The Defense Information Systems Agency's (DISA) Thunderdome project was developed in answer to the question, "How do we really change the dynamic of the way that we're protecting the network?" said CTO Steve Wallace.
The agency is making a bold move away from its legacy guard-the-perimeter approach to holistic network security, and Thunderdome is its jumping-off point for building a comprehensive zero trust architecture.
"It's not going to be perfect, but one of the tenets we had going into this was, 'Let's not study this problem for years, and then come out with what we think the perfect solution is going to be,'" DISA Cyber Development Directorate Director Drew Malloy said at AFCEA's TechNet Cyber in Baltimore this week. "Let's just start. Let's start somewhere and iterate off of that."
While Thunderdome is being phased in, the legacy Joint Regional Security Stacks (JRSS) program will be incorporated and phased out, Malloy said.
"JRSS was narrowly scoped to a mid-tier security stack," Malloy said. "It was an enterprise capability, a joint solution that everyone was always going to get on. Thunderdome is a bit different — the scope is much broader. Now we're talking about endpoint all the way up to the applications data layer and everything in between and modernizing the network. It's a much different scope. What we are doing with Thunderdome is going to replace the security functionality of JRSS."
The replacement process will require careful consolidation and iteration to transition DISA to true zero trust architecture.
"We as a department have to work together moving forward to figure out what that migration path is going to be so we can gracefully sunset JRSS and move toward a zero trust architecture in line with the [distributed network protocol (DNP)] guidance," Malloy said. "It's not a one-for-one replacement. It's going to be an evolutionary look at how we do security differently."
Wallace credited the JRSS program with building DISA's network awareness, an understanding that was integral to Thunderdome's development.
"JRSS received its fair amount of criticism over the years, but the reality is JRSS helped us to get a picture of the network like we had never had before," he said. "It helped us consolidate a number of functions across the department that we hadn't done before. What we're doing here with Thunderdome is the next generation, taking a lot of these newer concepts and applying them."
One of the core functionalities of Thunderdome is micro-segmentation. Based upon data and attributes about a system user, their endpoint and their session, DISA will direct that user's network access. In this model, if a verified trusted user is operating a personal device or accessing a public network, their system access could be adjusted accordingly. This security strategy is a part of DISA's Secure Access Service Edge (SASE) technology, which consolidates security enablers such as identity, credential and access management (ICAM) and DevSecOps in a single cloud-delivered service model.
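As an added illustration of the attribute-driven access decision described above (example code written here, not DISA's or Thunderdome's implementation; the segment names, attribute fields and thresholds are assumptions for illustration):

```python
# Illustrative attribute-based access decision for micro-segmentation.
# Assumptions: four notional segments, four session attributes, and the
# thresholds below. None of these are DISA's actual policy values.
from dataclasses import dataclass

SEGMENTS = ("email", "collab", "mission_apps", "admin")


@dataclass(frozen=True)
class SessionContext:
    identity_verified: bool   # strong authentication confirmed by ICAM
    device_managed: bool      # enterprise-managed endpoint (False = personal device)
    network_trusted: bool     # enterprise network (False = public network)
    mfa_age_minutes: int      # minutes since the last multi-factor step-up


def allowed_segments(ctx: SessionContext) -> frozenset:
    """Return the segments this session may reach.

    Location alone grants nothing: every attribute is re-evaluated on each
    request, and the reachable set shrinks as the posture weakens.
    """
    if not ctx.identity_verified:
        return frozenset()                       # unverified user: no access
    granted = {"email"}                          # verified user: baseline only
    if ctx.device_managed or ctx.network_trusted:
        granted.add("collab")                    # one weak attribute still limits scope
    if ctx.device_managed and ctx.mfa_age_minutes <= 8 * 60:
        granted.add("mission_apps")              # sensitive apps need a managed device
    if ctx.device_managed and ctx.network_trusted and ctx.mfa_age_minutes <= 15:
        granted.add("admin")                     # admin needs full posture and fresh MFA
    return frozenset(granted)


def authorize(ctx: SessionContext, segment: str) -> bool:
    """Per-request check a policy enforcement point would call."""
    return segment in allowed_segments(ctx)


def demo() -> dict:
    # Constructed sample sessions; the trusted user on a personal device
    # or public network is the case the text calls out.
    samples = {
        "managed_on_enterprise_net": SessionContext(True, True, True, 5),
        "personal_on_public_net": SessionContext(True, False, False, 5),
        "personal_on_enterprise_net": SessionContext(True, False, True, 5),
        "managed_but_stale_mfa": SessionContext(True, True, True, 600),
        "unverified_identity": SessionContext(False, True, True, 1),
    }
    return {name: sorted(allowed_segments(ctx)) for name, ctx in samples.items()}
```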
The Thunderdome project will also integrate new dashboarding capabilities to enhance cyber situational awareness and software-defined wide area network (SD-WAN) technology to optimize and secure network traffic.
While Thunderdome will deploy many new technologies and strategies, Malloy emphasized that the prototype does not outline a finish line or a complete solution for DISA's zero trust journey.
"Now, is this going to be the 'be all end all' for that on zero trust? Absolutely not," he said. "But these are the large deltas that we identified in our architecture that we felt we needed to prioritize. There's going to be a big play around endpoint; we have a big ICAM integration effort that's going to have to happen as part of this. And then there's a number of other technologies that we haven't gone after just yet, but we know are out there and are things that we want to identify and highlight — especially around the application security stack."
Web applications are typically the most exposed part of information systems and may provide an entry point for data breaches and internal network infiltration, said Rob Barney, solutions engineer at Invicti Security. The zero trust approach is changing the way that agencies address these weaknesses.
"Zero trust will usher in a new era of operations for agencies, including big changes in how they create and maintain applications, one of the most significant attack vectors," Barney said. "The push for the optimal approach to securing application workloads is a clear call for the level of orchestration, automation and governance that only modern web application security solutions can provide."
Malloy said DISA is currently modernizing its application security stack to offer a blueprint that application owners can build on. DISA is looking for capabilities such as vulnerability scanning, container scanning, asset inventory and asset control.
The Thunderdome project is currently in phase one, which DISA Cyber Security & Analytics Directorate Program Manager Alan Rosner said will likely last through the fall. Initial sites for the prototype include the DISA headquarters, the DISA Pacific Command and the Joint Service Provider to the Pentagon.
"I can't stress enough, what we're doing right now is a prototype," Rosner said. "The goal is to learn from that as much as possible."
Phase two will involve operational testing, a formal process evaluating all aspects of the system. DISA anticipates phase two will continue through January of the next calendar year, and then DISA will decide whether and where to scale up the program.