
How the U.S. Navy and Department of Homeland Security Made Zero Trust Work

Zero Trust has no shortage of frameworks.

There are maturity models, reference architectures, and vendor solutions everywhere. But for many teams, Zero Trust still feels stuck in theory. It’s understood in concept but harder to turn into real outcomes.

That was the focus of the recent webinar, Protect the Data, Not the Noise: A Practical Zero Trust Conversation. In the session, Illumio Chief Evangelist and Zero Trust creator John Kindervag joined Don Yeske to explore what it takes to make Zero Trust work in practice.

Yeske previously led Zero Trust architecture efforts at the U.S. Department of the Navy and the Department of Homeland Security, giving him firsthand experience in some of the most complex and mission-critical environments in government.

That experience showed him that Zero Trust only becomes real when it shifts from broad ambition to focused execution.

That shift starts with one idea: the protect surface.

This is what helped the DHS and the Navy move Zero Trust from theory into operational reality. Here’s what organizations can learn from it today.

Why Zero Trust fails without operational focus

In Yeske’s experience, Zero Trust often breaks down before it even begins.

The issue isn’t understanding the concept. Most teams understand the principles of Zero Trust. The problem is how those principles are applied.

In large organizations, especially in government, the default approach is to think at scale. Security teams frame initiatives at the enterprise level and apply requirements broadly. They measure success by how widely something is deployed.

Yeske described this as an early phase of the Zero Trust journey, where the focus is on the entire attack surface rather than specific outcomes.

That leads to a familiar pattern. Teams implement capabilities like multi-factor authentication (MFA) or endpoint controls across the organization. These are important steps, but they don’t automatically translate into meaningful protection.

The missing piece is focus.

Without a clear understanding of what needs to be protected, controls are applied evenly instead of strategically. That makes it harder to measure impact and easier for risk to persist in critical areas.

The protect surface: where Zero Trust begins

Yeske’s work inside the DHS and the Navy introduced a more practical way to think about Zero Trust.

Instead of trying to protect everything equally, security leaders should shift to identifying what matters most.

At the DHS, that meant asking a simple but powerful question: which data, applications, or services would cause mission failure if they were compromised?

This question reframes the entire strategy.

It forces organizations to move away from broad coverage and toward specific outcomes. It also creates a natural way to prioritize effort, especially in environments where resources and complexity are both high.

This is where the concept of the protect surface becomes critical.

The protect surface is the smallest unit of what matters. It’s not an entire network or system. It’s a specific asset or resource that the organization cannot afford to lose.

By focusing on that, teams can design controls that are precise, measurable, and aligned to real risk.

What it means to operationalize Zero Trust

Turning Zero Trust into something operational requires more than identifying what matters. It needs a repeatable way to build security around it.

Yeske described how this worked in practice.

Define the protect surface

The first step is defining the protect surface in clear terms. This means breaking down large systems into smaller components that can be understood and controlled. If the scope is too broad, it becomes impossible to manage.

A useful rule from Yeske is that you should be able to list every entity that needs access to the protect surface, along with when and why that access is required. If you can’t do that, the scope is still too large.

Understand what’s normal for your network

Once the protect surface is defined, the next step is understanding how it’s used. This involves mapping transaction flows and identifying normal behavior. Without this context, it’s difficult to enforce meaningful policy.

From there, controls are designed and applied as close to the protect surface as possible. This is a key difference from traditional approaches, which often place controls at the perimeter.

Policy plays a central role in this process. Every access decision is based on explicit rules, not assumptions. Access is granted only when conditions are met, and continuously evaluated over time.

Monitor and refine your Zero Trust policies

Finally, the system is monitored and refined. Telemetry provides insight into how the environment behaves, allowing teams to adjust policies and improve over time.
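As an added example (not code from the webinar, from Yeske, or from Illumio), the four steps above as a small Python policy check for one protect surface: the access list records entity, time window and purpose; every decision is default-deny against those explicit rules; and the review function returns what telemetry would flag for refinement. The asset name, entities and flow records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Step 1: the protect surface, stated as narrowly as possible (constructed asset).
PROTECT_SURFACE = {"name": "payroll-db", "port": 5432}


@dataclass(frozen=True)
class AccessRule:
    entity: str            # who needs access
    hours: tuple           # when: allowed [start, end) hour, 24h clock
    purpose: str           # why the access is required


# Step 1 continued: "list every entity, when and why" as data (constructed).
ACCESS_LIST = [
    AccessRule("payroll-app", (0, 24), "process pay runs"),
    AccessRule("backup-svc", (1, 3), "nightly backup window"),
]


def in_scope(flow: dict) -> bool:
    """Step 2: only flows that touch the protect surface are evaluated."""
    return flow["dst"] == PROTECT_SURFACE["name"] and flow["port"] == PROTECT_SURFACE["port"]


def evaluate_flow(flow: dict) -> tuple:
    """Step 3: explicit rules, default deny. Returns (allowed, reason)."""
    hour = datetime.fromisoformat(flow["ts"]).hour
    for rule in ACCESS_LIST:
        if rule.entity == flow["src"] and rule.hours[0] <= hour < rule.hours[1]:
            return True, rule.purpose
    return False, "no explicit rule"


def review_telemetry(flows: list) -> list:
    """Step 4: denied in-scope flows, i.e. what to investigate or add a rule for."""
    return [(f["src"], f["ts"], evaluate_flow(f)[1]) for f in flows
            if in_scope(f) and not evaluate_flow(f)[0]]


# Constructed flow telemetry, not real logs.
FLOWS = [
    {"src": "payroll-app", "dst": "payroll-db", "port": 5432, "ts": "2024-05-01T10:15:00"},
    {"src": "backup-svc", "dst": "payroll-db", "port": 5432, "ts": "2024-05-01T02:05:00"},
    {"src": "backup-svc", "dst": "payroll-db", "port": 5432, "ts": "2024-05-01T14:05:00"},
    {"src": "dev-laptop", "dst": "payroll-db", "port": 5432, "ts": "2024-05-01T11:00:00"},
    {"src": "dev-laptop", "dst": "wiki", "port": 443, "ts": "2024-05-01T11:01:00"},
]

if __name__ == "__main__":
    for row in review_telemetry(FLOWS):
        print("DENIED", row)
```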

This approach transforms Zero Trust from a set of principles into a working system.

The role of capabilities, not just tools

Another important lesson from Yeske’s experience is how organizations think about technology.

In many cases, they approach Zero Trust as a series of product decisions. Teams focus on what to buy rather than what to build.

At the DHS, Yeske took a different approach. Instead of starting with products, they focused on capabilities.

A capability is the ability to perform a function that protects a resource. It includes people, processes, and technology working together.

This distinction is important.

It means that success isn’t defined by whether a tool is deployed. It’s defined by whether the organization can consistently perform the function that tool is meant to support.

Yeske noted that many environments already have the tools they need. The challenge is that those tools are not always used effectively or in coordination with each other.

By focusing on capabilities, organizations can make better use of what they already have while identifying where gaps truly exist.

Scaling Zero Trust across complex environments

One of the biggest challenges in government environments is scale.

The DHS, for example, includes a wide range of agencies with different missions and technical requirements. A single, uniform approach is not always practical.

Yeske described how this complexity was addressed through the concept of a protect web.

A protect web is a set of capabilities organized around a specific protect surface. It allows teams to apply Zero Trust in a way that is tailored to each asset while still aligning with a broader strategy.

This approach enables incremental progress.

Instead of trying to transform the entire environment at once, organizations can build Zero Trust step by step. Each protect surface becomes a unit of progress, contributing to a larger, more resilient architecture.

As Kindervag emphasized during the discussion, this is how Zero Trust is meant to be built: one protect surface at a time.

Turning Zero Trust into something that works

Zero Trust often gets discussed as a destination. But in practice, it’s a method.

What Don Yeske’s experience shows is that success doesn’t come from adopting a framework or deploying a set of tools. It comes from applying a clear, focused strategy and executing it consistently.

The protect surface is what makes that possible.

It gives organizations a way to move from theory to action. It provides a starting point, a structure, and a way to measure progress.

In a world where complexity continues to grow, that clarity is essential.

The goal of Zero Trust isn’t to secure everything equally but to ensure that the things that matter most are protected, no matter what happens around them.

Learn how Illumio can build Zero Trust security at your government agency.
