Acting Defense Department (DoD) CIO John Sherman said he has set his sights on accelerating the implementation of zero trust security concepts throughout DoD as a key follow-up to the department's success in facilitating rapid and widespread telework during the coronavirus pandemic.
Sherman laid out his plans for post-pandemic security improvement during MeriTalk's March 25 webinar, "IT Modernization: 5 Keys to Success in 2021," which also featured Chris Roberts, who leads the Federal Engineering team at Quest Software.
"We have a robust digital modernization strategy with numerous pillars," Sherman said when asked about his 2021 priorities. Improving cybersecurity sits high on the list after the Pentagon's efforts in 2020 to make telework capabilities available to nearly 1.5 million DoD personnel. The department's initial Commercial Virtual Remote (CVR) telework environment, built on Microsoft Teams, is giving way to DoD 365, which Sherman said is based on Microsoft Office 365 delivered as a managed service, with additional cybersecurity protections added in.
DoD’s experience with remote work capabilities has given the agency advantages, Sherman said, “but also challenges in making sure we are secure.”
"I really want to use this opportunity to move toward zero trust," Sherman said, referring to security concepts that rely on continuously verifying user and device identity and privileges for each access request rather than granting trust based on network location.
“It’s talked about a lot, but we are serious,” he said, adding that his office is working with the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and Cyber Command on the particulars. “We have the pieces to make this work [including] robust endpoint, middlepoint, [and] comply-to-connect,” he said.
“But there is more we need to do” to implement zero trust security concepts, he explained, including undertaking a “philosophical shift” about security. “This is going to take a whole team effort to make this work,” Sherman said, while pledging, “we are going to be a leader for Federal colleagues” in showing the way to zero trust implementation.
“I have talked about this for a long time, but now we have to get it done,” Sherman said.
The DoD acting CIO also listed cloud adoption, DevSecOps, data utilization for AI and other advanced technologies, further progress on data center closures, and spectrum issues on his 2021 priorities, but said that his list “has cybersecurity at the very top.”
In response, Quest's Roberts spoke about zero trust as "one of the key pillars" required to improve cybersecurity and to limit how much headway attackers can make if they do penetrate a network. "If [attackers] are able to move laterally with impunity, then you are [in] deep water," he said.
Roberts also detailed numerous considerations that Federal agencies have to think about when moving to cloud services from legacy systems. “The first challenge that you have to come to grips with is the decision about cloud is not an either/or proposition,” he said. “You have to figure out what [should be] on-prem, what is in hybrid mode, and what is cloud-native … You need a commercial partner to help with that.”
"The cloud is just somebody else's server in another location," Roberts said. "Before you go [to the cloud], inventory, patch, and upgrade," he advised, "because if it doesn't work on prem, it won't work in the cloud … when you lift and shift you inherit all the baggage of that on-prem system."
“If you don’t figure that out, you are moving your problem from one zip code to another, which is up in the cloud,” he said.