Many federal agencies are exploring zero trust for greater network security, but perhaps none are applying more stringent requirements than the armed services. And although the exact definitions of zero trust may vary, for the 16th Air Force that means breaking traditional relationships.
The 16th Air Force’s cyber wings provide the larger service branch’s network and are heavily involved with the community that runs the Air Force Information Network, according to Robert Hembrook, deputy director of Operations and Network. That encompasses weapon systems and those run by program managers, including “one-off” interconnected systems.
Hembrook said the idea that, upon logging in, everything one sees is “flat” and one’s access is wide is just not the case.
“Zero trust brings it back down to the essential element of who I am, what the data is, and what do I need to have access to, because there’s a whole lot of information out there that I probably don’t have to have access to, based on my role and my function,” he said on Federal Monthly Insights – Zero Trust Month. “But there is information that I do need access to, and I need easy access to it without having to fight it.”
Hembrook said the 16th Air Force has a multitude of ways to log in and authenticate, while each system has its own administrative organization taking care of it. Ideally, he would like to see zero trust and flexibility for all users.
“The dream would be to have a common architecture that allows you to localize customization of security roles and responsibilities, but a common architecture and a common framework that works across the entire Air Force,” he said on Federal Drive with Tom Temin.
At this time, Hembrook said, Air Combat Command — the 16th Air Force’s major command — has a team working on some pilots for this goal, along with the Air Force’s offices of the chief information officer and chief data officer. He added that the 16th is implementing some pilots on a small scale. But when trying to roll out an initiative like zero trust on a large scale, “There’s definitely support. But the timelines are kind of flexible on that based on availability of emphasis, and availability of resources for people and money,” he said.
The 38th Engineering Squadron is working on building something akin to a reference architecture. Once that moves through the pilot phase, Hembrook said, they will better understand how to roll it out enterprisewide.
Similar to how the Department of Homeland Security is rolling out Continuous Diagnostics and Mitigation (CDM) in civilian agencies — i.e. asset management, identity and credentialing management — zero trust in Defense Department spaces requires an understanding of what data and which people are on the network. Hembrook said that, though not identical, going through CDM at the National Oceanic and Atmospheric Administration better prepared him to implement zero trust.
“But the flexibility that DHS gave was that we don’t really care which tools you use as long as you use tools that work, and it’s more up to ‘do you implement along with the philosophy?’” he said.