
At the heart of defense strategies: Zero Trust

Cybersecurity in the defense sector—whether at the sovereign or industrial level—is both a vital necessity given the current geopolitical climate and a decisive factor in preparing for any potential conflict. Everyone is getting ready: countries are establishing dedicated cybersecurity regiments, and NATO has officially recognized cyberspace as a new domain of operations, alongside air, land, and sea.

The Zero Trust paradigm is becoming essential across all domains and serves as a foundational element in the defense sector. This is evident in the communications and regulations of several countries, where its core principles are often reflected, even if not always explicitly named.

Since 2016 and its first certification and basic qualification by ANSSI, cyberelements has developed a solution that has been selected by numerous governmental and private organizations in the security and defense sectors. The primary selection criterion has been our Zero Trust capability, recognized as unique in Europe by analysts such as Gartner.

This capability can be applied to highly secure access, privileged access, and identity management, which are the keys to Zero Trust. It is available both in an on-premise option and through the cyberelements.io SaaS platform.

While we are not authorized to disclose the names of our clients, regardless of the country, the label “Used by the French Armed Forces” is a strong indication of our presence in this sector.

States have structured themselves to strengthen their cyber response

Each country or group of countries is equipping itself with the means to regulate and ensure the protection, first and foremost, of its military and governmental organizations, as well as public or private entities involved in sovereign functions or critical infrastructure.

In the United States, this effort is structured through the National Defense Authorization Act (NDAA), which follows an annual budgetary approach. In the United Kingdom and France, the strategy is multi-year, guided respectively by the “Defence Command Paper” and the Military Planning Law “Loi de Programmation Militaire”.

Europe, through the NIS and NIS2 directives, takes a broader approach while leaving matters related to national security to individual member states. We explore NIS2 in more detail in other articles.

Three examples of national Zero Trust strategies: United Kingdom, United States, and France

In the United Kingdom, the most significant documents are the Data Strategy for Defence[1] and the Digital Strategy for Defence[2], accompanied by detailed annexes such as the Defensive Cyber Operations Programme. These documents highlight the need for a comprehensive cybersecurity response, which includes broader access to military data “at any time and in any place, whether in the air, on land, at sea, in all bases, and even during remote work.” The challenge is clearly stated: data is a vital resource for defence and therefore must be widely accessible, yet it also carries a high level of confidentiality, requiring minimal exposure.

The initial pillar of the UK’s approach was the implementation of a “secure by design” infrastructure. Core principles of Zero Trust were integrated into its development, guided by the directive: “Develop identity and access management controls to ensure the right users access the right data and nothing else.” There is also a strong commitment to strengthening password security: “keeping our secrets secret”. All of this sits within an agile framework: “Try and test new security solutions early to stay ahead of the curve.”

One of the key characteristics of the military environment is also emphasized: all of this must be able to operate in complex environments (such as overseas operations). Therefore, alongside the technological component known as the “Defensive Cyber Capability (DOC) Core,” the approach titled “Defense Cyber Operations in Complex Environments (DICE)” is also documented.

A word on remote work. It may seem surprising to see it associated with the military sector, yet it is becoming increasingly relevant in defense for a portion of the workforce: not all roles require access to confidential or classified data. Moreover, recruitment within the armed forces is a significant challenge, and ruling out a potential asset altogether is becoming difficult. This, however, demands absolute rigor in the implementation of Zero Trust principles.

In the United States, based on federal decisions, particularly those driven by the National Defense Authorization Act, directives are issued from high-level strategic documents, most notably the classified 2023 Cyber Strategy of the Department of Defense. However, an official summary [3] outlines the direction: building a Zero Trust architecture.

As early as 2022, the Department of Defense set this course with a five-year roadmap for implementing Zero Trust, providing a clear definition also found in documents from the National Institute of Standards and Technology (NIST): “a set of principles that essentially assumes networks are already compromised and requires organizations to continuously validate users, devices, and data.”

The U.S. approach makes this threat concrete by operating under the assumption that the adversary is already inside the network. The goal is to “slow them down and contain them,” as described by Randy Resnick, head of the Department of Defense’s Zero Trust program. The strategy is explicitly detailed in various public documents [4][5]. The military tone captures the essence of Zero Trust in a straightforward way:

« Assume a Hostile Environment

Presume Breach

Never Trust, Always Verify

Scrutinize Explicitly

Apply Unified Analytics »

All the measures are explicitly outlined. The core features of a platform like cyberelements are clearly identified: Conditional User Access, Multifactor Authentication, Privileged Access Management, Identity Federation and User Credentialing, Behavioral, Contextual ID, and Biometrics, Least Privileged Access, Continuous Authentication, and an Integrated ICAM Platform. Each component is precisely defined in terms of expectations and requirements.

In France, the Military Programming Law (Loi de Programmation Militaire) set an early precedent (2014–2019) by strengthening the security of critical information systems for national defense, with specific applications in sectors such as state military activities. Among the 50 measures defined in February 2014 by the Ministry of the Armed Forces, the foundation of a Zero Trust approach was introduced through the requirement for a digital identity for defense personnel. Starting in 2016, 20 specific rules [6] were outlined and implemented, forming the first building blocks of a Zero Trust approach, even if the term itself wasn’t explicitly used. 

These rules emphasized the need for dynamically managed identities (“The operator must immediately deactivate accounts that are no longer needed”), the importance of privileged accounts (“Administrative rights must be assigned according to the principle of least privilege”), and network segmentation (“Each Vital Information System (SIIV) must be physically isolated or… only interconnections strictly necessary for proper operation and security are permitted”).

The subsequent Military Programming Law (2019–2025) further strengthened the role of ANSSI (the French National Cybersecurity Agency), equipping it with a set of guidelines and best practices to enforce these regulations, including in the key areas relevant to Zero Trust.

On-premise or SaaS: cyberelements' Response for the Defense Sector

We thank our clients in the defense sector for the trust built on attentive listening, availability, and a strong commitment to innovation anchored in the Zero Trust model. We’re proud to be challenged on critical issues where cybersecurity lies at the heart of military strategy, driving solutions that are often one step ahead of the civilian world.

These solutions benefit all our clients, whether through an on-premise approach or via our cyberelements SaaS platform.

Experience it firsthand: three simple steps, three minutes, and your cybersecurity platform is up and running.