Zero Trust Cyber Exchange: Why Air Force is taking an iterative, DevSecOps approach | Federal News Network

2022-06-24 13:00 (EST) - Jared Serbu

WHY AIR FORCE IS TAKING AN ITERATIVE, DEVSECOPS APPROACH

In conversations about federal agencies moving to zero trust, it's become something of a truism that zero trust is a journey, not a destination.

But one could argue the Air Force is more explicit about that fact than most. The design team behind the service's zero trust implementation is clear-headed that zero trust won't happen overnight. Instead, they're using an iterative process, starting with just a couple bases and with a software-centric approach that uses the development, security and operations (DevSecOps) methodology already proven successful in other Air Force technology development areas via its Platform One.

This fall, the service will launch its initial zero trust pilot at Joint Base Pearl Harbor-Hickam in Hawaii. This will be its first real-world attempt at proving out some of the concepts it's been building in the lab to create a software-based zero trust boundary.

And although the words "zero trust" and "boundary" aren't normally used in the same sentence, Air Force technologists think that's the right starting point when you've already got a network that's heavily focused on perimeter controls.

"As we slowly start moving more into the zero trust mindset, we'll start getting away from the concept of boundary. But especially during this transition period, there will definitely be a need for this concept of a boundary," Capt. Christopher Kodama, a military engineer with the AFNet Sustainment and Operations Branch, said during Federal News Network's Zero Trust Cyber Exchange.

AIR FORCE ZERO TRUST PLAN PART 1

Initially, Kodama said, the idea is to replace a collection of hardware appliances that provide boundary security today with a software-defined security stack that gets the Air Force closer to zero trust principles.

"What we're trying to do is create a sort of VPN-like entry point into our network. But instead of a traditional virtual private network, where you pretty much have access to the full network once you're signed in, we want to be able to do a couple of other things," Kodama said. "One is to allow the users that are coming in to only access the resources that they should be able to access and also integrate with other endpoint security types of technology. That will give us a better sense of whether the laptop that they're trying to use to log into the network is secure. We want to be able to tie those together."

But the fact that the Air Force is assembling its own software-defined zero trust architecture shouldn't be read as a shunning of commercial technologies. Quite the opposite, in fact. The eventual goal is an architecture that can virtualize and quickly incorporate security innovations from across industry.

"This is a game changer for the Air Force. We have to implement zero trust in a way that every packet, every bit of data, every transaction is not trusted," said Raju Ranjan, technical lead for zero trust at the Air Force. "For that, we have to build a stack of COTS products which can give warfighters cutting edge technology to access their resources or data from anywhere or from any place."

LEVERAGING PLATFORM ONE FOR ZERO TRUST EFFORT

And that's where the zero trust team's partnership with Platform One comes in. The Air Force isn't looking to build its own security products. But it does want to use Platform One's existing DevSecOps techniques to quickly test and accredit its approaches to linking them together, and insist on open interfaces between those products.

"We want to leverage their infrastructure for the Air Force zero trust stack: GitHub, Party Bus, Iron Bank, all those components are there, and whatever they have, we want to use them," Ranjan said. "We're also planning to use an open framework. If any vendor says, 'Use my APIs or use my product,' [our answer] is no ... we need to be vendor-agnostic, software-agnostic. It should all be built on an open standard."

And Kodama said the commercial tools Platform One already provides, and has already accredited as part of its DevSecOps pipeline, have turned out to be extremely helpful in mapping out the Air Force's possible future approaches to zero trust.

"What it also allows us to be able to do is to have separate deployment pipelines for testing and actual deployment that are nearly identical," Kodama said. "It also allows us to, from a security standpoint, embed security checks. This is something that Platform One is doing today, where they embed security checks into their pipeline, so that as the code is being deployed, it will be scanned for vulnerabilities."

To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.
