Information Agency Changes Security Approach
From handheld to the cloud, new technologies are driving new approaches to data assurance.
The increasing use of readily available and inexpensive commercial technologies by the military is changing the way the Defense Information Systems Agency provides information assurance. As these technologies are integrated into the Defense Department information infrastructure, the agency is adjusting its approaches to providing security for its networks and the data that reside on them.
These new information assurance efforts range from better security embedded earlier in individual devices to multilayered approaches for large amounts of data. Similarly, as risks have become more diverse and dangerous, the agency is looking to revamp the approach to certifying security across the government. Both innovative capabilities and new threats have contributed to changes in information assurance methodologies.
William A. Keely, deputy chief technology officer for mission assurance at the Defense Information Systems Agency (DISA), relates that each new off-the-shelf information technology, whether commercial or government, introduces new attack vectors that must be addressed to maintain effective security. Mobile computing has introduced portable devices such as smartphones into the defense community, and outsourcing to a cloud service provider represents a new approach to data management. As different as these capabilities are, they both present new challenges for information assurance.
Ensuring these technologies meet information assurance standards requires a new approach. For the past 20 years, the agency has published a security technical implementation guide, or STIG, for every relevant information technology in the Defense Department. These STIGs serve as a target for commercial information technology providers as well as tools to be applied by system administrators and certifiers.
Keely notes that, traditionally, a lag of six months to a year would exist between the appearance of a new system and the issuance of an associated STIG. To eliminate that lag in this era of rapidly changing information technology, DISA has been working closely with vendors to have them perform much of the needed STIG development while producing their new technology. The agency then reviews each STIG and adjusts it as needed. “We recently had a good success with Samsung, where the STIG was produced before the device was released,” he relates.
The advent of mobile devices has been a catalyst for DISA working more closely with commercial providers on security standards development, Keely allows. By working with the manufacturers sooner, the agency benefits from having them integrate security into their testing approach as they develop the system. “We’re hoping it’s baking in security better,” he offers.
In addition to changing the military’s capabilities, this approach also will increase the security of commercial devices being sold to the public, Keely says. He points out that a smartphone manufacturer reduces its costs when it is able to incorporate an advanced capability into its entire product line, as opposed to manufacturing two different hardware versions. This security, which owes its existence to a military influence, simply can be switched on by a manager instead of appearing only via a separate product. “By getting it early in their [devices’] lifecycle, they can have the capability to do that—and we have vendors telling us they are doing it,” he states.
“This relatively small change in the process, from our perspective, is going to have some really big dividends,” Keely adds.
Keely asserts that “mobility is inevitable,” and forces in the field will benefit from its capabilities. Embracing mobile networking will improve communication and collaboration, he continues, with only a smattering of mission-specific applications. However, the future may see a lot of mission-specific applications for the mobile environment. This evolution will require a good mobile device manager, good mobile devices and embedded mobile applications, Keely says, and DISA is working in all three areas.
The agency’s Network Services Directorate hosts a strong process for reviewing applications inside of a week, he reports. Analyzing the application, subjecting it to a full risk assessment and producing it this rapidly will require a new mobile device manager (MDM). This MDM currently is in the acquisition process, he notes.
The concerns about bring-your-own-device (BYOD) environments have not yet affected the overall approach to information assurance at DISA. BYOD brings “a special set of challenges” because of the introduction of many unknown factors into a network, Keely says, and DISA is not sure how it ultimately will address the issue.
The Office of the Secretary of Defense (OSD) will issue policy decisions regarding BYODs, he says, and different designated approving authorities (DAAs) likely will opt to accept the risk to incorporate BYODs into their organizations. Some DAAs could incorporate BYODs on a local or pilot basis, but this approach is not happening across the board. Keely notes that some federal agencies view BYODs as a significant way of saving money.
DISA is examining a variety of technologies to address the issue. Bootable media, for example, would allow users to insert a jump drive into their home computer, which then would boot up using the portable drive’s operating system. This approved operating system would run the personal computer instead of the machine’s native system. Keely also suggests that mobile devices might reside within a type of militarized container that improves security.
The advent of cloud computing has brought different challenges and with them a different approach to information assurance. Kelly notes that STIGs tend to focus on one level for the nonsecure Internet and another level for the classified side. These STIGs have not been sensitive to the actual mission criticality, and this one-size-fits-all approach has resulted in increased across-the-board costs along with diluted security for the most critical systems.
So, for the cloud, DISA has developed five security levels built around a risk management approach. Keely explains that these five levels were determined by examining the types of data that would be inherent in the cloud, not by assessing the security capabilities available. This data-centric approach to establishing necessary security ensures that a mission requirement can be applied to the proper level of security. “The data levels that are required drove the capabilities necessary to secure that data,” he says.
In turn, cloud service providers must be evaluated against these five security levels to determine which levels of mission criticality they can support, Keely continues. This graduated security scale allows DISA to spend less on security for the lowest levels as well as the appropriate amount on security for higher levels, he expresses.
“This is something we should have done before, but the cloud was the catalyst,” he allows. Inserting the lower levels into the clouds will be easy, especially where the military does not need high security levels with their accompanying costs.
The Joint Information Environment (JIE) is bringing a new set of issues as it takes shape, especially as the department embraces the cloud environment to a greater degree. It will require changing the way information defense perimeters are established, Keely points out. “The JIE is the first time that we have taken a step back and tried to re-engineer the entire GIG [Global Information Grid], and one of the big drivers of that engineering is the security side.”
Keely explains DISA currently has multiple layers of defense, many of which use the same intrusion detection system technology with identical policies. For some kinds of attacks, these multiple layers may not be adding any significant protection. The agency’s goal is to place better defenses at the perimeter of the Defense Department as well as better defenses at the application level. This will require enhancing host-based security along with protections at Internet access points, he observes. In addition to those two areas, protection must be improved at core data centers.
“Instead of having security permeate throughout the whole architecture, we would force traffic to go through all three of those points. Data coming in would have to hit our core data center prior to going to a user enclave and hitting a host,” he suggests. “That would give us more effective and less expensive security.”
Some significant challenges remain for achieving this construct. This approach must work effectively while countermeasures also are rapidly deployed through DISA by the U.S. Cyber Command (CYBERCOM), Keely allows. “Right now, the environment is so complex that some countermeasures take a long time to apply, and we want the JIE to help drive that timeline to be much shorter,” he states.
For information assurance, DISA views itself as CYBERCOM’s technical arm—its program executive office—for the core infrastructure, Keely offers. On the operations side, the agency serves to implement the directions that come from CYBERCOM.
Keely states that DISA is pushing for new system certifications across the breadth of government. Too much of certification is based on passive controls and protections, while mission risk has many more aspects than just whether someone can break into the network.
He breaks down this new certification effort into eight different levels: concern over traditional passive controls; the level of the ability to detect malicious activity by adversaries; the ability to diagnose; the ability to collaborate with others, especially in aiding in system monitoring; the adoption of intelligence; the ability to develop a course of action for responding to an adversary; the ability to distribute that course of action across an entire system; and the feedback loop to examine residual risk and determine whether a course of action has been effective.
“If you don’t have any of those, you’ve increased the risk to your system,” Keely maintains. “So, that’s where we want to drive our risk management framework.”
This will require policy change from the OSD, he continues. He notes DISA has been working with the office on changing the certification and accreditation process.
Information assurance efforts originally aimed to protect the network, but the past few years have seen a shift toward protecting data. That shift continues, Keely offers, but network protection remains a priority. He points out that networks could be commandeered by an adversary that would affect data processing and delivery. An enemy even could use a purloined network to attack other countries, he suggests.
DISA has a research and development budget for pilot activities that is managed by the agency’s chief technology officer with support from the DISA community. While Keely describes it as a small budget, it helps bring ideas into the agency that can be folded into standing programs. This touches on many of the key focus areas such as mobile and the cloud, but it also includes other areas such as mission data maneuverability.
“This is the one battlespace where we actually have created the terrain on which we are fighting,” he points out. “So, we want the ability to modify that terrain as we take on the challenges from our adversaries.
“And, we would like to have ways to maneuver our adversaries,” he admits.