Some programs are already operating under a zero trust framework, but the enterprise as a whole still needs basic tools for things like identity, credentials and access management.
The U.S. Air Force has already established pockets of zero trust in some of its programs, but there’s still a ways to go before the full zero trust vision is achieved, according to the service’s chief information officer.
Platform One and Cloud One, the Defense Department’s enterprisewide DevSecOps service and the Air Force cloud computing home, respectively, are fully architected for zero trust, Air Force CIO Lauren Knausenberger said during a Thursday Dcode webinar. The Air Force is also working on integrating zero trust in its Office 365 implementation, she said.
“So we have these little pockets of zero trust, but we're also doing some basics right now,” Knausenberger said. For example, “You can't really get to zero trust if you don't have a solid [identity, credential, and access management] solution.”
Zero trust is becoming a cybersecurity buzzword, but the model calls for a move away from traditional perimeter defense, which assumes anything that has successfully made it inside the border wall is trustworthy. In a zero-trust environment, networks are micro-segmented such that identities and authorizations must always be verified. The Defense Information Systems Agency last year announced it would publish a zero trust reference architecture.
Ultimately, Knausenberger said the goal is to have one domain that is a secret cloud, is software-defined, allows for seamless collaboration with allies and is optimized for DevSecOps.
In addition to working on an enterprise ICAM solution, the Air Force has also developed a maturity model that outlines all of the activities needed to create a true zero-trust environment, Knausenberger said. The model is a roadmap of sorts, she said.
“We have to do a better job of funding the roadmap,” Knausenberger said. “But this is all very new, like to date, we've been doing zero trust projects. It's just been very recently that we have kind of zero trust maturity model and are starting to put in place the people that are in charge of making sure that the data tagging, you know, initiative and level of maturity moves forward.”
On the funding point, Knausenberger raised concerns about how digital modernization and innovation projects will proceed under defense budgets with shrinking toplines. That defense budgets are likely to flatten or shrink is a widely accepted theory, though some Republican lawmakers are still pushing for 3 to 5% growth.
The Biden administration’s dialogue around innovation—calling for more spending on cyber and digital modernization—is positive, in Knausenberger’s assessment. But whether those priorities can be realized all comes down to what lawmakers decide to prioritize when making authorization choices.
“We need to just have really great enterprise solutions that everyone knows to use, and the only way to do that is by making investments and then by killing off the legacy,” Knausenberger said.