Businesses around the globe are moving to the cloud for the multitude of benefits it offers. Those benefits have not gone unnoticed by government agencies, which are looking for a secure way to share information while reducing costs and infrastructure complexity. Among them is the U.S. Department of Defense, which has made great strides in recent years on its journey to the cloud.

Evolving information security

The Department of Defense (DoD) developed the Joint Information Environment (JIE) framework to address inefficiencies of siloed architectures. The JIE created a unified way in which the DoD agencies would modernize their IT networks. This framework helped ensure agencies and mission partners could share information securely while reducing wasted manpower and continued infrastructure expenditures.

A few dozen stacks that the Defense Information Systems Agency (DISA) centrally manages replaced the more than 190 agency security stacks located at the base/post/camp/station (B/P/C/S) around the globe. The secure cloud compute architecture (SCCA) of the single security architecture (SSA) provided a security framework for the adoption of cloud services from commercial cloud service providers.

The JIE was an innovative concept that took the DoD from a highly fragmented and siloed architecture, in which each agency managed its own cybersecurity strategy, to an architecture in which there is a unified SSA.

Having taken the first step of consolidating security under a unified security architecture, the DoD is ready to begin the next transformational step—moving from managing and maintaining that architecture itself to having it provided as a service.

Background: SSA and cloud computing

Within the JIE framework, two of the most difficult technical challenges were the SSA and cloud computing.

> SSA

The original benefits of the SSA:

Collapsing network security boundaries
Reducing the Department’s external attack surface
Standardizing management, operational, and technical security controls

Two of the most critical components of the SSA are the Joint Regional Security Stacks (JRSS) and the internet access points (IAPs).

The JRSS initiative provides the starting point for the JIE SSA network security stacks that will protect the enterprise network. It will provide the lateral security for the tenant community of interests at the B/P/C/S and installation campus area networks.
The JIE perimeter defense starts at the IAP, which is a security stack that acts as a secure gateway to the internet from the DoDIN. The IAP also allows approved connections from the internet to the non-classified IP Router Network (NIPRNet) of the DoDIN. It provides enterprise security functions, such as enterprise email security gateway, intrusion detection, firewall, and access controls.

> Cloud computing

One of the early challenges identified for the JIE with regard to cloud computing was managing cybersecurity as part of the SSA.

In response, the DoD leverages the SCCA and the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP establishes a standard approach for accessing and authorizing cloud computing services, and DoD uses it for low- and moderately- sensitive data.

The SCCA is a suite of enterprise-level cloud security and management services. It provides a standard approach for boundary and application-level security for impact Level 4 and 5 data hosted in commercial cloud environments.

The purpose of the SCCA is to provide a barrier of protection between the DoD Information Services Network (DISN) and the commercial cloud services that the DoD uses while optimizing the cost-performance trade in cybersecurity.

Evolving to a cloud-first approach

The DoD has publicly stated it wants to get out of the infrastructure business and consume information technology as a service from cloud service providers.

JIE was a step in the right direction, but many of the underlying designs are rooted in architectures that were developed more than 10 years ago. These architectures have taken nearly a decade to roll out into production and have kept the DoD consuming mass amounts of infrastructure.

Moving from a network-centric to resource-centric framework

The current JIE design is network-centric, meaning that the focus is on securing the network itself with the assumption that once the network is secured, resources and users will be protected as well.

This belief has been experientially proven wrong and there are many examples of exploitations that have occurred because too much trust was placed on the secured network.

What the DoD needs is a modern approach that adopts the zero trust architecture as NIST is defining it, which offers this operative definition:

DOD quote

The basic tenets of the NIST-defined zero trust architecture are:

All data sources and computing services are considered resources.
All communication is secured regardless of network location.
Access to individual enterprise resources is granted on a per-session basis.
Access to resources is determined by dynamic policy—including the observable state of client identity, application, and the requesting asset—and may include other behavioral attributes.
The enterprise ensures that all owned and associated devices are in the most secure state possible and monitors assets to ensure that they remain in the most secure state possible.
All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
The enterprise collects as much information as possible about the current state of network infrastructure and communications, and uses it to improve its security posture.

The DoD has already begun exploring zero trust solutions and the zero trust architecture is becoming the focus for protecting resources from inside the network while solutions, such as the IAP and content access point (CAP), protect the perimeter. Once the zero trust architecture is embraced and implemented, the network itself becomes just a means of information delivery.

Zscaler and information security in the DoD

With a cloud-based security stack being delivered as a service, Zscaler is positioned to provide the perimeter security that today is being delivered by the IAP and CAPs.

The zero trust framework of Zscaler, combined with cloud-based endpoint detection and response (EDR) solutions, can replace the overly complex and expensive regional security stacks that have proven to be a major bottleneck to performance.

The benefits for the DoD for transforming JIE to an as-a-service model will be realized in cost savings, greater scalability, better performance for the end user and warfighter, and ultimately in a greater cybersecurity capability.

Rich Johnson is a DoD Sales Engineer at Zscaler