Security Demands a User in the Loop
Leaders of the agency serving the services’ technology needs aim to balance cybersecurity and ease of use. Development of current and future capabilities focuses on simplifying access as well as facilitating data and network protection.
As a lead up to Technet Cyber 2022, key Defense Information Systems Agency (DISA) directors are sharing their insights during weekly webinars to preview their priorities for attendees and exhibitors alike. The conference takes place next month in Baltimore.
Harmonizing cybersecurity and the user experience requires simplicity and consistency, the panelists agreed. Brian G. Hermann, Ph.D., noted that the network-centric cybersecurity model of the past limited access to systems or data, complicating data availability and ease of use in the name of protection.
“Technically, I could take away your keyboard and your Common Access Card and our network would be more secure because no one could log into it,” explained Hermann, who is the director of DISA’s Cybersecurity and Analytics Directorate. “We have to balance that perspective. So that’s the word I would use constantly throughout this: How do we find balance whether it’s a network-centric or a zero-trust model? We think zero trust is the way going forward,” he said.
Caroline Bean, acting director, Joint Enterprise Services Directorate, DISA, agreed, saying engaging users who have hands-on experience with the enterprise is one way to achieve this balance. For example, O365, the U.S. Defense Department’s software suite, provides a global directory. Consequently, DISA can provide one centralized Active Directory, so users have a single sign-on capability for all the applications their credentials allow.
“That’s the kind of model we want to make sure we’re always adhering to when we’re producing enterprise services. We ask vendors and key partners also to partner with us and think about that,” Bean said.
In addition to making data and systems easier to access, Bean said DISA is developing business systems that simplify purchasing DISA’s products and services. “Whether you're ordering a circuit, a 365 account or a peripheral … it's all one same process. … We are trying to consolidate and make it easier and have one marketplace,” she explained.
Jackie Snouffer, acting director, risk management, DISA, explained the agency also is addressing challenges the companies are facing when working with U.S. Defense Department members. For example, cloud-service providers couldn’t easily share information with users about the risks the cloud could pose to their data security.
To address this issue, the agency stood up a cloud space of the Enterprise Mission Assurance Support Service, or eMASS, where cloud providers can post information about their offerings. This allows mission owners to decide which products best meet their needs and provides the steps to protect their data. “This will shrink the timeline that we can move to authorize our cloud providers as we try to make more offerings available to the department,” Snouffer said.
Korie Seville, technical director, Hosting and Compute Center, DISA, explained that his organization, known as “the hack,” is working with Snouffer’s team on other ways to empower mission owners. For example, an internal project called Infrastructure as a Code creates preapproved baseline templates to use when deploying their cloud environments into a provider’s system.
Seville also described one pilot program in the Stratus constellation of services. The goal is to offer a containers-as-a-service as part of the agency’s on-premises container solution.
“We also are currently working through a pilot of a DevSecOps pipeline to be able to give the agency a way to deploy environments through a CI/CD [continuous integration/continuous delivery] pipeline and continuous integration pipeline infrastructure,” Seville shared. The latter would enable including items such as compliance codes so users would know they could be added onto the pipeline, he added.
Both pilot programs are in their initial stages, and additional information about both will be published in the next few weeks.
Hermann also shared ideas for how the commercial sector can best meet DISA’s and ultimately the Defense Department’s immediate needs. He recommended developing solutions to increase information analysis and sharing automation.
“I know when I go to TechNet Cyber, I will see commercial vendors with capabilities that claim to automate the identification in response to cyber incidents. I'll candidly say that I think one of our highest priority activities is to actually stop having the man in the loop or the woman in the loop and let some of that happen in a fairly automated way. In fact, I think it might be the only way we can keep up with the real-time threats that the department has from our adversaries on a daily basis. It gives us what we need to respond whether it's an external actor trying to attempt to get in to access our data or applications or it's internal user activity. I think automation is the buzzword,” Hermann stated.
Automation will enable mission owners to deal with the mounds of data they are collecting but do not have the staff to sift through and analyze, he pointed out.
“I've said this a number of times: We are drowning in data. We're paying for it and we're not able to use it. So, one of the things I've asked our folks to do is to go on a data diet,” Hermann proposed. Mission owners do not need massive amounts of data to do their jobs effectively, they need actionable data, he added.
Reducing the amount of data they store for immediate access and keeping the remainder in what he referred to as “glacier storage” decreases costs. “Our appetite [for data] is really high, and our budgets are not growing in that space.”
The four-part webinar series tees up AFCEA’s TechNet Cyber event, April 26-28 in Baltimore, and provides an opportunity to learn how you can support the nation’s cyber mission. Be sure to catch the next two sessions April 6 and April 13—all taking place live at 1 p.m. ET. Missed an earlier webinar? No problem. You can view them on demand. One registration provides access to all live and recorded sessions.