Cyberthreats increased dramatically following the Russian invasion of Ukraine. Given that, DoD continues to work on zero trust and on containing its threat surface.
DoD can’t just move to the cloud overnight, and some data is so sensitive that it needs to stay on premises, points out Bill Harrod, federal chief technology officer at Ivanti.
Given those needs, DoD and the military services are working closely with contractors to protect that data, Harrod said during Federal News Network’s second annual DoD Cloud Exchange.
The Pentagon set standards for contractors using Cybersecurity Maturity Model Certification and the Federal Risk and Authorization Management Program (FedRAMP). Those benchmarks ensure the companies that DoD works with can handle classified information in the cyber world.
There are plenty of threats out there for DoD and contractors to worry about, especially as the conflict in Ukraine continues, Harrod said.
“Clearly, the cyberattack threat has escalated dramatically. Ransomware continues to be the No. 1 attack vector,” he said. “Much of that has been traced back to Russia and China. I think we’re going to see a continuation and escalation of that. I also think that supply chain attacks, things like SolarWinds and Log4j, are critical vulnerabilities. We probably haven’t seen the last of attacks like those.”
It’s critical that DoD can counter such attacks, and zero trust is one of the main ways to do it, Harrod said. By strongly enforcing privileged access, authentication and access controls, Defense organizations can limit the risks to their networks.
“The zero trust policy relies on those enforcement points and creating that micro-segmentation of the DoD network, both in the cloud and on premises,” Harrod said. “Zero trust requires authorization and access control decisions to validate the boundary crossing or access to any new resource or application — or potentially any new transaction or workload.”
The White House is already taking zero trust into account. Last May, President Joe Biden signed an executive order directing use of zero trust strategies to improve government cybersecurity. In particular, the order instructs agencies to “advance toward zero trust architecture and accelerate movement to secure cloud services.”
The tricky challenge comes as DoD addresses many of its legacy operations and systems as it expands cloud adoption across multi-domain environments.
“Today, the DoD workforce works any time of the day or night, from anywhere, on nearly any device,” Harrod said. “Transactions and data move across the internet to cloud-based applications — and access data and solutions on the DoD enterprise network as well.”
But the enterprise network traditionally made trust assumptions based on each user’s authentication, and there were few if any controls that prevented what Harrod called “east-west” data movement between and across domains.
“The zero trust framework really relies on no assumption or inheritance of trust and enforcing fine-grained access controls and narrowly defined zones have access,” he said. That will be a critical evolution in retooling legacy services in the cloud and on premises.
Another critical element will be the use of software bills of materials (SBOMs), Harrod said. SBOMs are necessary for zero trust because they will let DoD know all of the components, routines and libraries associated with each application and system, he explained. “We can test and evaluate to make sure that there hasn’t been any compromise or changes from what’s expected.”
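One way that SBOM check can be expressed in code, as an added example that is not from the article or from Ivanti or DoD: a constructed CycloneDX-style SBOM is compared against an approved baseline of component hashes (every purl and digest here is constructed), and anything changed, added without approval, or dropped is reported so a deploy gate can deny by default.

```python
import hashlib
import json

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed CycloneDX-style SBOM (not a real DoD artifact): each component
# carries a purl and the SHA-256 of the artifact actually shipped.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "hashes": [{"alg": "SHA-256", "content": sha256(b"log4j-core-2.17.1")}]},
        {"purl": "pkg:npm/left-pad@1.3.0",
         "hashes": [{"alg": "SHA-256", "content": sha256(b"left-pad-1.3.0-tampered")}]},
        {"purl": "pkg:pypi/requests@2.31.0",
         "hashes": [{"alg": "SHA-256", "content": sha256(b"requests-2.31.0")}]},
    ],
})

# Approved baseline (constructed): purl -> SHA-256 from the last accredited
# build. Anything not listed here was never approved.
BASELINE = {
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1": sha256(b"log4j-core-2.17.1"),
    "pkg:npm/left-pad@1.3.0": sha256(b"left-pad-1.3.0"),
    "pkg:pypi/urllib3@2.0.7": sha256(b"urllib3-2.0.7"),
}

def sbom_digests(sbom_text: str) -> dict:
    """Map each component purl to its SHA-256 from a CycloneDX JSON document."""
    out = {}
    for comp in json.loads(sbom_text).get("components", []):
        digest = next((h["content"] for h in comp.get("hashes", [])
                       if h.get("alg") == "SHA-256"), None)
        out[comp["purl"]] = digest  # None means unverifiable, treated as changed
    return out

def verify_sbom(sbom_text: str, baseline: dict) -> dict:
    """Report components changed (hash mismatch), added without approval, or dropped."""
    seen = sbom_digests(sbom_text)
    return {
        "changed": sorted(p for p in seen if p in baseline and seen[p] != baseline[p]),
        "unexpected": sorted(p for p in seen if p not in baseline),
        "missing": sorted(p for p in baseline if p not in seen),
    }

def sbom_is_trusted(sbom_text: str, baseline: dict) -> bool:
    """Deny by default: any deviation means the build is not what was accredited."""
    return not any(verify_sbom(sbom_text, baseline).values())
```

Run against the constructed input, the check flags the tampered left-pad, the unapproved requests and the missing urllib3, so the build is rejected.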
To listen to and watch all the sessions from the 2022 Federal News Network DoD Cloud Exchange, go to the event page.
Public Sector CTO, Ivanti
Bill Harrod is the Public Sector CTO at Ivanti, joining as part of the MobileIron acquisition, where he held a similar role prior to the acquisition. He is a CISSP and an accomplished information security executive and cybersecurity professional with experience managing cybersecurity risk and designing and delivering security solutions to federal agencies and Fortune 500 companies. Bill joined MobileIron from Deloitte, where he was a Specialist Leader/Senior Manager for the Federal Advisory Cyber practice. There he was the identity architect for citizen-facing identity, authentication, authorization and access management for several federal agencies, and managed programs at the US Postal Service, Government Services Agency (GSA), IRS and the National Institute for Standards and Technology (NIST) for identity and privacy standards. Prior to Deloitte, Bill was an advisor for Public Sector Security solutions at CA Technologies; VP/Research Director at ICSA; and served for 14 years in the federal government.
Defense Reporter, Federal News Network
Scott Maucione is a defense reporter for Federal News Network and has worked in journalism for over a decade. He previously covered the Pentagon for Inside Defense. He received his B.A. in journalism and political science from the University of Maryland and his Master’s from American University in applied politics.