For many federal agencies, zero trust is something between a buzzword and an aspiration that still lies several years into the future. For the Navy, it’s a reality today, according to the service’s IT leaders.
That’s not to say the work is done — or even close to it. For instance, zero trust models have yet to make their way onto the Navy’s classified networks and, for the most part, its ships. But for the vast majority of users on its enterprise networks, officials say they’ve achieved at least the basic underpinnings of a zero trust architecture that will continue to evolve over time.
One reason the Navy was able to move to large-scale implementation so quickly — much of the work has been completed in just the past year — is that the service leaned heavily on the security tools and architecture that are already baked into Flank Speed, the Navy’s implementation of Microsoft 365.
The service dramatically accelerated that migration because of the need to let employees work remotely and securely during the COVID pandemic, said Barry Tanner, chief operations officer for the Navy’s Program Executive Office for Digital and Enterprise Services.
“This was the first time that the Navy decided to essentially go all in with cloud capabilities. When we started that journey, we made a conscious decision to start with a blank sheet of paper and use the work that had been done by the National Security Agency and Cyber Command’s experimentation to build those lessons into the implementation of Office 365 for the Navy,” Tanner said during a panel discussion for Federal News Network’s Cyber Leaders Exchange 2023.
Pandemic helped remove implementation barriers
“We were talking about this as early as 2018, and the original estimate was that it would take four or five years to get there … but the pressure of the pandemic, the focus that it gave everyone all the way up to and including Secretary of the Navy, was critical to ensure that everybody was driving in the same direction,” Tanner said. “We were able to remove some barriers that are typically very hard in a government environment.”
That all-in approach to the cloud gave the Navy a way to quickly scale those built-in security improvements as users migrated from legacy email and productivity tools to Flank Speed.
Among the biggest changes, officials say, is much more instrumentation — the kind that gives cyber defenders more relevant, real-time data about what’s happening inside the cloud environment so that the Navy can move from a network-centric security posture to a more data-centric one.
Cmdr. Nick Goddard, director of operations for the Navy Cyber Defense Operations Command, said one key to the service’s approach has been extending those data-gathering tactics to the service’s legacy networks and integrating them with its existing cyber defense tools, automating much of the data analysis process along the way, as part of a more coherent security “ecosystem.”
Infographic caption: The number of potential cyber events the Navy records on its networks each day — orders of magnitude more than defenders can examine without advanced tools. Source: Navy Cyber Defense Operations Command.
“When you properly instrument a network, you get a lot more data. Within our infrastructure, we’re seeing about 2.3 billion events every 24 hours, which is an insane volume of data for a human to be able to digest and decompose,” Goddard said. “But what cloud enables us to do is to take those old tools and actually give them new life. And we’re also now able to see things like kernel-level processes and identity. So when we take cloud-based capabilities and identity — and tie them together with legacy tools — we get a much richer environment in order for us to do much more informed defensive action.”
Navy expects enhanced ability to identify, neutralize attacks
David Voelker, lead official for zero trust in the Department of the Navy CIO’s office, said that level of detail — with data that truly reflects what’s happening inside the service’s security perimeter — should let cyber defenders find intruders much more quickly once they’re inside the network.
One key principle of zero trust, after all, is that network operators should always assume the perimeter has been breached. Or, as a brand-new zero trust design concept the Navy published this month puts it: “Every request for a resource is treated as potentially malicious.”
Voelker pointed out that these efforts build on the Navy’s move toward using outcome-based metrics. “To be able to pick out a bad actor or something that’s anomalous within the network very quickly and highlight that to the warfighter to take action is a critical one of those outcomes,” he said.
Other considerations are more human, such as user experience and ease of use. “Is that ease of use still the same under combat duress, when we actually have some kind of activity on the network and the tempo rises a bit for the [cyber defenders]?” Voelker said. “They need to continue to be able to take coordinated action to, for example, force a reauthentication for that particular user or possibly other countermeasures to help defend the technical baseline.”
Training next-gen cyber skills proves critical too
But the Navy’s workforce, from its cyber defenders to its acquisition community, also will need to get up to speed on how to think about security amid the huge culture change from perimeter defense to data defense and an assumption that adversaries are already inside the network.
As one baseline effort, the Pentagon’s Defense Acquisition University has started offering basic courses for practitioners focused on zero trust, and an educational working group within the Defense Department’s Zero Trust Portfolio Management Office is thinking about how to incorporate zero trust principles into the military services’ professional education programs and specialty training courses for enlisted military members.
“Industry is already employing these [zero trust] best practices, and one of the challenges we run into on the Navy side is that our A schools and C schools can’t move fast enough. These tools roll out sometimes every other week,” Goddard said.
“We want to reimagine what foundational training is. But with some of the cloud services that we’ve been able to onboard, it allows me to take somebody who’s a junior analyst or a junior operator that just showed up to the command, and within 30 to 60 days, get them really functional from an upskilling standpoint. We’re adopting industry best practices and tools to drive us to new outcomes that we didn’t previously think were possible, based on how fast that training can be delivered to us. We don’t have to send somebody back to Pensacola, where our cyber community’s A and C schools sit. They can do that right there live on the command.”