The Defense Information Systems Agency (DISA) has officially completed work to prototype its Thunderdome zero trust security project, and has rolled out the system to about 1,600 users so far, with more on the way, a senior DISA official said today.
DISA Deputy Director Christopher Barnhurst unveiled that news today at an event organized by FCW.
He recounted the Thunderdome effort's planning over the past 18 months, and the last nine months spent building a prototype composed of numerous technologies to demonstrate “that yes, they will work to deliver all of the tenets of zero trust that we would expect as a department.”
“Today I’m very proud to announce that we have concluded that prototype,” Barnhurst said.
“Thunderdome represents a collection of technologies that are integrated into this zero trust kind of ecosystem or architecture,” he explained.
Those include “things like Secure Access Service Edge, different ways of accessing cloud capabilities for remote users … what we would think of as like VPN today, SD-WAN availability to bring micro-segmentation to the network, or edge security stack as part of that SD-WAN construct” to push security to the network edge, he said. “We brought these technologies together in an integrated way.”
DISA said in November that it was on track to complete the Thunderdome prototype by January 2023. The agency in January 2022 awarded a $6.8 million contract to Booz Allen Hamilton for the execution of the prototype that would align with requirements of the Biden administration’s 2021 cybersecurity executive order.
Barnhurst said today that the roll-out of the prototype is already well underway.
“We have successfully rolled out this series of technologies to over 1,600 users across three different locations from the Pacific all the way to here in Washington in the Pentagon, and in other locations,” he said.
“We’ve demonstrated that these technologies together will achieve the effects of zero trust that we’re setting out to achieve … in defense of the DoD’s infrastructure,” the official said.
“We’re now getting ready to extend that to more and more locations going forward,” Barnhurst said.
Barnhurst also talked about the cultural changes that will need to happen at the Defense Department (DoD) for the migration to zero trust to become a success.
“This is not just a journey that DoD is on with respect to technology,” he said. “Everything I’ve described up to this point is kind of technical. It’s a different way of thinking about security and how we secure our data. But I think that, at least in my view, one of the things I’ve learned is this is also a cultural change for the department.”
“Because what it requires is even as we put these technical means in place … folks who are doing DevSecOps or who are developing applications or updating applications and other capabilities that might be out in the department’s ecosystem have to start thinking differently about how they protect and segment the data within those applications,” he said.
“In other words, we can provide the means to achieve zero trust,” he said. “But if we don’t change the department’s mindset … how we tag data and these other kind of critical things, we won’t fully get there … and we’ll kind of be sub-optimizing ourselves.”
Finally, Barnhurst explained that the pace at which the DoD and the military service branches adopt the Thunderdome prototype may differ based on several factors.
“We’re having conversations inside the department [and] the military services about whether and how they want to adopt some portions or what we call Thunderdome in its entirety going forward, so a lot of exciting work getting done in that space,” he said.
Asked about his view on how DoD components will end up transitioning from existing network security architectures to zero trust, Barnhurst said that was “in many ways … the question of the hour.”
“I would say within the department, there is optionality in that space,” he said. “Right now, depending on who we’re talking about in the department, as an example, Army and Air Force are largely on Joint Regional Security Stacks (JRSS). How we move away from those stacks into this kind of security paradigm is a bit of an open question.”
“What we’re going to do is we’re laying out what we see as the options,” Barnhurst explained.
Service branches, he said, “have the option of adopting all or piece parts of what we’ve designed as a Thunderdome architecture.”
“Many of the services, just in discussions with them, are headed down a similar technical path,” he said. “I’ll say whether that means they land on the DISA solution or build it sort of themselves is an open question.”
“But the coordination required to move off of regional security stacks, for example, on to anything else, whether it’s through DISA or a service provided solution, that coordination has to be tight,” Barnhurst emphasized, adding, “we’ve got to keep the user experience in mind when we do that.”
“My contention will be that while that will be somewhat painful, and take time, it will be for the betterment of the department, both from a user experience and performance perspective as well as security,” the DISA official said.