Businesses around the globe are moving to the cloud for the multitude of benefits it offers. Those benefits have not gone unnoticed by government agencies, which are looking for a secure way to share information while reducing costs and infrastructure complexity. Among them is the U.S. Department of Defense, which has made great strides in recent years on its journey to the cloud.
The Department of Defense (DoD) developed the Joint Information Environment (JIE) framework to address inefficiencies of siloed architectures. The JIE created a unified way in which the DoD agencies would modernize their IT networks. This framework helped ensure agencies and mission partners could share information securely while reducing wasted manpower and continued infrastructure expenditures.
A few dozen stacks that the Defense Information Systems Agency (DISA) centrally manages replaced the more than 190 agency security stacks located at base/post/camp/station (B/P/C/S) sites around the globe. The secure cloud compute architecture (SCCA) of the single security architecture (SSA) provided a security framework for the adoption of cloud services from commercial cloud service providers.
The JIE was an innovative concept that took the DoD from a highly fragmented and siloed architecture, in which each agency managed its own cybersecurity strategy, to an architecture in which there is a unified SSA.
Having taken the first step of consolidating security under a unified security architecture, the DoD is ready to begin the next transformational step—moving from managing and maintaining that architecture itself to having it provided as a service.
Within the JIE framework, two of the most difficult technical challenges were the SSA and cloud computing.
The original benefits of the SSA:
Two of the most critical components of the SSA are the Joint Regional Security Stacks (JRSS) and the internet access points (IAPs).
Cloud computing
One of the early challenges identified for the JIE with regard to cloud computing was managing cybersecurity as part of the SSA.
In response, the DoD leverages the SCCA and the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP establishes a standard approach for assessing and authorizing cloud computing services, and the DoD uses it for low- and moderately sensitive data.
The SCCA is a suite of enterprise-level cloud security and management services. It provides a standard approach for boundary and application-level security for Impact Level 4 and 5 data hosted in commercial cloud environments.
The purpose of the SCCA is to provide a barrier of protection between the DoD Information Services Network (DISN) and the commercial cloud services that the DoD uses, while optimizing the cost-performance trade-off in cybersecurity.
The DoD has publicly stated it wants to get out of the infrastructure business and consume information technology as a service from cloud service providers.
JIE was a step in the right direction, but many of the underlying designs are rooted in architectures that were developed more than 10 years ago. These architectures have taken nearly a decade to roll out into production and have kept the DoD consuming mass amounts of infrastructure.
The current JIE design is network-centric, meaning that the focus is on securing the network itself with the assumption that once the network is secured, resources and users will be protected as well.
This belief has been proven wrong by experience, and there are many examples of exploitation that occurred because too much trust was placed in the secured network.
What the DoD needs is a modern approach that adopts the zero trust architecture as NIST is defining it, which offers this operative definition:
The basic tenets of the NIST-defined zero trust architecture are:
The DoD has already begun exploring zero trust solutions and the zero trust architecture is becoming the focus for protecting resources from inside the network while solutions, such as the IAP and content access point (CAP), protect the perimeter. Once the zero trust architecture is embraced and implemented, the network itself becomes just a means of information delivery.
With a cloud-based security stack being delivered as a service, Zscaler is positioned to provide the perimeter security that today is being delivered by the IAP and CAPs.
The zero trust framework of Zscaler, combined with cloud-based endpoint detection and response (EDR) solutions, can replace the overly complex and expensive regional security stacks that have proven to be a major bottleneck to performance.
The benefits to the DoD of transforming the JIE to an as-a-service model will be realized in cost savings, greater scalability, better performance for the end user and warfighter, and ultimately in a greater cybersecurity capability.
Rich Johnson is a DoD Sales Engineer at Zscaler