A lot of agencies and vendors talk about the move to a zero trust architecture, but few are actually putting the pieces in place to improve their cybersecurity.
The Defense Information Systems Agency may be one of the few exceptions.
Jason Martin, the vice director of the Development and Business Center at DISA, said the agency is working with the U.S. Cyber Command to launch a zero trust pilot.
“We are in the process right now of building out our lab space at DISA in conjunction with our intelligence community and Cyber Command partners to build out three fundamental components of it,” Martin said after he spoke at the recent FCW Cloud Summit. “Zero trust is the architecture or framework that we are building out for overall continued access and authentication mechanisms across the network and at all layers of the network. To do that, you have to have foundational identity credentialing, access, authorizations solution so we are building that out in that same lab. We are leveraging existing capabilities while in turn building out things like master user records and automated provisioning that we will set with policy and push out using our third component, a global policy orchestrator.”
He said once each of these components are in place, DISA and its partners will test the technology against specific use cases.
Martin said the lab is the first step to getting the full pilot or proof of concept off the ground.
Data is key to zero trust
He said a big step for the Defense Department will be consuming enterprise data from disparate databases to oversee and manage access of employees to systems and data.
“Zero trust is rethinking how we do continuous security,” Martin said on Ask the CIO. “It’s leveraging the capabilities we’ve brought to bear for years. It’s working with partners across the DoD and the IC to say here are the lessons learned and here are we doing certain things on certain fabrics and can we now apply it here, can we apply it closer down to the endpoint and can we apply it across the network? What are the uses cases and as we identify those, we then build out a new set of capabilities which either leverages existing capabilities and/or integrates new capabilities in new way that we hadn’t previously done.”
Martin said DISA is looking at both new procurement approaches as well as existing acquisition vehicles to build out the zero trust use cases.
He added DISA also is collaborating with the military services and other Defense agencies about how zero trust fits into the broader discussion and what capabilities can they share. Many of these discussions come during meetings of the zero trust council.
The Defense Innovation Board released a white paper in July looking at zero trust inside DoD. It outlined eight questions that DoD should consider as it moves toward this cyber approach.
“Due to the large number of siloed networks across DoD, any shift to zero trust architecture would likely have to be incremental, starting with a standard set of identity checks for applications and services that could gradually be integrated into common mechanisms for authentication and authorization across DoD,” the board states. “As part of this effort, DoD will need to improve its digital management and tracking of user roles (and changes to those roles) across the organization in order to build access control for specific applications and services. While some of this effort will require security architecture reconfiguration, there will also need to be a shift in the security culture throughout DoD to promote accurate and consistent record-keeping of roles and other identity characteristics.”
The Office of Management and Budget and the CIO Council worked with the industry group ACT-IAC to write a zero trust white paper, and now the National Institute of Standards and Technology is analyzing the current state of technology that fits under zero trust.
Martin said one important piece of the zero trust puzzle is how to secure mobile devices. He said DISA is running pilots to let employees use tablets that have secret and top secret security controls.
He said the goal is to make it easier for service members and commanders to do their jobs in theater or other environments.
“We’ve rolled out a pilot with critical mission sets and it really does provide a full classified experience that you’d expect to see in your office and it’s very contained with headsets and other things so you can do that work like you would if you were in your office,” he said. “We’ve rolled out the pilot to 100 folks. We are working through the planning process to be able to budget and expand this out as a capability.”
Martin said there is a growing demand for classified capabilities at the edge. It’s part of DoD’s desire to bring all enterprise capabilities so data access is ubiquitous.
DISA has long been ahead of the curve in securing mobile devices. The agency has more than 100,000 devices using its Purebred technology, which replaces the need for smart card readers to send digitally signed and encrypted email, decrypt email, and authenticate to DoD websites when using a DoD mobile device.