DISA’s Internet Isolation Tech Aids Workers in COVID-19 Isolation
Demand for cloud-based cybersecurity may quicken the CBII program.
With more U.S. Defense Department personnel working from home during the COVID-19 pandemic, the Defense Information Systems Agency (DISA) is experiencing a surge in demand for its prototypical technology developed under the Cloud-Based Internet Isolation program and is seeking to more quickly deliver the technology to larger numbers of users.
The program, known as CBII, uses a little technological sleight of hand to keep nonsecure Internet browsing in the secure Amazon Web Services cloud rather than on the Department of Defense Information Network (DODIN). When users connect to any website, what they actually see is a replica of that website hosted in Amazon’s cloud. They still access the same content and interact in the same way, except that the defense network is isolated from those websites. DISA officials publicly unveiled the program at the AFCEA TechNet Cyber 2019 Conference.
“DISA's Cloud-Based Internet Isolation prototype effort moves nonmission-essential Internet browsing off the endpoint to a cloud-based environment, significantly reducing the risk and attack surface of the DODIN and relieving congestion at the Internet access points,” explains Sherri Sokol, DISA’s new CBII program manager.
DISA officials are developing prototypes under two transaction authority contracts with By Light Professional IT Services and Sealing Technologies. Those prototypical systems have been shared equally among multiple mission partners, including all four military services, U.S. Central Command, U.S. Special Operations Command and various defense agencies.
The goal has been to deliver each solution to 50,000 users before moving into production. Now that telecommuting has become the new norm, DISA officials say they are seeing a surge in demand, especially from one particular defense organization they declined to name. “The CBII user base has increased 327 percent since mid-March when COVID-19 changes began, and we expect that number to keep climbing,” Sokol says, adding that the numbers are “changing by the minute.”
Steve Wallace, DISA’s systems innovation scientist and Emerging Technology Directorate chief, says that delivering the systems to users had been going a bit more slowly than he preferred, but that is no longer the case. “With this pandemic coming on, we’re seeing greater interest. We can’t say exactly who just yet, but we have one organization within the department that has started to mass onboard users to help support their efforts with the COVID response,” he says.
And that presents a new problem. “Our new problem is that we’ve got to stay below a certain license threshold in order to stay within the bounds of our licensing agreement with the vendors. So we’ve got a different kind of problem. It’s the best kind of problem to have,” Wallace states.
In response to the greater demand, particularly from that one unnamed organization, DISA has requested the vendor servicing that organization increase the rate at which seats are available. “We’re looking to see if we can get some relief with one of them [the vendors] in terms of an emergency surge to be able to service one of the agencies within the department,” he adds, declining to name the agency or the affected vendor. “Our goal is that once we hit our number we can quickly move into a production contract and then move forward from there, and then we can start onboarding in large waves.”
And they now expect to reach those numbers much more quickly. “The uptick in need brought on by the COVID crisis is allowing us to hit our target number of users for the prototype more quickly,” Sokol says.
The agency officials did not request an accelerated schedule from the second vendor simply because they have not yet seen a similar surge in demand from that vendor’s users. If need be, however, they will. “In reaction to COVID, we saw one [vendor] that needed the surge, so we went after that particular one. If the other’s user base has a similar need, we will certainly do the same thing over there.”
Wallace says the surge is going well so far. “We’re seeing both vendors being able to onboard users at a rapid pace. They’re able to grow with us. We haven’t seen any concerns or constraints on their side with respect to being able to grow.”
The agency also is tweaking capabilities to better support users in isolated environments. “We’ve made a number of changes working with the vendors to support users that are, for instance, aboard a ship where you’re dealing with issues of high latency and packet logs,” Wallace says.
In that particular case, the Internet browsing aboard the ship was simply too slow. “They were seeing performance issues while accessing the Internet, and by changing the path that CBII takes, it dramatically increased performance,” Wallace reports.
Additionally, Sokol says, the agency recently set up a capability specifically to help organizations expedite streaming media applications for personnel who need to use them. “CBII is also the department's solution for those who have a mission-essential reason to request access to streaming media, like YouTube, which has been blocked per DOD policy during COVID-19. The DISA's CBII team created a special tenant on each platform for this specific solution.”
The CBII prototypes also are delivering some unexpected but welcome surprises. For example, DISA officials report a dramatic drop in the number of documents downloaded to the local network. “We’re seeing about a 70 percent reduction in terms of the files that are coming down to the endpoint. I don’t think we expected it to be that high,” Wallace says. “It’s important because you’re not bringing those files into the network. The fact that we’re rendering them remotely is good enough.”
But it’s more than just documents that are not being downloaded, Sokol indicates. “Using CBII, the agency has seen approximately a 25 percent reduction in what reaches the endpoint versus what source code is sent to the vendor cloud through native web browsing,” she says. “For services requiring larger bandwidth, such as video streaming, the reduction is closer to 40 percent. Even with reductions, the CBII user experience maintains the same quality as the direct access browsing experience while freeing up bandwidth for additional mission essential traffic.”
The program also has allowed the agency to reduce stress on virtual private networks (VPNs) during the pandemic. “Because of the increased use of CBII and the security features it offers, DISA is able to reroute the agency's nonmission-essential web browsing traffic during COVID-19 and reduce the stress on our VPN concentrators from a peak utilization of 94 percent down to approximately 50 percent,” Sokol says.