Cybersecurity sometimes calls for an obvious solution. If most attacks on the network come in through the web browser, why not simply disconnect the browser from the network?
Analysts at Gartner call this “remote browser isolation,” and they say it can reduce cyber risk across the enterprise.
The Defense Information Systems Agency put out a call to industry in June to determine whether an enterprise cloud-based internet isolation capability would be feasible. Now the agency says it is moving ahead with the idea.
The threat landscape
Defense planners say that they need a fundamentally new approach to cybersecurity because the threat landscape has changed in recent years.
“The browser has evolved and become more powerful than what it was years ago. It’s executing thousands of lines of code and bringing a lot of content back to that endpoint,” said Steve Wallace, technical director at DISA’s development and business center.
Two years ago, the agency started to explore the emerging browser-based threat. It hit upon a new approach that calls for browsing to take place on a commercial cloud, one that is not connected to Defense Department servers. In these cases, the end user will still interact with the internet, but all that will actually get through to the user is an image of the browsing session.
“This new technology would move [browsing] traffic at a collection point off of the DoD network and into a secure commercial cloud,” said Angela Landress, DISA’s Cloud-Based Internet Isolation program manager.
If hackers tried to exploit the browser, “all of that potentially malicious code or content wouldn’t touch the DoD network. Instead, it would be contained in the commercial data center, sanitized, inspected there,” she said. “It presents a much safer way to browse.”
DISA heard from 45 companies in response to a request for information and planners say this interest is driving an aggressive timeline. An initial prototype implementation to 100,000 users could come this spring, Landress said.
DISA officials say they don’t yet know whether the agency would award the project to a single vendor or to multiple contractors. “We’re going through our acquisition strategy right now. It could go either way,” Wallace said.
Sound strategy?
Technology analysts and cyber experts alike generally give high marks to a cloud-based strategy for isolating browsing activity, although some raise questions about how exactly this could be rolled out at scale.
As a general rule, “it’s good practice to segregate high-risk internet data from operational network,” said George Kamis, chief technology officer for global governments and critical infrastructure at security firm Forcepoint. “The DoD will certainly increase their security posture by implementing a cloud-based internet isolation solution.”
In addition to tightening security, the cloud approach also could have an operational impact, making it easier for soldiers in the field to access critical information.
Processing in the cloud rather than at the tactical edge, expeditionary forces with constrained communications could find their connectivity enhanced. “Sending pixels and compressed audio is less of an overall bandwidth requirement,” said Scott Scheferman, the director of global services for security solutions provider Cylance.
At the same time, experts raise concerns about the possible negative effects of shifting browsing to the commercial cloud.
“An isolation browser can impact user experience and usability,” Kamis said. Such tools “generally require users to take extra steps to enter and use that environment, and the browser is often restricted and pre-configured. This can impact productivity.”
Moreover, cloud-isolated browsing could lull users into a false sense of security.
“Obviously browsing is a risk, but the growth area in cyberattacks comes through content downloads and email attachments — Word attachments, PDFs and video files,” said Sherban Naum, senior vice president at cyber provider Bromium. “There is value in divorcing your browsing from the internet, but with an email attachment an attacker could still circumvent that entire process.”
While DISA planners recognize concerns around this emerging cyber strategy, they express confidence that the new architecture could be successfully deployed.
A simplified approach
Cyber strategies are naturally sophisticated: Engineers build up firewalls and other defensive mechanisms; they implement protocols that can slow computing and put in place elaborate security hoops through which end users must jump. DISA is eyeing cloud-based browsing as a way to cut through the clutter.
“We’re looking to turn the problem on its head,” Wallace said. “Rather than adding more boxes, which adds more latency — then the users become more and more frustrated with the performance — we’re looking for a different way to do this.”
While it’s clear that a browser-based approach will not stop all cyberattacks, DISA is playing the odds here. Some 30 to 70 percent of cyberattacks come through the browser, Wallace said. A single solution that short-circuits those incursions would go a long way toward hardening the network. This approach could even help to curtail so-called phishing attacks — scams that come to the user via email.
“Typically, in the phishing attack, it’s embedding a link that sends that user to a given website where they then hit malware,” Wallace said. If such an attack made it through via email, the cloud-based approach would keep it at arm’s length. “That browsing session will launch out in the cloud. That malware will be executed out there and not on the endpoint or within the DoD networks.”
A successful pilot program conducted a year ago led DISA officials to believe in the basic viability of this emerging strategy. “We do know technically that this works,” Wallace said. While he noted the relatively small number of vendors in the space could pose a technical hurdle, others have suggested that DISA’s interest could accelerate the pace of development.
“With over 3 million DoD users, the amount of spending is going to be significant and will drive startups to create innovative new offerings,” said Matt Chiodi, the vice president of cloud security at RedLock. “DoD will literally drive the market to create new tech to meet this demand.”