For once, the Defense Innovation Unit has solved its own problems.
While DIU typically works on challenges for military services and defense agencies, a recent project showed them how a secure approach to using commercial cloud services can work outside of the traditional Department of Defense methodology.
Rick Simon, program manager for the Secure Cloud Management project and contractor for the Defense Innovation Unit, said that of the 29 respondents to the office’s request for white papers, three prototypes were successful.
DIU released the three prototype Success Notes from Google, ZScaler and McAfee earlier this year, determining that each had met the pilot’s goals and that any Department of Defense entity can use the services to secure its access points to the cloud.
“It turns out that all three really offered similar abilities. They all offer what’s called SASE services, secure access service edge, and they all have a wide range of zero trust capabilities,” Simon said on Ask the CIO. “One of the interesting things is that in the original areas of interest (AOI), which is another word for a request for proposals, we didn’t include the phrase zero trust. DoD has become very focused on zero trust capabilities and zero trust architectures, and all three prototypes happened to offer these kinds of capabilities.”
Simon said that when DIU used the traditional cloud access point (CAP) security configuration, it experienced latency and made applications such as video conferencing difficult to use. Just as the Trusted Internet Connections (TIC) initiative needed updating for the remote workforce, DoD needed a simpler but still secure approach to using commercial cloud services.
DIU employees tested each of the prototypes to access its network. Where DIU typically buys and builds systems on behalf of others, this project attempted to address an internal problem that many other agencies – DoD and civilian – face.
“We divided our population into three groups, and each group was subjected to one of the prototypes. They downloaded the agents and worked on these prototypes. We wanted to make sure that we were evaluating the equivalency of the cloud access points,” said Simon. “We have partnered with the Defense Information Systems Agency to develop the assessment criteria. They took it from the Secure Cloud Computing Architecture document because it most directly defines the requirements of the CAP. But as the project progressed, it became clear that zero trust was becoming a more important part of the future of DoD. We also asked DISA to take inspiration from a draft of the zero trust reference architecture. It is now in published form, but it was a draft at the time, along with the security requirements guides in various other reference architectures, to develop a set of criteria.”
DIU and DISA measured the three prototypes against 77 different measurements to compare them to the CAP equivalence. Simon said the goal is to ensure the new approach doesn’t erode the trust capabilities around endpoint security, network security performance, and other security and control testing.
“We have engaged with each of the vendors and third-party assessment organizations to do the actual assessments. The results were published and widely disseminated within the DoD,” he said. “None of the vendors exceeded 77 metrics. In the evaluation, there were a handful of tests, for example, that required a red team, and we couldn’t afford, either ourselves or through our security service provider, to do any red team work. We therefore did not do these tests. There has been some testing regarding IPv6. But they all passed over 90% of their tests, and that was very encouraging for us.”
Production of prototypes
Once the prototypes have passed testing, DIU said any DoD agency or military service can work with suppliers to bring them into production.
“We will probably select one of these prototypes to go into production. It will probably be in the first quarter of fiscal 2022. We think we could pick one of them and have a lot of success with them,” said Simon. “We have discussed the project and the results of the project with many entities. Over the course of the project, I personally briefed probably 15 different DoD entities about what we were doing, and then they followed through with a newsletter that I created on the progress we were making on the project. Once it was complete, we put all of the artifacts, third-party assessment results documents, and lots of other project documents in a secure location where anyone in the DoD could access them, and download and read the documents that have been prepared. We believe various DoD entities will embrace it and, at the very least, use it as a guide to determining their own wave of zero trust.”
He added that DIU has also had discussions with other agencies about the prototypes, which he believes can help them approach a zero trust architecture by enforcing specific security policies.