Defending DOD networks with a single security architecture

As the Defense Department moves to a network architecture that will one day serve the core needs of all the military services, it envisions a Joint Information Environment (JIE) that comprises shared IT infrastructure, enterprise services and a single security architecture (SSA) to achieve full spectrum superiority, improve mission effectiveness, increase security and realize IT efficiencies. Through the implementation of JIE, Pentagon planners hope to reduce the department’s overall IT footprint, standardize configurations, create shared security protocols at the enterprise level and simplify data routing.

The Defense Information Systems Agency is responsible for leading JIE technology synchronization and is creating a set of common IT services to support JIE based on trusted identity and access management, data center consolidation, and enterprise services such as DOD Enterprise Email, collaboration and file storage. Cybersecurity also constitutes a significant portion of JIE, which seeks to enhance network security by employing an SSA to better protect DOD networks, while giving warfighters easier access and allowing for better information sharing among all mission partners.

The SSA is designed to enable DOD’s cyber operators at every level to see the status of their networks for operations and security and enable commonality in how cyber threats are countered. By implementing a standardized security architecture, the U.S. military wants to be able to know who is operating on its networks and what they are doing and be able to attribute their actions with a high degree of confidence.

“The single security architecture is one of the major components of JIE,” said Mark Orndorff, DISA’s chief information assurance executive and program executive officer for mission assurance and netops. “The No. 1 most important advantage is the ability to actively defend the DOD networks in a time frame that we need to execute cyber defensive operations. What I mean by that is the single security architecture will allow us to understand what’s going on across the entire DOD network with global cyber situational awareness to a level that we can’t do today.”

According to Orndorff, the SSA will minimize complexity for a synchronized cyber response, maximize operational efficiencies, and reduce the risks while reducing the number of organizationally owned firewalls and unique routing algorithms and the inefficient routing of information that currently exists. In addition, a standardized security architecture will better protect the integrity of information from unauthorized access while increasing the ability to respond to security breaches across the system and improving how DOD operates and secures its networks globally, he said.

The SSA “will allow us to implement security controls and countermeasures across the entire network in real time,” Orndorff said. “Today we’ve got a lot of decentralized implementations of some pretty sophisticated and robust capabilities. But they’re implemented in pockets, so we don’t share information across all the pockets and don’t have the ability to simultaneously change policies or controls across all those pockets instantly or at the same time.”

Eliminating overlap and duplication

The problem is that mission assurance services are currently implemented via a complex set of overlapping and duplicative roles and responsibilities. JIE’s SSA is a multiphase approach that solves that problem by collapsing the network security boundaries, reducing the external attack surface, and standardizing the management, operational and technical security controls to ensure the confidentiality, integrity and availability of DOD’s information assets within all required mission contexts while also facilitating rapid attack detection, diagnosis, containment and response.

“We had in a lot of cases more security layers than we actually need,” Orndorff said. “As we design this under the single security architecture, we feel like we can get the right security controls in the right places in the network and eliminate a lot of the duplicate layers that exist in the architecture today. We’re going to pick the key places to control network traffic and the key places to implement security capabilities. And then the security layers that exist today over and above the ones that need to be there for this design…will be eliminated.”

SSA provides for a common approach to the structure and defense of computing and the networks across all DOD organizations. For example, the SSA describes how core DOD data centers and the server computing resources they contain must be structured, what cyber defenses are required on those computers, and what cyber firebreaks are necessary as part of the internal networks of the data center. In addition, the SSA also describes how remote management and automation of data centers is to be structured and secured, and what cyberattack detection, diagnosis and reaction capabilities the data center and the remote management system must have.

“We are shifting a bit in the approach so that more security will be wrapped around the data centers and the applications,” Orndorff said. “So we’re getting a shift in terms of trying to do security at the network boundaries to look at where the applications and data are and better aligning our security architecture to that, which will free up some of the network boundary base defenses.”

Another high-priority objective for the SSA is to enable dynamic information sharing with DOD and its mission partners by shifting the focus from securing systems and networks to securing data and its use.

“If you secure the systems and the data, you’re in a better position to understand the exact security requirements of that system and what that system is trying to support,” Orndorff said. “If you are trying to secure at the network layer, it’s a much more complicated problem and harder to tune the security policy to accomplish what needs to be accomplished without impacting information sharing and the dynamics of the missions that DOD needs to support.”

DOD’s first installment of JIE is coming together initially in Europe. JIE Increment 1 is based in the U.S. European Command area of responsibility. DISA is building on the successes of that pilot project and will bring the process to the Pacific Command to learn further lessons about what works and doesn’t work as DOD seeks to create a set of standards and an architectural construct that will facilitate jointness among all the military services’ networks.

“We have a formal JIE Increment 1 that is being worked in Europe with multiple upgrades planned out between now and the end of this calendar year,” Orndorff said. “While Increment 1 is being worked, follow-on planning for another increment planned for the Pacific [Command] and all the additional phases will be scheduled. In the background, we have work under way within [the continental United States] that aligns with JIE and will help set the conditions, so as we move from the formal Increment 1 work in Europe into other parts of the world, we aren’t sitting still.”

Enabling mobile forces

Mobility is another challenge that isn’t limited to JIE but is common across DOD as it becomes an increasingly mobile force. One of JIE’s primary goals is to provide the warfighter with secure access to information from any mobile device, with an SSA that is available globally and accessible at the tactical edge.

With the commercial explosion of smart phones and the popularity of the Android and iOS operating systems, DISA is trying to take advantage of the commercial marketplace and determine how it can best be used to address DOD’s needs.

“If we try to impose our security requirements on the commercial mobile devices, we’d end up with a device that nobody would ever want or use,” Orndorff said. “The approach we’ve taken is to build a mobile ecosystem that leverages all the benefits of the single security architecture so that when you’re using a DOD-provisioned mobile device, you get all the benefits of the security architecture and infrastructure that we have to mitigate a lot of the risk associated with a generic mobile device operating in the wild.”

DISA wants to ensure that DOD users stay compliant with security rules and regulations. In the past, DOD mandated specific configuration settings for mobile devices through the use of security technical implementation guides (STIGs), which are developed by DISA and updated periodically in an effort to keep pace with documented emerging threats and changes to technology. However, the agency has changed that model by giving industry the responsibility for writing the guides.

“Where we’re headed is we’re giving the vendors the security requirements guide, and the vendors are writing the STIGs for their device,” Orndorff said. “Industry will deliver to the department the STIG and the device, and we will go through a very quick, streamlined process to review what they’ve submitted and then release that as a DOD STIG for general use across the department.”

“Our expectation is that we will be issuing STIGs right in line with the release of the commercial mobile devices to the marketplace,” he added. “There won’t the long lag that has been an issue in the past, plus we will have better-quality STIGs because the experts from industry will be writing them as they build their products.”