Thunderdome Moves DISA Beyond Defense in Depth

The Defense Information Systems Agency intends next month to award a contract for its Thunderdome zero-trust architecture and to begin implementing a prototype within six months. The new architecture is expected to enhance security, reduce complexity and save costs while replacing the current defense-in-depth approach to network security.

A defense-in-depth architecture essentially calls for placing various network protection tools, such as firewalls, antivirus protection software and secure web gateways at multiple points in the network with redundancy to keep attackers out of the network. Zero trust, on the other hand, requires that every user and every device be authenticated every time before being granted network access.

If all goes as planned, the Defense Information Systems Agency, also known as DISA, will award a contract next month for a prototypical zero-trust architecture. The agency released a request for information in May and followed up with a request for white papers in mid-July with responses due in early September. The prototype phase will last just six months, and production will begin in early fiscal year 2023 following a three- to-six-month transition period. “We plan to award in the first week of November, and then we’re going to roll out immediately. So, we hope to have something to demonstrate in real life in December,” reports Angela Landress, Thunderdome program manager and chief for Perimeter Security Division at DISA. The agency received nearly 60 replies to the request for proposals, which is a great response, Landress indicates.

The Thunderdome zero-trust architecture offers a variety of benefits, including lower costs, according to DISA officials. “The defense-in-depth architecture requires us to have duplicative security tools at each tier of defense. By extending the security architecture from the user to the data edge, we can divest from those duplicative security tools and devices, which is a cost savings for the department,” Landress explains.

Serena Chan, who directs DISA’s Cyber Development Directorate, agrees. “While we’re talking about creating this unified end-to-end platform, it’s going to allow us to divest from duplicative defense-in-depth architecture, and also it’s very datacentric, so it’s very focused on securing the data and the endpoints that are connecting to the network.”

DISA’s solution will incorporate a number of capabilities most commonly known by their acronyms. They include secure access service edge (SASE), software-defined area networking (SD-WAN), identity credential access management (ICAM) and virtual security stacks.

SASE, which is pronounced “sassy,” is a technology package that includes SD-WAN, firewall as a service and cloud access security broker. While SASE has been implemented across much of the commercial world, it has not yet been widely adopted by the government, Landress observes. “We plan to utilize this secure capability to provide direct access to the Internet without having to use a [virtual private network]. It extends security all the way from the user to the edge of the data. It basically broadens the perimeter to include cloud applications and bring your own devices.”

The real benefit, she adds, is that it “allows anyone to log on from anywhere safely, and it standardizes the authentication method, so you don’t have to authenticate differently based on which device you’re using.”

The SASE solution and the virtual security containers primarily will benefit DISA and the defense organizations known as the “fourth estate.” The fourth estate includes the Office of the Secretary of Defense, the Joint Staff, the Missile Defense Agency, combatant commands and others. SD-WAN, on the other hand, offers benefits across the Defense Department, Landress notes.

“It’s technology that’s going to allow us to segment traffic in a way to prevent lateral movement inside the network. It allows us to use a variety of transport methods to securely connect users to applications. It’s more flexible than other transport methods,” and it allows for sophisticated bandwidth management and application recognition,” Landress says. She adds that the analysis will provide “the level of security that DISA needs to protect and defend from bad actors.”

Asked to elaborate how it provides greater flexibility, Landress explains that SD-WAN-capable organizations can take advantage of broadband connections and track and consolidate network traffic. “And through the availability of their applications and their user experiences, we will basically be able to consolidate our network traffic and control it to avoid a security breach,” she adds. Additionally, it offers built-in redundancy and can connect to multiple types of platforms from cellphones to tables to laptops.  

“SD-WAN is a really cool technology that, if implemented correctly, can completely revolutionize the way you secure your network. It also improves the user experience quite a bit, and we’ve already contacted all of our mission partners and plan to talk with them during our prototype to make sure that our SD-WAN interoperates with whatever they’re using,” Landress states.

The mission partners include the Navy, Army and Air Force. The Navy will be the first to begin implementing Thunderdome capabilities simply because they have shown the most interest, Landress says.

Because SASE is a mature commercial capability, adapting it to DISA’s needs should not be too challenging. “We need to engineer it a little bit in order to integrate it with ICAM, with virtual security stacks and with SD-WAN. I think what we’re going to find are some really innovative solutions to implementing SASE on a complex network like DISA.”

Ensuring interoperability likely will be the biggest challenge. “We’re going to plan to start testing that head-on to make sure that if we do run into problems, it’s an obstacle in the beginning and not in the end. You have to make sure that the traffic flows seamlessly from a Defense Department end user to an application in the cloud,” Landress offers.

Chan adds that interoperability will be tested throughout the process. “Interoperability will be the biggest challenge in that program because everybody’s interested in implementing zero trust architectures now. To help mitigate that kind of challenge, we really encourage the use of a common set of standards, protocols, and taxonomies in order to tie everything together and to work seamlessly with our mission partners.”

DISA officials considered but then rejected using a “challenge” process under an “other transaction authority” or OTA to develop the Thunderdome prototype architecture. Under the challenge process, participants who perform well are awarded prizes along the way.

“We decided not to go that route. We originally in the [request for information] implied that we might use that method, but when I dug deeper into it, there just wasn’t enough time to implement that kind of OTA,” Landress says. “Because we’re asking for several different technologies in one program, the challenge-based OTA was a little too complex, so we went with a regular oral presentation and demonstration route.”

Chan stresses that DISA already offers another important cybersecurity capability, Cloud-Based Internet Isolation, which moves non-mission-essential Internet browsing off of the endpoint to a cloud-based environment, reducing the risk and attack surface of the Department of Defense Information Networks and relieving congestion at Internet access points.

Adoption of the capability has been slower than expected, in large part because of competing priorities such as the adoption of Microsoft Office 365, but Chan hopes to quicken the pace of deployment. “It’s a great security capability that we’re offering. We have plans to increase migration at a faster pace as well. We had original plans for 1.5 million users this year, and we’re looking to accelerate up to the entire enterprise of 3.5 million.”

The need for speed in implementing zero-trust capabilities is partly driven by the telework boom in response to the COVID-19 pandemic. More workers accessing Defense Department networks from remote locations offer more opportunities for cyber adversaries.

“Thunderdome is a very modern and relevant security and network architecture that uses various zero-trust capabilities to get after a new threat vector that surfaced as a result of mass telework,” Landress says. “While it became popular a few years ago, now is the right time to really implement it to protect our critical assets, our data,” Landress says.

Chan emphasizes the importance of data security. “Really, it’s a very datacentric security model. We’re not just focused on security for access to the network per se. It’s actually security at the data element level. It has a more finite level of security. Now we’re talking about protecting the data resources,” she points out. “It’s a paradigm shift in improving our cybersecurity. That’s why we’re emphasizing the whole zero-trust architecture. It’s a different way of thinking about cybersecurity.”