Creating Zero-Trust-Enabled Cloud Environments

The DoD is pressing the top commercial cloud providers to produce the zero-trust components the military needs in its future joint warfighting cloud.

The Department of Defense is taking key steps to build zero-trust architecture into its future cloud computing and data storage platforms. Led by Randy Resnick, director, Zero Trust Portfolio Management Office (ZT PMO), Department of Defense Chief Information Office, the department is in the early stages of pressing the top commercial cloud providers to produce the ZT components the military will need in its future joint warfighting cloud arrangements. Several new pilot efforts will begin in spring 2023 and extend through the following fall. If the ZT properties are implemented successfully, the efforts will lead the way to DoD ZT-enabled cloud environments.

Resnick, widely regarded as a godfather of ZT cybersecurity for military application, has been in the ZT PMO role since January 2022. In his previous role as the National Security Agency’s (NSA’s) ZT strategic lead, Resnick led the creation of the first DoD ZT Reference Architecture, the first NSS ZT Reference Architecture, DoD’s ZT Maturity Model, DoD’s initial strategy for ZT and the construction of two ZT Innovation testbed labs in collaboration with the Defense Information Systems Agency and U.S. Cyber Command, according to the NSA.

“We've been very productive in producing the documentation, answering the really hard questions that not only the DoD has been asking about zero trust, and quite frankly everybody has, and that is how to build an actual zero-trust enterprise network,” Resnick stated. “We've even thought outside that box, about doing zero trust in the cloud. This is a really important [step] that will help defend against our adversaries going forward. And I've had personally and the office has had tremendous support from DoD leadership, allowing us to have freedom of movement to develop these strategies.”

The ZT PMO will conduct an estimated six pilot programs across the services and the U.S. combatant commands. The first four pilots are with the four commercial cloud providers down-selected in November 2021 as part of the initial Joint Warfighting Cloud Capability (JWCC) selection process: Amazon Web Services Inc., Google LLC, Microsoft Corporation (Azure) and Oracle Corporation.

The director and his staff spent the last 11 months defining and identifying the military-necessary components of ZT architecture and will closely examine if these vendors can meet ZT requirements at two levels, “target level zero trust” and “advanced level zero trust.”

“We approached all four of those vendors and we asked them whether or not they could implement zero trust in the way we defined it,” Resnick explained. “We sat down with them, spent a number of hours with each one. We explained to them our approach to zero trust, our definition of zero trust, how we define the capabilities across our seven pillars of zero trust. And then how we broke down each capability into activities. We explained to them that there are 91 activities that define ‘target level zero trust’ and that will be the level that everybody in the DoD has to meet within five years or less. And then we also explained to them the 152 total activities in order to achieve ‘advanced level zero trust,’ 61 more activities on top of the 91.” 

The ZT PMO then asked the vendors whether they could provide ZT architecture as part of their cloud environments. Resnick reported that all of them could perform that kind of advanced cybersecurity, at least at a minimum level.

“All four of them responded back at various different levels of how many zero-trust activities they can do in their cloud,” he shared. “Some of them came back with very high percentages. Some of them came back with slightly lower percentages. They provided paperwork, their analysis of the truth of why they think they are meeting the activities of zero trust, and we took that body of evidence, and we are working with NSA to evaluate that body of evidence across all four of those vendors.”

Resnick, who also has considerable red teaming expertise, having served as chief of the NSA’s Red Team, will see to the stringent testing of the commercial cloud ZT offerings for the DoD environment during the pilot programs. “We're going to validate [those cloud conditions] through red team activity, real red team activity,” the director stressed. “We're also working on how to think about zero trust in a low bandwidth or disconnected environment.” 

The pilots will not directly affect the pending year-end decision by the Defense Information Systems Agency’s one-year-old Hosting and Compute Center and the DoD CIO’s office to award the specific cloud services and JWCC task orders to the cloud vendors under the planned three-year base performance contracts, which will also include two 12-month option periods, he noted.

“We probably won't be able to affect the clouds with a JWCC contract until likely a year from now—November, December next year,” the director emphasized. “The whole idea is that if we can prove out zero trust in the clouds, DoD CIO would likely mandate that from a certain time forward that all DoD clouds have to be zero-trust enabled, and zero-trust enabled in the way we configured it. And we would have to keep configuration control, which would look different for each one of the four vendors.”

Meanwhile, the fifth ZT pilot program is designed by the NSA to be an advanced-level, on-premises cloud ZT effort under the ZT PMO’s Course of Action 3. It will be conducted at the NSA’s National Zero Trust Center (NZTC), located in U.S. Cyber Command’s unclassified DreamPort facility in Columbia, Maryland.

“DreamPort being the facility that CYBERCOM sponsors to perform all their innovation efforts, and innovation efforts specifically with industry, and NSA built the NZTC there,” Resnick explained. “And because I came from NSA, I know that just saying you meet a certain standard doesn't make it so. What really needs to happen is you need to actually do an operational test. And then you have to have it realistically readied in the field.” 

The sixth pilot program, still under consideration, would involve ZT architecture applied to an array of Microsoft products, given DoD’s wide dependency on that company’s software. The ZT PMO is evaluating whether to make this a separate effort from the Microsoft Azure cloud pilot. “It would be with Microsoft to see how far an E-5 license can go in terms of meeting our zero-trust criteria,” he stated. “E-5 is supposed to be everything and the kitchen sink of almost everything that Microsoft produces, which includes Office 365. But there's a lot of other capability in the license itself, which adds value to the overall zero-trust enterprise effect. What we are seeking is enough to prompt us to want to do a pilot.”

In addition, the ZT PMO is developing ZT education for various professional levels at DoD, from beginner through practitioner level, including hands-on lab learning, Resnick shared. Officials from the Defense Acquisition University (DAU) are working closely with the ZT PMO to create the curriculum, with DAU personnel embedded in the office.

“When it comes to zero trust, training classes haven't necessarily been developed yet, so the DoD is moving out on [this],” he noted. “We want to grow the number of people who are familiar with zero trust. We're kind of forced into a corner and having to develop our own training concepts. That's exactly what we're doing now. I see it as a bridge for the DoD until the industry catches up and starts to develop their own cybersecurity classes in zero trust, and then perhaps, extends out to certifications in zero trust.”   

The director also is working with DoD officials to make sure the services have the financial means to accelerate ZT adoption. 

Lastly, the ZT PMO’s efforts have not gone unnoticed by allies, with partner nations and NATO officials expressing interest in the DoD’s approach to implementing zero trust. “They're seeking collaboration with us,” Resnick said. “And we've also shared our approach, our definition, our strategies, with OMB [the Office of Management and Budget], and the Office of the National Cyber Director, who has also shown interest in collaborating at a much deeper level.”