Security compliance and collaboration: The role of network isolation
- By George Kamis
- Jun 15, 2020
When it comes to protecting sensitive government information, airport security offers a compelling parallel. People need to travel, and they must be validated and inspected before boarding an aircraft. Similarly, agencies must establish communication between networks but without putting classified data at risk. Cross-domain solutions offer checks, much like airport security protocols, to allow secure data sharing between and within segmented networks. This helps agencies effectively and efficiently accomplish their missions.
Cross-domain solutions must meet increasingly rigorous compliance requirements, though. The Raise the Bar initiative, which was unveiled in late 2018 by the National Security Agency’s National Cross Domain Strategy and Management Office, set a higher standard for cross-domain security beyond even the National Institute of Standards and Technology’s Risk Management Framework controls. It also continues to evolve. Recent memos show that a move to hardware-based separation and solutions providing one-directional data flow, combined with cross-domain solutions, will be required by the end of 2021 for certain high-risk networks.
The building blocks
An effective and compliant cross-domain architecture between networks of different classification levels is made up of many pieces, similar to airport security. Together, they allow end users to collaborate when and where they need to, without onerous logistical barriers or putting critical information at risk.
When travelers arrive at the airport, they must pass through multiple security checks. This is very similar to the defense-in-depth practices for implementing cross-domain solutions that include firewalls, diodes and guards. At the airport, fliers must first check in with a Transportation Security Administration agent and present particular credentials, including a government-approved ID and a valid ticket. Similarly, firewalls, the first line of defense for most networks, monitor and control network traffic based on preset rules. Firewalls offer a very effective means of protecting the network, but the check they perform is a very high-level one.
For employees to successfully do their daily jobs, firewalls must be able to support a wide range of protocols for many applications: Zoom, Microsoft Teams, email, web browsing and more. Firewalls' biggest shortcoming is that they must support a wide range of communication traffic for an organization to operate effectively, and so they can perform only a high-level check on the data.
When passengers walk through the security checkpoint, they’re subjected to a far more in-depth search. TSA agents inspect individuals and their belongings. If they’re accidentally carrying a pen knife or razor blade, for instance, agents detect that and remove it. Then, they either allow travelers to pass or decline their entry. Cross-domain guards work similarly. Unlike firewalls, which are all or nothing, guards utilize custom military-grade inspection routines, focusing on one protocol or dataset and looking at the data very carefully. Data can be completely rejected or sanitized to allow passage.
Guards follow extremely narrow criteria with regard to what is allowed through, but for a reason: to ensure the right data is being shared or transferred between boundaries. This permits the secure and seamless flow of information between multiple networks, be that machine-to-machine, person-to-machine or machine-to-person. Let’s say an agency, due to security restrictions, uses "SneakerNet" -- a highly manual physical transfer process where data on CD-ROMs is walked from one system to another. With the implementation of a guard, the agency could automate the process of declassifying a large pool of documents and transfer them from a network with a secret classification to a public one through data inspection and sanitization.
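The narrow, single-format inspection described above can be made concrete with a small content guard. This is an added example, not Forcepoint's or any vendor's code: it understands exactly one message type (a constructed "sensor report" JSON schema, assumed for the example), rejects anything that does not fit that schema outright, and sanitizes the one free-text field it does allow before releasing the message across the boundary.

```python
"""A narrow-protocol content guard, added as an illustration (not vendor code).
It knows one message type only: a constructed 'sensor report' JSON schema.
Structural problems are a hard reject; only free text is ever repaired."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed schema: the only fields a report may carry, with type and length limit.
ALLOWED_FIELDS = {
    "sensor_id": (str, 7),
    "timestamp": (str, 20),
    "reading": ((int, float), None),
    "notes": (str, 120),          # free text is sanitized, never passed through raw
}
REQUIRED_FIELDS = {"sensor_id", "timestamp", "reading"}
SENSOR_ID_RE = re.compile(r"^[A-Z]{2}-\d{4}$")
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
NON_PRINTABLE_RE = re.compile(r"[^\x20-\x7e]")   # anything outside printable ASCII
MAX_MESSAGE_BYTES = 1024


@dataclass
class Verdict:
    action: str                 # "ALLOW" or "REJECT"
    reason: str
    payload: Optional[dict]     # sanitized message when allowed, else None
    modified: bool = False      # True when sanitization altered the content


def inspect(raw: bytes) -> Verdict:
    """Inspect one raw message and decide whether it may cross the boundary."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return Verdict("REJECT", "message exceeds size limit", None)
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return Verdict("REJECT", f"not well-formed: {type(exc).__name__}", None)
    if not isinstance(msg, dict):
        return Verdict("REJECT", "top-level value is not an object", None)

    unknown = sorted(set(msg) - set(ALLOWED_FIELDS))
    if unknown:
        return Verdict("REJECT", f"unknown field(s): {unknown}", None)
    missing = sorted(REQUIRED_FIELDS - set(msg))
    if missing:
        return Verdict("REJECT", f"missing required field(s): {missing}", None)

    for name, (typ, limit) in ALLOWED_FIELDS.items():
        if name not in msg:
            continue
        value = msg[name]
        # bool is a subclass of int in Python; a boolean reading is not a number here.
        if isinstance(value, bool) or not isinstance(value, typ):
            return Verdict("REJECT", f"field {name!r} has wrong type", None)
        if limit is not None and name != "notes" and len(value) > limit:
            return Verdict("REJECT", f"field {name!r} exceeds length limit", None)

    if not SENSOR_ID_RE.match(msg["sensor_id"]):
        return Verdict("REJECT", "sensor_id does not match expected pattern", None)
    if not TIMESTAMP_RE.match(msg["timestamp"]):
        return Verdict("REJECT", "timestamp does not match expected pattern", None)

    # Sanitize the single free-text field: drop non-printable characters, then truncate.
    clean = dict(msg)
    modified = False
    if "notes" in clean:
        stripped = NON_PRINTABLE_RE.sub("", clean["notes"])[: ALLOWED_FIELDS["notes"][1]]
        modified = stripped != clean["notes"]
        clean["notes"] = stripped
    return Verdict("ALLOW", "conforms to report schema", clean, modified)


if __name__ == "__main__":
    # Constructed sample messages, one per outcome.
    samples = [
        b'{"sensor_id": "AB-1234", "timestamp": "2020-06-15T12:00:00Z", "reading": 21.5}',
        b'{"sensor_id": "AB-1234", "timestamp": "2020-06-15T12:00:00Z", "reading": 21, "notes": "ok\\u0007\\u001b[31m"}',
        b'{"sensor_id": "AB-1234", "timestamp": "2020-06-15T12:00:00Z", "reading": 1, "attachment": "x"}',
        b'{"sensor_id": "AB-1234", "timestamp": "2020-06-15T12:00:00Z", "reading": "21.5"}',
        b"<report/>",
    ]
    for raw in samples:
        v = inspect(raw)
        print(v.action, "|", v.reason, "| modified" if v.modified else "")
```

The design point is the asymmetry: anything the guard was not written to understand is rejected rather than "fixed", and the only repair it performs (stripping the free-text field) is recorded so that an audit log can show every message the guard altered on its way across.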
Maintaining compliance for the future
Once travelers exit the departure area of an airport, they cannot come back in. This parallels the hardware-based security cited earlier. One-way transfers are enabled by diodes: unidirectional transfer devices enforced through hardware. Data is transmitted one way, much like a traditional TV remote control, where infrared light goes to the TV receiver but no data is ever transmitted back to the remote. Once again, Raise the Bar guidance will soon mandate the use of diodes when either the source or destination is a high-threat network, like the internet. When classified networks are talking to one another, on the other hand, a hardware-based solution will not be required. Unlike guards, diodes don't conduct a security check on what data is passed through.
The challenge with diodes is that one-way communication can impact data flows. The transfer has to be slowed down because there is no feedback as to whether the information has been received. For example, the National Oceanic and Atmospheric Administration as well as companies like DigitalGlobe and Planet Labs are increasingly providing the government with images from their satellites. The agencies must ingest that data and bring it up to a higher classification level. While a diode offers guaranteed one-way data delivery, it cannot conduct an in-depth data inspection to ensure that the data is not malware, unlike a guard.
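The "no feedback" constraint above changes how a transfer has to be built: the sender can never learn what arrived, so it cannot retransmit on request. The following added example (not taken from any product; the channel model and fault injection are constructed for illustration) shows the usual answer: chunks carry a sequence number and checksum, every chunk is sent more than once, and the receiver validates, de-duplicates and reports gaps that it can see but cannot ask to have filled.

```python
"""One-way (diode) transfer with no return channel, added as an illustration.
The sender numbers, checksums and repeats each chunk; the receiver keeps the
first valid copy and reports gaps. The lossy channel is constructed here."""
import struct
import zlib
from typing import Dict, Iterator, List, Optional, Tuple

CHUNK_SIZE = 64
REPEATS = 3                                   # redundancy stands in for retransmission
HEADER = struct.Struct("!IIII")               # transfer_id, seq, total, crc32 of body


def frames(transfer_id: int, payload: bytes, repeats: int = REPEATS) -> Iterator[bytes]:
    """Sender side: emit the whole payload `repeats` times, one pass after another,
    so that a burst of loss during one pass is covered by a later pass."""
    chunks = [payload[i:i + CHUNK_SIZE] for i in range(0, len(payload), CHUNK_SIZE)] or [b""]
    for _ in range(repeats):
        for seq, body in enumerate(chunks):
            yield HEADER.pack(transfer_id, seq, len(chunks), zlib.crc32(body)) + body


class Receiver:
    """Receiver side: accepts frames blindly, keeps the first valid copy of each chunk."""

    def __init__(self) -> None:
        self.transfers: Dict[int, Tuple[int, Dict[int, bytes]]] = {}

    def accept(self, frame: bytes) -> bool:
        if len(frame) < HEADER.size:
            return False
        tid, seq, total, crc = HEADER.unpack_from(frame)
        body = frame[HEADER.size:]
        if seq >= total or zlib.crc32(body) != crc:
            return False                      # corrupted or malformed: dropped, nobody told
        known_total, chunks = self.transfers.setdefault(tid, (total, {}))
        if known_total != total:
            return False                      # inconsistent with earlier frames of this transfer
        chunks.setdefault(seq, body)          # duplicates are expected; keep the first
        return True

    def status(self, tid: int) -> Tuple[bool, List[int]]:
        """Completion flag plus the sequence numbers still missing."""
        total, chunks = self.transfers.get(tid, (0, {}))
        missing = [s for s in range(total) if s not in chunks]
        return (tid in self.transfers and not missing), missing

    def reassemble(self, tid: int) -> Optional[bytes]:
        complete, _ = self.status(tid)
        if not complete:
            return None
        total, chunks = self.transfers[tid]
        return b"".join(chunks[s] for s in range(total))


def simulate(payload: bytes, drop=frozenset(), corrupt=frozenset(), repeats: int = REPEATS):
    """Push one transfer through a constructed one-way channel. `drop` and `corrupt`
    hold frame indices to lose or damage; nothing flows back toward the sender."""
    rx = Receiver()
    for i, frame in enumerate(frames(1, payload, repeats)):
        if i in drop:
            continue
        if i in corrupt:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])   # flip last byte of the body
        rx.accept(frame)
    complete, missing = rx.status(1)
    return complete, missing, rx.reassemble(1)


if __name__ == "__main__":
    data = bytes(range(256)) * 2              # constructed 512-byte payload, 8 chunks
    print(simulate(data, drop={2, 10}, corrupt={3})[:2])      # covered by the third pass
    print(simulate(data, drop={5, 13, 21})[:2])               # chunk 5 lost in every pass
    print(simulate(data, drop={5, 13, 21}, repeats=4)[:2])    # one more pass recovers it
```

Two things the example makes visible: throughput is paid for up front (three passes for every byte, whatever the channel's actual loss rate, because the sender has no way to find out), and a gap the receiver reports is an alert for operators rather than a request to the sending side. Neither mechanism inspects the content; that remains the guard's job on the far side of the diode.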
The bottom line
It’s no secret that cyberattacks are an omnipresent threat for government agencies that must balance the need to isolate networks with the need for rapid communication between those networks, as is required for critical missions. If an airport only relied on one of the aforementioned protocols, it wouldn’t be considered secure. Similarly, government agencies must layer various technologies -- firewalls, guards and diodes -- for the sake of security and compliance. This layering allows for the sharing of information between classification levels and the ingestion of data from high-threat networks without creating untenable, unnecessary risk.
George Kamis is CTO for global governments and critical infrastructure at Forcepoint.