transforming, and loading data
• Removing duplicate data
• Cleaning and normalizing data
• Enriching data with additional information
• Detecting sensitive data and ensuring its security, access control, and governance
• Integrating customer-specific business data from multiple sources
• Applying advanced AI techniques, such as Generative AI and Retrieval Augmented Generation (RAG)
By performing these tasks, the mesh architecture helps organizations effectively manage and utilize their data
to support their zero trust security framework.
DMI also supports agentless, identity-based micro-segmentation that assigns a /32 IP address and default
gateway to endpoints, effectively creating a segment of one, removing the risk of east-west and north-south
lateral movement on local networks, and eliminating the complexity of firewalls. Least privilege access to
endpoints is dynamically controlled through continuous assessment (authentication and authorization) and
context-based access policies.
Continuous Attack Surfaces, Posture Management, and Automated Compliance Management
Continuous attack surfaces, posture management, and automated compliance management provide total
visibility into all potential attack surfaces by:
• Discovering assets across the entire enterprise, including rogue devices
• Automating security testing across the entire external attack surface to identify exploitable vulnerabilities,
misconfigurations, exposed data, and default credentials
• Validating that customer-owned cybersecurity software and tools are deployed properly and correctly
integrated within workflow operations to ensure proper detection, response, and remediation
Automated compliance management continuously assesses systems, including infrastructure, applications,
and data, to ensure security controls mapped to NIST 800-53 v5, CIS, or other benchmarks are enforced. This
helps to track and manage Plans of Action and Milestones (POA&Ms) and eliminates security deficiencies and
unknown threat vectors.
DMI utilizes OSCAL (Open Security Controls Assessment Language) to automate and streamline the process
of creating and maintaining security documentation. OSCAL is a standard format that represents security
controls, profiles, implementations, and assessments in machine-readable formats such as XML, JSON, and
YAML. These formats facilitate automation, integration, and interoperability across the security control lifecycle.
This approach ensures that security controls are consistently applied and documented across the organization,
reducing the time and effort required to maintain compliance with various security frameworks and
regulations. OSCAL artifacts can be managed in version control systems like Git, allowing tracking of changes,
branches for different environments, and traceability of control implementations.
By using OSCAL, DMI can:
• Template security controls mapped to NIST 800-53 compliance requirements
• Generate System Security Plans (SSP) as code
• Implement Compliance as Code
• Produce Automated Documentation as Code
DMI offers a comprehensive approach to identifying, tracking, testing, and remediating security risks at both
the system and enterprise levels. The company continuously monitors and audits compliance to ensure that
security controls are effective and up-to-date.
To achieve this, DMI aggregates data from across the infrastructure, normalizes scan results from the security
stack into a single view, and maps the results to relevant cloud-specific and other security controls and
standards. These include FedRAMP, DoD CC SRG, ISO/IEC 27001, and others.
DMI automates the security assessment processes that underlie compliance and maintains a central
body of evidence to support continuous audit cycles. The company employs predictive control mapping
to automatically correlate control references across multiple tests, increasing accuracy and efficiency in
compliance mapping. Additionally, vulnerability scan results are dynamically mapped to compliance controls,
ensuring that potential security risks are promptly addressed.
By implementing these measures, DMI helps organizations maintain a robust security posture and ensures
continuous compliance with various security frameworks and regulations.
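The compliance-as-code loop described in this section, as an added example (not DMI's code and not a real OSCAL toolchain): a constructed, trimmed profile and system security plan shaped like OSCAL JSON are compared to find controls the baseline selects but the SSP never documents, and constructed, normalized scan findings are mapped onto baseline controls to produce POA&M candidates. The field names follow OSCAL's profile and SSP models, but the documents omit most fields real OSCAL requires, and the check-to-control mapping table is an assumption.

```python
"""Compliance-as-code check over OSCAL-shaped documents (added example).

Added illustration, not DMI's code. PROFILE_JSON and SSP_JSON are constructed,
heavily trimmed fragments following the shape of an OSCAL profile (selects
control ids from a catalog) and system security plan (lists implemented
requirements by control-id); real OSCAL documents carry many more fields.
"""
import json

# Constructed profile: the baseline this system must meet (NIST SP 800-53 style ids).
PROFILE_JSON = json.dumps({"profile": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "imports": [{"href": "#placeholder-catalog", "include-controls": [
        {"with-ids": ["ac-2", "ac-3", "au-2", "ia-2", "ia-5", "sc-8", "si-2"]}]}],
}})

# Constructed SSP: what the system documents as implemented (the file kept in Git).
SSP_JSON = json.dumps({"system-security-plan": {
    "uuid": "00000000-0000-4000-8000-000000000002",
    "control-implementation": {"implemented-requirements": [
        {"control-id": "ac-2", "description": "Accounts provisioned via the identity fabric"},
        {"control-id": "ac-3", "description": "Context-based access policies at the micro-perimeter"},
        {"control-id": "au-2", "description": "Hot-warm-cold logging of auditable events"},
        {"control-id": "ia-2", "description": "Phishing-resistant MFA for all users"},
        {"control-id": "si-2", "description": "Patching within SLA from CWPP findings"},
        {"control-id": "cm-6", "description": "CIS benchmark configuration enforced"},
    ]},
}})

# Constructed scanner output, already normalized to one record per finding.
SCAN_FINDINGS = [
    {"id": "F-1", "check": "outdated-package", "asset": "web-01"},
    {"id": "F-2", "check": "default-credential", "asset": "db-01"},
    {"id": "F-3", "check": "weak-tls", "asset": "web-01"},
    {"id": "F-4", "check": "unclassified-banner", "asset": "web-01"},
]

# Assumed mapping from scanner checks to the controls they evidence against.
CHECK_TO_CONTROLS = {"outdated-package": ["si-2"], "default-credential": ["ia-5"], "weak-tls": ["sc-8"]}


def required_controls(profile_json):
    """Every control id the profile selects from its imported catalogs."""
    ids = set()
    for imp in json.loads(profile_json)["profile"]["imports"]:
        for selector in imp.get("include-controls", []):
            ids.update(selector.get("with-ids", []))
    return ids


def implemented_controls(ssp_json):
    """Every control id the SSP claims to implement."""
    ssp = json.loads(ssp_json)["system-security-plan"]
    return {req["control-id"] for req in ssp["control-implementation"]["implemented-requirements"]}


def undocumented_extras(profile_json, ssp_json):
    """Controls the SSP implements that the profile never selected (informational)."""
    return implemented_controls(ssp_json) - required_controls(profile_json)


def build_poam(profile_json, ssp_json, findings):
    """POA&M candidates: documentation gaps first, then scan findings tied to baseline controls.

    A control the profile selects but the SSP omits is a documentation gap. A finding
    whose control is in the baseline is a weakness against that control whether or not
    the SSP claims it; findings with no mapping are surfaced so the mapping gets fixed.
    """
    required = required_controls(profile_json)
    implemented = implemented_controls(ssp_json)
    items = [{"control-id": cid, "finding": None, "reason": "selected by profile, not documented in SSP"}
             for cid in sorted(required - implemented)]
    for finding in findings:
        controls = CHECK_TO_CONTROLS.get(finding["check"])
        if not controls:
            items.append({"control-id": None, "finding": finding["id"],
                          "reason": f"check {finding['check']!r} has no control mapping"})
            continue
        for cid in controls:
            if cid in required:
                items.append({"control-id": cid, "finding": finding["id"],
                              "reason": f"{finding['check']} on {finding['asset']}"})
    return items


if __name__ == "__main__":
    for item in build_poam(PROFILE_JSON, SSP_JSON, SCAN_FINDINGS):
        print(item)
    print("implemented beyond baseline:", sorted(undocumented_extras(PROFILE_JSON, SSP_JSON)))
```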
Identity Fabric
The identity fabric enables dynamic context-aware access control as well as scalable governance, passwordless
and multi-factor authentication, flexible identity entity integration, dynamic secrets, asset and service
identity, and privileged access management (PAM) with zero standing access and continuous validation and
risk analysis. The identity fabric ensures that only authenticated and authorized users and non-person entities
are permitted within the cybersecurity mesh, while providing quick, just-in-time access to all required
applications and data.
Key features of the identity fabric include:
1. Scalable Governance:
• Accelerates access review, certification, and recertification
• Provides risk scoring for users based on attribute values, group membership, application, permission,
cost, and risk
• Reduces risk of inappropriate access through real-time risk analysis
• Supports audit reporting
2. Password-less Multi-Factor Authentication (MFA):
• Verifies user identity without passwords by using mobile devices, FIDO certified security keys, or biometrics
• Eliminates vulnerabilities like phishing, credential stuffing, and password reuse attacks
• Improves user experience
3. Flexible Identity Entity Integration: ties authentications from various authentication methods into a
single consolidated identity
4. Dynamic Secrets: stored, controlled, and managed outside of source code through a single centralized
FIPS 140-2 Level 3 certified hardware security module (HSM) via RESTful APIs
5. Asset and Service Identities:
• Automatically managed identities assigned to users, applications, services, or workloads
• Enable secure authentication and access to other resources or services
6. Privileged Access Management (PAM):
• Governs and monitors elevated access rights
• Mitigates the risks associated with privileged accounts being compromised or misused
• Incorporates MFA, zero standing access, session monitoring and recording, just-in-time access provisioning,
and least privilege enforcement for privileged accounts
These features work together to create a secure and efficient identity management system that protects
against unauthorized access and ensures compliance with security best practices.
Rapid Threat Detection and SOAR
Rapid threat detection and security orchestration, automation, and response (SOAR) are powered by a scalable
data mesh architecture, advanced cyber analytics, and modern Artificial Intelligence and Machine Learning
solutions.
IT/IoT/OT threat detection is performed through prepackaged rules, honed by threat researchers and the
security community, that automatically detect known threats early in the attack lifecycle before damage
occurs. Alerts are enriched with threat intelligence and correlated for high-fidelity detection.
Prebuilt detection rules are mapped to MITRE ATT&CK tactics and techniques, which are visually represented
through color-coded cells based on the number of rules mapped to each technique. This allows for easy
identification of coverage gaps. Detection rules can be filtered based on rule status (enabled/disabled), rule
type, and searches for specific tactics, techniques, and rule names. SOAR platforms can leverage the ATT&CK
mappings to automate incident response actions based on identified tactics and techniques.
Knowledge graphs integrate data across zero trust pillars, including identity, user, network, and workload data,
to discover and understand relevant relationships that enable anomaly detection, threat hunting, and root
cause analysis of malicious activity. DMI also automates risk prioritization and orientation through the
consolidation of detection tool findings, combined with the contextualization of findings through asset
profiling and configurable risk management.
Security Orchestration, Automation, and Response (SOAR) provides a low-code interface to build automated
security workflows and playbooks. DMI combines human and machine intelligence to optimize Security
Operations workflows and maximize return on investment. AI is applied to alerts, cases, intelligence, and
automation pipelines via LLMs. Advanced cyber analytics incorporate machine learning and behavior analytics
to uncover hidden threats and suspicious behavior across diverse data sources.
Generative AI allows security analysts to use natural language for alert summarization (why an alert triggered
and recommended steps for triage and remediation), workflow suggestions (guiding users through tasks like
adding alert exceptions and creating custom dashboards), query conversion (converting queries from other
security products to streamline migration), and agent integration advice (recommending the best methods
for collecting data).
Unsupervised machine learning (ML) models automatically detect anomalies and underlying root causes from
various data sources including logs, network traffic, and host activity. Supervised machine learning models
may be trained to distinguish suspicious activity from normal activity and identify MITRE tactics, techniques,
and procedures (TTPs), and specific threat use cases.
The combination of AI and ML enhances DMI’s threat detection, investigation, and response workflows for
security operations.
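An added example (not DMI's code) of the ATT&CK coverage view described above: detection-rule metadata is filtered by status, rule type or search term, rules are counted per technique, each cell is bucketed into a color level, and techniques with no enabled rule are reported as coverage gaps. The rules, the color thresholds and the reduced tactic/technique grid are constructed for the demonstration; the technique ids are real ATT&CK ids.

```python
"""ATT&CK coverage matrix built from detection-rule metadata (added example).

Added illustration, not DMI's product code. RULES and MATRIX are constructed:
the technique ids are real MITRE ATT&CK ids, but the tactic/technique grid is
a hand-picked subset, and the rules are invented for the demonstration.
"""
from collections import Counter

# Constructed subset of the ATT&CK matrix: tactic column -> techniques shown in it.
MATRIX = {
    "Initial Access": ["T1566", "T1078"],
    "Execution": ["T1059"],
    "Credential Access": ["T1003", "T1110"],
    "Lateral Movement": ["T1021"],
    "Exfiltration": ["T1048"],
}

# Constructed prebuilt rules; each carries the techniques it is mapped to.
RULES = [
    {"name": "Encoded PowerShell command line", "type": "query", "enabled": True, "techniques": ["T1059"]},
    {"name": "LSASS memory access by untrusted process", "type": "eql", "enabled": True, "techniques": ["T1003"]},
    {"name": "Many failed logons followed by success", "type": "threshold", "enabled": True,
     "techniques": ["T1110", "T1078"]},
    {"name": "Logon from new country for user", "type": "ml", "enabled": False, "techniques": ["T1078"]},
    {"name": "Macro attachment from external sender", "type": "query", "enabled": True, "techniques": ["T1566"]},
    {"name": "High DNS TXT volume to one domain", "type": "threshold", "enabled": False, "techniques": ["T1048"]},
    {"name": "RDP from workstation to workstation", "type": "eql", "enabled": True, "techniques": ["T1021"]},
]

# Color buckets keyed by minimum rule count (assumed thresholds for the heat map).
LEVELS = [(0, "none"), (1, "low"), (2, "medium"), (4, "high")]


def select_rules(rules, status=None, rule_type=None, search=None):
    """Apply the filters the page lists: enabled/disabled status, rule type, free-text search."""
    selected = []
    for rule in rules:
        if status == "enabled" and not rule["enabled"]:
            continue
        if status == "disabled" and rule["enabled"]:
            continue
        if rule_type and rule["type"] != rule_type:
            continue
        if search:
            needle = search.lower()
            haystacks = [rule["name"].lower()] + [t.lower() for t in rule["techniques"]]
            if not any(needle in h for h in haystacks):
                continue
        selected.append(rule)
    return selected


def coverage_counts(rules):
    """Number of rules mapped to each technique id."""
    counts = Counter()
    for rule in rules:
        counts.update(rule["techniques"])
    return counts


def level_for(count):
    """Map a rule count to the color bucket its cell gets."""
    level = "none"
    for minimum, name in LEVELS:
        if count >= minimum:
            level = name
    return level


def coverage_gaps(rules, matrix=MATRIX):
    """Techniques in the matrix with no enabled rule: disabled rules do not count as coverage."""
    counts = coverage_counts(select_rules(rules, status="enabled"))
    return sorted(t for techniques in matrix.values() for t in techniques if counts[t] == 0)


def render(rules, matrix=MATRIX, **filters):
    """One text line per tactic column, each cell shown as technique[level]."""
    counts = coverage_counts(select_rules(rules, **filters))
    lines = []
    for tactic, techniques in matrix.items():
        cells = " ".join(f"{t}[{level_for(counts[t])}]" for t in techniques)
        lines.append(f"{tactic:<18} {cells}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(RULES, status="enabled")))
    print("gaps (no enabled rule):", coverage_gaps(RULES))
```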
Hybrid and Multi-Cloud Advanced Security
Advanced security controls for hybrid and multi-cloud enterprises secure distributed applications,
infrastructure, and cloud native services (AWS, Azure, GCP) through a single pane of glass that includes
vulnerabilities, risk reduction, and compliance. Risk prioritization ensures that the most critical risks are
identified and surfaced.
Agentless capabilities and easy-to-deploy lightweight agents provide real-time comprehensive coverage of
VMs, containers, Kubernetes clusters, databases, web applications, IaC, and AI:
Cloud Security Posture Management (CSPM) automatically discovers cloud assets (e.g. VMs,
containers, serverless AI), configurations, metadata, networking details, and configuration changes
without an agent. It monitors for misconfigurations, open ports, and unauthorized changes, and it
offers guided remediation steps and guardrails to fix issues and prevent misconfigurations.
Cloud Workload Protection Platform (CWPP) provides comprehensive visibility into workloads,
workload vulnerabilities, and workload threats; scans for vulnerabilities in cloud workloads, virtual
machines, containers, and serverless functions; provides vulnerability remediation through patching;
automates compliance checks; and enforces hardened security configurations across workloads.
Kubernetes Security Posture Management (KSPM) monitors, assesses, and ensures the
security and compliance of Kubernetes environments by continuously scanning Kubernetes clusters for
potential vulnerabilities, misconfigurations, and policy violations while mitigating risks and maintaining
posture via enforcement actions.
Cloud Identity and Entitlement Management (CIEM) oversees identities, entitlements, and
access privileges across cloud and multi-cloud environments. It enforces least privilege access through
permission discovery, detecting excessive or unused privileges, and enabling rightsizing of entitlements.
CIEM integrates with IAM platforms to see all entitlements held by identities and to monitor access
activity and identity usage.
Data Security Posture Management (DSPM) discovers sensitive data, understands data exposure
risks, and prioritizes remediation to prevent data breaches. It provides rapid, agentless visibility into
critical data stored in public and private buckets, data volumes, and in hosted and managed databases.
Cloud Detection and Response (CDR) continuously monitors user activity, privileges, and
configurations across cloud services (SaaS, PaaS, IaaS) to identify and remediate threats and security
incidents in real-time.
AI Security Posture Management (AI-SPM) provides full-stack visibility into AI pipelines by
automatically discovering and documenting AI services, misconfigurations, and misuse.
Enhanced Data Security
Enhanced Data Security provides comprehensive protection for your organization’s data across various
platforms and scenarios. It includes the following features:
1. Data Leak Prevention for Generative AI
This feature monitors and controls data transfers to generative AI platforms, ensuring that sensitive data is
not shared inadvertently. It blocks uploads or inputs that violate company policies, scans for sensitive data
using DLP rules, and employs content filtering to inspect outbound traffic, redacting or masking sensitive data
before it reaches generative AI platforms.
2. Cloud and Insider Threat Detection
Enhanced Data Security monitors every data action, including reads, writes, creates, and shares, to identify
unusual data access behavior that may indicate insider threats or unauthorized access in cloud environments.
3. Accurate Data Classification
The solution uses proximity matching, negative keywords, and algorithmic verification to accurately identify
and classify sensitive data, such as PII (Personally Identifiable Information), PCI (Payment Card Industry) data,
PHI (Protected Health Information), and passwords.
4. Data-in-Use Protection
It enables secure searching, analysis, and manipulation of data without exposing the underlying information or
compromising its security and privacy.
5. Quantum-Proof Encryption
Enhanced Data Security employs post-quantum cryptography to protect communications and data, ensuring
that your information remains secure even in the face of future quantum computing threats.
6. Continuous Data Security Posture Management (DSPM)
The solution continuously monitors data activity to create a cross-cloud audit trail and alerts on abnormal
or risky activities, such as unusual access to sensitive data, potential exfiltration, privilege escalations, and
configuration changes.
7. Ransomware-Proof Data Protection
It safeguards your data from ransomware attacks by encrypting data at rest and in-flight and creating
immutable snapshots. In the event of data loss or corruption, the solution enables rapid recovery of critical
data.
By implementing Enhanced Data Security, your organization can proactively address data security risks across
generative AI platforms, cloud environments, and insider threats while ensuring compliance with data privacy
regulations and maintaining the integrity and availability of your critical data assets.
DMI’s confidential computing protects data in use by keeping it encrypted when it is being processed
within the CPU’s secure enclave or trusted execution environment (TEE). This prevents exposure to rogue
administrators, malicious insiders, or malware with root/kernel privileges. Intellectual property like AI/ML
models, algorithms, and source code are never exposed in plaintext outside of the TEE, even during execution.
Multiple parties securely collaborate and share data without risk of exposing the raw data. Hardware-based
attestation verifies that the TEE is securely configured before decrypting data, preventing tampering or
unauthorized access.
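An added example (not DMI's product code) that ties the generative-AI leak prevention and the accurate-classification features of this section together: an outbound filter for prompts headed to a generative-AI service classifies card numbers, SSNs and credentials using proximity keywords, negative keywords and algorithmic (Luhn) verification, then masks high-confidence matches or blocks the request outright. Keyword lists, thresholds and the sample prompts are constructed; the card numbers are the well-known Visa and Mastercard test numbers, and the SSN is a made-up format-valid value.

```python
"""Outbound content filter for prompts bound for a generative-AI service (added example).

Added illustration, not DMI's product code. It applies the three classification
techniques the page names (proximity keywords, negative keywords, algorithmic
verification) to find card numbers, SSNs and credentials in outbound text, then
masks high-confidence matches or blocks the request. Keyword lists, thresholds
and sample prompts are constructed; card numbers are well-known test numbers.
"""
import re

WINDOW = 40  # characters of context examined on each side of a match
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, separators allowed
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|api[_ -]?key)\s*[:=]\s*\S+")

POSITIVE = {"PCI": ["card", "visa", "mastercard", "cvv", "expiry"],
            "PII": ["ssn", "social security", "tax id"]}
NEGATIVE = ["order", "invoice", "ticket", "tracking", "test", "sample"]
MASK_THRESHOLD = 0.6


def luhn_valid(digits):
    """Algorithmic verification: the Luhn checksum every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def _score(text, start, end, kind):
    """Proximity scoring: positive keywords near the match raise confidence, negative ones lower it."""
    context = text[max(0, start - WINDOW): end + WINDOW].lower()
    score = 0.5
    if any(k in context for k in POSITIVE[kind]):
        score += 0.4
    if any(k in context for k in NEGATIVE):
        score -= 0.3
    return round(score, 2)


def classify(text):
    """Findings as dicts (kind, span, confidence). Card candidates must pass Luhn to count at all."""
    findings = []
    for m in PAN_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            findings.append({"kind": "PCI", "span": m.span(), "confidence": _score(text, *m.span(), "PCI")})
    for m in SSN_RE.finditer(text):
        findings.append({"kind": "PII", "span": m.span(), "confidence": _score(text, *m.span(), "PII")})
    for m in PASSWORD_RE.finditer(text):
        findings.append({"kind": "CREDENTIAL", "span": m.span(), "confidence": 1.0})
    return findings


def enforce(text):
    """Return (action, text that may leave the network): allow, redact or block."""
    findings = classify(text)
    if any(f["kind"] == "CREDENTIAL" for f in findings):
        return "block", ""  # a secret cannot be usefully masked; stop the upload
    out = text
    # Replace right-to-left so earlier spans stay valid after each substitution.
    for f in sorted(findings, key=lambda f: f["span"][0], reverse=True):
        if f["confidence"] < MASK_THRESHOLD:
            continue
        start, end = f["span"]
        last4 = re.sub(r"\D", "", text[start:end])[-4:]
        out = out[:start] + f"[{f['kind']} ****{last4}]" + out[end:]
    return ("redact" if out != text else "allow"), out


if __name__ == "__main__":
    # Constructed sample prompts: masked card, Luhn-invalid number, invoice context, credential.
    for prompt in ["My Visa card 4111 1111 1111 1111 was charged twice, please draft a complaint.",
                   "Tracking number 4111 1111 1111 1112 shows pending.",
                   "Invoice 5500 0000 0000 0004 is overdue.",
                   "Use password: Tr0ub4dor&3 to log in and summarize the errors."]:
        print(enforce(prompt))
```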
Modern Security Service Edge (SSE)
Modern Security Service Edge (SSE) is a comprehensive security solution that provides secure access to web,
cloud, and on-premises applications through a single, integrated platform. SSE incorporates various security
components, including:
1. Secure Web Gateway (SWG): Protects users from web-based threats and enforces internet usage policies
2. Cloud Access Security Broker (CASB): Secures cloud applications and data by enforcing security policies and
providing visibility into cloud usage
3. Zero Trust Network Access (ZTNA): Grants least-privileged access to resources based on a zero-trust policy
that considers user, device, application, and content factors
4. Firewall as a Service (FWaaS): Delivers firewall capabilities through the cloud, eliminating the need for
on-premises hardware
5. Browser Isolation: Securely allows users to access web applications by running the browser engine in the
cloud and streaming rendered content to the user’s native browser
6. Data Protection: Ensures the security and privacy of sensitive data across various platforms and environments
7. Decryption: Enables the inspection of encrypted traffic to detect and prevent threats
SSE is designed to optimize low-latency communications between users and resources, making it highly
scalable to adapt to changing communication needs. It centralizes management through a cloud-delivered
platform, eliminating the need for on-premises hardware. User validation is performed using SAML integration
with a user directory.
Integration of SSE with Security Information and Event Management (SIEM) provides enhanced visibility into
user activities and potential threats by analyzing SSE log data. DMI has integrated data analytics and Security
Orchestration, Automation, and Response (SOAR) systems to maximize visibility, identify root causes, and
automatically take action based on SSE activity.
Cloud Browser Isolation (CBI) is a key component of SSE that allows users to securely access web applications
by loading the accessed web page on a remote browser in cloud data centers and streaming the rendered
content as a pixel stream to the user’s native browser.
Unified Endpoint Management (UEM) complements SSE by providing comprehensive visibility, management,
and security for all endpoints across an organization, including mobile, desktop, and IoT devices. UEM
provisions devices with applications, settings, and security configurations while enforcing security policies and
compliance throughout the device lifecycle. AI and ML capabilities enable proactive issue detection, diagnosis,
and remediation.
Shift-Left Application Security
Shift-Left Application Security is a comprehensive approach that addresses software bill of materials (SBOM)
security, software composition analysis, and code vulnerability management. The DMI DevSecOps Security
Framework accelerates secure software delivery through three main functions: Secure Code & Build, Secure
Deploy, and Secure RunTime.
1. Secure Code & Build
• Incorporates scanning of applications, infrastructure as code (IaC), and secrets for vulnerabilities within the
development environment.
• GitOps automates the process of provisioning infrastructure, ensuring consistent deployment of
infrastructure environments.
• GitOps requires three components: IaC, Merge Requests or Pull Requests, and CI/CD.
2. Secure Deploy
• Incorporates access management security, trusted images management, source code repository security,
API security, and data leak protection.
3. Secure RunTime
• Secures production deployments through version control and by identifying misconfigurations,
vulnerabilities, and threats.
• Provides web application and API security, and protects data at rest and in use.
• An agentless service mesh enforces security policies directly in the kernel without the need for proxies or
sidecars, providing efficient visibility, encryption, and control over network traffic.
DMI’s Shift-Left Application Security includes:
• Static Application Security Testing (SAST): Analyzes application source code, bytecode, or binary code in
real time to identify security vulnerabilities early in the software development lifecycle (SDLC)
• Prioritization of reachable, deployed, or publicly exposed open-source issues posing a greater level of risk
• Review of container images to identify risks and make alternative image recommendations
• Infrastructure as Code (IaC) scanning to identify and fix cloud misconfigurations directly in the IDE, CLI, Git
workflows, and Terraform Cloud
• CycloneDX SBOMs to identify advanced supply chain vulnerabilities and risk. CycloneDX is an open
standard for generating SBOMs in XML and JSON, including metadata such as component names,
versions, licenses, CPEs, and vulnerability information
• Symbolic and generative AI, and machine learning methods, to provide scanning accuracy without false
positives
• API security by scanning backend API code to find vulnerabilities like injection flaws, broken
authentication, and excessive data exposure.
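An added example (not DMI's code) of SBOM-driven triage as described in the list above: a constructed CycloneDX 1.5 JSON document is parsed, components under a denylisted license are reported, and the embedded vulnerability records are ranked by severity plus runtime context so that a reachable, internet-exposed issue outranks an unreachable one. Package names and vulnerability ids are placeholders, the weights and license policy are assumptions, and DEPLOYMENT_CONTEXT stands in for data the runtime layer would supply.

```python
"""Triage of a CycloneDX SBOM against deployment context (added example).

Added illustration, not DMI's product code. SBOM_JSON is a constructed CycloneDX
1.5 document: components carry name, version, purl and licenses, and the top-level
"vulnerabilities" array ties each record to a component by bom-ref. Package names
and vulnerability ids are placeholders. DEPLOYMENT_CONTEXT stands in for what the
runtime layer would report (deployed, internet-exposed, reachable from app code).
"""
import json

SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/example-http@1.2.0", "name": "example-http",
         "version": "1.2.0", "purl": "pkg:pypi/example-http@1.2.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/example-yaml@5.3", "name": "example-yaml",
         "version": "5.3", "purl": "pkg:pypi/example-yaml@5.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/example-leftpad@0.1", "name": "example-leftpad",
         "version": "0.1", "purl": "pkg:pypi/example-leftpad@0.1",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    ],
    "vulnerabilities": [  # ids below are placeholders, not real advisory identifiers
        {"id": "VULN-PLACEHOLDER-1",
         "ratings": [{"severity": "high", "score": 7.5, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:pypi/example-http@1.2.0"}]},
        {"id": "VULN-PLACEHOLDER-2",
         "ratings": [{"severity": "critical", "score": 9.8, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:pypi/example-yaml@5.3"}]},
    ],
})

# Constructed runtime facts keyed by bom-ref.
DEPLOYMENT_CONTEXT = {
    "pkg:pypi/example-http@1.2.0": {"deployed": True, "exposed": True, "reachable": True},
    "pkg:pypi/example-yaml@5.3": {"deployed": True, "exposed": False, "reachable": False},
    "pkg:pypi/example-leftpad@0.1": {"deployed": False, "exposed": False, "reachable": False},
}

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}  # assumed weights
CONTEXT_WEIGHT = {"reachable": 3, "exposed": 2, "deployed": 1}      # assumed weights
LICENSE_DENYLIST = {"AGPL-3.0-only", "AGPL-3.0-or-later"}            # constructed policy


def load_components(sbom_json):
    """Index components by bom-ref so vulnerability 'affects' entries can be resolved."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["bom-ref"]: c for c in sbom.get("components", [])}


def license_violations(sbom_json, denylist=LICENSE_DENYLIST):
    """(name, version, license) for each component under a denylisted SPDX license id."""
    hits = []
    for comp in load_components(sbom_json).values():
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {}).get("id")
            if lic in denylist:
                hits.append((comp["name"], comp["version"], lic))
    return hits


def prioritized_findings(sbom_json, context):
    """Rank vulnerabilities by severity plus runtime context, most urgent first.

    A reachable, internet-exposed 'high' outranks an unreachable 'critical': that is
    the reachability-based prioritization the page describes.
    """
    components = load_components(sbom_json)
    findings = []
    for vuln in json.loads(sbom_json).get("vulnerabilities", []):
        severity = max((r.get("severity", "low") for r in vuln.get("ratings", [])),
                       key=lambda s: SEVERITY_WEIGHT.get(s, 0), default="low")
        for target in vuln.get("affects", []):
            comp = components.get(target.get("ref"))
            if comp is None:
                continue  # dangling ref means an inconsistent SBOM; skip rather than guess
            facts = context.get(target["ref"], {})
            priority = SEVERITY_WEIGHT.get(severity, 0) + sum(
                w for key, w in CONTEXT_WEIGHT.items() if facts.get(key))
            findings.append({"id": vuln["id"], "component": f"{comp['name']}@{comp['version']}",
                             "severity": severity, "priority": priority})
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


if __name__ == "__main__":
    for finding in prioritized_findings(SBOM_JSON, DEPLOYMENT_CONTEXT):
        print(finding)
    print("license violations:", license_violations(SBOM_JSON))
```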
CONCLUSION
DMI Zero Trust Plus has been designed to increase customer zero trust maturity through a modular, future-proof,
scalable, and redundant security architecture. It keeps pace with the latest technical standards, the newest cloud
services, and emerging threats by incorporating Artificial Intelligence, Machine Learning, and post-quantum
encryption.
DMI is a leading global provider of digital services
working at the intersection of public and private
sectors. With broad capabilities across IT managed
services, cybersecurity, cloud migration and
application development, DMI provides on-site
and remote support to clients within governments,
healthcare, financial services, transportation,
manufacturing, and other critical infrastructure
sectors.
© Copyright, 2024 Digital Management, LLC (DMI) | This message is produced and distributed by DMI | https://dminc.com/policies/privacy/