Guest Blog // Selected Security Content Provided By Sophos
Dark Reading
Security Insights

DoD's Bold Initiative: Secure The User, Not The Device

Joint Information Environment effort under way to improve its ability to share information between the services, industry partners, and other government agencies

Not all great ideas come out of the private sector. Occasionally some originate in the public sector. Or, as the following example shows, some are by-products of partnerships between the two.

The U.S. Department of Defense is planning the Joint Information Environment -- effectively a meaningful way to improve its ability to share information between the services, industry partners, and other government agencies. The Joint Information Environment will take all of those separate networks and collect them into a shared architecture.

As a Pentagon spokesman put it, information is meaningless unless it is delivered into the hands of those who need it. And because there are so many separate networks, information sharing isn't as efficient as it could be.

Sound familiar?

When it's complete, the Joint Information Environment will enable every user to get onto an approved device, from anywhere -- at home, at work, or on the move -- and get the information they need in a secure, reliable fashion.

The services will continue to support their own networks under the aegis of the Defense Information Systems Agency. The Joint Information Environment will eliminate redundancies in those networks, however. For example, instead of operating a parallel Army-only network for Army units that are stationed at a predominantly Air Force joint base, the Air Force will operate a single shared network for all personnel assigned to the base.

Developing the Joint Information Environment also involves moving toward DOD-wide services rather than every component buying, operating, and maintaining their own services, the Pentagon spokesman said.

"For example, rather than having every command operate their own email system, today the services have been combining those into a more efficient way of offering those things up at the service level," according to the DOD press release.

The enterprise email system, spearheaded by the Army, currently supports more than 550,000 users. The DOD intends to develop that system further by eventually providing every DOD user with an email address that is his regardless of command or location.

Ultimately, DOD users will have access to their email anywhere in the world, on any network operated by a DOD agency.

So let's regroup and figure out what this means for civilian information security professionals:

1. Enable every user to securely access data from any device, anywhere he is.
Hypothetically speaking, if you're working from home on your laptop and using your company's VPN to access your email, then switching over to your smartphone or BlackBerry to access your resources from the road, your ability to access information is seamless. In other words, it's no longer the device that becomes the first line of identity and authentication -- it's the user. Your policy and privileges follow you wherever you go regardless of the type of device used to access the network.

2. Authenticate users equally.
This is the ability for disparate divisions of the same company, even remote locations and offices of affiliates, agents, and partners, to be defined as a user in Active Directory and authenticated to the same shared network. I can't say conclusively whether the traditional VPN tunnels will be history given this type of environment (based on the Joint Base Air Force example of a shared network included in the press release, it seems likely), but, if so, it takes a lot of the upkeep and maintenance out of the equation.

3. Centralize users into a common directory.
As for security, sometimes centralization of users into a common directory like the kind suggested by the Joint Information Environment can actually be a positive development. Ultimately it requires fewer high-value IT staff of the DOD (in this case) to perform authentication checks and, as outlined in the press release itself, will allow the DOD to actually reduce the number of data centers over 10 years, from 1,500 to 250. It will also, of course, reduce infrastructure, such as computer systems, power supplies, and other equipment and applications required for their operation.

4. Achieve common ground.
Remaining data centers will share a common architecture and similar rate structure, again increasing the efficiency of the data center and, by default, how the data stored there is accessed, used, and accounted for.

5. Simplify services.
By reconfiguring how services are deployed (including email, natively developed DOD-specific applications, etc.), including how they are operated, purchased, and maintained, the Joint Information Environment can help the DOD scale services based on an enterprise-wide model that's dependent on the number of users rather than the net number (or type) of devices.

Based on these outcomes alone, I think the implications presented by this technology are bold, even game-changing, both for the public as well as private sectors.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.

11/15/2012 | 2:27:22 PM
re: DoD's Bold Initiative: Secure The User, Not The Device
We have learned nothing from the anarchy of the last 5 years. Users/Machines compromised in the millions (especially consumers) and yet we still travel down this "BYOD" road towards fantasy land where the security of the endpoint doesn't matter. We are either ignoring or pretending to have solved a problem that just keeps getting worse.