What DOD can learn from TIC modernization
- By Patrick Perry
- Mar 31, 2020
For years, the Department of Defense has struggled with balancing security and operations throughout its networks, while maintaining optimal technology posture for both. The Joint Regional Security Stacks (JRSS) family’s internet access points (IAPs) and cloud access points (CAPs) were designed to be the next evolutionary step to maximize this balance. They centralize network flow through high-throughput security stacks to create economies of scale to secure the DOD Information Network (DoDIN).
JRSS requirements, however, focus on network-centric security, rather than data-centric security. The challenge is that DOD is creating and managing exponentially higher levels of data as a result of internet-of-things technology, artificial intelligence, mobile users and more. Centralized security stacks can’t scale to meet the requirements of these emerging technologies.
The need to continuously process the exponentially growing volumes of data outpaces JRSS hardware, processes and acquisitions. The regional approach to isolate traffic flows is simply no longer efficient.
Besides data that flows “east to west” between the services, all traffic is first processed through the JRSS, then goes through an IAP or CAP before it finally reaches its destination. Considering the high-cost circuits and the work needed to maximize traffic flows, any potential financial savings are lost, the user experience is poor and the security posture is unacceptable.
What DOD can learn from TIC modernization
DOD’s JRSS/IAP/CAP challenges are similar to the issues civilian agencies faced with the Trusted Internet Connection. With more mobile users and more agencies moving data and applications to the cloud, the requirement to send all traffic through a TIC led to frustrating user performance, poor reliability and increased IT costs. Too many agencies deployed “shadow IT” solutions to accomplish their missions.
In response, the Office of Management and Budget’s new TIC 3.0 strategy and updated use cases establish a more flexible approach for agencies to securely route federal traffic through a TIC.
Similarly, as more cloud-based solutions become approved by the Federal Risk and Authorization Management Program at High Impact Levels 4 or 5, DOD agencies have the same issues routing more and more traffic through JRSS/IAP/CAP.
Going forward, how can Defense agencies adapt their legacy methodologies to the hybrid cloud realities, while improving performance, reliability, latency and cost?
JRSS/IAP/CAP next generation: Shifting the focus to data security
It’s time for a secure and fiscally responsible architecture that moves away from the current multivendor service-chained appliance version to a more agile and secure approach. Consider the JRSS/IAP/CAP architecture as a whole. Users must first send traffic down a circuit through a regionally situated JRSS that secures the mid-tier boundary between services and bases. Internet- and cloud-bound traffic is then routed down another circuit to another security stack (IAP/CAP).
This approach is inefficient, redundant, and too complicated. The department needs a simplified solution to improve efficiency and encourage the innovation needed to assure a tactical advantage into the future.
To manage growing bandwidth requirements and the massive influx of data flows, future security models must shift the focus from network security to data security. Increasingly, users do not reside in the same location as their data. Instead of bottlenecking connectivity through regionally aligned security stacks, agencies need security for their data, regardless of location.
Ideally, innovative security models will redesign the “defense in depth” paradigm to make network devices and security appliances fade into the background. Then, agencies can embrace a centrally enforced policy plane that maintains consistent data security at any time, in any location and from any device.
The military services should be able to securely take advantage of innovative ways to collect, store and process data. It’s time to shift the paradigm and eliminate stacks of security appliances that degrade operational capabilities.
DOD teams need innovation and the ability to shift to a cloud security-as-a-service platform. The first step is decoupling the required security from the hardware and software that houses it. Second, agencies must move the security apparatus inline to the destination. Finally, agencies can innovate by rebuilding all necessary security requirements into a common x86 architecture. This also creates a common management and logging approach to help services troubleshoot and monitor more efficiently.
Looking forward: The opportunity for innovation
We must address the root of the problem. Rather than managing multiple solutions built with security appliances across vendors, the DOD, under the Defense Information Systems Agency’s guidance, should consider a cloud solution to reduce complexity -- a distributed architecture that can maintain a standard security posture for everyone, everywhere, while optimizing the user experience.
However, like any other cloud adoption policy, leaders must understand the difference between a “lift and shift” approach (where data is simply moved from one data center to another) and a true “cloud native” approach. They should be wary of solutions that move appliances to a cloud and sell it as a service. Instead, agencies need an innovative solution -- one that was born in the cloud and distributed via an as-a-service model. This is the only near future-proof option that will allow agencies to consistently pivot ahead of operational needs and remain at the cutting edge of technology offerings.
A true cloud-based architecture will provide a unified flow of logging analytics, scale to meet ever-growing demand, maintain broad uninterrupted access and decouple the unnecessary burden of maintaining hardware/software/firmware -- all while reducing costs through an as-a-service platform.
Finally, while a cloud native as-a-service model will help ensure security of external connections to DOD networks, defense agencies should consider a platform that is inherently designed for zero-trust architecture to provide security for personally owned applications in the cloud or on-premises. A zero-trust security model requires strict identity verification and policy compliance for every person or device trying to access resources, only granting access to authorized users -- all while shrinking the attack surface by removing the need for network appliance-based security.
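The zero-trust decision described above, as an added illustration that is not code from the original article, from Zscaler or from any DOD program: a small policy engine that decides each access request from verified identity, device posture and a per-resource policy, and that records the source network only for logging. The resource names, roles and device attributes are constructed for the example, and the single structured decision record it emits stands in for the "unified flow of logging" the article argues a distributed enforcement point should produce.

```python
from dataclasses import dataclass

# Constructed sample policy and data; resource names, roles and device
# attributes are hypothetical and not taken from any DOD or vendor system.


@dataclass(frozen=True)
class Principal:
    user: str
    mfa_verified: bool        # strong identity verification completed
    roles: frozenset


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool             # enrolled in device management
    os_patched: bool          # current on required patches
    disk_encrypted: bool


@dataclass(frozen=True)
class AccessRequest:
    principal: Principal
    device: Device
    resource: str
    source_network: str       # "base-lan", "vpn", "internet": logged, never trusted


# Per-resource policy: permitted roles and whether a managed device is
# required. Any resource not listed is denied by default.
RESOURCE_POLICY = {
    "hr-portal": {"roles": frozenset({"hr"}), "managed_device": True},
    "wiki": {"roles": frozenset({"hr", "eng"}), "managed_device": False},
}


def device_compliance_failures(device):
    """Return the posture checks the device fails (empty list = compliant)."""
    failures = []
    if not device.os_patched:
        failures.append("os not patched")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    return failures


def evaluate(request):
    """Decide one request and return (allowed, reason).

    Only verified identity, resource policy and device posture are consulted.
    request.source_network is deliberately ignored here, so being "inside"
    a base network or VPN grants nothing by itself.
    """
    if not request.principal.mfa_verified:
        return False, "identity: MFA not verified"
    policy = RESOURCE_POLICY.get(request.resource)
    if policy is None:
        return False, "resource: unknown, default deny"
    if not (request.principal.roles & policy["roles"]):
        return False, "authorization: role not permitted for resource"
    if policy["managed_device"] and not request.device.managed:
        return False, "device: managed device required"
    failures = device_compliance_failures(request.device)
    if failures:
        return False, "device: " + ", ".join(failures)
    return True, "allow"


def decision_record(request):
    """One structured log entry per decision, identical in shape wherever the
    policy is enforced, so a central pipeline can consume every record."""
    allowed, reason = evaluate(request)
    return {
        "user": request.principal.user,
        "device": request.device.device_id,
        "resource": request.resource,
        "source_network": request.source_network,
        "decision": "allow" if allowed else "deny",
        "reason": reason,
    }


# Constructed sample principals, devices and requests.
ALICE = Principal("alice", mfa_verified=True, roles=frozenset({"hr"}))
BOB = Principal("bob", mfa_verified=True, roles=frozenset({"eng"}))
GOOD_LAPTOP = Device("lt-0001", managed=True, os_patched=True, disk_encrypted=True)
STALE_LAPTOP = Device("lt-0002", managed=True, os_patched=False, disk_encrypted=True)
BYOD_PHONE = Device("ph-0003", managed=False, os_patched=True, disk_encrypted=True)

SAMPLE_REQUESTS = [
    AccessRequest(ALICE, GOOD_LAPTOP, "hr-portal", "internet"),   # allow: off-net is fine
    AccessRequest(ALICE, STALE_LAPTOP, "hr-portal", "base-lan"),  # deny: posture, on-net or not
    AccessRequest(BOB, GOOD_LAPTOP, "hr-portal", "base-lan"),     # deny: role
    AccessRequest(BOB, BYOD_PHONE, "wiki", "internet"),           # allow: wiki permits BYOD
    AccessRequest(ALICE, BYOD_PHONE, "hr-portal", "vpn"),         # deny: unmanaged device
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(decision_record(req))
```

The second sample request is the one worth noticing: a user with the right role on a managed device is still denied from the base LAN because the device is out of patch compliance, while the first request from the open internet is allowed. That inversion of the perimeter model is the point of the article's "any time, any location, any device" policy plane, and the uniform `decision_record` is what lets the same policy be enforced at many distributed points yet be troubleshot from one log stream.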
This strategy will give commanders improved visibility, access control and security to support globally operating forces across DOD. The information terrain will become an environment that provides contextualized, actionable intelligence to commanders, driving mission success into the future.
Patrick Perry is director, emerging technology, federal DOD/IC at Zscaler, Inc.