Zero Trust Cyber Exchange: Navy
If you’re using identity as your perimeter, it brings in a lot of new tools, a lot of new automation, a lot of new opportunities to make real-time, dynamic, threat-informed decisions.
Louis Koplin
Deputy Chief Technology Officer, Department of the Navy
For the Department of the Navy, building a more modern and capable framework for identity management isn’t just an important ingredient in the recipe for a successful zero trust implementation. It’s almost the whole point.
After all, if the goal is to grant access to only the data and systems a user actually needs, based on their roles, responsibilities and how they’ve authenticated themselves, an identity framework that can track a whole lot of attributes about everybody on the network is really, really important.
That’s why DoN is putting a lot of effort into identity on the front-end of its journey toward zero trust. Led by the Program Executive Office for Digital and Enterprise Services (PEO Digital), the idea is to build an extensible credentialing and access management framework that both consolidates what individual Navy components are doing on the identity front today and offers far more granularity than the Defense Department’s current enterprisewide identity framework delivers.
“If you’re only guarding your perimeter with network firewalls, that’s something that can be done, but it’s not easy,” Louis Koplin, DoN deputy chief technology officer, said during Federal News Network’s inaugural Zero Trust Cyber Exchange.
“If you’re using identity as your perimeter, it brings in a lot of new tools, a lot of new automation, a lot of new opportunities to make real-time, dynamic, threat-informed decisions about who gets to see what, under what circumstances, for how long and under what operating conditions,” he continued. “Identity becomes the dominant factor in how to control access to information applications.”
Identity as a managed service
To make that practical, the Navy wants to deliver identity as a managed service across the Navy and Marine Corps.
The aptly named project is called Naval Identity Services, and NIS is trying to do several ambitious things at once:
- Create a single sign-on capability all of the Navy’s disparate systems
- Gather and consolidate information about the users in those legacy and localized systems
- Make it much easier to update the now-centralized identity storehouse whenever that information changes, which it does, all the time
Curt Parker, lead engineer for NIS, said breaking down the Navy’s “walled gardens” of identity information is critical to the project. And somewhat counterintuitively, the moves the Navy has already made to the cloud have made things more complicated. Why? Because, so far, the implementation of new technologies that demand modern identity management schemes has been done in a fairly decentralized way, Parker said.
“Some of our [internal] cloud brokers have implemented their own active directories in order to apply policies to machines at their locations. And as part of that, they’ve set up an authentication mechanism that’s located at that local Active Directory,” he said. “If somebody were to, let’s say, leave the DoD and turn in their common access card, there’s no universal method of notifying those [authentication] silos that that person actually left.”
Harmonizing NIS with the rest of DoD
The Navy isn’t looking to completely replace the identity management functions the ubiquitous CAC has provided throughout DoD for the past decade and a half. But for zero trust, it definitely needs to supplement what the Defense Manpower Data Center (DMDC) collects and manages with more person-by-person details that deal with Navy-specific use cases.
“We actually do use a feed of DMDC data — information about contractor, military and civilian personnel — as our authoritative source of information about people who exist inside the DoD,” Parker said. “But in order to make access control decisions, we need the other Navy-specific attributes. DoD doesn’t know if a person has access to a specific Navy system that provides, for example, training information.”
NIS also intends to address limited communication environments. For instance, if a ship goes into a disconnected state, it has its own computer systems that will need zero trust services. “Being able to address those use cases with an enterprise service that has already been paid for at the Navy level would take some of the strain off of their budgets and hopefully make their lives a little bit better and more secure,” Parker said.
The next trick is making sure the Navy’s identity infrastructure doesn’t turn into a silo of its own. Justin Fanelli, PEO Digital’s technical director, said that’s not what anyone wants.
“We’re working with the Defense Information Systems Agency and the Office of the Secretary of Defense on all of this, and they’ve been great partners,” Fanelli said.
“There are some service-specific aspects where we’re going need a Department of Navy infrastructure that’s flexible for our needs. But we’re also sharing back those lessons learned. When we test something, when we trailblaze something, that’s often something the Army can make use of and vice versa. We have good communications on all of that, but there are some things that are just inherently Navy and Marine Corps.”
To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.
Copyright
© 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.