Page 30 - FCW, July 2020

Cloud Security
Executive Viewpoint
A conversation with
JOHN HALE
Chief of Cloud Services, Defense Information Systems Agency
This conversation is adapted from a presentation at an FCW event.
The Department of Defense has been involved in cloud from the very beginning. We started a project about 55 years ago called ARPANET, which was all about connecting research labs and universities together so they could share compute power and research. ARPANET ultimately became what we call the internet today.
When we started sharing compute power early on, security really wasn’t a major concern because the networks were closed. They were limited to the academic institutions and the research labs that were connected. And you had to go through a human in order to get jobs run on computers. So security was baked into the system from the very beginning.
As we moved away from that kind of model, security has gone into what we call the onion layers. You build security in a series of layers to ultimately get to the center of the onion. But once they’re in the center, people are allowed to move around as they see fit.
Defense in depth is the model we use for cloud security today. We start with firewalls at the edge and add intrusion-prevention capabilities, intrusion-detection devices, reporting, aggregation of log data, humans who actually review that data and machines that do AI analytics to try to find people who are doing things they shouldn’t be doing in the cloud and then take action to stop that from happening.
That defense-in-depth process really has not changed in the last 15 years. And while it was probably good when it started, we’re now seeing the problems with that model. Once you’re inside, that lateral movement from one system to the other all the way down the chain is almost impossible to catch because the tools we use are designed to protect the onion.
Where we’re going and where I see the industry going is zero trust. The data in the cloud is what’s valuable, and with zero trust, access to that data is not guaranteed at any time. Many pieces of information have to come together for you to gain access to that data and process it. And that information could be who you are, where you are, what kind of device you’re on or what network you’re on.
The missions are pushing toward a zero trust model, and we’re really hoping that commercial products catch up and lead us in that direction so that we can continue to push cloud capabilities to enable warfighters to complete their mission. Cloud is not the right fit for every capability, but as we modernize all our warfighting capabilities, ultimately the cloud will become the first platform of choice for every new capability.
For the most part, we have looked at the cloud as just another data center, and we’ve treated the applications and capabilities that go in there as if they’re just going into another data center. That’s wrong, but that’s the way we’ve done it to date because that’s the mindset and the tool set we have available to us.
We need to move to a model where security is baked in from the very beginning and it’s ubiquitous throughout the entire system — and away from this model where once you’re inside, you’re inside.
This interview continues at Carah.io/Hale-DISA.
S-30 SPONSORED CONTENT

































































































