Zero Trust

The Defense Information Systems Agency (DISA) is still in the prototyping stage with its zero-trust solution but already is looking ahead to the next version.

Thunderdome, the prototype being developed by Booz Allen Hamilton under a six-month contract awarded in January, is DISA’s solution for implementing zero-trust cybersecurity. It is a comprehensive effort requiring cooperation across the agency, as well as with the military services, combatant commands and others.

The U.S. Department of Defense might learn a thing or two about the software-defined world from non-defense industry companies such as Netflix and Mazda, Jason Weiss, chief software officer, U.S. Defense Department, recently suggested to the AFCEA Cyber Committee.

Weiss, who serves on the committee, relayed an incident from Mazda that he said keeps him up at night. The incident was reported by BBC News in a February 10th article.

 This article is part of a series that explores zero trust, cyber resiliency and similar topics.

The recently released federal zero-trust strategy from the Office and Management and Budget (OMB) and the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA) has one action area that has raised a few eyebrows within the zero trust community: Go ahead and open your applications to the Internet. Wait… what?

The Defense Information Systems Agency (DISA) has announced the award of a $6.8 million contract to Booz Allen Hamilton for a Thunderdome prototype, a zero-trust security model.

During this six-month effort, the agency will operationally test how to implement DISA’s Zero Trust Reference Architecture, published in March 2020 for the Defense Department, by taking advantage of commercial technologies such as secure access service edge (SASE) and software-defined wide area networks (SD-WANs). Thunderdome will also incorporate greater cybersecurity centered around data protection and integrate with existing endpoint and identity initiatives aligned to zero trust, according to the press release.

The COVID-19 pandemic changed how government agencies do business by requiring remote work and videoconferencing for meetings, creating a growing need for securing these virtual workspaces.

One way to achieve this security, and one that is being mandated across the federal government, is with zero-trust architecture.

Zero trust requires a change of perspective about securing data versus securing networks because data can be anywhere on a device, Joel Bilheimer, a strategic account architect with Pexip, told SIGNAL Magazine Senior Editor Kimberly Underwood during a SIGNAL Executive Video Series discussion.

The Cybersecurity and Infrastructure Security Agency may soon release an initial playbook for departments and agencies to follow while transitioning to a zero-trust cybersecurity architecture. The new guidance will be based on lessons learned from various pilot programs across the government.

The use of zero trust could prove to be a boon for 5G networks by providing vital security across networks made up of a variety of innovative devices and capabilities. Fully established zero trust could allow unprecedented network visibility and situational awareness while ensuring that potential attack points are closed to cyber marauders. Yet, implementing zero trust runs the risk of slowing down the network’s fast data flow if it is not applied properly.

Make no mistake: zero trust represents a cultural shift from today’s approach. It will change the way information is secured and the way users access it. Yet, it also must be applied in ways that do not prevent the secured data from being effectively exploited by its users.

The president has issued an executive order to implement the necessary security to stay ahead of our adversaries. But ultimately, the challenge of zero trust is less one of technology and architecture and more one of integration into the operation and workflows. The key to a successful zero-trust implementation is to secure the data that people need to use while simultaneously enabling them to access it.

The U.S. Indo-Pacific Command will deliver an initial mission partner environment next summer. The capability ultimately will allow U.S. forces to access classified and unclassified networks with one device. It also will provide more effective information sharing with allies and coalition forces.

There is a lot of information available about zero trust—at times inconsistent and unreliable. Talk to different vendors and you are likely to get different answers as to exactly what zero trust is and how to adopt it within your agency.

What you need to know is this:

The Defense Information Systems Agency intends next month to award a contract for its Thunderdome zero-trust architecture and to begin implementing a prototype within six months. The new architecture is expected to enhance security, reduce complexity and save costs while replacing the current defense-in-depth approach to network security.

Defense Information Systems Agency (DISA) officials do not plan to try to force others in the Defense Department or military services to use its zero-trust solution known as Thunderdome.

Thunderdome is a fledgling program that offers a range of capabilities, including secure access service edge (SASE), software-defined area networking (SD-WAN), identity credential access management (ICAM) and virtual security stacks.

SASE, which is pronounced “sassy,” is a technology package that includes SD-WAN, firewall as a service and cloud access security broker. While SASE has been implemented across much of the commercial world, it has not yet been widely adopted by the government.

Led by the Air Combat Command, the U.S. Air Force is pursuing zero-trust architecture on a level not seen before. One of the service’s first main use cases applies the cybersecurity measure to the agile combat employment (ACE). ACE operations provide a more lean, agile and lethal force that can generate airpower from multiple locations. ACE requires a different kind of command and control (C2) environment, as well as advanced planning concepts and logistical supply line support.

A delayed focus on IT modernization could create a gap between frequent high-impact cyber breaches and the U.S. Department of the Navy’s preparedness to address them. From the SolarWinds hack to ransomware, new cyber threats emerge almost weekly. Advances in technology to help defend against such threats occur so quickly that current acquisition and infrastructure programs cannot keep pace.

As more federal agencies and businesses move to the cloud, managing their security needs in this new environment becomes critical. One way to do this is to implement zero-trust architectures as part of an identity cloud environment, said Sean Frazier, federal chief security officer at Okta Inc.

Zero-trust architecture, where it is assumed that the network is or will be compromised, is the latest phase of security development. This is important as the Defense Department modernizes its cloud-based systems under constant pressure from foreign cyber attacks.

Cybersecurity in the federal government, especially for the Department of Defense, is a complex dance between agencies and commercial partners. To get things right, companies working with the government need to be adaptable and resilient in helping government customers meet their mission goals, said Dana Barnes, senior vice president of public sector at Palo Alto Networks.

The federal government has been taking zero trust more seriously. Although a significant part of it has yet to be implemented, some initial work has been completed with zero trust network access, yet the outside-in approach to zero trust and complexity remains. But the more important aspect of zero trust relates to application and workload connections, which is what attackers care about and is not being protected today.

This “other side” of zero trust and a host-based micro-segmentation approach will lead to greater security and will stop the lateral movement of malware. Constituting multiple pilot projects is the best way forward in the inside-out approach to zero trust.

The Federal Bureau of Investigation (FBI) has a unique role as a federal law enforcement agency as well as a national security department. Its vast information technology enterprise must support its functionality in carrying out these roles, which have different rules of engagement. And when adding new tools, processes or software, the bureau has to consider solutions carefully. With zero trust architecture—a method that combines user authentication, authorization and monitoring; visibility and analytics; automation and orchestration; end user device activity; applications and workload; network and other infrastructure measures; and data tenants to provide more advanced cybersecurity—gaining use in the U.S.

The Defense Department’s Joint Enterprise Defense Infrastructure, or JEDI, cloud effort has been tied up in the Court of Federal Claims since a preliminary injunction was issued in February. And although that has prevented the DOD from implementing Microsoft Azure cloud computing solutions, the department is not sitting idle, according to Chief Information Officer Dana Deasy.

“Cloud for me has always been first and foremost about supporting the warfighter,” Deasy told a group of reporters yesterday during a virtual Defense Writers Group meeting. “And when we got put on hold with JEDI, that didn't mean we were going to stop working on figuring out ways to support the warfighter.”

Over the last few months, the Defense Information Systems Agency, known as DISA, has been working with the National Security Agency, the Department of Defense (DoD) chief information officer and others to finalize an initial reference architecture for zero trust. The construct, according to DISA’s director, Vice Adm. Nancy Norton, USN, and commander, Joint Force Headquarters-Department of Defense Information Network, will ensure every person wanting to use the DoD Information Network, or DODIN, is identified and every device trying to connect is authenticated.

The U.S. Defense Department by the end of the calendar year will release an initial zero trust architecture to improve cybersecurity across the department, says Vice Adm. Nancy Norton, USN, director, Defense Information Systems Agency, and commander, Joint Force Headquarters-Department of Defense Information Network.

Norton’s agency, commonly known as DISA, is working with the National Security Agency, the Department of Defense (DOD) chief information officer and others on what she calls an initial “reference” architecture for zero trust, which essentially ensures every person wanting to use the DOD Information Network, or DODIN, is identified and every device trying to connect is authenticated.

Zero Trust, a strategic security model to “never trust, always verify,” centers on preventing successful breaches by eliminating the whole concept of trust from an organization’s digital environment; instead, everything must be proven.