WASHINGTON — Increased telework amid the coronavirus pandemic has accelerated conversations about zero-trust cybersecurity architectures, but IT officials at the Pentagon are still wrestling with how that would work for a department stretched across the globe.
The challenge for the Department of Defense is that its components have differing mission needs and operate across continents, which makes scaling a single approach across the department hard.
“There’s not a perfect template necessarily for every situation or every capability,” John Sherman, principal deputy chief information officer at the Pentagon, said in a September interview with C4ISRNET. “And this is where honest people can have good disagreements here over how you do this because this is a relatively new area.”
Mass telework introduced increased risk as personnel used home networks and personal devices to perform work through the Commercial Virtual Remote Environment, a platform the DoD stood up in response to remote work. That capability now has more than 1 million users, and the DoD wants to boost its cybersecurity level in the coming months to allow for more sensitive work as telework continues.
In a zero-trust architecture, no user or device is trusted by default, and identity and access are verified on each request rather than once at the network edge. That would make DoD networks harder to compromise, but setting it up is complex.
“One of the things that we’ve been trying to learn is what does it take to actually manage these environments,” DoD CIO Dana Deasy said during a media roundtable in late September. “So there’s an architecture stand-up side, but as I always like to tell people: We could put a brilliant architecture together, but if it’s not viable from a management/operations standpoint, that’s where this stuff gets really hard.”
According to Deasy, conversations around a zero-trust approach at the department started a year ago after his office formed a cross-functional team made up of the military services, U.S. Cyber Command, the Defense Information Systems Agency, the Defense Digital Service and industry.
This team, Deasy said, created a controlled environment to explore zero-trust concepts. It then used small networks inside the DoD to serve as a production environment.
Zero trust is an alternative to the virtual private network model, in which a user who has authenticated once is granted broad network access and can reach whatever that network exposes; under zero trust, each request to a resource is authorized separately. The DoD, Deasy said, is working on several zero-trust pilot programs and plans to take the lessons learned from those, as well as telework-related data, to determine a path forward on zero trust. Meanwhile, the Defense Information Systems Agency is expected to release a zero-trust reference architecture this year, but that won't fit every component looking at zero trust.
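The difference between the two models, as an added illustration that is not from the article, from DoD or from any vendor named here: a VPN-style check answers only "is the tunnel up?", while a zero-trust policy engine evaluates each request against the caller's role, device state, authentication freshness and the sensitivity of the specific resource. Resource names, roles and the re-authentication thresholds are assumptions chosen for the example, not real DoD systems or policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str            # "low", "moderate" or "high"
    allowed_roles: frozenset


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device_managed: bool        # enrolled/managed device vs. personal device
    device_compliant: bool      # patch level / endpoint-agent checks passed
    auth_age_s: int             # seconds since the last strong (MFA) authentication
    resource: Resource


# Constructed sample resources; names are hypothetical, not real DoD systems.
WIKI = Resource("wiki", "low", frozenset({"staff", "planner", "admin"}))
HR = Resource("hr-records", "moderate", frozenset({"hr", "admin"}))
PLAN = Resource("ops-plan", "high", frozenset({"planner", "admin"}))


def perimeter_decision(req: Request, vpn_session_valid: bool) -> bool:
    """VPN model: once the tunnel is up, the resource being requested is not consulted."""
    return vpn_session_valid


# Maximum age of the last strong authentication per sensitivity tier
# (assumed policy values chosen for this example).
MAX_AUTH_AGE_S = {"low": 8 * 3600, "moderate": 3600, "high": 600}


def zero_trust_decision(req: Request) -> tuple[bool, list[str]]:
    """Evaluate this request on its own: who, from what device, to which resource."""
    reasons = []
    res = req.resource
    if req.role not in res.allowed_roles:
        reasons.append("role not authorized for resource")
    if res.sensitivity != "low" and not req.device_managed:
        reasons.append("unmanaged device")
    if res.sensitivity == "high" and not req.device_compliant:
        reasons.append("device fails compliance check")
    if req.auth_age_s > MAX_AUTH_AGE_S[res.sensitivity]:
        reasons.append("strong re-authentication required")
    return (not reasons, reasons)


# Constructed sample requests; every user has already established a VPN session.
SAMPLE_REQUESTS = [
    Request("alice", "staff", True, True, 300, WIKI),
    Request("alice", "staff", True, True, 300, PLAN),       # VPN lets this through
    Request("bob", "planner", False, True, 120, PLAN),      # personal laptop
    Request("carol", "planner", True, True, 3000, PLAN),    # MFA too old for "high"
    Request("carol", "planner", True, True, 120, PLAN),
]


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Return (label, perimeter_allowed, zero_trust_allowed, reasons) for each request."""
    out = []
    for req in requests:
        label = f"{req.user}->{req.resource.name}"
        zt_ok, why = zero_trust_decision(req)
        out.append((label, perimeter_decision(req, True), zt_ok, why))
    return out


if __name__ == "__main__":
    for label, p, z, why in evaluate_all():
        verdict = f"perimeter={'allow' if p else 'deny'} zero-trust={'allow' if z else 'deny'}"
        print(f"{label:18} {verdict} {', '.join(why)}")
```

Every sample request passes the perimeter check, because the VPN model has nothing to say once the session exists; the zero-trust evaluation denies three of them for three different reasons. The re-authentication threshold is what makes the verification continuous rather than one-time: the same user on the same device is refused the high-sensitivity resource until she proves her identity again.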
“To meet the needs of specific organizations, there’s no specific solution out of the box … that’s going to work to meet their mission set,” said Andrew Schnabel, vice president of federal business at Zscaler, a cloud-based information security company that’s working on a zero-trust pilot with the Defense Innovation Unit, the Pentagon’s technology hub.
Another challenge is finding vendors equipped to work with an organization of this size. No single vendor can supply the whole solution, because no one company covers every piece of a zero-trust architecture.
“The thing that’s always challenging for us is how can they [vendors] demonstrate to us the sheer scale and sheer geography” required for DoD networks, Deasy said. “I mean, we are dealing with environments that are highly unusual and because of that there’s a ton of work that has to go into validating each of the vendors.
“So the biggest challenge is going to be bolting them together, getting them at scale, and then how do you operationalize it.”