Ensuring user access, identity management at DISA grows complicated in mass telework


For an enterprise service provider like the Defense Information Systems Agency, mass telework means serving the needs of not only internal employees but external offices. DISA provides many of the workforce collaboration tools and capabilities such as the Defense Collaboration Services (DCS) and Global Video Service (GVS).

During the pandemic the agency launched a new environment — Commercial Virtual Remote (CVR) — which has since been shuttered but during its run presented the question of how to manage IDs or transition to a permanent environment.

Andrew (Drew) Malloy, technical director for the Cyber Development Directorate at the Defense Information Systems Agency, said that in a multi-tenant environment, an Air Force employee who moves to a combatant command needs their data to migrate as well. In a way it’s similar to an electronic health record that travels with a person.

“DISA and the [Cloud Computing Program Office], as part of the [Office of the Chief Information Officer] who’s now under DISA, set up the Global Directory Initiative,” Malloy said on Federal Monthly Insights — Disrupting the Kill Chain. “They started with CVR, they started global directory and now we’re moving that to the [Defense Enterprise Office Solutions] and other DoD [Microsoft Office] 365 clients.”

This can be challenging given all of the Defense Department’s different programs, which is why DISA stood up an installation campus area network program, concentrated on financial services. DISA is starting with a small number of pilot programs to see whether entire departments can use an enterprise identity management service. But right now, Office 365 applications do not tie into DISA’s financial services.

“And that’s what we need to figure out moving forward is, how we manage that and how we manage that centrally, to where from a cybersecurity perspective, we don’t have as much of a threat surface area,” Malloy said on Federal Drive with Tom Temin. “We can now look at some of the interesting things we can do centrally as far as automating a lot of the provisioning, hooking into a lot of authoritative data sources throughout the department to make some of those access control decisions, and then automatically shutting off accounts when something is triggered, or there is a certain action taken to — how do we automate a lot of this experience as opposed to what we’ve been doing in the past?”

Sometimes data that originates in the enterprise or a legacy system ends up in a 365 environment as people collaborate and share information. As a result, DISA is trying to architect around zero trust concepts. DISA and the National Security Agency co-authored a zero trust reference architecture, and now a major effort is underway to figure out, end-to-end, how to pull in those concepts, Malloy said.

As of right now, Malloy said DISA deals mostly with government-issued devices and is determining a bring-your-own-device (BYOD) strategy going forward. Managed government endpoints are easier because cyber staff know exactly the health of those endpoints. Several pilots and prototypes are in process within DISA and the services to figure out what the BYOD approach will be.

“BYOD is a bit of a different animal — when you talk about someone bringing in their own device, what can we do for that endpoint?” he said. “Can we load software on that endpoint, can we then make those fine-grained decisions based off of the inputs that we get from that software, as opposed to just really a wild west approach of anyone can access anything from their own personal devices, trying to bring some control in there?”
