Dell’s Government CTO: Project Fort Zero Ready For DoD Testing

‘We feel comfortable that we have met the 152 objectives that the government has given us to meet,’ project lead and Dell Technologies industry CTO of Government Herb Kelsey tells CRN. ‘We feel comfortable about that. But we won’t know truly how close we are until they come and give us the test.’

Herb Kelsey

Dell Technologies’ Project Fort Zero — which promises a step-by-step, vendor-by-vendor validated way to create a security stack that meets all 152 requirements laid down by the U.S. Department of Defense zero trust strategy — is ready for its close up, said project lead and Dell Industry CTO of Government Herb Kelsey.

“We feel comfortable that we have met the 152 objectives that the government has given us to meet,” he told CRN. “We feel comfortable about that. But we won’t know truly how close we are until they come and give us the test.”

The timing of the test, which will grade Fort Zero’s performance across all of those objectives, is up to the Department of Defense.

“We still have the indication that it’s going to be in this calendar year, this fall,” Kelsey said. “We are still at their disposal, for when they want to do the evaluation. So we continue to do our testing. We continue to do our documentation, continue to talk with customers to get them excited and one day we’ll get a knock on the door.”

Fort Zero was introduced this past May at Dell Technologies World. Dell said the project is an ecosystem of more than 30 technology company partners that aims to satisfy the DoD’s zero trust strategy.

Gary McConnell, CEO of VirtuIT Systems, a Nanuet, N.Y.-based Dell platinum partner, said Fort Zero could be a security differentiator. The goals of zero trust, he said, are sophisticated technologically, and require a deep understanding of an ever-evolving security stack. Fort Zero promises to simplify that for partners and customers.

“We’re in the security era, which has brought so many different players to the industry from endpoints all the way to data center and network,” he said. “The challenge with that has been identifying the appropriate solution or partner for each security layer. We see this as a way to mitigate those challenges while being able to integrate well within a customer’s existing tech stack.”

First published in November, the DoD guide supplies technologists with strategies to build zero trust environments, including documenting what is required for concept development, gap analysis, implementation, procurement and deployment of a zero trust system.

“Importantly, this document serves only as a strategy, not a solution architecture,” wrote DoD CIO John B. Sherman in the forward of the document. “Zero Trust Solution Architectures can and should be designed and guided by the details found within this document.”

Kelsey said the Dell team has been working closely with DoD leaders to develop Project Fort Zero, but he doesn’t yet have a date when it will debut. Last year Dell unveiled its Zero Trust Center of Excellence at the U.S. Cyber Command’s cybersecurity innovation center, known as Dreamport. Dell is providing the facility with a secure data center to validate zero-trust use cases before they are deployed into live environments.

“We’re very close. Over the last 18 months we’ve been working hand in hand with the DoD and their CIO’s office and the office that supports the zero-trust platform,” he said. “We meet with them on a regular basis. Our team has been a trusted observer of what the government is doing, and we’ve done our design work and our build work and our testing work at the facility in Dreamport.”

Kelsey also talked with CRN about the role that generative AI will play in future zero-trust environments and why old data is getting a new value and a fresh look in the age of GenAI.

You’ve talked about how important automation and AI is going to be to this project, and what an important pillar that is inside zero trust. In what way will that be important?

Automation is what lets you respond faster than your adversary can attack you. Right? If you start looking at some of the statistics in the commercial space around, what’s the mean time to detect a threat? It’s 270 days on average.

Well, that’s probably too long.

How do you compete with that? You compete against that with automation. You say I want to automate the application of my security policy as quickly as possible. I want to respond to a threat as quickly as possible. I want to detect something bad, a threat to my system, as quickly as possible. That’s automation. Keeping humans in the loop in a sprawling enterprise of hundreds of data cetners. Its not feasible. That pillar of automation was added to create the speed.

Now, here’s a baseball metaphor: Doesn’t matter how hard you swing, if you are above or below the ball it’s just not happening. In other words: you can be fast and make a bad decision. So how do we automate in a way that allows us to replicate the skills of my best threat hunters? Of my best network defenders? Oh, we have this thing called AI/ML. Perfect. So that pillar is filled with AI/ML.

Now lets go to the next pillar visibility and telemetry. How do I create AI models? I need data on what’s right. I need data on what’s wrong. I need data on how people make decisions. All of that coming off an infrastructure gives us data and visibility into what’s happening on the system.

How many people are logging in and doing so in a valid way. How many are doing so in an invalid way? What IP address are they on? Can I isolate that? When somebody comes into the system what do they access first?

There’s a pattern of behavior to all of that.

All of that visibility data is what we use to feed and train the machine learning models, along with how experts respond to it, to create the AI to create the automation, to speed up the responses in an intelligent way.

AI is crucial to zero trust. AI is crucial to meeting the objective of defeating the adversary. We’re driving to an outcome. And it’s the fact that the government has been prescriptive about how to go about it that’s been revolutionary for the marketplace.

How close is Project Fort Zero? Or how close are you to having something like this?

My answer to you is we’re very close. Not so much because Dell is amazingly special. We do know how to build those machine learning models. We do know how to do that. What’s different, about what we’re trying to do is that it takes a village to build that. It takes an ecosystem of partners with everyone doing their part to get to the objective.

One of the things that we’ve been very diligent about is collecting a good group of partners, thirty plus. To produce that activity. That’s step one.

The linchpin of this is you have to be able to collect all that data. So since we are building the system with that intention, we’re able to make sure that we identify and log all the data that we get, then organize that data in a way that we can create the models and then create the AI systems and validate them and then apply it to the system.

So how close are we at Dell? We’re very close. Over the last 18 months we’ve been working hand in hand with the US DoD and their CIO’s office and the office that supports the zero trust platform. We meet with them on a regular basis. Our team has been a trusted observer of what the government is doing and we’ve done our design work and our build work and our testing work.

We feel comfortable that we have met the 152 objectives that the government has given us to meet. We feel comfortable about that. But we won’t know truly how close we are until they come and give us the test.

We think we’re there. We think we are ready to take the test. But until they test us and tell us that we passed, we don’t know yet. So that’s where we are.

So when will the government give you the test to see if this works?

The government schedules these kind of assessments. We still have the indication that its going to be in this calendar year. In this fall. But we don’t have anything exact from them. We are now basically at their disposal for when they want to do the evaluation.

And so we continue to do our testing. We continue to do our documentation. Continue to talk with customers and get them excited about what we’re doing. And one day they’ll knock on the door and say, its time to take the test.

Then we’ll go through that process. And in this test, the perfect score is 152.

With something like 90 percent of all the data in the world going untouched after it is created, it just seems like now with these tools it could be useful. So how valuable is all of that historic data?

The data becomes very valuable because what it allows you to do is build a higher quality model. That’s one of the nice things about AI/ML and predictive analytics.

I had the opportunity [before working at Dell] to do the predictive analytics on the Affordable Care Act data for the Centers for Medicare & Medicaid Services. It was the first time that statewide data on Medicaid and Medicare had been collected in one place. So here we are for the first time ever able to look at that data. You know what happened?

We found cross-state fraud rings in an instant. They would go into one state, and when things got hot, they would jump to the next state over, and set their fraud ring up again, and wait for the next state to figure out that they were there. They were doing a four-state circuit and no one saw it because no one was looking at the data as a whole.

So when you ask me, how valuable is that user behavior data and telemetry data? Its invaluable because what predictive analytics or what machine learning models do is the more comprehensive data you give it. The more effective it can be.

It’s like taking the exhaust from your car and turning it into water.

The government was sort of slow on the uptake when it came to cloud adoption. What has been your impression of how it has handled these early months of GenAI?

What I see is that they are paying attention to how do you manage and how do you manage these kinds of environments, and, you know, looking at where they need to be a part where they need to stand back.

So it’s not to say that they’re going to get it perfect the first time because nobody does, but the fact that they’re looking at those things early in the process, to me is a real step up.

You know, for us what’s interesting is, we have all this AI built into the system, but we are also looking at how we can utilize it to help train the system to help educate people on what we’re building in zero trust too.