“We’re going to have the NSA red team, and perhaps even service red teams, attack...“That would be a realistic adversary attack, a controlled attack, and we would determine whether or not the red teams could get and exploit data,” according to Randy Resnik, the Director of the newly established Zero Trust Portfolio Management Office within the Department of Defense (DoD) CIO/CS.
Amazon, Microsoft, Google, and Oracle will be put to the test as the DoD ramps up efforts for their zero trust implementation roadmap. Because the DoD relies on the infrastructure of these very cloud providers for any number of services, it just makes sense to turn loose the red team ethical hackers from the National Security Agency (NSA). And starting this Spring, that’s exactly what they’ll be doing.
Notes Resnik, “To our satisfaction, at least on paper, they said to us that all of them could meet target-level zero trust and that many of them could approach almost the entirety, if not the entirety, of full zero trust, which we’re calling advanced...What we plan on doing,” he added, “is actually testing their assertions.”[1]
As to why the four heavyweight cloud providers? That's because Amazon, Microsoft, Google, and Oracle were the companies announced on Dec. 7 as the winners of the Joint Warfighting Cloud Capability (JWCC) contract, the successor to the failed JEDI program. Says Resnik, “We saw that there were four CSPs, or cloud service providers, that were delivering services in the future under the JWCC contract...“and so we said to ourselves, ‘Why don’t we approach those four contractors — independent of JWCC — but to bring up the subject of zero trust with them, show them what our definition of zero trust is… and ask them whether or not they believe they can do zero trust to the target level within their cloud infrastructures.”[2]
The DoD Zero Trust Strategy publication (https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf) notes that “The Department will achieve the ZT goals and objectives at the accelerated pace envisioned through continual, adaptive, and centralized coordination of strategic guidance, resource prioritization, and alignment of enterprise-wide and Component-specific efforts. Achieving these goals and objectives requires a multi-pronged approach that goes beyond technology solutions to address people, processes, resources, governance, and risk management, among others.”
About Arlington
We are Arlington, Incorporated (Arlington), a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®. Learn more at arlingtonintel.com.
[1] https://www.c4isrnet.com/cyber/2023/01/20/amazon-other-pentagon-cloud-service-providers-face-zero-trust-test/
[2] https://breakingdefense.com/2023/01/nsa-red-team-will-attack-jwcc-providers-to-test-zero-trust-security/
More Blog Posts
