DoD Thunderdome: Legacy Security Enter, Zero Trust Leave

Thunderdome is a DoD zero-trust prototype that “aims to reconcile zero trust ideals, identity management technology, and the secure access service edge (SASE) concept with endpoint security goals.”

While the concept of zero-trust architecture (ZTA) is considerably older than the onset of the COVID-19 pandemic, the global mentality shift around where and how we work can almost be seen as an I-told-you-so use-case for zero-trust principles. Now that so much of the workforce has moved well beyond the traditional brick-and-mortar office structure, the new work paradigm has become an adoption accelerator for zero trust, as private and public industry alike needs to reconsider how users working remotely and the rise of cloud-based apps and data impact cybersecurity posture.

Enter Thunderdome, a DoD zero-trust prototype that “aims to reconcile zero trust ideals, identity management technology, and the secure access service edge (SASE) concept with endpoint security goals.” The Thunderdome initiative is currently helmed by Dr. Brian Hermann, Director, Cybersecurity and Analytics Directorate at the Defense Information Systems Agency (DISA), who recently presented on the aims and current status of DoD Thunderdome at the sixth annual NDIA New England cybersecurity conference, with this year’s theme being, appropriately, “Zero Trust and CMMC 2.0”.

ZTA is a strategic imperative for the DoD, and DISA has been a champion for ZTA. In its revised strategic plan for fiscal year 2022, DISA declared zero-trust architecture as the cornerstone of its strategic focus on cyber defense. And while DISA’s work on ZTA predates President Biden’s Executive Order 14028, “Improving the Nation’s Cybersecurity,” the order directs all federal agencies to advance toward ZTA and secure cloud systems (see “Sec. 3. Modernizing Federal Government Cybersecurity” in the executive order).

Dr. Hermann pointed out that while zero-trust is the goal, he doesn’t see it as something that can be easily achieved within the DoD. “I think zero trust is great if you’re doing greenfield, and you start that way,” Dr. Hermann said. “But the reality for us in the Department of Defense is much more complicated than that.”

So while Dr. Hermann says that the DoD is at an intermediate range in terms of adopting zero-trust principles, he sees zero trust as a “journey,” a process aiming to get “close enough” rather than fully arriving at a ZTA destination. This way of thinking about ZTA was echoed throughout the NDIA’s cadre of panels, with industry experts such as Patrick Perry, Director of Federal Emerging Technical Solutions at Zscaler, later defining ZTA as something that should be viewed through a proactive lens. “It’s an arrow that never ends,” Perry said. “You have to keep that evolutionary mindset.”

Even with this evolutionary mindset, however, Dr. Hermann acknowledges that the DoD’s network is not where it needs to be in terms of ZTA adoption. “We can’t people our way out of this problem,” Dr. Hermann said. “We have to automate…and to do that we need some of these zero-trust principles.” Automation and integration are key factors in Dr. Hermann’s vision, because at the scale of the threats we face, we need systems that enable automated responses to threats based on policy and adaptive risk mechanisms. There’s simply too much for humans to defend against.

In practical terms, Hermann said that Thunderdome is focusing on “streamlining the user experience, microsegmenting the network, and modernizing the perimeter.” They are also implementing SASE solutions, which Hermann sees as the future of DoD networking, given that SASE is widely hailed by private industry as a best practice for securing modern work. Within SASE, Hermann is particularly excited about working with SD-WAN (software defined wide area network), saying that “it’s going to change the backbone of the Department of Defense” due to its ability to apply security wherever the end user is, rather than relying on traditional network infrastructure. This is key when we’re talking about the purpose of this prototype (and SASE in general)—the ability to flexibly make access control decisions based on risk factors and context.

Dr. Hermann also admitted that full adoption of ZTA is near impossible for a network as large and complex as is the DoD network, but that the concepts themselves are right. “The concepts are: How do we make sure that when a user accesses something on the DoD’s networks, that they are challenged; they’re personally challenged about their identity, they’re challenged about the state of their device, about where they’re coming from, and we make those granular access decisions,” Dr. Hermann said. “That changes everything.”

This prototype program is an example of exactly what the DoD should be doing. By working with legacy and innovation vendors to combine efforts, the program can not only come up with solutions within a broader, historical context, it can also pilot modern technologies with the intent to modernize the lumbering, legacy infrastructure that is the DoDIN (DoD Information Network). “Like I said, it won’t be perfect out of the gate, but I do think it is the right thing for us to do to take the first step,” Dr. Hermann said, underlining the idea that the DoD Thunderdome project is one example of the DoD experimenting with the best way to modernize its infrastructure.