Search AFCEA Site

Enable breadcrumbs token at /includes/pageheader.html.twig

Sponsored Content: Q&A: The Importance of Dynamic Zero Trust for the DoD

Making the connection between people-defined security and zero-trust architectures.
By Sandra Jontz

Zero trust has become the ubiquitous cybersecurity term and a strategic, need-it-now necessity that adapts rapidly to changing threats. It’s a digital architecture that provides secure access to data when users need it, from anywhere in the world and at any time of day or night.

I connected with Ned Miller, senior vice president and general manager of Appgate Federal, and with Michael Friedrich, vice president of strategy and innovation, during a Q&A session to learn how the Defense Department in particular can use the company’s influential dynamic zero-trust solution—today and in the near future.

Q: Gentlemen, thank you for taking the time to address a vital yet somewhat misunderstood technology focus. To jump right in: The Defense Department faces increasingly complex challenges as technology and the cyber threat landscape continue to evolve. The DoD must better understand zero-trust architecture (ZTA). Ned, can you please address what are you doing to help the DoD understand, and more importantly, adopt ZTA?

A: Appgate is on a mission to empower and protect how people work and connect. The new DoD workforce demands an ‘operate from anywhere, anytime, anyplace’ model. People and data are the new perimeter. So, whether we’re protecting and securing data or high value assets such as cloud or 5G networks, or delivering information-sharing capability across mission partner environments, zero trust is front and center of the DoD’s modernization conversations. For the zero trust model to work, the approach must be dynamic and extremely resilient. And the concept of least privilege access decisions must be effective.

Today, we support DoD zero-trust initiatives across a broad range of areas, to include secure access to DevSecOps environments, modernizing base boundary security access, secure access to command-and-control systems, supply chain and third-party access to internal on-premise and cloud-based resources, and even recently IoT systems.   

Q: Heidi Shyu, undersecretary of defense for Research and Engineering at the DoD, shared recently during a virtual Carnegie Mellon University session that the department must “harness the incredible innovation ecosystem, both domestically and globally,” to stay ahead of adversaries. But how? Ned, can you detail the changing perimeter and how you might lead the charge to help the U.S. government stay ahead?

A: We’ve heard it time and again that technology innovation occurs faster than ever before, which means so does the threat landscape. Several recent industry analyst reports and surveys produced fascinating statistics. Here’s how the perimeter changed:

  • 82% of enterprises allow a hybrid workforce
  • 78% allow using a hybrid cloud
  • 95% allow the use of personal devices
  • 86% have been affected by a successful cyber attack
  • 88% of the most significant breaches were caused by human error.

Here’s how we stay ahead: Zero trust cannot solve all these challenges immediately, however, it sets the foundation for improvement. The cyber attack surface today is massive and growing exponentially. We must always remember that adversaries do not play by any rules, and are not governed by budget and procurement timelines, approvals and bureaucracy. Zero trust is an answer to overcome our biggest challenges, people and time.

Q: Can you talk differentiators, and address why Appgate’s zero-trust approach increases vigilance while minimizing risk?  
 
A: Appgate is a purpose-built secure access solution—what Gartner and Forrester classify as zero trust network access capability. We are a critical part of any zero-trust reference architecture, whether you follow the strict definition from the DoD Zero Trust Reference Architecture or the DoD Cloud Native Access Point Reference Design (CNAP). Our software defined perimeter (SDP) is 100% aligned to meet DoD ZTA requirements, as well as NIST SP800-207 Zero Trust guidance. Our SDP platform is approved to run in DoD IL5 environments, certified to run in SC2C secret environments and has been selected as a component to help modernize threat intelligence sharing capabilities within the intelligence community.

We provide our customers with several unique advantages, such as flexibility in our deployment. Our SDP solution can be installed on premise, delivered as a service, from our cloud, a partner cloud or a customer private cloud, such as AWS or Azure GovCloud. The design criteria was to deliver the capability as infrastructure as code—meaning it runs where it’s needed.  

Q: Pivoting to you Michael: Appgate uses the term “Dynamic Zero Trust.” What do you mean by dynamic?

A: Appgate defines dynamic as solutions falling into three buckets.  

First is the ability to send to and receive information from sources outside Appgate SDP. This is critical as a meta data and application programing interface (API)-driven platform; it gives us, as the solution provider, a much deeper integration capability and for the end user, a much richer and more powerful platform on which to develop their zero trust use cases.

Systems that rely strictly on data learned from the user device are not meeting the mission. You must pull and apply information from the user, user device, identity management systems, third party systems, and more. Only then can you truly develop a policy that accounts for the possibility of a bad actor attempting to gain inappropriate access.

Second would be near real-time insight. Zero-trust solutions that cannot react to API or meta data calls in near real-time are not useful. Beware of the far too many market solutions claiming “zero trust” that are too basic and do not have well-defined API, cannot read AWS tags, or more.

If zero trust is truly the end goal, begin all conversations around the assumption that solutions must react in near time to information learned from all kinds of decision support systems, such as IDS, IPS, SIEM, DLP, EUBA, etc. Unintegrated platforms deliver just another silo.

Third would be continuous evaluation. I can’t stress this enough: The zero-trust solution that will truly meet the mission is one that not only integrates by reading and writing with other parts of the security stack that comprise the ZTA, but most importantly, does not define trust as a single point of time.

Appgate SDP continuously reevaluates all users, devices and communications to ensure it still approved and safe.

Q: Zero trust is notably more than just a passing technology fad. It requires us all to think differently—and dynamically—about cybersecurity. Michael, why is a dynamic zero-trust model critical for the DoD?

A: Like almost every other consumer of security solutions, the DoD has so many mission needs and has fallen victim to the same problem as other agencies and commercial industry: too many point solutions that cannot work together to provide real-time access controls. Solutions must provide a wholesome API allowing for “bi-directional” communications with other solutions in the security stack and deep reporting. A dynamic system must be able to react—and most importantly report. No decision process can occur without a total view of all data.

The next reason we believe a dynamic and highly integrated solution should be a must is the warfighter themselves. It is no secret that warfighters often move from task to task and mission location to mission location. With that comes the need for varied data impact level access. When warfighters move around, the need to access different levels and types of data is normal. If the operational zero trust system cannot understand the change in circumstances and adjust to it in near real-time, then what good is it? The ZTA must account for those situations and adjust. Success for the warfighter depends on good information in a timely manner.

Last, but certainly not least, is data loss/exfiltration. If your zero-trust system is not integrated with other tools in your security stack, then it cannot identify malicious or risky activity. When you centralize all security systems information and apply an artificial intelligence/machine learning (AI/ML) process to it, then have them connected to a dynamic zero-trust solution provider, you can ensure that behavior being caught sooner AND the source of risk (be it a person, user, device, server or service) will be removed to lower the risk of exfiltration.

Simply, the DoD is trying to take steps to put itself on a path to create a system to meet today’s and tomorrow’s mission needs—a great example is the DoD CIO-approved architecture for CNAP.
We must break down the silos between branches, create a data lake normalization process for all this information, apply AI/ML to it ensure any system working with the DoD is not only contributing to the data driven process, but can react to its calls in near real time.

For more information, visit appgate.com/federal

Enjoying SIGNAL?
SIGNAL Magazine is available through subscription or as part of your membership in AFCEA.
SUBSCRIBE NOW
LEARN MORE
JOIN AFCEA