The Department of Defense plans to leverage the four vendors that were recently awarded its major enterprise cloud computing contract to experiment with the implementation of so-called zero-trust principles in a commercial cloud environment.
Zero trust is a concept that essentially assumes networks are already compromised and requires organizations to validate users, devices and data continuously. The DOD released its zero-trust strategy in October, which outlines three courses of action: institute zero-trust modernization improvements on the existing network, engage in zero-trust commercial clouds, or engage in a zero-trust privately designed cloud.
It also defines a target level and advanced level of zero trust. The target level is the minimum set of capability outcomes to secure and protect data and requires the delivery of 91 activities. Advanced level requires a total of 152 activities.
The Pentagon plans to lean on Amazon Web Services, Google, Microsoft and Oracle — all of which were recently awarded the Joint Warfighting Cloud Capability (JWCC) contract worth up to $9 billion — to test if achieving zero trust to the “target level” in the cloud is possible, according to an official overseeing the effort.
When the DOD was looking at what commercial clouds exist, the zero-trust portfolio management office decided to ask the four cloud service providers — which will be competing for JWCC task orders — if they could implement zero trust at the target level within their cloud infrastructures, according to Randy Resnick, who leads that office.
“We got four different answers, because every infrastructure is made up of different capabilities in each one of those companies,” he said during a webinar Thursday hosted by Billington Cybersecurity. “To our satisfaction, at least on paper, they said to us that all of them could meet target-level zero trust and that many of them could approach almost the entirety, if not the entirety, of full zero trust, which we’re calling ‘advanced.’”
Now, the plan is to put those providers to the test later this year to see if they can actually do it.
“In the spring and summer, perhaps fall, depending on whether or not we have to go back for round two, we’re intending on testing all four of those CSPs … with their zero trust overlays for what they believe they’re telling us they could do at the target level,” he said.
National Security Agency red teams will attack the cloud infrastructure, allowing the DOD to determine whether the red teams can get in and exploit the data.
“That’s going to give us a really good feel on whether or not the zero-trust overlays are implemented correctly in any one, two, three or four of those [cloud service providers]. And that’ll give us a way forward for recommending to the DOD whether or not we could do zero trust in the cloud,” Resnick said. “If we speed ahead and we come to the conclusion that, in fact, it can be done, it would be absolutely revolutionary, because this means now that we can basically spin off a zero-trust cloud in a future DOD instantiation and that would already be built in with zero trust as part of its foundation.”
Resnick noted that this approach reduces risk and cost and simplifies the move to a zero-trust approach.