For once, the Defense Innovation Unit solved its own problems.
While DIU usually works on challenges for the military services and defense agencies, a recent project showed the unit how a secure approach to using commercial cloud services could work outside of the traditional Defense Department methodology.
Rick Simon, the program manager for the Secure Cloud Management project and a contractor in the Defense Innovation Unit, said that of the 29 respondents to the office’s request for white papers, three prototypes made the grade.
DIU issued success memos for the three prototypes, from Google, Zscaler and McAfee, earlier this year, determining that each delivered on the goals of the pilot and that any Defense Department entity can use the services to secure its cloud access points.
“All three of them, as it turns out, really offered some similar capabilities. They all offer what are known as SASE services, secure access edge services, and they all offered a broad range of zero trust capabilities,” Simon said on Ask the CIO. “One of the interesting things is in the original Areas of Interest (AOI), which is another word for a request for proposals, we didn’t include the phrase zero trust. DoD has become very focused on zero trust capabilities and zero trust architectures, and it just so happened that all three of the prototypes offered those kinds of capabilities.”
Simon said when DIU used the traditional cloud access point (CAP) security set-up, it experienced latency that made applications like video conferencing difficult to use. Much like the Trusted Internet Connections (TIC) initiative needed to be updated for the remote workforce, DoD needed an easier, but still secure, approach to using commercial cloud services.
DIU employees tested out each of the prototypes to access its network. Where DIU usually procures and builds systems on behalf of others, this project attempted to solve an internal problem that many other agencies — DoD and civilian — face.
“We split our population into three groups, and each group was subject to one of the prototypes. They downloaded the agents and worked through those prototypes. We wanted to ensure that we were assessing for cloud access point equivalency,” Simon said. “We partnered with the Defense Information Systems Agency to develop the assessment criteria. They drew it from the secure cloud computing architecture document because that most directly defines CAP requirements. But as the project progressed, it became clear that zero trust was becoming a more important part of the DoD’s future, so we also asked DISA to draw from a draft of the zero trust reference architecture. It’s now in published form, but it was a draft at that time, as well as the security requirements guide and various other reference architectures, to develop a set of criteria.”
DIU and DISA measured the three prototypes against 77 different metrics to assess CAP equivalency. Simon said the goal was to ensure the new approach didn’t erode security capabilities around endpoint security, network security, performance and other security controls.
“We engaged with each of the vendors and third-party assessment organizations to perform the actual assessments. The results were published and made widely available within the DoD,” he said. “None of the vendors passed all 77 metrics. In the assessment, there were a handful of tests, for example, that required red teaming and we did not have the wherewithal either ourselves or through our security service provider to do red teaming. So we didn’t do those tests. There were a couple of tests that had to do with IPv6. But they all passed over 90% of their tests, and that was very encouraging to us.”
Taking the prototypes into production
Once the prototypes passed the tests, DIU said any DoD agency or military service can now work with the vendors to take them into production.
“We will likely select one of these prototypes to go into production. It’ll likely be in the first quarter of fiscal 2022. We think we could pick any of them and be very successful with them,” Simon said. “We have been talking to a lot of entities about the project and the results of the project. During the course of the project, I personally briefed probably 15 different DoD entities on what we were doing, and then they followed along through a newsletter that I created about the progress we were making in the project. Once it was complete, we put all the artifacts, all of the third-party assessment result documents and a lot of other documentation about the project in a secure place where anybody from DoD could get to it, and download and read the materials that were prepared. We think that various DoD entities will embrace it, and, at the very least, use it as guidance as they figure out their own zero trust way forward.”