Page 16 - CARAHSOFT, July 2020

Cloud Security
JOHN HALE
Chief of Cloud Services, Defense Information Systems Agency
This conversation is adapted from a presentation at an FCW event.
From baked-in security to defense in depth
I used to make the statement that I’m not a security expert, but I play one on TV. But I don’t do that anymore because in the world of cloud, everybody has to be a security expert.
The Department of Defense has been involved in cloud from the very beginning. We actually kind of created the cloud.
We started a project about 55 years ago called ARPANET, which was all about connecting research labs and universities together so they could share compute power and research. ARPANET ultimately became what we call the internet today.
And then DOD created our own networks for warfighting purposes.
So cloud computing is in our DNA. When we started sharing compute power early on, security really wasn’t a major concern because the networks were closed. They were limited to the academic institutions and the research labs that were connected. And you had to go through a human in order to get jobs run on computers. So security was baked into the system from the very beginning.
As we moved away from that kind of model to client/server and then ultimately springing back into the cloud world, security has gone into what we call the onion layers. You build security in a series of layers to ultimately get to the center of the onion. But once they’re in the center, there’s really nothing in there to protect you. People are allowed to move around in there as they see fit.
Defense in depth is the model we use for cloud security today. We start with firewalls at the edge and add intrusion-prevention capabilities, intrusion-detection devices, reporting, aggregation of log data, humans who actually review that data and machines that do AI analytics to try to find people who are doing things they shouldn’t be doing in the cloud and then take action to stop that from happening.
The rise of zero trust
That defense-in-depth process really has not changed in the last 15 years. And while it was probably good when it started, we’re now seeing the problems with that model.
Executive Viewpoint: A conversation with John Hale
The data in the cloud is what’s valuable, and with zero trust, access to that data is not guaranteed at any time.
SPONSORED CONTENT