Cloud security

NSA to Simulate Attacks to Test Zero Trust Offerings of JWCC Contractors

Red team hackers from the National Security Agency will perform simulated attacks on zero trust security systems on cloud platforms owned by Joint Warfighting Cloud Capability contractors.

According to Randy Resnick, the director of the Department of Defense Zero Trust Portfolio Management Office, the months-long exercise will mimic adversarial attacks to see if hackers could get in and exploit data. He shared during a Billington Cybersecurity webcast that the exercise would allow the Pentagon to see if the companies’ zero trust overlays are implemented correctly.

The official believes that the four companies will achieve the basic target level for cloud-based zero trust while at least one of the companies would reach an advanced level.

The red team, which may include hackers from the U.S. armed forces, will target the zero trust overlays owned by Amazon Web Services, Google, Microsoft and Oracle. The activity, which is not a requirement for JWCC, will start in the spring, Breaking Defense reported Thursday.

Zero trust is a cybersecurity principle that assumes that every user is hostile, hence the need for constant authentication. According to Palo Alto Networks, implementing zero trust on the cloud could eliminate some security concerns, such as data loss and leakage, data privacy and control issues.

JWCC is a $9 billion, multiple-award, indefinite-delivery/indefinite-quantity contract vehicle that allows the Pentagon to acquire commercial cloud capabilities and services directly from the four CSPs.