Has your computer ever ground to a halt? If you hit CTRL+ALT+DEL and open Task Manager, do you see your CPU, Memory, and Hard Drive pegged at 90%-99%? For the Navy, one of the major causes is multiple security agents running on your government computer. This is the typical experience of “more security.” This approach to security is focused on making your computer secure, so it can be trusted, so it can be allowed to access the applications and data we want to protect. In essence, your computer – and everyone else’s – form a perimeter (or fence) around the Department of the Navy’s valuable information assets.
The problem with a perimeter, fence, or wall is that once you’re in, you’re in. Whether you’re the Germans bypassing the Maginot Line via Belgium, a near-peer adversary using a sophisticated “supply chain” attack on the SolarWinds IT management software to gain legitimate access to government networks, or just the victim of a phishing email in which you willingly give up your username, password, Social Security number, and so on, once you’re past the border, you’re in. More advanced approaches to perimeter defense employ “defense in depth,” creating multiple firewalls (literal and figurative) to mitigate this risk, but the approach obviously yields diminishing returns.
Let’s take the example of your rooftop penthouse in a high-rise condo building in Metaphor City. (It’s best to use a relatable example.) There might be a public lobby, with a security gate to reach the elevators. You might need authorization to reach the rooftop level, then another code to enter the penthouse. Maybe that only gets you access to the entertaining spaces but not the private living spaces, let alone the rooftop pool or helipad. Controlling access to concentric perimeters is defense in depth. You have secured locations, and you are trusting that those who hold the codes, and the chosen security systems themselves, are trustworthy and not vulnerable.
Now enter the gal wearing all black and an eye mask, carrying money bags, who has gained access to your penthouse through stolen access codes (she may have been a friend of your disgruntled colleague) and is attempting to open the safe holding your prized ruby collection. She is in and able to create havoc simply because she was able to get in. She has no right to the contents of your penthouse, she was not invited, she’s in an unidentifiable form (burglar chic, we can call it), and your security strategy did not include a second defense for when the first was compromised. Securing and controlling access through multiple factors – identity, location, device, threat environment – provides better odds of keeping this uninvited guest from achieving her objective, and it describes another approach to security, one based on zero trust.
In zero trust, we assume that someone will sooner or later get access inside our perimeter. While we never want to abandon the principle of pragmatic perimeter defenses, it makes sense to quickly switch our strategy and resources to protecting the contents, ensuring that a malicious actor can’t steal or compromise data or applications once inside. A Zero Trust Architecture takes into account who you are, what device you are using to access the system or data, what the data is and if you should have access, what else is occurring from a threat perspective, and selectively grants limited-rights access based on what thresholds those scores reach in a dynamic fashion. Maybe you can see all the purchase order items and quantities in Navy ERP, but not the cost or accounting data. Maybe you can reach information published for all DON employees but not readiness dashboards.
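As an added illustration (not from the article or from any DON system), here is a toy policy decision point in Python that scores the factors the paragraph lists (identity, device, threat signals) and grants only the resources whose per-resource threshold and role requirement are met, so a logistics user can see purchase order items but not cost data. Resource names, roles, weights and thresholds are constructed placeholders, not a Navy ERP schema or a real risk engine.

```python
from dataclasses import dataclass

# Constructed policy table: each resource has a minimum trust score and the roles
# allowed to reach it. Names are illustrative placeholders, not real system objects.
RESOURCE_POLICY = {
    "po_items":            {"min_score": 50, "roles": {"logistics", "finance"}},
    "po_cost":             {"min_score": 80, "roles": {"finance"}},
    "all_hands_news":      {"min_score": 20, "roles": {"employee", "logistics", "finance"}},
    "readiness_dashboard": {"min_score": 90, "roles": {"operations"}},
}

@dataclass(frozen=True)
class AccessContext:
    user: str
    roles: frozenset          # identity: who you are
    mfa: bool                 # strong multi-factor authentication used on this session
    device_managed: bool      # device: enrolled in device management
    device_compliant: bool    # device: patched, encrypted, agents healthy per policy
    signin_risk: str          # threat: "low" | "medium" | "high" from a risk engine

def trust_score(ctx: AccessContext) -> int:
    """Combine identity, device and threat signals into one 0-100 score.
    Weights are constructed for illustration; a real engine would be tuned and audited."""
    score = 40 if ctx.mfa else 15
    score += 25 if ctx.device_managed else 0
    score += 25 if ctx.device_compliant else 0
    score += {"low": 10, "medium": -20, "high": -100}[ctx.signin_risk]
    return max(0, min(100, score))

def authorize(ctx: AccessContext, requested: list) -> list:
    """Return the subset of requested resources this context may access right now.
    Evaluated per request, so a change in device posture or risk changes the answer."""
    score = trust_score(ctx)
    granted = []
    for res in requested:
        pol = RESOURCE_POLICY.get(res)
        if pol is None:
            continue  # unknown resource: deny by default
        if pol["roles"] & ctx.roles and score >= pol["min_score"]:
            granted.append(res)
    return granted

if __name__ == "__main__":
    office = AccessContext("j.sailor", frozenset({"logistics"}), True, True, True, "low")
    print(authorize(office, list(RESOURCE_POLICY)))  # items and news, no cost, no dashboard
```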
What does this mean for your work experience? Let’s go back to your government laptop, stuck at 99% utilization. When we design for zero trust, we are no longer focused on the quantity of endpoint defenses. Instead, we invest in the right tools to monitor perimeters and data, and we focus on validating users, their devices and their access rights, minimizing or eliminating the competing endpoint security solutions that suck the life out of our end user experience.
During this last year’s pandemic the DON and all of the Defense Department have leveraged a Microsoft Office 365 Teams environment called CVR (Commercial Virtual Remote) that allowed users to collaborate and share data and documents in a cloud environment utilizing a Zero Trust Architecture. This enabled a disadvantaged workforce, without their usual office IT tools, to increase productivity during an unprecedented period in which a majority of the workforce worked remotely. CVR saved many of us and opened up the opportunity to consider an alternate path to security and improved productivity.
A DoD-wide desire to maintain the CVR-like capability prompted U.S. Cyber Command to issue a plan order (PLANORD) searching for the ideal cyber defensive tool suite that would provide better security based on zero trust principles and an improved customer experience. The PLANORD effort offered the Navy a glimpse of our future path for more granular and more pervasive security in the cloud and an improved customer experience! You get more access and more freedom, while the DON gets more security and more control over data. More Secure = More Usability.
Going forward, the replacement for CVR after its June 2021 expiration will be a full implementation of zero trust for all of DoD. This has profound implications for our mental models of network access and similar offerings. It is our first foray into managing security in the cloud, and it establishes confidence that we can operate and defend a cloud ecosystem.
Consider that pre-COVID, we thought of MS Office productivity and collaboration capabilities as traditional perimeter defense-in-depth as illustrated in Figure 1.
But in the future, we can actually decouple our MS Office access from the underlying network and device aligned with zero trust principles, as shown in Figure 2.
The Program Executive Office (PEO) Digital’s approach to this modern paradigm for consuming cloud services is called Operation FLANK SPEED (OFS), and in conjunction with DoD CIO, the Defense Information Systems Agency (DISA) and USCYBERCOM, is setting the pace for engineering DoD zero trust solutions. And at long last, both the citizens of Metaphor City and the DON workforce will find both security and freedom.
On 11 Jan 2021, DoD CIO issued a memorandum providing supplemental guidance for implementation of the post-CVR Microsoft 365 collaboration capabilities, using zero-trust principles. Specifically, for direct internet access via web browser in an Impact Level 5 (IL5) cloud environment, the minimum mandatory solutions are Microsoft’s Azure Active Directory Premium 2 (AAD P2), Sentinel, and Lighthouse products, and use of the DoD Tenant Configuration Guide. Additional configuration policy will continue to be issued to ensure a successful transition off of CVR in June of 2021.