The COVID-19 pandemic marked the beginning of a cyber revolution at the Defense Department as it began a gradual shift from the Department of Defense Information Network (DODIN) to commercial cloud service providers (CSPs) to serve thousands of employees in a new remote environment.
Now that telework is a mainstay of the federal workforce, DOD's combat support agency wants a cybersecurity solution for the new normal.
The Defense Information Systems Agency (DISA) awarded Booz Allen Hamilton a $7 million contract in January to develop a zero trust prototype, called Thunderdome, which aims to reconcile zero trust ideals, identity management technology, and the secure access service edge (SASE) concept with endpoint security goals.
Before the pandemic, DOD employees accessed data, email and other resources to do their jobs through the DODIN.
“All the DOD workloads were sitting in data centers on the DODIN, then we had APIs at the perimeter that kept us safe from the dirty internet and that's how we did a lot of cybersecurity,” said Drew Malloy, technical director for the Cybersecurity and Analytics Directorate at DISA, in an interview with GovCIO Media & Research.
As more DOD employees moved to a telework environment, DOD routed their connections to the DODIN through a VPN, which turned out to be highly inefficient. DOD cyber leaders needed a new security solution.
“We were really trying to force traffic through the legacy way of how we architect the system and for us it didn't make sense,” Malloy said. “Telework was becoming a larger part of the business we do, and there was an increased migration to the cloud for a lot of DOD workloads. So how to do this smarter in a way that's highly secure and highly performative, that's really part of the journey toward this Thunderdome prototype.”
Malloy said DISA and DOD want to see if Identity, Credential, and Access Management (ICAM) and SASE solutions can work together in a zero trust environment, and how they could scale the combination of technologies across DOD.
SASE dovetails with ICAM in theory: a SASE solution evaluates the identity of the user trying to reach the DODIN and the identity of the user’s device, then checks whether that device is current on required security controls and software patches before granting access. For example, a verified user might be allowed to access some cloud-based resources on a personal device, like a smartphone, but not certain functions.
“From a SASE perspective, you have your gateway and then you have an agent on your endpoint that talks to your endpoint device to determine health and status and identity,” Malloy said. “Say you have the [user] identity, but coming from an unmanaged device, like your personal device, then maybe we throttle that you can access your web mail and [Microsoft] Teams and read-only documents, but you can't download any data.”
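The identity-plus-device-posture decision described above, written out as an added example. This is not code from DISA, Booz Allen Hamilton or the Thunderdome prototype; the patch-age threshold, the field names, the three permission tiers and the sample users and devices are all constructed for illustration, and the decision logic is one plausible policy, not DISA's.

```python
from dataclasses import dataclass
from datetime import date

# Policy knob. Hypothetical value chosen for illustration; the real
# Thunderdome thresholds are not public on this page.
MAX_PATCH_AGE_DAYS = 30


@dataclass(frozen=True)
class Identity:
    user: str
    credential_verified: bool   # strong credential (e.g. PKI) checked by ICAM


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    managed: bool            # enrolled in enterprise device management
    agent_healthy: bool      # endpoint agent reports a clean health status
    last_patched: date       # last date the agent confirmed patch compliance


# Permission tiers matching the outcomes in the article: full access for a
# healthy managed device, throttled read-only access for an unmanaged
# personal device, and nothing when a check fails.
FULL = frozenset({"webmail", "teams", "read_documents", "download_data", "internal_apps"})
THROTTLED = frozenset({"webmail", "teams", "read_documents"})
NONE = frozenset()


def evaluate(identity: Identity, device: DevicePosture, today: date):
    """Policy decision point: combine user identity with device posture.

    Returns (decision, permissions, reasons). Identity is checked first:
    without a verified user there is nothing to throttle, only to deny.
    """
    if not identity.credential_verified:
        return "deny", NONE, ["identity not verified"]

    reasons = []
    if not device.agent_healthy:
        reasons.append("endpoint agent reports unhealthy")
    patch_age = (today - device.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        reasons.append(f"patches are {patch_age} days old (limit {MAX_PATCH_AGE_DAYS})")
    if reasons:
        return "deny", NONE, reasons

    if device.managed:
        return "allow", FULL, ["managed device, healthy and patched"]
    # Verified user on a personal device: mail, chat and reading are fine,
    # but no data download.
    return "throttle", THROTTLED, ["unmanaged device"]


def audit_record(identity: Identity, device: DevicePosture, today: date):
    """One structured record per decision, so SOC tooling can alert on deny spikes."""
    decision, perms, reasons = evaluate(identity, device, today)
    return {
        "user": identity.user,
        "device": device.device_id,
        "managed": device.managed,
        "decision": decision,
        "permissions": sorted(perms),
        "reasons": reasons,
    }


# Constructed sample sessions (not real users, devices or dates).
TODAY = date(2022, 3, 1)
ALICE = Identity("alice", credential_verified=True)
MALLORY = Identity("mallory", credential_verified=False)
GOV_LAPTOP = DevicePosture("gov-laptop-01", managed=True, agent_healthy=True,
                           last_patched=date(2022, 2, 20))
PERSONAL_PHONE = DevicePosture("personal-phone-07", managed=False, agent_healthy=True,
                               last_patched=date(2022, 2, 25))
STALE_LAPTOP = DevicePosture("gov-laptop-02", managed=True, agent_healthy=True,
                             last_patched=date(2021, 12, 1))


def run_samples():
    """Evaluate the constructed sessions and return their audit records."""
    sessions = [(ALICE, GOV_LAPTOP), (ALICE, PERSONAL_PHONE),
                (ALICE, STALE_LAPTOP), (MALLORY, GOV_LAPTOP)]
    return [audit_record(i, d, TODAY) for i, d in sessions]


if __name__ == "__main__":
    for rec in run_samples():
        print(rec)
```

The point of the structure is that the device check and the identity check are separate inputs to one decision: a verified user on a stale or unhealthy device is denied, a verified user on a personal device is throttled to read-only services, and every outcome is emitted as a record a detection pipeline can consume.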
But too many SASE gateways and agents can be costly.
“If we have a bunch of different SASEs, now you're going to have a bunch of different agents on SASE endpoints,” Malloy said. “Then you get in the issue of resource confliction on the endpoint, as well as, how are we going to pay for all of this? SASE right now is based on the number of users that have it [so] those are things we're really keeping an eye on.”
Two of the big goals DISA has for the Thunderdome prototype are scalability and interoperability, which Malloy said will be a “huge, huge issue.” The DOD CIO's new zero trust office, stood up in December 2021, is focused on fostering zero trust interoperability throughout the department.
The ultimate goal of Thunderdome is to enable DOD employees and military service members to securely access the resources they need “without having to traverse the DODIN,” Malloy said.
“How do we go direct to that commercial cloud workload?” he said. “The Air Force has done some prototyping around cloud access point solutions, and we're working in partnership with them with the Thunderdome prototype to stand up a [memorandum of agreement] between the two of us — here’s your security stack, here's ours for Thunderdome, which one is best suited for the different kind of use cases we're trying to solve at the enterprise level, and going forward as a department, how do we want to procure these services and not create our own silos?”
Cyril “Mark” Taylor, CTO at Special Operations Command (SOCOM), said siloed data is a high-priority challenge for implementing zero trust across DOD. Overclassification is often the root cause of siloed data, which many DOD leaders are trying to address.
“We're having to get over decades of isolation,” Taylor said at a FedInsider webinar last week. “It's about getting folks to agree on how to classify. We have the challenge of trying to figure out what it is we want to do with the data. You've got to figure out some baselines. Because we've got multiple security clearance levels of classification, then it gets into the legalities of what can be done with the data relative to what you're trying to do. That's where having a CDO and data strategy has been helpful. It does start with mapping out what is the type of data, then coming up with the metadata tagging and all the different types of classifications, then you get into these buckets. You iterate from that.”
Jay Letteer, compliance branch deputy chief for the Marine Corps, echoed Malloy’s comments about the need for zero trust interoperability, a concept predicated on good data standards.
“You're not going to have good data management without the identity management to go along with it, it's a critical component,” he said during the FedInsider webinar last week. “How do we standardize those aspects of identity management that we have to be able to track down to the individual? We want to make sure the identity of the person and the device is irrefutable, and if it is, by all means, come in (to the network).”
Malloy, Taylor and Letteer all said moving to a zero trust architecture will not be like flipping a switch, but more like a journey, which Taylor said is what makes it an “evergreen” security solution.
“It's going to be a progression, we're not expecting this to be a Big Bang,” Malloy said. “As we move forward, what we're doing with ICAM and the endpoint, those are still going to be critical technologies. I don't see the requirements for the perimeter going away any time soon, bandwidth will be reduced as we offload a lot of that traffic to SASE solutions, so it's going to be a slow progression.”
The nebulous nature of zero trust makes interoperability a concern at DOD, but the lack of rigidity also allows each military service branch and DOD component to adopt iterations of zero trust that work for them and their mission sets.
“That's what I think will make it last the test of time,” Taylor said. “By that nature of it being a framework and not too prescriptive, it leaves it open enough to interpretation as long as you cover the basics.”
The Thunderdome prototype is the result of DOD’s shifting cloud needs, but it also heralds the dawn of DOD’s new approach to cybersecurity: one less focused on the perimeter, and more concerned with the data.
“We've been classically very network-centric in how we do cybersecurity,” Malloy said. “More and more we're going to need to move toward applications and the data layer to do cybersecurity at that level and figure out what the right mix is going forward.”
Note: A previous version of this article incorrectly stated the amount of the Booz Allen Hamilton contract. The correct amount is $7 million.