As the federal government moves to a mass teleworking environment, the Defense Information Systems Agency recently released a Department of Defense telework do’s and don’ts list for network utilization and cybersecurity. This provides guidance for employees to help defend the DoD Information Network (DoDIN) from an adversary attack.
Every organization works to balance security and operations. Striking this balance is more important now than ever, as Defense agencies scale up their remote workforce, while continuing to protect sensitive information and maintain a high operations tempo.
The architecture, one that includes the Internet Access Points (IAP), Cloud Access Points (CAP), and Joint Regional Security Stacks (JRSS), was not built to handle this amount of remote work. The volume of traffic that hairpins from the remote user through the DoD security stacks onto the DoDIN and back out to the internet is overwhelming the Joint Information Environment (JIE) infrastructure.
The JIE architecture was not designed for modern networks and never accounted for a business continuity plan that had to support the entire workforce rapidly shifting to teleworking. The capabilities focus on securing the network, rather than the data or user. As more DoD employees and contractors work remotely and data volumes increase, hardware cannot scale to support them. This has created ongoing concerns with performance, reliability, latency, and cost.
It is time to bring true visibility and transparency to the whole security posture of the DoDIN to improve user experience for the on-site and remote workforce, and to ensure protection of the DoD’s most valuable asset: data.
A shift to data security to support teleworking
The current JIE architecture is costly, complicated, inefficient, and overly redundant. By policy, teleworkers are forced to connect via legacy virtual private network technology. But VPNs cannot scale to cover a complete mobile workforce. Additionally, legacy VPN technology places users on the DoDIN, which significantly increases security risk, and often provides poor security controls and visibility for IT administrators to manage and maintain the environment.
After the initial connection to the VPN, agencies must send all traffic through the IAP (inbound) – which is routed down private circuits to and through the JRSS to the service’s VPN concentrator – to then be placed on the service’s network. From there, user traffic (to the internet or cloud) hairpins back through the JRSS, across the same private circuit to the IAP/CAP, is processed by those stacks, and goes out to its destination services. Unfortunately, that’s not the end of the story. For the user to receive the response traffic, it must return through that same path. This not only delivers a poor user experience, but also increases costs because every round-trip packet crosses the heavily used and expensive circuit paths and infrastructure four times.
In addition, cyber risks and adversary attacks have increased as more civilian, military, and contractor employees connect to the DoDIN remotely.
The department needs a simplified solution to improve efficiency and encourage the innovation needed to assure a tactical advantage into the future. To manage growing bandwidth requirements and the massive influx of data flows, future security models must shift the focus from network security to data security.
Redesigning “Defense in Depth”
Today, users do not reside in the same location as their data. Instead of bottlenecking connectivity through regionally aligned security stacks, agencies need security for their data, regardless of location – and they need it inline with where their services reside.
Ideally, innovative security models will redesign the “defense in depth” paradigm to make network devices and security appliances fade into the background. Then, agencies can embrace a centrally enforced policy plane that maintains consistent data security at any time, in any location, and from any device.
The military services should be able to securely take advantage of innovative ways to collect, store, and process data. They need the ability to do this from any location. It’s time to shift the paradigm and eliminate stacks of security appliances that degrade operational capabilities and user experience.
The first step to make this security posture shift is to decouple the required security functions from the current hardware and software that houses them. Then, move the security apparatus inline to the destination. Finally, agencies can innovate by rebuilding the necessary security requirements into a microservice architecture. This also creates a common management and logging approach to help services troubleshoot and monitor more efficiently.
To do this, agencies should look to Secure Access Service Edge (SASE), a model coined by Gartner. Under this approach, security functions move to the location of the users, data, and applications, rather than securing traditional network perimeters. As a cloud-based “as-a-service” architecture, SASE provides direct access to the internet/cloud, while pushing security as close to the user/data/device as possible – to the edge.
In addition, rather than adding more stacks of security functions, SASE unifies security functions, such as secure web gateway, next-generation firewall, data loss prevention, cloud-based sandboxing, browser isolation, and zero trust network access, into one framework. This reduces the cost and management burden of the ad hoc solutions that were previously necessary to fill gaps in security across the DoDIN.
Reduce the attack surface through zero trust access
With security functions, such as Zero Trust Access (ZTA), built into the model, defense agencies will be able to maintain segmentation and visibility, and provide a granular approach for auditing and control – all while improving the user experience.
ZTA requires that all users be verified before they are granted access to applications and data. By defining security policies, IT administrators can centrally enforce which authorized users have access to which agency resources through a secure, encrypted, inside-out connection – and in optimal cases, the connection will be encrypted end-to-end by the organization's own certificate authority. Users are never placed on the network.
By removing the need for network appliance-based security, this approach reduces the attack surface and improves the overall cybersecurity posture.
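The verify-then-authorize flow described above, as an added example written for this article rather than code from Zscaler, Gartner, or the DoD: a minimal zero trust policy decision point in Python. Every request arrives with an authenticated identity and device posture, is checked against a central policy that maps groups to individual applications, and is denied by default; an allow decision names only the single application a connection may be brokered to, never a network range. The user names, groups, application names, and requests are constructed placeholders.

```python
"""Minimal zero trust access policy decision point (added example, not Zscaler code).

Every request is evaluated against a central policy mapping groups to
individual applications. The default is deny, each decision is logged for
audit, and an allow names only the one application requested: nothing here
grants network-level access. All identities, groups and application names
are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str                 # identity, assumed already verified by the identity provider
    groups: Tuple[str, ...]   # group claims carried with that identity
    mfa_verified: bool        # strong authentication completed for this session
    device_managed: bool      # device posture check passed
    application: str          # the single application being requested


@dataclass(frozen=True)
class AppPolicy:
    application: str
    allowed_groups: Tuple[str, ...]
    require_mfa: bool = True
    require_managed_device: bool = True


# Constructed sample policy: application and group names are hypothetical.
CENTRAL_POLICY: Dict[str, AppPolicy] = {
    p.application: p
    for p in (
        AppPolicy("hr-portal", allowed_groups=("hr-staff", "hr-admins")),
        AppPolicy("logistics-dashboard", allowed_groups=("logistics",),
                  require_managed_device=False),
        AppPolicy("finance-ledger", allowed_groups=("finance-admins",)),
    )
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    application: Optional[str]  # set only on allow: the one app a connection may be brokered to


def evaluate(req: AccessRequest, policy: Dict[str, AppPolicy] = CENTRAL_POLICY) -> Decision:
    """Default deny: a request is permitted only if every policy condition holds."""
    app_policy = policy.get(req.application)
    if app_policy is None:
        # An application without a policy is invisible to users: no policy, no access.
        return Decision(False, "no policy for application", None)
    if app_policy.require_mfa and not req.mfa_verified:
        return Decision(False, "mfa required", None)
    if app_policy.require_managed_device and not req.device_managed:
        return Decision(False, "managed device required", None)
    if not set(req.groups) & set(app_policy.allowed_groups):
        return Decision(False, "user not in an authorized group", None)
    return Decision(True, "policy match", req.application)


def audit_record(req: AccessRequest, decision: Decision) -> str:
    """One structured line per decision, allow or deny, for the central log."""
    outcome = "ALLOW" if decision.allowed else "DENY"
    return (f"ztna_decision user={req.user} app={req.application} "
            f"outcome={outcome} reason=\"{decision.reason}\"")


def process(requests: List[AccessRequest]) -> List[str]:
    """Evaluate a batch of requests and return the audit lines produced."""
    return [audit_record(r, evaluate(r)) for r in requests]


if __name__ == "__main__":
    # Constructed sample requests covering each decision path.
    sample = [
        AccessRequest("alice", ("hr-staff",), True, True, "hr-portal"),
        AccessRequest("bob", ("logistics",), True, False, "logistics-dashboard"),
        AccessRequest("carol", ("hr-staff",), True, True, "finance-ledger"),
        AccessRequest("dave", ("finance-admins",), False, True, "finance-ledger"),
        AccessRequest("eve", ("finance-admins",), True, True, "unknown-app"),
    ]
    for line in process(sample):
        print(line)
```

The point of the structure is that the decision is made per request and per application, with identity and device posture as inputs, so the enforcement point and the audit trail are the same regardless of where the user or the application happens to sit.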
Modernize DoD security for today and tomorrow
Essye Miller, the principal deputy to the Pentagon’s CIO, recently shared that the DoD’s network is under “unprecedented” demand as they move to maximum telework capacity.
"With the increased telework capability comes an increased attack surface for our adversary. They're already taking advantage of the situation in the environment that we have on hand," Miller said.
To address these concerns, the DoD set up a “Teleworking Readiness Taskforce” of CIOs and senior IT officials to ease teleworking challenges and improve the DoD's overall cybersecurity posture.
The time is now to modernize and update the DoD security approach. Agencies should adopt and embrace a cloud-native “as-a-service” SASE model that will not only address federal teleworking challenges, but also provide a “future-proof” scalable security solution.
Patrick Perry is director of emerging technology for federal, Defense and the intelligence community at Zscaler, a cybersecurity company.