As the Defense Information Systems Agency (DISA) prepares to begin development on its Thunderdome zero trust prototype, which will serve as the new backbone for cybersecurity across the Defense Department, DISA cyber leaders say improved user experience is the end goal.
DISA CIO Roger Greenwell said improving the user experience with cybersecurity is not only critical, but also practical because users will always find “workarounds” if security measures become too burdensome when trying to access data to do their jobs.
“How do we improve performance on the endpoints and make sure we put the right security on the endpoints? How do you balance security — because people will try to work around security if you make things too difficult, so we want that wide area of security around the network,” he said at the AFCEA TechNet Cyber 2022 conference in Baltimore this week.
Jason Martin, director of DISA’s Digital Capabilities and Security Center, said manually logging into 17 different systems with different security protocols does not encourage user compliance, which increases the likelihood of security breaches.
“It’s a fundamental rethinking, talking to the user,” Martin said during a TechNet Cyber panel this week. “When you’re out in the field we don’t have time to wait. The adversary doesn’t stop, they innovate minute by minute. I think that’s critical, it’s empowering the workforce.”
During a media roundtable, DISA CTO Stephen Wallace said Thunderdome is the first step toward a user-centric approach to cybersecurity across the DOD enterprise.
Previously, users and data would “sit together” on a given network with a “castle moat” approach to security. The shift to the cloud changed how users accessed the network and data on the network, and the COVID-19 pandemic catapulted DOD into a new data environment where old cyber processes were no longer sufficient.
“When we started with Thunderdome we started with the ways users were operating,” Wallace said. “In 2020 we saw a dramatic shift with the workforce scattering and accessing data in different ways. The network-oriented approach is not the right answer. The original name for Thunderdome was ‘Perimeter Evolution.’”
Wallace said they realized users were struggling to access data on the network in a timely fashion, contributing to what DISA Director Lt. Gen. Robert Skinner described as a “soul-crushing user experience” in his Tuesday morning keynote. This is where he wants industry’s help.
“Thunderdome wasn’t, ‘Hey here’s a new way of doing security;’ it was, ‘Hey, we need to provide a better user experience,’” Wallace said. “We needed to provide users a more direct result to their ultimate destination without backhauling them into the network. So how does that endpoint relate to the other portions of the network back through all the data? It starts to look like an equation — they all start to develop some level of weight. If the endpoint is in a certain condition, then we can start to allow the user access to things and be a lot more flexible about that than ever before.”
Balancing the right levels of security for different users and different data sets is a delicate dance, but a zero trust approach to security is uniquely suited to handle the challenge.
Greenwell said automation, pilots and test efforts will help DISA pinpoint the right security balance to improve user experience.
“How do we take and understand what load are we putting on the endpoints, what’s being driven from a cyber perspective, and using automation to react to the fact that you’re seeing a utilization spike,” he said. “We want the automation to be in place to help us detect those things in real time and use automation.”
Rear Adm. Brian Hurley, director of DISA’s Joint Service Provider, said he’s optimistic about the Thunderdome prototype efforts and how they will impact cybersecurity for the DOD enterprise.
“We’re the end user of Thunderdome, and that coordination is relevant where they are actively trying to implicate and apply that into that environment, so we’re looking forward to that end-user environment,” he said.
DISA will hold an agency-wide discussion Monday on the way forward with Thunderdome, according to Martin. DISA has set up a program office for Thunderdome and discussed parameters for the prototype with the vendor, Booz Allen Hamilton. DISA awarded Booz Allen the $7 million Thunderdome prototype contract in January 2022.
“We’re about to get a whole bunch of new security capabilities,” Wallace said. “We have to be very careful and diligent not to enable every one of those in the name of security. Too much security leads to the user going out of bounds and they will get their jobs done period. We’ve been shown that time after time. The idea is the best security is the security the user doesn’t see and is completely transparent to their experience, and that’s a lot of what we’re going for here with Thunderdome.”