Dark Reading is part of the Informa Tech Division of Informa PLC


6/6/2018
12:45 PM
Scott Petry
Commentary

DOD Looks to the Cloud for Browser Security

The US Department of Defense just published its cloud browser strategy. What's yours?

On June 5, 2018, the Defense Information Systems Agency released an unclassified request for information (RFI) outlining its intent to procure a cloud browser for 3.1 million Department of Defense (DOD) employees.

The operators of the most-targeted network in the world have concluded that they'd be more secure and efficient if they kept all public web code off the department's network. This is significant for the entire cybersecurity market, not just the DOD. With this RFI, an arguably niche, disruptive security solution becomes mainstream. Cloud browsers are now something any organization concerned with online security must consider.

DOD personnel use the web for mission-related activities, support and logistics functions, and morale and well-being. With more than 4 million users worldwide, and with many people operating out of sensitive government facilities, the DOD is also a compelling target for cyberattack. The volume of attacks the department must deal with is mind-boggling. On any given day, the DOD:

  • Contends with "800 million cyber incidents that threaten the network" (Pentagon spokesman Lt. Col. James Brindle)
  • Responds to "360 million targeted probes, compared to the 1 million probes an average major US bank gets per month" (DOD chief information assurance officer Robert Lentz)
  • Thwarts an "estimated 36 million e-mails containing malware, viruses, and phishing schemes" (Pentagon spokeswoman Heather Babb)

The Defense Information Systems Agency, or DISA, provides network services across the DOD. While the agency would like to limit support to mission-related network traffic — which it has tried to do previously — the public Internet has become a reality it must embrace.

In May 2007, the DOD started blocking access to 13 social media sites. There was strong reaction from both press and DOD insiders citing the requirement for deployed personnel to stay connected with loved ones back home, and the expectation of morale, recreation, and welfare on their personal time. 

The debate continued into 2009, when the DOD announced plans to expand the ban to additional "Web 2.0" sites, such as Twitter and Facebook. This time, the rationale wasn't network efficiency — rather, the security vulnerabilities associated with military personnel using social media sites.

Even within the DOD, there was no consensus. The commands were supportive of even more aggressive blocks, but appointees within the Office of the Secretary of Defense publicly stated their support for "Web 2.0" across the DOD, saying "What we can't do is let security concerns trump doing business."

The logjam was broken in June of that year, with the decision for Army bases to stop blocking sites: "It is 'the intent of senior Army leaders to leverage social media as a medium to allow soldiers to "tell the Army story" and to facilitate the dissemination of strategic, unclassified information,'" according to a news story from Wired.

With that, the DOD was back on defense — users got access to the Web, and it was up to DISA to keep systems secure and available. And it has spent a lot of money to do that. Over the last three years, public records show that the DOD budgeted more than $18 billion for cybersecurity in 2016, a nearly 30% increase over 2015. Open RFIs and purchase data show that it has pursued advanced endpoint solutions, sandboxing, deeper network analysis, and more.

Yet pressure hasn't waned. The volume of non-mission-related traffic has increased dramatically, requiring continual infrastructure investment and aggressive traffic-shaping policies to give priority to mission traffic. Meanwhile, cyber threats have continued unabated.

Projecting the current "spend to protect" trend doesn't end in a happy place. Cybersecurity, according to Gartner, is a $100 billion industry annually, growing at almost 9% CAGR, yet 2017 was the biggest year on record for data breaches, ransomware, and other cybersecurity failures.

DISA, as the network operator for arguably the largest private network in the world, needed to consider solutions out of the box. The result is this RFI for a cloud-based browser. 

The concept of a cloud browser is obvious in hindsight. Instead of letting arbitrary web code enter the network and execute on the local device, the cloud browser executes all web code on a remote host. All rendered data is transformed into a known-safe, encrypted interactive display of the web session. This provides immediate isolation from any web threats. But a cloud browser does more: executing in a central location, regardless of the endpoint, the cloud browser becomes the point for improved network efficiency, centralized access policies, data loss prevention controls, audit and oversight of usage, full anonymity, and more. 

DISA has come to the same realization that other cloud browser customers have: current cybersecurity solutions analyze and act on content after it has reached the network or endpoint, an approach that does not scale with the threat environment. Cloud browsers make network operations more efficient:

  • Cloud browsers prevent any web-native code from executing locally and keep malware isolated remotely, which makes them safer.
  • Cloud browsers deliver compressed and optimized data to the endpoint, which results in lower bandwidth consumption.
  • Not getting infected means IT has less of a burden with remediation and exceptions management, allowing it to focus on other tasks.
  • Cloud browsers provide centralized audit and oversight of web activity, helping manage acceptable use, governance, and compliance.

Authentic8 will respond to DISA's RFI. We think it's a strong message to the rest of the government — that current practices regarding web access and security aren't tenable. We also think it's a powerful signal to the commercial market as well. DISA's network is a national security asset. It's arguably the largest private network in the world, and it's certainly the most targeted. If the DOD is moving to a cloud browser, then the category needs to be taken seriously. What's your cloud browser strategy?

Scott Petry is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott founded Postini and served in a variety of C-level roles until its acquisition by Google in 2007. He served as Director of Product Management at Google until 2009. Prior to Postini, Scott was General ...