The Defense Information Systems Agency (DISA) is considering limiting the network damage that can result from Web browsing by having employees take it outside.
DISA last week issued a Request for Information (RFI) looking to build the business case for “cloud based Internet isolation,” which would move browsing activity off the user’s desktop to a remote server outside the Department of Defense Information Network (DODIN). Because the remote server, not the endpoint, executes the web content, any malware a user encounters would be effectively quarantined before it ever reached a DoD system.
Internet isolation is a relatively new approach to cybersecurity, but it has been catching on as a way to put a buffer zone between users and a common source of Internet attacks: a visit to a malicious website that surreptitiously downloads malware onto the user’s machine (a drive-by download), which can expose an entire organization to compromise.
Browsers are the most heavily used software on any desktop, which makes them the most exposed. A common phishing tactic is to entice a user to click a link that opens a malicious website in the browser, and ordinary browsing or shopping can unwittingly land users on hostile pages. That exposure makes browsers an attractive target for attackers, who use a variety of techniques to exploit whatever vulnerabilities they find.
Browsers do contain security controls, but they present a large attack surface: plug-ins such as Flash and ActiveX controls, along with the built-in JavaScript engine, can each contain vulnerabilities of their own, and keeping every component patched makes browsers difficult for network administrators to manage and update. Browsers such as Internet Explorer, which is widely used in the Federal government, are also tightly integrated with their operating system, which can increase the damage a successful browser-based attack can do.
Separating browser activity from the network can provide an additional, even vital, layer of security. DISA is considering using browser isolation to support about 3.1 million employees, or 60 percent of DoD’s users, according to the RFI. The cloud-based solution would have to comply with Federal cryptography and DoD public-key infrastructure requirements, and would be hosted in a data center authorized at the FedRAMP (Federal Risk and Authorization Management Program) Moderate baseline, which DoD designates Impact Level 2.
Among other requirements, the RFI specifies that the solution must store and transmit data securely to ensure confidentiality and source authentication; provide content control for uploading, downloading, and storage, along with the ability to whitelist or blacklist selected sites; and sustain 10 gigabit/sec throughput 99 percent of the time.
Although browser isolation can be effective, it does have a few drawbacks. Among the biggest is cost, which could be why DISA’s RFI emphasizes that it is looking for the business case for browser isolation. As explained in a post at the site Secjuice, many browser isolation solutions rely on virtualization within centralized architectures, which makes them expensive to scale. One way to bring down costs, the post suggests, is to use containerized, rather than centralized, browser isolation architectures.
Interested vendors have until June 29 to submit responses to the RFI.