Secretary of Defense Mark Esper speaks with the director of the Cybersecurity and Infrastructure Security Agency, Christopher Krebs, at CISA’s 2nd annual national cybersecurity summit, National Harbor, MD, Sept. 19, 2019

The Defense Information Systems Agency (DISA) is not known for being an agency that quickly embraces the latest industry buzzwords, and it has been cautious about adopting one of the buzziest cybersecurity terms of late—Zero Trust. Today, DISA has only one publicly acknowledged Zero Trust effort, a small pilot program with Cyber Command that goes back to last summer.

That may be changing. Steve Wallace, leader of DISA’s new Emerging Technology Directorate, said he is starting to become a believer. At an AFCEA D.C. luncheon last week, Wallace declared himself a “skeptic” of Zero Trust and joked about buying a “box of Zero Trust,” a gibe at companies whose marketing implies Zero Trust is a product that can simply be bought and installed on a customer’s network for instant Zero Trust. It’s not.

After the AFCEA D.C. panel session, Wallace told Breaking Defense why he’s changed his mind. 

“I was skeptical because of the buzzword nature of it. When you talk to vendors (they said) if you implement (Zero Trust) then you’re good to go,” he said, noting that Zero Trust is a set of design principles and not something that can just be plugged in. 

Wallace said he became a believer in Zero Trust after seeing it in operation.

“We met with a vendor on the West Coast — I can’t say who — and saw how they had implemented it end-to-end in their own infrastructure. They looked at (cybersecurity) holistically from the user identity, to the identity of the endpoint, to the application. I was very impressed with what they had done. 

“That got me thinking, OK, everything is just an attribute. Traditionally we worried about the CAC (Common Access Card); is the user a valid user (for example)? But we don’t look at the other attributes of the session, whether it be the user, the network, the time of day, (or whether) the machine is trusted. We think about those as attributes. The application has its own set of attributes. Zero Trust becomes an attribute-based access decision. We’ve been talking about ABAC (attribute-based access control) for years, typically around the users. But, in my mind, Zero Trust is about attributes around the whole stack.

“So that’s what we’re looking at and where we’re concentrating. What are the attributes around everything that’s in a user’s pathway to access a given set of data, and how do we make a proper decision about that?”

Wallace said the DoD is already using some of these concepts in its Comply to Connect program, which validates the attributes of endpoints such as laptops and mobile devices before letting them connect to the network.

Zero Trust is a methodology, not simply a tool or product. It packages a set of existing technologies and processes like multi-factor authentication, identity and access management, and data analytics to provide defense in depth to thwart adversaries even after they’ve breached networks.  

It operates on a simple concept: don’t trust anybody operating inside your network, and make them authenticate their identity over and over again. In practice, Zero Trust means an architecture of next-generation firewalls that segregate the network into small, separately managed zones (an approach often called micro-perimeters or micro-segmentation). Everyone — without exception — is required to provide multiple methods of authentication at each step of the way to access IP addresses, servers, data, and machines.

“Zero Trust architecture (ZTA) has the ability to fundamentally change the effectiveness of security and data sharing across DoD networks,” stated the Defense Innovation Board’s July 2019 report entitled, The Road to Zero Trust (Security). “From a security perspective, ZTA can better track and block external attackers, while limiting security breaches resulting from internal human error. From a data sharing perspective, ZTA can better manage rules of access for users and devices across DoD to facilitate secure sharing, from the enterprise center to the tactical edge.

“Furthermore, the network design and flexibility of (Zero Trust) will help DoD more rapidly adopt and implement critical network technologies and enablers, ranging from cloud computing to artificial intelligence and machine learning.”

Zero Trust is targeted at both outside attackers that have already breached the network and malicious insiders, and is designed to prevent them from moving laterally through the network as they seek out sensitive data. 

For example, Edward Snowden had legitimate credentials to operate as a subcontractor within the National Security Agency’s network. There was no way to know, however, that he was downloading top secret material about NSA surveillance programs because there wasn’t an additional micro-perimeter that prevented downloads without proper authentication. 

Zero Trust might have uncovered or prevented his activities through the principle known as least privilege, which grants users only the network privileges they need to reach the data, applications, and services necessary to do their job.
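To make concrete the two ideas the article has just laid out, Wallace’s point that Zero Trust turns access into an attribute-based decision over the whole stack (user, endpoint, network, time of day, application) and the least-privilege principle in the paragraph above, here is a small policy engine written for this article. It is constructed example code, not DISA’s, DoD’s or any vendor’s implementation; the resource name, roles, attribute fields, policy values and sample sessions are all assumptions. The second sample session is an illustrative analogue of the credentialed-insider case described above, with a valid credential but every other attribute of the request out of policy.

```python
"""Attribute-based access decisions for a Zero Trust policy engine (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import time

# Ordering used to compare a user's clearance with a resource's classification.
CLEARANCE_RANK = {"unclassified": 0, "secret": 1, "top_secret": 2}


@dataclass(frozen=True)
class Session:
    """Attributes observed on one access request (field names are assumptions)."""
    user: str
    role: str                 # job role, the basis for least-privilege checks
    clearance: str
    mfa_verified: bool        # smart-card certificate plus PIN check passed
    device_compliant: bool    # endpoint posture check passed (Comply to Connect style)
    network: str              # network segment the request arrives from
    request_time: time
    action: str               # "read" or "download"
    resource: str


@dataclass(frozen=True)
class ResourcePolicy:
    """Per-resource rule set; every attribute in the access path gets a rule."""
    classification: str
    actions_by_role: dict[str, frozenset[str]]   # least privilege: role -> permitted actions
    allowed_networks: frozenset[str]
    hours: tuple[time, time]                     # inclusive window in local time
    require_compliant_device: bool = True


# Constructed policy; the resource name and every value are illustrative only.
POLICIES: dict[str, ResourcePolicy] = {
    "intel/program-briefs": ResourcePolicy(
        classification="top_secret",
        actions_by_role={"analyst": frozenset({"read"}),
                         "program_manager": frozenset({"read", "download"})},
        allowed_networks=frozenset({"enclave"}),
        hours=(time(6, 0), time(20, 0)),
    ),
}


def perimeter_decision(s: Session) -> bool:
    """Castle-and-moat check: a valid credential and sufficient clearance is all it asks."""
    policy = POLICIES.get(s.resource)
    if policy is None:
        return False
    return s.mfa_verified and CLEARANCE_RANK[s.clearance] >= CLEARANCE_RANK[policy.classification]


def zero_trust_decision(s: Session) -> tuple[bool, list[str]]:
    """Evaluate every attribute on the path to the data; deny by default, name each failing one."""
    policy = POLICIES.get(s.resource)
    if policy is None:
        return False, ["no policy registered for resource"]
    reasons: list[str] = []
    if not s.mfa_verified:
        reasons.append("identity: MFA not verified")
    if CLEARANCE_RANK[s.clearance] < CLEARANCE_RANK[policy.classification]:
        reasons.append("identity: clearance below resource classification")
    if s.action not in policy.actions_by_role.get(s.role, frozenset()):
        reasons.append(f"least privilege: role '{s.role}' may not '{s.action}' this resource")
    if policy.require_compliant_device and not s.device_compliant:
        reasons.append("endpoint: device failed posture check")
    if s.network not in policy.allowed_networks:
        reasons.append(f"network: requests from '{s.network}' not permitted")
    start, end = policy.hours
    if not start <= s.request_time <= end:
        reasons.append("time: request outside permitted hours")
    return not reasons, reasons


# Constructed sample sessions. The second mirrors the credentialed-insider case in the
# article: the credential is valid, but every other attribute of the session is wrong.
ANALYST_READ = Session("a.ortiz", "analyst", "top_secret", True, True, "enclave",
                       time(10, 30), "read", "intel/program-briefs")
INSIDER_DOWNLOAD = Session("contract.admin", "sysadmin", "top_secret", True, False, "vpn",
                           time(2, 15), "download", "intel/program-briefs")


def explain(s: Session) -> str:
    """Render the perimeter and Zero Trust verdicts side by side for one session."""
    allowed, reasons = zero_trust_decision(s)
    verdict = "ALLOW" if allowed else "DENY"
    perimeter = "ALLOW" if perimeter_decision(s) else "DENY"
    lines = [f"{s.user} {s.action} {s.resource}: perimeter={perimeter} zero_trust={verdict}"]
    lines.extend(f"  - {r}" for r in reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    for session in (ANALYST_READ, INSIDER_DOWNLOAD):
        print(explain(session))
```

The contrast is the point: `perimeter_decision` allows both sessions, because both carry a valid credential with sufficient clearance, which is exactly the blind-trust failure the article describes. `zero_trust_decision` allows the analyst’s daytime read from a compliant device inside the enclave and denies the insider’s download on four independent attributes (role, endpoint posture, network, time), each of which a defender can log and alert on.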

The Origins of Zero Trust

Walk among the booths at any cybersecurity conference and you’ll see multiple vendors hawking Zero Trust as the latest in cybersecurity. But it has been around for at least a decade. The concept was first proselytized by a Forrester Research analyst in 2010.

Some background is necessary to better understand Zero Trust and why the two most common types of cybersecurity architectures aren’t working. 

The first architecture is the basic castle-and-moat structure where defined perimeters are protected by firewalls. Once inside the perimeters, however, users and malicious actors can move unfettered between applications and data servers. 

The second structure reflects today’s expanding environment: endpoint protection added to address cloud computing and mobile devices. Like castle-and-moat protection, though, anyone can roam inside the network once the endpoints are breached.

The main security fault for each architecture is that perimeter protection is built on trust. If you have the proper passwords and credentials you can penetrate the network, whether you’re a legitimate user or an adversary.

The reality, however, is that there is a long list of companies and government agencies that have fallen prey to phishing attacks where employees unwittingly gave away legitimate credentials. Many of those led to privilege escalation, where attackers gained network access through the accounts of lower-level employees and then maneuvered their way to higher privileges and sensitive data—resulting in breaches with huge impacts on operations and national security. Studies have shown that this type of espionage can go on for six months or more before a company discovers the breach. 

Third-party vendors working for major defense primes are of particular concern, as they often don’t have sophisticated cybersecurity capabilities to keep hackers out—opening the door to the theft of data related to major weapons systems. 

“This method of blind trust in users and devices inside the perimeter of the network is not sustainable, and will continue to put national security information and operations at risk until it is resolved,” said the Defense Innovation Board, which is a federal advisory committee established to provide independent advice to the Defense Secretary. “Alternatively, Zero Trust doesn’t provide for default trust. Rather, it takes human error out of the equation by requiring an understanding of users and machines, identification of end points and their security status, and governance around network access policies.”

Zero Trust in the DoD

Zero Trust has been on the Pentagon’s radar for some time, but implementation of its methodology was only made a concrete goal in July 2019 when it was included in the Defense Department’s 72-page DoD Digital Modernization Strategy. 

That’s likely due to DoD’s embrace of cloud computing under the Joint Enterprise Defense Infrastructure (JEDI) program. While various military organizations have stood up their own purpose-built clouds, the $10 billion JEDI contract (won by Microsoft, but protested by Amazon Web Services) is the first attempt at installing a DoD-wide cloud computing architecture.

“Cloud deployments are excellent candidates for implementing zero trust concepts, especially when using commercial clouds,” states the modernization strategy. “If the cloud infrastructure itself is ever compromised, a Zero-Trust-compliant architecture provides protection from adversaries seeking to entrench themselves in our virtual network. 

“While commercial clouds offer an excellent opportunity to scale capability and control costs, they pose risks since we do not control the infrastructure and there may be delays in communicating compromises. The assumption zero trust makes—that you are compromised—is particularly suited to cloud infrastructures.”

While the strategy doesn’t set out any timeline for Zero Trust implementation, it does acknowledge that the timeline is indefinite because of the large number of siloed networks across DoD. And as with any management activity that potentially diminishes an individual’s power within an organization (in this case, the potential loss of certain network privileges), there is also a cultural dimension that must be addressed.

“Any shift to (Zero Trust) would likely have to be incremental, starting with a standard set of identity checks for applications and services that could gradually be integrated into common mechanisms for authentication and authorization across DoD,” according to the Defense Innovation Board. “As part of this effort, DoD will need to improve its digital management and tracking of user roles (and changes to those roles) across the organization in order to build access control for specific applications and services. 

“While some of this effort will require security architecture reconfiguration, there will also need to be a shift in the security culture throughout DoD to promote accurate and consistent record-keeping of roles and other identity characteristics.”