Security-Focused Agencies Tackle Integration Challenges of Digital Services

Low code and other cloud capabilities are used throughout DOD to ease transformation of digital services development.

This is too difficult. It is taking too much time. This is useless. These are some of the common complaints in ramping up digital services at the Defense Department. The agency has set out on a mission to make the transition into more digital operations smoother, easier and faster when there’s no time to wait. 

“This technology that you’re trying to implement takes too much training for me to understand, and I need it right now,” said Maj. Evan Adams, product owner and information systems engineer at Project Ridgway within the Army XVIII Airborne Corps, at an ATARC event this month. “Unless I can pick it up and use right now and it provides no value, then it’s useless for me, you’re adding more work to me.”

Another challenge is getting leadership more involved. If the boss doesn’t want to see the work, then it’s worthless.  

“How leaders can get engaged with it early to understand the information and understand where the information comes from, that’s really the second challenge and where we fit in,” said Adams. 

A key requirement in digital services is access to data. Some officials at the Department of Homeland Security have touted methods like low code development for their ability to collect data very quickly and stand up a multi-user interface with strong authentication. But there are some pitfalls when it comes to using these tools.

“Everything looks really easy until you start to really confuse the underlying data model. You need to still follow some of the old school classic procedures of developing a model of data, understanding of what data you are going to collect and then what data are you going to expose to what entities for reporting,” said DHS Executive Director of Information Sharing and Services Office Philip Letowt at ATARC’s event. “Part of the art is understanding where those boundaries exist and how to best use the tools to emphasize their strengths and avoid their weaknesses.” 

When it comes to digital services, DHS believes that you should focus on building and funding strategies that will stay around for decades. Plus, the department sees promise in automating many of these processes to enable faster development. 

“Using services, workflow packages and low code to be able to automate things, we need to invest our money in things that have a future not just something that is going to just smear some paste over something,” Letowt said.  

According to Adams, it’s about how to integrate these new tools in order to make these decisions better, faster and more informed. The tools are also empowering the workforce. 

“A lot of these technologies are filled with potential and possibilities. Then tapping into the younger soldiers, and then partner with industry to see how we can implement these things to gain that asymmetric advantage,” he said. “Because it’s not going to be done in the factory anymore, we’re over that. It’s really being able to capitalize on the spark of creativity.”

With digital transformation strategies, DHS and the Army have both experienced a large amount of success.  

“Having that set of design patterns the team knows how to implement, that their roles and responsibilities are clearly defined, that the technology is set up to expand horizontally allows us to be much more effective in terms of meeting the solution. And that’s one place where low code has come out to be a real winner in that we’ve been able to replicate things very quickly in stand-up applications in very short order that historically what would have taken months to do we’ve done in weeks,” said Letowt. 

With any strategies around data, cybersecurity approaches in zero trust are important to ensuring that data is secure from external threats.  

At the Navy, this means taking charge of appropriate identity management solutions first. In doing so, the agency is throwing its support behind the idea of moving away from compliance toward readiness.

“That cultural component of readiness should and will go beyond things not just the way we look at our risk management framework — our ability to ensure that our systems, our critical infrastructure and weapons systems, our mission forces, all of the things we are going to need to operate in cyberspace are ready when needed to perform the duties, functions and tasks that they are designed to go do,” said Navy Principal Cyber Advisor Chris Cleary at SailPoint’s Government Identity Security Summit this month. 

Tackling identity solutions began as a response to financial audits that were being conducted in the Navy. Cleary said an identity strategy is one of the fundamental building blocks of zero trust.  

“There’s not one product out there that you can buy that deploys as a zero-trust architecture. It’s a concept, it’s an idea, it’s a belief system, but a fundamental foundational thing that you must have to get to a zero-trust architecture is an identity strategy,” said Cleary. 

Cleary said that, overall, industry is going to play a major role in making the Navy more cyber secure.

“Industry has stood up and answered the call for cybersecurity. The government needs to do a better job of understanding that’s where innovation happens, innovation happens in industry. We have to be better about acknowledging and accepting innovations. Doing things that allow us to innovate faster,” Cleary said. 

This is just one example of DOD’s approach to meeting zero trust requirements as outlined in an executive order earlier this year. In May, the Defense Information Systems Agency released a Zero-Trust Reference Architecture to help the military maintain information superiority on the digital battlefield. 

“It’s an initial look at how DOD is modernizing cybersecurity strategy by focusing on data and application-centric security less so rather than just a network and perimeter base,” said DISA Chief Engineer of Security Enablers Brandon Iske at the Government Identity Security Summit. “At the end of the day, it’s still a cybersecurity strategy, but it still leans on things that we are doing and it does present opportunities to change other areas.” 

DISA is also pushing another initiative called Thunderdome, a network modernization approach aligned with zero trust principles. Thunderdome also focuses on how to connect to applications and users and on modernizing the perimeter.

“Software-defined enterprise — so those capabilities from the DISA perspective is our bread and butter of being a network service provider and IT provider for the department. It’s our ability to provision networks and do that in a more dynamic and rapid fashion versus just circuit ordering is really where we have to truly modernize there and that has so many efficiencies and cybersecurity benefits,” said Iske. 

As time goes on, Identity, Credential and Access Management is becoming more important and gaining momentum in DOD.

“How we collaborate going forward is based on how we do identity, especially in a multi-tenant commercial cloud environment,” said Iske. “All of these things are fundamental capabilities that we have to get right, otherwise our interoperability challenges just become extreme down the road. So, I’m very energized by it, I’m excited about with where we’ve been with our pilot, but we have a long road ahead of us.” 

Moving into 2022, the department is setting up great groundwork for continued innovation for digital services. 

“We’ve created a couple of instances where we used virtual machines to increase the capability of some of our mission command platforms notably the Dragon Cloud, which uses CPCE — our new Command Post Computing Environment — that’s a huge prospect,” Adams said. 

“We’re going back to building out the existing infrastructure that we have, developing applications and developing solutions for our business units. We will be focusing more on natural language processing and handling some of the document classifications going on. There are a number of things that we have been doing this year and we’re planning on expanding on those things in the next 12 to 18 months. We had a successful year and we will build upon that success,” said Letowt.  

 

 