Cybersecurity is due for a paradigm change. Many organizations continue to rely on traditional perimeter-based security measures, even though they know that cloud, mobility and related technologies have rendered the perimeter far more porous than they would like – and their network assets far more vulnerable.
The Air Force is in the vanguard of major organizations that are looking to something called zero-trust architecture. GovLoop sat down with William Marion, the service’s Deputy Chief Information Officer (CIO), to learn more about its strategy.
Challenge: Good Security in an Era of Increased Complexity
Like many organizations, the Air Force has responded to the growing complexity of the IT environment by adding layer upon layer of security. Cyber experts talk about security measures as “walled gardens” designed to keep assets safe from intruders.
The problem is that the Air Force IT enterprise is larger and more complex than that of most organizations: Operations stretch from one part of the globe to another, and data and applications cross multiple types of networks. Ideally, the service wants to create an end-to-end secure enterprise, because cyberspace is contested space. “It’s a wicked scale problem,” Marion said.
The traditional solution? Build more walled gardens. Unfortunately, with the complexity of the environment, any given transaction, such as retrieving data, needs to pass through multiple walled gardens and checkpoints, which translates into a big hit on performance. The user experience (UX) “is intolerable,” he said. Something else is needed.
Solution: A Zero Trust Architecture
An analyst at Forrester Research was the first to articulate the concept of a zero-trust architecture in 2010, but the notion is not new. As long as agencies have been adding encryption and other security measures to mobile devices, they have been taking a zero trust-like approach.
Traditional perimeter-based security is the equivalent of having a security guard at the front of your office building and requiring everyone to show an ID card to enter. If that is the only entrance, you might be safe to assume that everyone in your office has permission to be there – that is, security cleared them to be there. That’s perimeter-based security.
But what if you add multiple entrances to the building, so many, in fact, it’s no longer practical to rely on guards? At that point, you need to lock individual offices and systems with a security fob system, with each person’s fob configured to access only the resources they need for their jobs. That’s zero-trust security.
The goal is to apply security controls within the network itself, locking down individual datasets, applications and systems. That’s the model that the Air Force is adopting.
Outcome: Better Security, Better UX
As always, when Air Force leaders think about outcomes, they think in terms of mission. Given that cyber is contested space, strong security is essential. But so is a good user experience (UX). If airmen and airwomen on the flight line are unable to access the information that they need at mission speed, that’s a problem.
By putting controls in place at the application and data levels, a zero-trust approach should improve overall security and reduce the need for walled gardens – which should improve UX. That’s not to say that the Air Force will cease to defend the perimeter. But the perimeter will no longer be the last line of defense.
Zero trust is part of a much broader effort to change how the Air Force approaches IT. In the past year, the service has piloted different components of its vision of Enterprise-IT-as-a-Service, in which it will rely on contractors to deliver core commercial IT services. Another program, called Cloud Hosted Enterprise Services, delivers email, calendaring and virtual collaboration tools worldwide through the cloud-based Microsoft Office 365.
Zero trust represents a big change, but it’s a necessary one, Marion said. “We’ve got to continue to pivot to zero trust. We’ve got to challenge the status quo,” he said.
This blog is an excerpt from our recent guide, “Technology Transformation Strategies: From Idea to Implementation.”