6/6/2018
12:45 PM
Scott Petry
Commentary

DOD Looks to the Cloud for Browser Security

The US Department of Defense just published its cloud browser strategy. What's yours?

On June 5, 2018, the Defense Information Systems Agency released an unclassified request for information (RFI) outlining its intent to procure a cloud browser for 3.1 million Department of Defense (DOD) employees.

The operators of the most-targeted network in the world have concluded that they'd be more secure and efficient if they kept all public web code off the department's network. This is significant for the entire cybersecurity market, not just the DOD. With this RFI, an arguably niche, disruptive security solution becomes mainstream. Cloud browsers are now something any organization concerned with online security must consider.

DOD personnel use the web for mission-related activities, support and logistics functions, and morale and well-being. With more than 4 million users worldwide, and with many people operating out of sensitive government facilities, the DOD is also a compelling target for cyberattack. The volume of attacks the department must deal with is mind-boggling. On any given day, the DOD:

  • Contends with "800 million cyber incidents that threaten the network" (Pentagon spokesman Lt. Col. James Brindle)
  • Responds to "360 million targeted probes, compared to the 1 million probes an average major US bank gets per month" (DOD chief information assurance officer Robert Lentz)
  • Thwarts an "estimated 36 million e-mails containing malware, viruses, and phishing schemes" (Pentagon spokeswoman Heather Babb)

The Defense Information Systems Agency, or DISA, provides network services across the DOD. While the agency would like to limit support to mission-related network traffic — which it has tried to do previously — the public Internet has become a reality it must embrace.

In May 2007, the DOD started blocking access to 13 social media sites. There was strong reaction from both press and DOD insiders citing the requirement for deployed personnel to stay connected with loved ones back home, and the expectation of morale, recreation, and welfare on their personal time. 

The debate continued into 2009, when the DOD announced plans to expand the ban to additional "Web 2.0" sites, such as Twitter and Facebook. This time, the rationale wasn't network efficiency — rather, the security vulnerabilities associated with military personnel using social media sites.

Even within the DOD, there was no consensus. The commands were supportive of even more aggressive blocks, but appointees within the Office of the Secretary of Defense publicly stated their support for "Web 2.0" across the DOD, saying "What we can't do is let security concerns trump doing business."

The logjam was broken in June of that year, with the decision for Army bases to stop blocking sites: "It is 'the intent of senior Army leaders to leverage social media as a medium to allow soldiers to "tell the Army story" and to facilitate the dissemination of strategic, unclassified information,'" according to a news story from Wired.

With that, the DOD was back on defense — users got access to the Web, and it was up to the DISA to keep systems secure and available. And it has spent a lot of money to do that. Over the last three years, public records show that the DOD budgeted more than $18 billion for cybersecurity in 2016, a nearly 30% increase over 2015. Open RFIs and purchase data show that it has pursued advanced endpoint solutions, sandboxing, deeper network analysis, and more.

Yet pressure hasn't waned. The volume of non-mission-related traffic has increased dramatically, requiring continual infrastructure investment and aggressive traffic-shaping policies to give priority to mission traffic. Meanwhile, cyber threats have continued unabated.

Projecting the current "spend to protect" trend doesn't end in a happy place. Cybersecurity, according to Gartner, is a $100 billion industry annually, growing at almost 9% CAGR, yet 2017 was the biggest year on record for data breaches, ransomware, and other cybersecurity failures.

DISA, as the network operator for arguably the largest private network in the world, needed to consider outside-the-box solutions. The result is this RFI for a cloud-based browser.

The concept of a cloud browser is obvious in hindsight. Instead of letting arbitrary web code enter the network and execute on the local device, the cloud browser executes all web code on a remote host. All rendered data is transformed into a known-safe, encrypted interactive display of the web session. This provides immediate isolation from any web threats. But a cloud browser does more: executing in a central location, regardless of the endpoint, the cloud browser becomes the point for improved network efficiency, centralized access policies, data loss prevention controls, audit and oversight of usage, full anonymity, and more. 

DISA has come to the same realization that other cloud browser customers have: current cybersecurity solutions analyze and act on content after it has reached the network or endpoint, an approach that does not scale with the threat environment. Cloud browsers make network operations more efficient:

  • Cloud browsers, which prevent any web-native code from executing locally, keep malware isolated remotely, which makes them safer.
  • Cloud browsers deliver compressed and optimized data to the endpoint, which results in lower bandwidth consumption.
  • Not getting infected means IT has less of a burden with remediation and exceptions management, allowing it to focus on other tasks.
  • Cloud browsers provide centralized audit and oversight of web activity, helping manage acceptable use, governance, and compliance.

Authentic8 will respond to DISA's RFI. We think it's a strong message to the rest of the government — that current practices regarding web access and security aren't tenable. We also think it's a powerful signal to the commercial market. DISA's network is a national security asset. It's arguably the largest private network in the world, and it's certainly the most targeted. If the DOD is moving to a cloud browser, then the category needs to be taken seriously. What's your cloud browser strategy?


Scott Petry is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott founded Postini and served in a variety of C-level roles until its acquisition by Google in 2007. He served as Director of Product Management at Google until 2009. Prior to Postini, Scott was General ...