Navy’s supply unit overhauls cybersecurity approach to achieve zero trust

Date: On demand
Duration: 1 hour
Cost: No Fee

Brian Laird summed up a very complex challenge in a succinct way: “How do we ensure the confidentiality, the integrity and availability of the data?”

For Laird, the assistant commander for supply chain technology and systems integration of the Naval Supply Systems Command (NAVSUP), an imperative to keep improving security is coming from the highest levels.

Partly because there’s an executive order on the topic, but mainly because of worsening threats and the complexity of the technical environment in which NAVSUP operates, Laird said the IT operation is going all in with a strategy leading to zero trust.

Using a naval metaphor, Laird said the strategy represents a sea change for the Department of the Navy, no less than for NAVSUP itself. In effect, zero trust will supersede a cybersecurity strategy the Navy and DOD have been pursuing for years, namely defense in depth.

As Laird described defense in depth, “We would protect ourselves at the perimeter layer for all of our networks. And then, at the endpoints at which we actually consumed the data.” Zero trust doesn’t precisely reverse defense in depth, but it subtracts the presumed trust of users and devices once they’ve been cleared at logon.

“We actually don’t trust those individuals or devices anymore,” Laird said. “We treat those devices and those IP addresses on the network, as if they’re actually a nefarious actor. We have to really approach [them with] a least-privilege strategy to make sure, before people can traverse from one system to another, that we have the right protections in place.”

A complicating factor in establishing zero trust stems from the many systems with which NAVSUP interconnects. As the supplier of a large number of mission-related products and services to naval forces throughout the world, NAVSUP acquisition staff and logisticians interact with thousands of companies. On a given day, NAVSUP inventories amount to nearly $40 billion, Laird noted.

Plus, the Navy network environment itself is multifaceted. NAVSUP’s own networks connect to other Navy components using the Navy-Marine Corps Intranet (NMCI) and the Consolidated Afloat Networks and Enterprise Services, or CANES, tactical system. With other partners in the Defense Department, such as the Defense Logistics Agency, NAVSUP connects using the collection of networks known as the DODIN, or Department of Defense Information Networks.

In short, Laird said, “when you start to add different networks, different mission partners and different data exchanges, it can get exponentially more complex every single day.”

Delivering safer software

It’s become axiomatic that zero trust requires visibility into all of the IT assets that need protection. Laird said that need for visibility, in the supply chain context, extends to the software the Navy buys. In some instances the software application is the product. In other cases, software is embedded in, say, a weapon system or a building environmental control system, and the software is integral to the product’s operation.

Laird pointed out that the same executive order that touched off the zero trust drive also called on agencies to better understand the make-up of software they buy, using software bills of material, or SBOMs.

He likened the many blocks of code that make up a software application to Legos.

“We actually look at them as little Lego blocks. It takes a number of different coders, a number of different vendors and a number of different organic capabilities to actually deliver that capability we need to effectuate change,” Laird said. “Having visibility into each one of those building blocks is paramount because if not, then we don’t know where our vulnerabilities are. We can be exploited and then the actual data that’s being used for national security becomes at risk.”

Laird said a combination of continuous monitoring of software modules and their activities, plus incentives for vendors, helps ensure delivery of safe software.

“When you look at the Lockheed Martins, the Boeings, the Bell Helicopters, they’re doing a lot of good work for the Navy and for the Department of Defense,” Laird said. “And I think that’s really where you see the power of the defense industrial base coming together to have the right management controls in place to get after that security.”

Inside the fence line

As for zero trust itself, Laird said his shop partners with other naval organizations, when required, to help get the right elements in place. For example, the department-level Navy CIO office is developing what it calls Naval Identity Services. NIS will eventually replace, with a single enterprise tool, the identity and credential management systems that various commands or echelons have developed or acquired on their own over the years.

The initial NIS application is for the Navy’s enterprise resource planning application. A NAVSUP-specific application, Laird said, will be next to incorporate NIS.

For a second zero trust-related capability, Laird said NAVSUP will implement a tool for monitoring traffic in and out of the command, “and even as it traverses from one interface to the other.”

He added that identity and credential systems, as well as authentication and access systems, must cover not just human users and their devices, but also the automated, system-to-system interactions that constantly take place.

“We’re really looking at zero trust not just from a human element, we’re really talking about how devices or how IP addresses connect to each other, which is how a lot of the nefarious activity jumps into place,” Laird said.

An industry view

Practitioners connected with IBM studied the NAVSUP cybersecurity imperative. Chris Egan, partner for IBM’s U.S. Federal Cybersecurity Services team, underscored that supply chain security is essential to Laird’s and NAVSUP’s mission, and that the supply chain has physical and cyber sides.

“Threats are not new in the sense that they didn’t exist before. But they’re new in the sense that they are being exploited by threat actors,” Egan said.

Egan said the evolution toward zero trust doesn’t replace defense in depth, but rather augments it. The traditional thinking looked at networks like castles with extensive perimeter protections.

“When we think about zero trust,” Egan said, “what we’re saying is not only are we going to protect those outer perimeters, but we’re also going to assume that we cannot trust who is inside.” He said that requires a holistic approach to ID management and authentication, encompassing individuals and machine-to-machine interactions.

Zero trust also extends beyond the borders of an organization like NAVSUP, said Curtis Dukes, executive vice president and general manager of the Center for Internet Security. Nowadays, he said, any definition of an enterprise must include commercial cloud-hosted assets, non-government-issued devices, and supplier networks.

As for software bills of materials, Dukes said agencies, when obtaining an SBOM, should also obtain information on vendors’ configuration control processes in order to have a complete picture of potential software vulnerabilities.

“This really is a fundamental change for how the Defense Department and the federal government, for that matter, protect their networks,” Dukes said. He added that agencies face four basic challenges to implementing zero trust: bringing legacy systems up to date; instituting multifactor authentication, especially in machine-to-machine communications; being sure to include all of the systems in hybrid, multi-cloud environments; and the basic cost of doing all the work.

Egan added that the cloud is emerging as the most practical place to host zero trust solutions, even for on-premises applications.

Learning objectives:

  • NAVSUP overview
  • The move to a zero trust model
  • Industry analysis


  • Brian Laird

    Assistant Commander, Supply Chain Technology and Systems Integration, Naval Supply Systems Command

  • Chris Egan

    Partner, U.S. Federal Cybersecurity Services Team, IBM Consulting

  • Curtis Dukes

    Executive Vice President & General Manager, Center for Internet Security

  • Tom Temin

    Host, The Federal Drive, Federal News Network