6/6/2018
12:45 PM
Scott Petry

DOD Looks to the Cloud for Browser Security

The US Department of Defense just published its cloud browser strategy. What's yours?

On June 5, 2018, the Defense Information Systems Agency released an unclassified request for information (RFI) outlining its intent to procure a cloud browser for 3.1 million Department of Defense (DOD) employees.

The operators of the most-targeted network in the world have concluded that they'd be more secure and efficient if they kept all public web code off the department's network. This is significant for the entire cybersecurity market, not just the DOD. With this RFI, an arguably niche, disruptive security solution becomes mainstream. Cloud browsers are now something any organization concerned with online security must consider.

DOD personnel use the web for mission-related activities, support and logistics functions, and morale and well-being. With more than 4 million users worldwide, and with many people operating out of sensitive government facilities, the DOD is also a compelling target for cyberattack. The volume of attacks the department must deal with is mind-boggling. On any given day, the DOD:

  • Contends with "800 million cyber incidents that threaten the network" (Pentagon spokesman Lt. Col. James Brindle)
  • Responds to "360 million targeted probes, compared to the 1 million probes an average major US bank gets per month" (DOD chief information assurance officer Robert Lentz)
  • Thwarts an "estimated 36 million e-mails containing malware, viruses, and phishing schemes" (Pentagon spokeswoman Heather Babb)

The Defense Information Systems Agency, or DISA, provides network services across the DOD. While the agency would like to limit support to mission-related network traffic — which it has tried to do previously — the public Internet has become a reality it must embrace.

In May 2007, the DOD started blocking access to 13 social media sites. There was strong reaction from both press and DOD insiders citing the requirement for deployed personnel to stay connected with loved ones back home, and the expectation of morale, recreation, and welfare on their personal time. 

The debate continued into 2009, when the DOD announced plans to expand the ban to additional "Web 2.0" sites, such as Twitter and Facebook. This time, the rationale wasn't network efficiency — rather, the security vulnerabilities associated with military personnel using social media sites.

Even within the DOD, there was no consensus. The commands were supportive of even more aggressive blocks, but appointees within the Office of the Secretary of Defense publicly stated their support for "Web 2.0" across the DOD, saying "What we can't do is let security concerns trump doing business."

The logjam was broken in June of that year, with the decision for Army bases to stop blocking sites: "It is 'the intent of senior Army leaders to leverage social media as a medium to allow soldiers to "tell the Army story" and to facilitate the dissemination of strategic, unclassified information,'" according to a news story from Wired.

With that, the DOD was back on defense — users got access to the Web, and it was up to DISA to keep systems secure and available. And it has spent a lot of money to do that. Over the last three years, public records show that the DOD budgeted more than $18 billion for cybersecurity in 2016, nearly a 30% increase over 2015. Open RFIs and purchase data show that it has pursued advanced endpoint solutions, sandboxing, deeper network analysis, and more.

Yet pressure hasn't waned. The volume of non-mission-related traffic has increased dramatically, requiring continual infrastructure investment and aggressive traffic-shaping policies to give priority to mission traffic. Meanwhile, cyber threats have continued unabated.

Projecting the current "spend to protect" trend doesn't end in a happy place. Cybersecurity, according to Gartner, is a $100 billion industry annually, growing at almost 9% CAGR, yet 2017 was the biggest year on record for data breaches, ransomware, and other cybersecurity failures.

DISA, as the network operator for arguably the largest private network in the world, needed to consider solutions outside the box. The result is this RFI for a cloud-based browser.

The concept of a cloud browser is obvious in hindsight. Instead of letting arbitrary web code enter the network and execute on the local device, the cloud browser executes all web code on a remote host. All rendered data is transformed into a known-safe, encrypted interactive display of the web session. This provides immediate isolation from any web threats. But a cloud browser does more: executing in a central location, regardless of the endpoint, the cloud browser becomes the point for improved network efficiency, centralized access policies, data loss prevention controls, audit and oversight of usage, full anonymity, and more. 

DISA has come to the same realization that other cloud browser customers have: current cybersecurity solutions analyze and act on content after it has reached the network or endpoint, an approach that does not scale with the threat environment. Cloud browsers make network operations more efficient:

  • Cloud browsers prevent any web-native code from executing locally and keep malware isolated remotely, which makes them safer.
  • Cloud browsers deliver compressed and optimized data to the endpoint, which results in lower bandwidth consumption.
  • Not getting infected means IT has less of a burden with remediation and exceptions management, allowing staff to focus on other tasks.
  • Cloud browsers provide centralized audit and oversight of web activity, helping manage acceptable use, governance, and compliance.

Authentic8 will respond to DISA's RFI. We think it's a strong message to the rest of the government — that current practices regarding web access and security aren't tenable. We think it's also a powerful signal to the commercial market. DISA's network is a national security asset. It's arguably the largest private network in the world, and it's certainly the most targeted. If the DOD is moving to a cloud browser, then the category needs to be taken seriously. What's your cloud browser strategy?


Scott Petry is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott founded Postini and served in a variety of C-level roles until its acquisition by Google in 2007. He served as Director of Product Management at Google until 2009. Prior to Postini, Scott was General ...