The Defense Department is increasingly moving to the cloud or to hybrid platforms to store and use data, but that also brings new challenges in securing that data.
DoD can’t just move to the cloud overnight, and some data is so sensitive that it needs to stay on premises, points out Bill Harrod, federal chief technology officer at Ivanti.
Given those needs, DoD and the military services are working closely with contractors to protect that data, Harrod said during Federal News Network’s second annual DoD Cloud Exchange.
The Pentagon set standards for contractors using Cybersecurity Maturity Model Certification and the Federal Risk and Authorization Management Program (FedRAMP). Those benchmarks ensure the companies that DoD works with can handle classified information in the cyber world.
There are plenty of threats out there for DoD and contractors to worry about, especially as the conflict in Ukraine continues, Harrod said.
“Clearly, the cyberattack threat has escalated dramatically. Ransomware continues to be the No. 1 attack vector,” he said. “Much of that has been traced back to Russia and China. I think we’re going to see a continuation and escalation of that. I also think that supply chain attacks, things like SolarWinds and Log4j, are critical vulnerabilities. We probably haven’t seen the last of attacks like those.”
Recent cyberattacks underscore importance of zero trust
It’s critical that DoD can counter such attacks, and zero trust is one of the main ways to do it, Harrod said. By strongly enforcing privileged access, authentication and access controls, Defense organizations can limit the risks to their networks.
“The zero trust policy relies on those enforcement points and creating that micro-segmentation of the DoD network, both in the cloud and on premises,” Harrod said. “Zero trust requires authorization and access control decisions to validate the boundary crossing or access to any new resource or application — or potentially any new transaction or workload.”
The White House is already taking zero trust into account. Last May, President Joe Biden signed an executive order directing the use of zero trust strategies to improve the government’s cybersecurity. In particular, the order instructs agencies to “advance toward zero trust architecture and accelerate movement to secure cloud services.”
Zero trust and the transition of legacy services to the cloud
The tricky challenge comes as DoD addresses many of its legacy operations and systems as it expands cloud adoption across multi-domain environments.
“Today, the DoD workforce works any time of the day or night, from anywhere, on nearly any device,” Harrod said. “Transactions and data move across the internet to cloud-based applications — and access data and solutions on the DoD enterprise network as well.”
But the enterprise network traditionally made trust assumptions based on each user’s authentication, and there were few if any controls that prevented what Harrod called “east-west” data movement between and across domains.
“The zero trust framework really relies on no assumption or inheritance of trust and enforcing fine-grained access controls and narrowly defined zones have access,” he said. That will be a critical evolution in retooling legacy services in the cloud and on premises.
Another critical element will be the use of software bills of materials (SBOMs), Harrod said. SBOMs are necessary to zero trust because they will let DoD know all of the components, routines and libraries associated with each application and system, he explained. “We can test and evaluate to make sure that there hasn’t been any compromise or changes from what’s expected.”
To listen to and watch all the sessions from the 2022 Federal News Network DoD Cloud Exchange, go to the event page.