DISA tests cloud-based internet isolation
- By Stephanie Kanowitz
- May 28, 2019
With an eye toward boosting cybersecurity and protecting the Department of Defense Information Network, the Defense Information Systems Agency awarded a contract for a cloud-based internet isolation (CBII) prototype that moves web browsing from the desktop to the cloud -- effectively putting an “air gap” between the internet and enterprise networks and improving bandwidth utilization.
CBII has been used in the commercial sector to isolate Internet traffic, but has not been implemented at scale within DOD, officials said in the program's description. The prototype will be tested by 100,000 users and, if successful, will scale to encompass all 3.5 million users connected to the DODIN.
By isolating the 36% of internet threats that are browser based, CBII "will provide a secure space to allow unclassified traffic to traverse by isolating the traffic from the DoD Information Network,” a DISA spokesperson wrote in an email to GCN. “The user is able to interact with the website through the secure cloud, rather than on their device. This means that no non-mission-critical browser code will ever be executed on the user's endpoint, providing more security than the user has now.”
DISA selected systems integrator By Light Professional IT Services as the prime contractor for the CBII prototype, with Menlo Security supporting delivery of the solution. The platform works by taking a command to open a website and opening a virtual machine in the cloud. That virtual machine runs a new web browser created specifically for the requester, downloads the website and runs it in fully in the cloud. Menlo’s Adaptive Clientless Rendering (ACR) technology streams to the end user’s device only the visuals of the session, not the original content.
“The visuals cannot infect you, which is why at Menlo, we say we eliminate 100% of potential malware coming at you from the web,” the company's CEO and founder Amir Ben-Efraim said.
That’s different from current security processes in which users connect to a website through the local network. That traffic runs through security products such as a firewall, which evaluates the website as good or bad, preventing the connection if it determines the website to be the latter.
“The problem with this approach is that it doesn’t work,” Ben-Efraim said. “No one in the world knows what good or bad is anymore. It turns out in this modern malware world about 10% of malware is actually being missed."
ARC delivers not only CBII, but makes the experience native from end users’ perspective, he added. They don’t have to take any new or additional steps, and the experience should be the same from anywhere in the world. What’s more, the solution can scale as needed without causing performance degradation.
To run the solution, a client reconfigures the router and firewall and uses Menlo Security as the secure web gateway so that all internet traffic goes through Menlo.
Besides an improved security posture, another benefit that DISA expects to gain from CBII is to free up bandwidth for the Defensive Cyber Operations Tools at DISA-managed internet access points, the agency’s spokesperson said. That’s because ACR’s bandwidth is equivalent to or less than native bandwidth, making it more efficient.
“Stressed Department of Defense boundary defenses are caused by increasingly sophisticated browser-based attacks,” the spokesperson wrote. “Also, DOD Internet traffic growth through DISA-managed Internet Access Points is unsustainable. Internet isolation will address both of these challenges.”
DISA also expects to avoid costs in the form of upgrading expensive Defensive Cyber Operations tools and gaining work efficiency “because the platform will filter out the noise and allow analysts to focus on real threats to the network,” the spokesperson wrote.
DISA made the prototype award using Other Transaction Authority to gain more flexibly than traditional contracting allows. Initial users are beginning to use the solution now, and the prototype will continue until December, at which time DISA will select a single vendor and begin a full-scale implantation, the spokesperson said.
Editor's note: This article was changed May 30 to clarify the configuration of the solution.
Stephanie Kanowitz is a freelance writer based in northern Virginia.