Air Combat Command Pursues Zero Trust Architecture

The command has two pilot programs underway to employ the cybersecurity tool.

The U.S. Air Force is experimenting with a zero trust strategy to provide additional digital protections. Zero trust architecture offers a higher level of cybersecurity, through limited per-session access, continuous monitoring, endpoint security and monitoring of network conversations, explained Col. James Lotspeich, USAF, chief technology officer, Air Combat Command (ACC), Directorate of Cyberspace and Information Dominance (A6).

Col. Lotspeich spoke about the ACC’s zero trust architecture efforts during AFCEA Tidewater’s July 2 virtual luncheon.

“Using Kubernetes orchestration or other orchestration tools, we can separate the Department of Defense Information Network (DODIN) operations from the Defensive Cyber Operations in a clean manner, so the Defensive Cyber Operations can focus on the security policies and monitoring at those security portals,” Col. Lotspeich noted. “And DODIN operations can focus on establishing an accessible, high-speed low-latency highly reliable network, without the need to provide that security for the applications because it is being provided by our architecture. All of these things tie together to create a zero trust architecture.”

It is crucial for the Air Force to move away from a perimeter-based cybersecurity model—the moat and castle approach—to cloud-enabled zero trust, which essentially is like placing a security door in front of each and every application, the colonel said. The new approach shifts from a network location perspective to managing user identity, from layered defenses to harnessing microperimeters, and from having implicit trust of users and open access to requiring proof of security and establishing restricted access, on a per-session basis.

“We will require you to prove that you are secure, and that can happen a number of different ways,” he said. “Rather than providing open access once you are inside of the network perimeter, we provide tailored access… And we no longer need to maintain a domain, instead we are going to look at device compliance, whether it is a domain-joined device or not… By doing it this way, we are no longer beholden to network configuration to manage security. Instead the application security is encapsulated in the code.”

Col. Lotspeich added that this approach will require applications to be developed that are zero trust aware. “Some applications today already do it, but many don’t, so that is one piece that we will fully realize as we move forward on this journey,” he stated.

In January, the command hosted an ACC Zero Trust Summit at The MITRE Corporation’s facility in Hampton, Virginia, bringing leaders together with industry partners such as Google, Microsoft, Unisys, Cisco and Palo Alto.

Since then, the leaders have formed a zero trust strategy tailored to support legacy software and hardware while the new environment is built. Under the strategy, the service also will work to “revector” all of its new application development and create acquisition language that embraces zero trust tenets, Col. Lotspeich offered.

In addition, the command is pursuing two zero trust pilot projects. In one effort, the Air Force has submitted a proposal to the U.S. Cyber Command to use a software-defined perimeter through a software-as-a-service (SaaS) environment. That effort harnesses cloud-hosted enterprise services—and Office 365—using a cloud-native access portal. The goal is to demonstrate a zero trust solution that will work in multicloud, multi-vendor environments, as well as on-prem and legacy platforms, Col. Lotspeich noted. The approach centers on device and user context before allowing access to an application.

The other effort is a data-focused zero trust architecture, he said. The pilot program aims to put such an architecture in place for the ACC’s Special Access Program environment. That effort, which continues through an AFWERX Phase II SBIR award, is still in the early phases. “We are applying the same principles at the data level as opposed to the network access level, which allows for much greater granularity of data control,” the colonel observed.

Col. Lotspeich explained that several key computing innovations, including cloud, microsegmentation and container orchestration—the most widely known is Kubernetes, the Google-designed open-source container orchestration tool for automatically deploying and managing software containers—all came together to enable zero trust architecture. And he sees future advancements coming to containerization that will expand that capability even further, as well as more companies entering the containerization marketplace.

Moreover, the identity and data-centric security focus of zero trust architecture requires appropriate identity management to know whom to let in via per-session access. Here, advances in common access card (CAC) and identity, credential and access management (ICAM) are also needed.

The colonel recommended that the DOD embrace zero trust architecture now, while the cybersecurity tool is still in early development, and apply it to the operational warfighting environment as soon as possible.

“The ACC has begun this journey, but it is a long journey and it will take us time,” Col. Lotspeich said. “Zero trust is not simply something we will go out and buy. There is a strategy to it. Applying zero trust is something that dictates our enterprise IT [information technology] priorities, and it dictates how we direct our efforts and how we use our resources. And it changes some of the things that we focus on today. It will let us focus more on security and less on managing network access and circuit controls.”