Personnel from the AFNet Sustainment and Operations Branch at Hanscom Air Force Base are partnering with the Air Combat Command Directorate of Cyberspace and Information Dominance to develop a modern software-based perimeter that will deliver zero trust capabilities to applications across the Air Force.
Defined by the Air Force as a “data or application access strategy that assumes all resource requests originate from an untrusted source,” zero trust networks grant access for individual requests only after establishing confidence in both the user and the device through identity verification and connection context attributes.
“The concept of zero trust has been around for many years, but recent cyberattacks and the heightened cyber threat landscape have elevated the need to implement zero trust architectures,” said Raju Ranjan, an AFNet Sustainment and Operations Branch engineer. “Last year’s National Institute of Standards and Technology special publication and the Department of Defense’s reference architecture helped us better understand this strategy, and it’s now a DOD mandate for all agencies to use a zero trust architecture model.”
Vincent Maguire, the branch’s lead engineer, said the zero trust concept is a paradigm shift in how the Air Force secures its applications.
“With the architecture we have now, we’ve focused on hardening our network and then trusting users connected to it with a CAC (Common Access Card),” he said. “But with zero trust, users can be on any network in the world, because we don’t start off with the premise of trust. We establish trust at the time of a transaction, and we build different levels of trust depending on how healthy the machine is and the user’s identity.”
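The per-request decision the article describes (the definition above, and Maguire’s account of establishing trust at transaction time from device health and user identity) can be made concrete with a small policy function. The following is an added illustration, not the Air Force’s, ACC’s or Platform One’s code; the attribute names, thresholds and trust tiers are assumptions chosen for the example, and the sample requests are constructed.

```python
"""Illustrative per-request zero trust access decision.

Constructed example: the attribute names, thresholds and trust tiers are
assumptions for this demonstration, not any real enterprise policy. The
points it shows: every request is evaluated on its own, the source network
never confers trust, and the decision is derived from user identity and
device health together.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Decision(Enum):
    DENY = "deny"
    LIMITED = "limited"   # e.g. read-only access to the requested resource
    FULL = "full"


@dataclass(frozen=True)
class Identity:
    user: str
    credential_verified: bool   # strong credential (e.g. PKI/CAC) checked for this request
    auth_age_seconds: int       # seconds since the user last authenticated


@dataclass(frozen=True)
class DevicePosture:
    managed: bool               # enrolled in enterprise device management
    disk_encrypted: bool
    edr_running: bool           # endpoint sensor present and reporting
    patch_age_days: int         # days since the last OS patch was applied


@dataclass(frozen=True)
class RequestContext:
    source_network: str         # "enterprise" or "internet"; recorded, never trusted
    sensitivity: str            # "low" or "high" classification of the resource


# Assumed thresholds for this example.
MAX_PATCH_AGE_DAYS = 30
MAX_AUTH_AGE_SECONDS = {"high": 15 * 60, "low": 8 * 60 * 60}
MIN_HEALTH_FOR_ACCESS = 2


def device_health(p: DevicePosture) -> int:
    """Score 0..4: one point per posture attribute in a healthy state."""
    checks = (p.managed, p.disk_encrypted, p.edr_running,
              p.patch_age_days <= MAX_PATCH_AGE_DAYS)
    return sum(1 for ok in checks if ok)


def decide(identity: Identity, posture: DevicePosture,
           ctx: RequestContext) -> Tuple[Decision, List[str]]:
    """Evaluate one request; returns the decision and the reasons for the audit log."""
    reasons = [f"user={identity.user} network={ctx.source_network} "
               f"sensitivity={ctx.sensitivity}"]

    # 1. Identity: an unverified credential is denied no matter where the
    #    request came from; being on the enterprise network earns nothing.
    if not identity.credential_verified:
        reasons.append("credential not verified")
        return Decision.DENY, reasons

    # 2. Freshness: high-sensitivity resources require a recent authentication.
    max_age = MAX_AUTH_AGE_SECONDS[ctx.sensitivity]
    if identity.auth_age_seconds > max_age:
        reasons.append(f"authentication is {identity.auth_age_seconds}s old, limit {max_age}s")
        return Decision.DENY, reasons

    # 3. Device health: weak posture denies outright; partial posture only
    #    reaches the reduced trust tier for sensitive resources.
    health = device_health(posture)
    reasons.append(f"device_health={health}/4")
    if health < MIN_HEALTH_FOR_ACCESS:
        reasons.append("device health below minimum")
        return Decision.DENY, reasons
    if health < 4 and ctx.sensitivity == "high":
        reasons.append("incomplete device posture for high-sensitivity resource")
        return Decision.LIMITED, reasons

    return Decision.FULL, reasons


if __name__ == "__main__":
    # Constructed sample requests.
    healthy = DevicePosture(managed=True, disk_encrypted=True, edr_running=True, patch_age_days=5)
    degraded = DevicePosture(managed=True, disk_encrypted=True, edr_running=False, patch_age_days=45)
    fresh = Identity("airman.example", credential_verified=True, auth_age_seconds=60)
    for req in [(fresh, healthy, RequestContext("internet", "high")),
                (fresh, degraded, RequestContext("enterprise", "high"))]:
        decision, why = decide(*req)
        print(decision.value, "|", "; ".join(why))
```

The reasons list is returned alongside the decision so that every grant or denial can be written to an audit log with the attributes that produced it; in a real deployment the posture attributes would come from a device management or endpoint agent rather than being constructed in code.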
ACC is developing the concept and strategy for the Air Force to move forward on zero trust, the AFNet Sustainment and Operations Branch is leading the integration efforts, and the Platform One team is tackling the development, security, and operations piece, Maguire said.
“Based on the strategy ACC’s provided, Raju is leading a team of engineers that is building a software-based zero trust boundary,” he said.
Ranjan added the concept also offers consistency, agility and savings.
“Currently, our boundary stack drives significant cost, and this concept could reduce those costs by as much as two or three times less than the current price,” he said.
The Massachusetts National Guard’s 126th Cyber Protection Battalion recently spent a week at the Lantern, also known as the Hanscom Collaboration and Innovation Center, proving the value proposition for micro segmentation work designed to help increase the project’s security, said Lt. Col. Darren Edmonds, the Lantern’s director.
Stephen Haselhorst, ACC Directorate of Cyberspace and Information Dominance chief technology officer, emphasized how “revolutionary” this project is for the Defense Department.
“It’s an architecture adapted from cloud-based technologies used by the Air Force Platform One team that have never been used on legacy networks in the DOD, that we know of,” he said. “It’s embracing a lot of modern concepts of DevSecOps, such as automation and orchestration necessary for zero trust to exist. The work that Raju is leading at Hanscom (AFB) is pretty groundbreaking.”
Lauren Knausenberger, the Air Force’s chief information officer, agreed that innovative projects like this one are key to accelerating the Air Force’s warfighting advantage by simplifying digital access for Airmen and Guardians without sacrificing security.
“Zero trust safely unlocks access to next-generation Joint All-Domain Command and Control warfighting capabilities by enabling seamless data sharing with our partners and allies, and greater freedom of maneuver for our warfighters,” she said. “At the same time, zero trust capabilities also impose greater costs on any adversaries trying to disrupt these efforts. The inventive approach the Hanscom (AFB) and ACC teams bring to this project is exactly the mindset we need to succeed in a future fight.”
The project is currently in the research and development phase, with many collaborators helping to move the effort forward, including the 16th Air Force, the Air Force Systems Networking office, the Cyber Capability Center, MITRE and others.
Haselhorst said the project’s proof-of-concept test is expected to conclude later this summer and two bases will serve as pilot locations for the boundary stack this fall. Air Force-wide deployment is targeted for fiscal year ’23.
Maguire said ACC’s timeline for Air Force-wide deployment aligns perfectly with the AFNet Sustainment and Operations Branch’s five-year roadmap, which also targets FY23 for a zero trust Air Force network.
The project is currently unfunded, but ACC has an FY23 budget submission that should provide the funds needed to move forward.
Haselhorst said the combined efforts of the AFNet Sustainment and Operations Branch’s perimeter work and the Lantern’s micro segmentation work will give the Air Force a solid foundational start in the zero trust journey.
“The team at Hanscom (AFB) is helping transition zero trust from a buzzword to reality,” Haselhorst said. “The truly innovative solutions they’re helping us develop will increase the security posture of the Air Force, while enabling Airmen to execute their mission anywhere, anytime.”