The Air Force is trying out a new tool to help implement its zero trust information technology architecture through an AFWERX research contract with Silicon Valley startup Illumio.
The Small Business Innovation Research Phase 2 contract follows a Phase 1 award in March. No figures were released in the Sept. 20 announcement.
The award will be used for pilot projects throughout the Air Force and Space Force, Mark Sincevich, Illumio’s federal director and SBIR lead, told Air Force Magazine by email. “The SBIR Phase II award is meant for research and development projects that will help the Department of the Air Force refine and bolster their deployment [of Illumio’s tools] and ultimately their Zero Trust architecture at large,” he said.
The company is working with the Department of the Air Force Zero Trust Task Force to identify key pilot projects, Sincevich said, adding that “any Air Force or Space Force base” would be able to access the tools.
Zero trust networks make it harder for hackers to move inside a network once they’ve penetrated its walls. By interrogating traffic at every juncture as it tries to move inside the network, zero trust systems raise barriers against intruders and create more opportunities to challenge and expel them. Zero trust architectures typically have three characteristics:
- Each part of a system, whether a location or application, is walled off from the others;
- Users must authenticate themselves continuously; and
- Additional layers of security are added to protect the most valuable data in the system.
Speaking at AFA’s Air, Space, & Cyber Conference on Sept. 20, Lt. Gen Timothy D. Haugh, commander of the 16th Air Force, which is responsible for the cybersecurity of the service’s networks, called zero trust “a foundational technology” that, when implemented, would enable mission-critical data from sensors and weapons platforms to be moved around securely and ensure that security threats and vulnerabilities on any network could be mitigated in a timely manner.
“It’s critical for us to be able to do that [implement zero trust], so that we are able to operate in contested environments and trust our data,” Haugh told a media roundtable, noting that the weapons systems currently in use by the Air Force “weren’t built with the [cyber] threat in mind” and are, therefore, vulnerable to hackers.
“If we have a zero trust-based network, those threats as they’re discovered look different to us, because [zero trust] gives us freedom of maneuver within those networks into how we mitigate that threat,” he said.
“We’re pleased with the progress, but it’s got to go faster,” Haugh concluded.
The zero trust approach was made mandatory for federal civilian agencies in President Biden’s May 12 executive order, and the following day, the Defense Information Systems Agency [DISA] published a DOD reference architecture for zero trust, laying out how networks can be built in accordance with zero trust principles.
“The intent and focus of zero trust frameworks is to design architectures and systems to assume breach, thus limiting the blast radius and exposure of malicious activity,” Brandon Iske, DISA’s chief engineer for its Security Enablers Portfolio, said in a release announcing the DISA publication.
Then Illumio tool being deployed under the SBIR award is called Illumio Core. It provides both micro-segmentation—a way of slicing and dicing the IT network so that attackers cannot move freely around, even after they have penetrated the outer defenses—and a risk-based application “heatmap” that shows how the applications on a network are communicating with each other and highlights potential vulnerabilities.
“Zero trust is a strategy and not something that can be ‘achieved’ by one technology alone,” said Sincevich. “With that said, micro-segmentation is a crucial pillar of any zero trust strategy because it stops [cyberattackers] … from moving around to reach high-value assets. When attacks can’t spread, their impact is dramatically reduced.”