Zero Trust Cyber Exchange: Why Air Force is taking an iterative, DevSecOps approach

Zero Trust Cyber Exchange: Air Force

In conversations about federal agencies moving to zero trust, it’s become something of a truism that zero trust is a journey, not a destination.

But one could argue the Air Force is more explicit about that fact than most. The design team behind the service’s zero trust implementation is clear-headed that zero trust won’t happen overnight. Instead, they’re using an iterative process — starting with just a couple of bases — and a software-centric approach that uses the development, security and operations (DevSecOps) methodology already proven successful in other Air Force technology development areas via its Platform One.

This fall, the service will launch its initial zero trust pilot at Joint Base Pearl Harbor-Hickam in Hawaii. This will be its first real-world attempt at proving out some of the concepts it’s been building in the lab to create a software-based zero trust boundary.

And although the words “zero trust” and “boundary” aren’t normally used in the same sentence, Air Force technologists think that’s the right starting point, when you’ve already got a network that’s heavily focused on perimeter controls.

“As we slowly start moving more into the zero trust mindset, we’ll start getting away from the concept of boundary. But especially during this transition period, there will definitely be a need for this concept of a boundary,” Capt. Christopher Kodama, a military engineer with the AFNet Sustainment and Operations Branch, said during Federal News Network’s Zero Trust Cyber Exchange.

Air Force zero trust plan Part 1

Initially, Kodama said, the idea is to replace a collection of hardware appliances that provide boundary security today with a software-defined security stack that gets the Air Force closer to zero trust principles.

“What we’re trying to do is create a sort of VPN-like entry point into our network. But instead of a traditional virtual private network — where you pretty much have access to the full network once you’re signed in — we want to be able to do a couple of other things,” Kodama said. “One is to allow the users that are coming in to only access the resources that they should be able to access and also integrate with other endpoint security types of technology. That will give us a better sense of whether the laptop that they’re trying to use to log into the network is secure. We want to be able to tie those together.”
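The difference Kodama describes, between a VPN that grants the whole network after one login and an entry point that checks each request against the user’s entitlements and the device’s security state, can be made concrete in a small policy decision function. The example below is an added illustration written for this page; it is not Air Force or Platform One code, and the user names, resource names, posture signals and thresholds are constructed for the example.

```python
"""Added illustration: a default-deny, per-resource access decision that also
consults endpoint posture, contrasted with a perimeter-style VPN decision.
All names and thresholds below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DevicePosture:
    """Signals an endpoint security agent might report about the laptop."""
    managed: bool          # enrolled in device management
    disk_encrypted: bool
    edr_running: bool      # endpoint detection/response agent is active
    days_since_patch: int


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # why a request was denied


# Constructed entitlement table: which resources each identity may reach.
ENTITLEMENTS = {
    "alice": {"hr-portal", "email"},
    "bob": {"email"},
}

MAX_PATCH_AGE_DAYS = 30   # constructed threshold


def legacy_vpn(user: str) -> bool:
    """The model the quote contrasts with: authenticate once, reach everything."""
    return user in ENTITLEMENTS


def posture_failures(p: DevicePosture) -> list:
    """Return every posture check the device fails (empty list means healthy)."""
    failures = []
    if not p.managed:
        failures.append("device is not enrolled in management")
    if not p.disk_encrypted:
        failures.append("disk encryption is off")
    if not p.edr_running:
        failures.append("endpoint security agent is not running")
    if p.days_since_patch > MAX_PATCH_AGE_DAYS:
        failures.append(
            f"patch age {p.days_since_patch}d exceeds {MAX_PATCH_AGE_DAYS}d")
    return failures


def evaluate(user: str, posture: DevicePosture, resource: str) -> Decision:
    """Default deny: identity, per-resource entitlement and posture must all pass.

    Every reason for denial is collected rather than stopping at the first one,
    so the decision can be logged and explained to the user or an analyst.
    """
    reasons = []
    if user not in ENTITLEMENTS:
        reasons.append("unknown identity")
    elif resource not in ENTITLEMENTS[user]:
        reasons.append(f"{user} is not entitled to {resource}")
    reasons.extend(posture_failures(posture))
    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    healthy = DevicePosture(managed=True, disk_encrypted=True,
                            edr_running=True, days_since_patch=5)
    stale = DevicePosture(managed=True, disk_encrypted=True,
                          edr_running=False, days_since_patch=45)
    requests = [("alice", healthy, "hr-portal"),
                ("bob", healthy, "hr-portal"),
                ("alice", stale, "email")]
    for user, posture, resource in requests:
        d = evaluate(user, posture, resource)
        print(f"{user:6} {resource:10} legacy_vpn={legacy_vpn(user)} "
              f"zero_trust={'ALLOW' if d.allowed else 'DENY'} {d.reasons}")
```

In the constructed data, bob is allowed through under the legacy model but denied the HR portal under the per-resource check, and alice is denied on a device whose endpoint agent is off and whose patches are stale, even though her entitlement is valid. The posture signals would in practice come from the endpoint security integration Kodama mentions rather than from a hard-coded structure.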

But the fact that the Air Force is assembling its own software-defined zero trust architecture shouldn’t be read as a shunning of commercial technologies. Quite the opposite, in fact. The eventual goal is an architecture that can virtualize and quickly incorporate security innovations from across industry.

“This is a game changer for the Air Force. We have to implement zero trust in a way that every packet, every bit of data, every transaction is not trusted,” said Raju Ranjan, technical lead for zero trust at the Air Force. “For that, we have to build a stack of COTS products which can give warfighters cutting edge technology to access their resources or data from anywhere or from any place.”

Leveraging Platform One for zero trust effort

And that’s where the zero trust team’s partnership with Platform One comes in. The Air Force isn’t looking to build its own security products. But it does want to use Platform One’s existing DevSecOps techniques to quickly test and accredit its approaches to linking them together, and insist on open interfaces between those products.

“We want to leverage their infrastructure for the Air Force zero trust stack — GitHub, Party Bus, Iron Bank — all those components are there, and whatever they have, we want to use them,” Ranjan said. “We’re also planning to use an open framework. If any vendor says, ‘Use my APIs or use my product,’ [our answer] is no … we need to be vendor-agnostic, software-agnostic. It should all be built on an open standard.”

And Kodama said the commercial tools Platform One already provides, and has already accredited as part of its DevSecOps pipeline, have turned out to be extremely helpful in mapping out the Air Force’s possible future approaches to zero trust.

“What it also allows us to be able to do is to have separate deployment pipelines for testing and actual deployment that are nearly identical,” Kodama said. “It also allows us to, from a security standpoint, embed security checks. This is something that Platform One is doing today, where they embed security checks into their pipeline, so that as the code is being deployed, it will be scanned for vulnerabilities.”

To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.