How COTS Makes Zero Trust More Achievable
The availability of capable COTS products helps streamline implementation and reduces the complexity of deploying a Zero Trust Architecture.
By: Dave Dimlich, President of SD3IT
and Steven Boyer, SD3IT Director of Emerging Technologies
Zero trust has been an industry priority for years, yet implementing a Zero Trust Architecture (ZTA) remains challenging for many organizations. High upfront costs, integration with legacy systems and cultural resistance continue to slow adoption. A recent Accenture report found that implementing zero trust still posed a significant challenge for 88% of organizations, with 77% reporting they are behind in adopting essential data and AI security practices.
Implementing zero trust can be an intimidating prospect, but some of the hesitation may stem from misunderstandings, as well as organizations being unaware of their options.
Part of the challenge is that zero trust isn’t a single product or practice. It’s an architecture reflecting a security culture based on core principles and distinct practices. It also requires a sustained effort. An organization may have implemented elements of a zero trust program, such as identity management and least privilege policies, but now needs to microsegment the network to prevent attackers from moving around.
For organizations that haven’t fully implemented a ZTA, time is getting short. Not only are attackers—increasingly aided by AI—becoming more sophisticated and faster in executing ransomware and other attacks, but organizations and institutions may also be facing deadlines to put at least a baseline ZTA in place. The Department of Defense’s mandate that all components implement a Target Level Zero Trust Architecture by 2027, for instance, is fast approaching.
One misunderstanding that prevents zero trust implementation is the idea that it may require specialized expertise and customized devices and services. But zero trust is achievable today using commercial off-the-shelf (COTS) products—as long as you go about it the right way. Using COTS products, in fact, can speed up implementation while cutting costs, making zero trust a less daunting challenge.
Case in Point: A Defense Implementation Using COTS
SD3IT has experience with integrating a ZTA using COTS. In one example, we worked with the integrators on a project for an organization within the Department of Defense, which, like other DOD components, must meet the requirements for a Target Level Zero Trust Architecture in the next year.
Using COTS allowed us to prioritize the right elements from the start. In many cases, technology has advanced more quickly than policy; the products required for a zero trust implementation are already readily available. So our team decided not to focus first on specific products and capabilities, but to start from the DOD standards and work toward them.
The Target Level strategy centers on four requirements within the Seven Pillars of Zero Trust:
Continuous Authentication: Constant verification of users and devices as they move through the network.
Identity Management: Treating identity as the primary control plane for network access.
Microsegmentation: Isolating critical data and systems to limit the “blast radius” of potential breaches.
Data Tagging/Labeling: Implementing consistent classification of data across the enterprise.
The pillars themselves define a ZTA. Although some organizations list five pillars, DOD follows the seven-pillar model:
Identity: Verifies users, services, and non-human entities using strong authentication, MFA, and least-privilege access.
Devices: Ensures the health, security posture, and compliance of any device attempting to access resources (including laptops, servers, and IoT).
Networks: Implements micro-segmentation, encryption, and secure communication to isolate environments and restrict lateral movement.
Applications & Workloads: Secures applications, containers, and virtual machines (VMs) against exploitation, both on-premise and in the cloud.
Data: Identifies, classifies, tags and encrypts sensitive information to manage access and prevent data loss (DLP).
Visibility & Analytics: Provides comprehensive, real-time monitoring and logging of user behavior, network activity and security telemetry.
Automation & Orchestration: Uses automated, AI-driven responses to threats and integrates security tools for faster threat detection and mitigation.
All of these pillars are essential to a ZTA, but the most critical is data. Zero trust is strongly tied to identities, for example, and with good reason. As the network exploded past the traditional on-prem perimeter into the cloud and out to the edge—suddenly populated with more machine identities than human users—identity and access management became paramount. Compromising identities became the attack vector of choice for cyber criminals and adversarial nation-states. Zero trust, which focuses on continual verification and authentication of network identities, has become an essential layer of defense.
However, organizations cannot lose sight of a fundamental point: At its core, zero trust is not about the tools, or even identities. It’s about what you choose to protect, specifically the data. If you get that wrong, everything else falls apart.
With zero trust, we go beyond the traditional Castle Doctrine, also known as the castle-and-moat model, in which the walls, gates and guards protecting a castle correspond to firewalls, intrusion detection systems and intrusion prevention systems. With zero trust, we don’t focus only on perimeter or application protection; we wrap security controls around the data. Protection covers the three primary states of data: storage (data at rest), compute (data in use) and transit (data in motion). Achieving that involves:
Consistent data classification and tagging.
Encryption tied to sensitivity, not location.
Access decisions based on both identity and data context.
Continuous monitoring of how data is accessed, shared and moved.
Microsegmentation that isolates applications and limits lateral movement by attackers.
These steps help to fortify access control and limit any damage once attackers inevitably get inside the network.
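The data-centric controls listed above, as an added example that is not from the article or from SD3IT: a minimal policy decision point in Python that combines identity verification, device posture, least-privilege roles and the data’s classification tag into one access decision. The classification ladder, the re-verification interval and all field names are assumptions for illustration.

```python
# Added example (not from SD3IT or the article): a minimal policy decision
# point that combines identity, device posture and the data's classification
# tag, the way a data-centric zero trust access decision does.
from dataclasses import dataclass, field

# Constructed classification ladder; labels and ranks are illustrative.
CLASSIFICATION_RANK = {"PUBLIC": 0, "INTERNAL": 1, "CUI": 2, "SECRET": 3}
MAX_AUTH_AGE_SECONDS = 900   # re-verify identity every 15 minutes (assumed policy)

@dataclass
class Subject:
    user: str
    clearance: str           # highest label this identity may read
    mfa_verified: bool
    auth_age_seconds: int    # seconds since the last successful verification
    roles: set = field(default_factory=set)

@dataclass
class Device:
    device_id: str
    posture_compliant: bool  # endpoint agent reports patched/encrypted/healthy

@dataclass
class Resource:
    name: str
    label: str               # data tag, e.g. "CUI"
    encrypted_at_rest: bool
    allowed_roles: set

def decide(subject: Subject, device: Device, resource: Resource) -> tuple:
    """Return (allowed, reasons). Every check must pass; reasons list every
    failure so the audit log shows which pillar blocked the request."""
    reasons = []
    if not subject.mfa_verified:
        reasons.append("identity: MFA not verified")
    if subject.auth_age_seconds > MAX_AUTH_AGE_SECONDS:
        reasons.append("identity: session too old, re-authenticate")
    if not device.posture_compliant:
        reasons.append("device: posture non-compliant")
    if CLASSIFICATION_RANK[subject.clearance] < CLASSIFICATION_RANK[resource.label]:
        reasons.append(f"data: clearance {subject.clearance} below label {resource.label}")
    if not subject.roles & resource.allowed_roles:
        reasons.append("least privilege: no role grants access to this data")
    if CLASSIFICATION_RANK[resource.label] >= CLASSIFICATION_RANK["CUI"] and not resource.encrypted_at_rest:
        reasons.append("data: sensitive label requires encryption at rest")
    return (not reasons, reasons)
```

A real deployment would feed `decide` from the identity provider, the endpoint management agent and the data-tagging service, and re-run it on every request rather than once per session.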
The Advantages of Using COTS Products
Implementing a ZTA can seem daunting, but there is guidance available from the likes of the National Institute of Standards and Technology and the National Security Agency, as well as private-sector companies. NIST, in fact, has released a document that details 19 ZTA projects implemented using COTS products.
Using COTS products offers organizations several advantages, including faster procurement and deployment cycles. Because the products are already available, there’s no need for in-house development. COTS products also come with support contracts and automatic product updates. And you can choose mature, best-of-breed products that can solve specific problems.
For all of those advantages, however, security teams don’t want to trust COTS products blindly. They need to be sure that those products, which can introduce supply chain dependencies and vulnerabilities in their underlying components, have been properly secured. Zero trust helps with that by assuming that those products, like everything else in the network, are potentially vulnerable and untrustworthy. Applying zero trust principles such as strict identity verification with strong multi-factor authentication, microsegmentation and least-privilege access helps limit exposure. Privileged Access Management (PAM) further controls administrative access and restricts elevated permissions to specific tasks and timeframes.
In addition to paying attention to the seven pillars, organizations should also be willing to look down the road at emerging threats. For data, the biggest looming threat involves quantum computing. The pending arrival of a practical quantum computer is a moving target, with estimates ranging from two years to five years, 10 years or longer. When it does arrive, current encryption standards will be obsolete.
Attackers are already gearing up for that day by practicing “Harvest Now, Decrypt Later” attacks, in which they steal sensitive but encrypted information and hold onto it until quantum computing enables them to decrypt it.
Designed for Today with the Future in Mind
Zero trust is part of a cultural change that puts security at the top of an organization’s priorities. And because cybersecurity is an ongoing process, a ZTA must address current threats while being built to prepare for what’s around the corner, whether that’s a new AI-powered attack, quantum-enabled decryption or something else. Taking advantage of COTS products allows organizations to move faster, reduce complexity and make zero trust a practical, achievable goal rather than an overwhelming transformation.
About SD3IT
Solution Driven, Designed and Delivered Technology (SD3IT) provides advanced IT solutions that help organizations modernize infrastructure, enhance security and improve operational performance. By aligning emerging technologies with mission needs, SD3IT delivers practical, scalable outcomes across government and commercial environments.