Sponsored: Paradox: 'Zero Trust' Means Trustworthy Communications
Working from home or remotely has always been a significant challenge for the federal workforce. The obstacles are not so much technical as a matter of the sensitivity of the data and communications that must traverse the network, and of the sophistication, resources and determination of the adversaries that seek to disrupt or compromise them.
Unlike the commercial marketplace, where a security breach might result in lost revenue, stolen IP or a fine, in the federal mission space the cost of failure can be the loss of critical infrastructure or even loss of life.
In 2018 only 22% of federal workers were permitted to telework from home. Today almost three-fourths telecommute, a 53-percentage-point increase driven in large part by the COVID-19 pandemic and the related “maximum telework” directives.
Tremendous pressure was put on government IT to move the in-person federal workplace to remote and home offices. Much of the focus went to communication and collaboration solutions offering chat, video conferencing, file sharing and the like.
Unfortunately, the urgency of the situation opened the door to software products designed to meet business, not government, requirements. In many cases the due-diligence runway for vetting such capabilities shrank from miles to feet. Zoom, the most popular of these offerings, grew so quickly that on a single day in March 2020 nearly 600,000 people downloaded its app.
To their credit, IT teams made the shift in record time, but as these products were pushed to their limits, security vulnerabilities and shortcomings were exposed. By April 2020 a number of Zoom vulnerabilities had come to light, prompting the DoD to temporarily place the product off limits to department personnel.
Zoom is not alone. In May, Forbes reported a new Microsoft Teams password-hacking threat to 75 million users. In July, ZDNet reported that “Security researchers found more than 17,000 Slack credentials for roughly 12,000 Slack workspaces being sold online.” Gartner summed up the situation well:
“The COVID-19 crisis has driven astronomical increases in adoption of meeting solutions, with users often prioritizing ease of use and deployment over security. As the dust settles, application leaders must now focus on both product features and their own best practices to ensure meetings are secure.”
Well, it is 2021, and the dust is settling.
I am not trying to pick on Zoom, or for that matter Slack, Teams, Dropbox or even WhatsApp. These are all highly effective applications. When used in the non-sensitive business environments they were designed for, they can lift operational efficiencies and potentially drive sales, reduce costs, and improve the bottom line.
However, these tools were not designed to withstand the highly contested and actively attacked network environments in which our military and civilian government agencies must operate.
They do not provide the confidentiality and integrity guarantees that vital information requires, whether within the DoD or the intelligence community, nor can they adequately protect commercial IP, trade secrets or PII (Personally Identifiable Information) in shared, collaborative environments.
Users in these high-risk environments should only use “Zero Trust” solutions where security is the key design feature. In such systems no user, device or service is trusted by default, whether inside or outside the infrastructure, which limits insider threats, permission creep and unintentional exposure.
Mobile apps like Signal Private Messenger and enterprise software like SpiderOak’s CrossClave have fully embraced this security-first design principle, engineering true end-to-end encryption into their applications from the ground up.
SpiderOak’s CrossClave uses a No-Knowledge approach designed specifically for the high-risk, high-sensitivity requirements of the Department of Defense and the intelligence community.
CrossClave encrypts everything using cryptography from the NSA’s Commercial National Security Algorithm (CNSA) suite. Keys to ciphers are held only by endpoints with a need to know, never by the server or its administrators. CrossClave can be configured to use a specified algorithm, or even to interface with hardware-based encryption modules. The software also uses blockchain/distributed-ledger capabilities to provide data integrity and non-repudiation for every data transaction and modification.
This “No-Knowledge” approach means only approved individuals with a mission-specific need to know can access your information. No-Knowledge by default prevents the accumulation of unnecessary permissions and stale access rights by implicitly denying access to an object unless that access has been explicitly granted by the data owner, i.e., you. Not even SpiderOak administrators can read it. It’s not just “end-to-end encryption;” it’s a No-Knowledge system.
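The mechanism the two paragraphs above describe, a content key that exists only on endpoints holding a grant and a server that denies access unless the data owner explicitly granted it, is shown below in Go. This is an added example written for this page, not CrossClave or SpiderOak code, and it makes no claim about how CrossClave is built. It assumes a hypothetical store that keeps nothing but ciphertext and per-recipient wrapped content keys; it uses ECDH P-384 for the pairwise key-encryption key and AES-256-GCM for both the payload and the key wrap (algorithms from the CNSA suite), and it substitutes SHA-384 over the shared secret for a proper KDF. The names Object, Store, Share, Open and Demo, the endpoint labels and the sample message are all constructed for the example; the ledger and non-repudiation piece is outside its scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// Grant is the content key wrapped so that exactly one recipient can unwrap it.
type Grant struct{ Nonce, WrappedCEK []byte }

// Object is all the hypothetical server keeps: no plaintext, no content key, no private key.
type Object struct {
	Owner                       string
	OwnerPub, Nonce, Ciphertext []byte           // owner's P-384 public key; GCM nonce; AES-256-GCM of plaintext under a random CEK
	Grants                      map[string]Grant // recipient ID -> wrapped CEK; no entry means denied
}

// Store is the no-knowledge server. Fetch is default deny: one message for "absent" and "not granted".
type Store map[string]*Object

func (s Store) Fetch(name, recipient string) (*Object, Grant, error) {
	if obj := s[name]; obj != nil {
		if g, ok := obj.Grants[recipient]; ok {
			return obj, g, nil
		}
	}
	return nil, Grant{}, fmt.Errorf("access denied: %q has no grant for %q", recipient, name)
}

// must panics on errors that can only be programming bugs (bad key size, RNG failure).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// kek derives the pairwise key-encryption key from an ECDH P-384 shared secret; SHA-384 over secret||label stands in for a real KDF such as HKDF.
func kek(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) []byte {
	h := sha512.Sum384(append(must(priv.ECDH(pub)), "demo-kek"...))
	return h[:32] // AES-256 key
}

// Share encrypts plaintext under a fresh CEK and wraps that CEK to each named recipient; anyone unnamed has nothing to unwrap.
func Share(owner string, ownerKey *ecdh.PrivateKey, plaintext []byte, to map[string]*ecdh.PublicKey) *Object {
	cek := randBytes(32)
	aead := gcm(cek)
	obj := &Object{Owner: owner, OwnerPub: ownerKey.PublicKey().Bytes(),
		Nonce: randBytes(aead.NonceSize()), Grants: map[string]Grant{}}
	obj.Ciphertext = aead.Seal(nil, obj.Nonce, plaintext, []byte(owner))
	for id, pub := range to {
		wrap := gcm(kek(ownerKey, pub))
		n := randBytes(wrap.NonceSize())
		obj.Grants[id] = Grant{Nonce: n, WrappedCEK: wrap.Seal(nil, n, cek, []byte(id))}
	}
	return obj
}

// Open fetches and decrypts on the endpoint; the server only ever handles bytes it cannot read.
func Open(s Store, name, recipient string, key *ecdh.PrivateKey) ([]byte, error) {
	obj, g, err := s.Fetch(name, recipient)
	if err != nil {
		return nil, err
	}
	ownerPub, err := ecdh.P384().NewPublicKey(obj.OwnerPub)
	if err != nil {
		return nil, err
	}
	cek, err := gcm(kek(key, ownerPub)).Open(nil, g.Nonce, g.WrappedCEK, []byte(recipient))
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	return gcm(cek).Open(nil, obj.Nonce, obj.Ciphertext, []byte(obj.Owner))
}

// Demo shares a constructed message with bob only and returns what bob read, carol's refusal, and bob's error after server-side tampering.
func Demo() (read string, denied, tampered error) {
	newKey := func() *ecdh.PrivateKey { return must(ecdh.P384().GenerateKey(rand.Reader)) }
	owner, bob, carol := newKey(), newKey(), newKey()
	store := Store{"brief.txt": Share("owner", owner,
		[]byte("constructed sample: rendezvous moved to 0900"),
		map[string]*ecdh.PublicKey{"bob": bob.PublicKey()})}
	read = string(must(Open(store, "brief.txt", "bob", bob)))
	_, denied = Open(store, "brief.txt", "carol", carol) // no grant: refused before any crypto runs
	store["brief.txt"].Ciphertext[0] ^= 1                // server (or admin) modifies one byte
	_, tampered = Open(store, "brief.txt", "bob", bob)   // GCM authentication fails
	return read, denied, tampered
}
func main() {
	read, denied, tampered := Demo()
	fmt.Printf("bob read: %q\ncarol: %v\nafter tamper: %v\n", read, denied, tampered)
}
```

Run it and observe the three outcomes: bob decrypts; carol is refused at Fetch before any cryptography runs, because the owner never listed her; and after the server changes a single ciphertext byte, bob's next read fails GCM authentication. A compromised server or administrator can therefore withhold or corrupt data but cannot read it or alter it undetected. A real deployment would also need authenticated distribution of each endpoint's public key; here the keys are generated in process and trusted as-is.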
Moving forward, mission owners who must operate in high-risk environments with sensitive data should think twice before using business-focused collaboration tools and seriously consider No-Knowledge options where security is the key design feature.