UNCLASSIFIED
Slide 1: Cloud Based Internet Isolation
Sherri Sokol, CBII PM, DISA
13 January 2020
UNCLASSIFIED TRUST IN DISA: MISSION FIRST, PEOPLE ALWAYS!
Slide 2: Agenda
Why Cloud Based Internet Isolation
Current State / Milestones
Solution Overview / Demo
Global Scale and Technical Discussions
Onboarding
Next Steps
Questions
Slide 3: DOD's Global Internet Browsing
[Chart: Global NIPR IAPs at Peak Hour Internet Consumption. Y-axis: Peak Hour Traffic (Mbps), 0 to 45,000. X-axis: Jan 2014 through Aug 2019.]
Bandwidth capacity utilization (as of Aug 2019): East PAC 77%, West PAC 75%, CONUS 82%, Europe 77%.
DoD-Wide Internet Browsing (end of Aug 2019): 68.54% "Likely Non-Mission", 28.62% "Likely Mission", 2.84% Not Categorized.
IAPs were upgraded 4 times from Jan 2014 to Aug 2019.
68% of DOD-wide internet browsing is likely non-mission (e.g. social media, videos, streaming music, etc.).
Jan 2014 to Aug 2019: the percent of likely non-mission traffic holds, but the amount of throughput used more than doubled.
As demand for internet bandwidth increases, so does DOD's exposure to cyber threats and the required investments in Internet Access Points (cybersecurity capabilities and bandwidth capacity).
(DISA/EE23 Analysis; Data Source: Centaur)
Slide 4: CBII Mission Summary
Cloud Based Internet Isolation (CBII) removes one of the biggest bandwidth hogs and cybersecurity risks, the internet browser, as a threat vector and secures the department's data and networks by taking users' non-.mil/non-.gov internet browsing off the endpoint and isolating it in the cloud.
Better Security | Bandwidth Optimization | Easy to Implement | No Fee For Service
Slide 5: CBII Prototype
2 solutions: Menlo and Symantec.
100,000 users total (50k on each vendor solution).
The prototype runs through the end of March, when the move to the enterprise solution starts.
10 mission partners and growing: Air Force, Army, Navy, NGB, DCMA, DCSA, DHA, DLA, NSA, and DISA.
Mission partner participation and feedback are critical in shaping this service.
Slide 6: CBII Traffic Flow
[Diagram: CBII traffic flow. Only the labels "EBI" survived extraction.]
Slide 7: Prevent Attacks and Enable a Fast UX
No Code Executed on the Endpoint
FASTER BROWSING DUE TO BANDWIDTH OPTIMIZATION
Less data transporting to endpoints frees up bandwidth. Performing security activities (file antivirus scanning, detonation, hash comparison) in the cloud instead of at the internet access points alleviates congestion.
BETTER SECURITY ADMINISTRATION
Increased granular control for user policies. Logs are closely associated with the user and can be exported to Splunk for analysis. File downloads are inspected 2x (in the cloud and via the typical route at the IAP).
Slide 8: DEMO
CBII Symantec User Experience Demo
Slide 9: Bandwidth Optimization / Security: Wikipedia.org
Top left: web page without isolation.
Bottom left: full source code executed when the webpage is requested by the user.
Slide 10: Bandwidth Optimization / Security: Wikipedia.org
Website with isolation. The green bar at the top of the page indicates to the user that the website is being isolated.
Slide 11: Bandwidth Optimization / Security: Wikipedia.org
Top left: isolated source code. Lower left: non-isolated source code.
The isolated website contains just a small fraction of the source code. Only the rendered page reaches the endpoint; the original source code is executed only in the CBII environment.
Slide 12: Bandwidth Optimization / Security
Non-isolated users surf with endpoint information exposed, revealing more information than intended or desired.
Slide 13: Bandwidth Optimization / Security
Isolated users surf with endpoint information concealed within the CBII environment, using virtual instances that prevent nefarious code from being transmitted back to the endpoint.
Slide 14: CBII Prototype Distribution
The CBII prototype currently uses the AWS GovCloud East and West environments. Access to the environment is facilitated by the outbound user traversing the IAP to reach the infrastructure for isolation.
Commercial cloud instances are being implemented in US East, US West, Frankfurt, Tokyo, and Bahrain.
Slide 15: Next Steps: Onboarding Process
Have your requirements met, questions answered, and issues resolved before the transition to enterprise deployment with DISN subscription, scheduled to begin March 28.
Training for GSD, DGOC, and migrating mission partners.
Support available directly from the PMO and vendors 24/7.
Able to apply best practices from the few issues already solved.
Can use DCS (or test application accounts if available) to speed resolution of new issues.
After onboarding, please provide feedback (via survey and/or helpdesk) so DISA can quickly resolve any issues and you can shape the final CBII service to meet your needs.
Step 1: Select Initial Test Users. Identify 3-5 initial test users with system privileges.
Step 2: Connectivity Test. Vendor assists with manual browser configuration in Firefox using a PAC file.
Step 3: Initial Test Phase. Testers browse as usual and report any issues they encounter so they can be resolved swiftly.
Step 4: Widespread Deployment. A group policy object (GPO) is pushed to organizational units using your Active Directory.
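As an added example, not the deck's own configuration and not Menlo's or Symantec's, here is a proxy auto-config (PAC) script of the kind Step 2 points Firefox at, implementing the split the Mission Summary describes: non-.mil/non-.gov browsing goes to the cloud isolation proxy, .mil/.gov stays on the normal path. The proxy hostname and port are placeholders, and the decision to also send plain intranet hostnames and RFC 1918 addresses direct is an assumption about what a mission partner would want, not something the deck states.

```javascript
// Added example (not from the DISA CBII deck): a PAC file that routes
// non-.mil/non-.gov browsing through a cloud isolation proxy.
// The proxy host/port below are placeholders; real CBII endpoints are not
// in the deck. Which ranges stay DIRECT is an assumption, not DISA policy.

// Shims for the two PAC built-ins this script relies on, so the routing
// logic can be exercised under Node. A browser's PAC engine supplies its own.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

var ISOLATION_PROXY = "PROXY isolation-proxy.example.invalid:8080"; // placeholder
var DIRECT = "DIRECT";

// Suffixes that are never isolated (from the deck: .mil and .gov).
var DIRECT_SUFFIXES = [".mil", ".gov"];
// Loopback and RFC 1918 ranges kept direct (assumption: internal services
// reachable by IP should not be sent to the cloud).
var PRIVATE_IPV4 = [
  /^127\./,
  /^10\./,
  /^172\.(1[6-9]|2[0-9]|3[01])\./,
  /^192\.168\./
];

function FindProxyForURL(url, host) {
  // Normalise: PAC engines hand over the host as typed, so lower-case it
  // and drop a trailing dot so "disa.mil." is not mistaken for a commercial site.
  host = host.toLowerCase().replace(/\.$/, "");

  // Unqualified intranet names and localhost stay on the local path.
  if (host === "localhost" || isPlainHostName(host)) {
    return DIRECT;
  }
  for (var i = 0; i < PRIVATE_IPV4.length; i++) {
    if (PRIVATE_IPV4[i].test(host)) {
      return DIRECT;
    }
  }
  // Suffix match on the registered domain: "www.disa.mil" is direct, but a
  // look-alike such as "disa.mil.example.net" is not, because its suffix differs.
  for (var j = 0; j < DIRECT_SUFFIXES.length; j++) {
    if (dnsDomainIs(host, DIRECT_SUFFIXES[j])) {
      return DIRECT;
    }
  }
  // Everything else is commercial internet: render it in the cloud.
  return ISOLATION_PROXY;
}
```

The PAC engine calls FindProxyForURL once per request and honours the first match, so the order of the checks is the policy: exact-suffix matching with dnsDomainIs is what keeps a look-alike domain from riding the direct path. Because whoever controls this file controls where every request goes, the file itself should be served from an integrity-protected internal location (in Firefox, the automatic proxy configuration URL in the connection settings), which is also why the deck moves from a manually configured PAC in Step 2 to a centrally pushed GPO in Step 4.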
Slide 16: Questions?
Slide 17: DEFENSE INFORMATION SYSTEMS AGENCY
The IT Combat Support Agency
www.disa.mil
/USDISA
@USDISA
Slide 18: Backup Slides
Slide 19: Current Network Path [diagram; no text recovered]
Slide 20: User Troubleshooting [diagram; no text recovered]
Slide 21: CBII Download [diagram; no text recovered]
Slide 22: CBII Upload [diagram; no text recovered]