To help secure the scattered telework environment, the Defense Information Systems Agency (DISA) has switched to a zero-trust architecture to protect its network from adversaries.
When agencies across the Federal government were prompted to make the quick shift to telework, DISA was responsible for expanding the Department of Defense’s (DoD) teleworking capabilities. DISA Director Vice Adm. Nancy Norton said that her agency worked to implement new circuits, increase bandwidth, and increase conference call lines that kept DoD running.
“At DISA and Joint Forces Headquarters DODIN [DoD Information Networks], I am proud to say we have never shut down and we have never stopped working since this pandemic began,” Norton said at the July 15 AFCEA Army Signal Conference. “On the contrary, we have ramped up our operations to provide the entire Department of Defense with greater teleworking capabilities while adjusting our own battle rhythm to ensure the safety of our personnel.”
But before the pandemic hit, Norton continued, defense agencies were already moving toward a mobile-ready workforce where employees can access data from anywhere on a variety of devices. Agencies realized, however, that a cyber-centric military requires security that is ingrained more deeply into employee culture, rather than physical protection of the perimeter.
For this reason, DISA and DoD networks are now embracing zero trust for network protection.
“Under our traditional defense-in-depth approach, we have tried to make DODIN a trusted and safe territory,” Norton explained. “Under a new zero-trust model, we will always assume that our internal networks are as hostile as external networks. This uses a fundamental premise that denies all and allows by exception.”
The defense network’s zero-trust model relies on several key principles, as described by Norton: never trust, always verify, assume breach, and verify explicitly. Leaning into this effort is meant to prevent data breaches and insecurities, which Norton said will protect data as the “ammunition of the future fight.”
“Zero trust is designed to ensure the people and devices accessing our critical infrastructure, resources, and information are the ones who are supposed to be accessing them,” Norton asserted. “This will apply to our data and critical resources both on premise and off premise, from our data centers to our mobile devices.”
Norton clarified that the zero-trust model is not replacing any current tools or technology. Instead, the method is a holistic approach to optimizing the department’s existing functionalities to evolve its enterprise architecture. “This new cybersecurity model will enable us to better support our warfighters, national leaders, and mission partners,” she said.