Security compliance and collaboration: The role of network isolation

 


Agencies must layer various technologies -- firewalls, guards and diodes -- to securely share information between classification levels and ingest data from high-threat networks without creating untenable, unnecessary risk.

When it comes to protecting sensitive government information, airport security offers a compelling parallel. People need to travel, and they must be validated and inspected before boarding an aircraft. Similarly, agencies must establish communication between networks but without putting classified data at risk. Cross-domain solutions offer checks, much like airport security protocols, to allow secure data sharing between and within segmented networks. This helps agencies effectively and efficiently accomplish their missions.

Cross-domain solutions must meet increasingly rigorous compliance requirements, though. The Raise the Bar initiative, which was unveiled in late 2018 by the National Security Agency’s National Cross Domain Strategy and Management Office, set a higher standard for cross-domain security beyond even the National Institute of Standards and Technology’s Risk Management Framework controls. It also continues to evolve. Recent memos show that a move to hardware-based separation and solutions providing one-directional data flow, combined with cross-domain solutions, will be required by the end of 2021 for certain high-risk networks.

The building blocks

An effective and compliant cross-domain architecture between networks of different classification levels is made up of many pieces, similar to airport security. Together, they allow end users to collaborate when and where they need to, without onerous logistical barriers or putting critical information at risk.

When travelers arrive at the airport, they must pass through multiple security checks. This is very similar to the defense-in-depth practices for implementing cross-domain solutions that include firewalls, diodes and guards. At the airport, fliers must first check in with a Transportation Security Administration agent and present particular credentials, including a government-approved ID and a valid ticket. Similarly, firewalls, the first line of defense for most networks, monitor and control network traffic based on preset rules. Firewalls offer a very effective means of protecting the network, but it is a very high-level check.

For employees to successfully do their daily jobs, firewalls must be able to support a wide range of protocols for many applications: Zoom, Microsoft Teams, email, web browsing and more. Firewalls' biggest shortcoming is that they must support a wide range of communication traffic for an organization to effectively operate and can perform only a high-level check on the data.

When passengers walk through the security checkpoint, they’re subjected to a far more in-depth search. TSA agents inspect individuals and their belongings. If they’re accidentally carrying a pen knife or razor blade, for instance, agents detect that and remove it. Then, they either allow travelers to pass or decline their entry. Cross-domain guards work similarly. Unlike firewalls, which are all or nothing, guards utilize custom military-grade inspection routines, focusing on one protocol or dataset and looking at the data very carefully. Data can be completely rejected or sanitized to allow passage.

Guards follow extremely narrow criteria with regard to what is allowed through, but for a reason: to ensure the right data is being shared or transferred between boundaries. This permits the secure and seamless flow of information between multiple networks, be that machine-to-machine, person-to-machine or machine-to-person. Let’s say an agency, due to security restrictions, uses "SneakerNet" -- a highly manual physical transfer process where data on CD-ROMs is walked from one system to another. With the implementation of a guard, the agency could automate the process of declassifying a large pool of documents and transfer them from a network with a secret classification to a public one through data inspection and sanitization.
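To make the firewall-versus-guard distinction of the preceding paragraphs concrete, here is an added example (not code from the article or any vendor's product): a coarse firewall-style rule check placed in series with a narrow guard-style inspection of one constructed record format. The rule table, the schema, the field patterns and the sample messages are all assumptions for illustration.

```python
"""Added example (not from the article): a firewall-style header check and a
guard-style content inspection placed in series, to show why the two layers
catch different things. The rule table, the record schema and the sample
messages are all constructed for this illustration."""
import ipaddress
import json
import re
from dataclasses import dataclass

# ---- Firewall layer: looks only at the flow (source net, port, protocol) ----

@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_port: int   # 0 means any port
    proto: str      # "tcp", "udp" or "any"
    action: str     # "allow" or "deny"

# Constructed rule table: only the sync service on 8443/tcp from the
# assumed low-side enclave is permitted; everything else is denied.
FIREWALL_RULES = [
    Rule("10.20.0.0/16", 8443, "tcp", "allow"),
    Rule("0.0.0.0/0", 0, "any", "deny"),
]

def firewall_check(src_ip: str, dst_port: int, proto: str) -> bool:
    """First-match evaluation. The payload is never examined here."""
    ip = ipaddress.ip_address(src_ip)
    for rule in FIREWALL_RULES:
        if ip not in ipaddress.ip_network(rule.src_net):
            continue
        if rule.dst_port not in (0, dst_port):
            continue
        if rule.proto not in ("any", proto):
            continue
        return rule.action == "allow"
    return False  # no matching rule: deny

# ---- Guard layer: one dataset, one format, strict schema, sanitize or reject ----

# Constructed schema: the guard knows exactly one record type and nothing else.
ALLOWED_FIELDS = {"sensor_id": str, "timestamp": str, "reading": (int, float)}
SENSOR_ID_RE = re.compile(r"^S-[0-9]{4}$")
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
READING_RANGE = (-100.0, 100.0)

class GuardReject(Exception):
    """Raised when a record cannot be made safe and must be dropped entirely."""

def guard_inspect(raw: bytes) -> dict:
    """Parse one record, keep only schema fields, validate each value.
    Returns a rebuilt (sanitized) record; anything unexpected is rejected."""
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise GuardReject(f"not a UTF-8 JSON document: {exc}")
    if not isinstance(obj, dict):
        raise GuardReject("top-level value must be an object")
    clean = {}
    for field, typ in ALLOWED_FIELDS.items():
        if field not in obj:
            raise GuardReject(f"missing required field {field!r}")
        value = obj[field]
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, typ):
            raise GuardReject(f"field {field!r} has the wrong type")
        clean[field] = value
    # Fields outside the schema (free text, attachments, ...) are dropped here:
    # that is the sanitization path rather than the rejection path.
    if not SENSOR_ID_RE.match(clean["sensor_id"]):
        raise GuardReject("sensor_id does not match the allowed pattern")
    if not TIMESTAMP_RE.match(clean["timestamp"]):
        raise GuardReject("timestamp does not match the allowed pattern")
    low, high = READING_RANGE
    if not low <= clean["reading"] <= high:
        raise GuardReject("reading outside the allowed range")
    clean["reading"] = float(clean["reading"])
    return clean

def transfer(src_ip: str, dst_port: int, proto: str, payload: bytes):
    """Layered decision: the coarse firewall check runs first, the narrow guard
    second. Returns ("pass", sanitized_record) or ("reject", reason)."""
    if not firewall_check(src_ip, dst_port, proto):
        return ("reject", "firewall: no rule permits this flow")
    try:
        return ("pass", guard_inspect(payload))
    except GuardReject as exc:
        return ("reject", f"guard: {exc}")

# Constructed sample messages; all arrive on the permitted flow except the last.
SAMPLES = [
    ("10.20.3.4", 8443, "tcp", b'{"sensor_id":"S-0042","timestamp":"2021-03-01T12:00:00Z","reading":21,"notes":"hello"}'),
    ("10.20.3.4", 8443, "tcp", b'{"sensor_id":"S-0042-extra","timestamp":"2021-03-01T12:00:00Z","reading":21}'),
    ("10.20.3.4", 8443, "tcp", b"\x89PNG\r\n\x1a\n not a record"),
    ("192.168.1.5", 8443, "tcp", b'{"sensor_id":"S-0042","timestamp":"2021-03-01T12:00:00Z","reading":21}'),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(transfer(*sample))
```

The first sample passes the firewall and the guard, but the guard rebuilds the record from the schema, so the free-text `notes` field never reaches the high side. The second and third samples also pass the firewall, because the flow is permitted, and are stopped only by the guard; the fourth never reaches the guard at all. That ordering is the point of layering: each check answers a different question, and neither alone answers both.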

Maintaining compliance for the future

Once travelers exit the departure area of an airport, they cannot come back in. This parallels the hardware-based security cited earlier. One-way transfers are enabled by diodes: unidirectional transfer devices enforced through hardware. Data is transmitted one way, much like a traditional TV remote control, where an infrared light goes to the TV receiver but no data is ever transmitted back to the remote. Once again, Raise the Bar guidance will soon mandate the use of diodes when either the source or destination is a high-threat network, like the internet. When classified networks are talking to one another, on the other hand, a hardware-based solution will not be required. Unlike guards, diodes don’t conduct a security check on what data is passed through.

The challenge with diodes is that one-way communication can impact data flows. The transfer has to be slowed down because there is no feedback as to whether the information has been received. For example, the National Oceanic and Atmospheric Administration as well as companies like DigitalGlobe and Planet Labs are increasingly providing the government with images from their satellites. The agencies must ingest that data and bring it up to a higher classification level. While a diode offers guaranteed one-way data delivery, unlike a guard it cannot conduct an in-depth data inspection to ensure that the data is not malware.
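The two diode properties above, no feedback path and no content inspection, are easy to see in a simulation. The following is an added example, not code from the article or from any diode product: a simplex link where the sender cannot learn whether frames arrived, so it compensates with sequence numbers, a manifest and repeated transmission, and the receiver can only report a gap, never ask for a resend. The chunk size, repeat count, transfer id and loss pattern are constructed for this illustration.

```python
"""Added example (not from the article): a simulation of a data-diode link.
Frames travel one way only and nothing ever comes back, so the sender
substitutes sequence numbers, a manifest and repeated transmission for the
acknowledgements it cannot receive, and the receiver can only report a gap,
never request a resend. Chunk size, repeat count and the loss pattern are
constructed for this illustration and are not any product's parameters."""
import hashlib
import struct
from typing import Iterable, Iterator, Tuple

Frame = Tuple[int, int, bytes]   # (transfer_id, sequence_number, data)

CHUNK_SIZE = 16   # constructed: tiny so the frame list is easy to follow
REPEATS = 3       # constructed: redundancy stands in for ACK/retransmit

def build_frames(payload: bytes, transfer_id: int) -> list:
    """Split the payload into numbered frames. Frame 0 is a manifest carrying
    the chunk count and a SHA-256 so the receiver can judge completeness on
    its own, since it has no way to ask."""
    chunks = [payload[i:i + CHUNK_SIZE] for i in range(0, len(payload), CHUNK_SIZE)] or [b""]
    manifest = struct.pack("!I", len(chunks)) + hashlib.sha256(payload).digest()
    frames = [(transfer_id, 0, manifest)]
    frames += [(transfer_id, i + 1, chunk) for i, chunk in enumerate(chunks)]
    return frames

def send_one_way(frames: Iterable[Frame]) -> Iterator[Frame]:
    """Simplex emission: every frame is repeated REPEATS times. The cost of
    having no feedback is paid here, in link time."""
    for frame in frames:
        for _ in range(REPEATS):
            yield frame

def lossy_link(emissions: Iterable[Frame], dropped) -> Iterator[Frame]:
    """Constructed fault model: emissions whose index is in `dropped` vanish.
    The sender cannot observe this, by construction of the diode."""
    for index, frame in enumerate(emissions):
        if index not in dropped:
            yield frame

class DiodeReceiver:
    """High-side reassembly. Checks completeness and integrity only; content
    inspection is not this layer's job (the article leaves that to a guard)."""

    def __init__(self) -> None:
        self.expected = None      # chunk count from the manifest
        self.digest = None        # SHA-256 from the manifest
        self.seen = {}            # seq -> data; duplicates from REPEATS are harmless

    def accept(self, frame: Frame) -> None:
        _tid, seq, data = frame
        if seq == 0:
            if self.expected is None:
                self.expected = struct.unpack("!I", data[:4])[0]
                self.digest = data[4:]
            return
        self.seen.setdefault(seq, data)

    def result(self):
        """("complete", payload), ("incomplete", missing_seqs) or ("corrupt", None)."""
        if self.expected is None:
            return ("incomplete", [0])   # manifest never arrived
        missing = [s for s in range(1, self.expected + 1) if s not in self.seen]
        if missing:
            return ("incomplete", missing)
        payload = b"".join(self.seen[s] for s in range(1, self.expected + 1))
        if hashlib.sha256(payload).digest() != self.digest:
            return ("corrupt", None)
        return ("complete", payload)

def run_transfer(payload: bytes, dropped=frozenset()):
    """Push one payload across the simulated diode and return the receiver's verdict."""
    receiver = DiodeReceiver()
    for frame in lossy_link(send_one_way(build_frames(payload, transfer_id=7)), dropped):
        receiver.accept(frame)
    return receiver.result()

if __name__ == "__main__":
    sample = b"constructed 40-byte sample payload......"
    print(run_transfer(sample))                 # clean link
    print(run_transfer(sample, {4, 7, 10}))     # one copy of each frame lost: still complete
    print(run_transfer(sample, {3, 4, 5}))      # burst loss of every copy of seq 1: gap reported
```

A 40-byte payload becomes four frames and twelve emissions, three times the traffic a two-way protocol would need for the same data, which is the "slowed down" cost the paragraph describes. Scattered loss is absorbed by the repeats, but a burst that takes out every copy of one frame leaves the receiver able to name the missing sequence number and nothing more; the resend has to be triggered out of band. The receiver also verifies only the hash and the count, so a complete, intact transfer of hostile content would still read "complete": that is exactly why the article pairs diodes with guards.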

The bottom line

It’s no secret that cyberattacks are an omnipresent threat for government agencies that must balance the need to isolate networks with the need for rapid communication between those networks, as is required for critical missions. If an airport only relied on one of the aforementioned protocols, it wouldn’t be considered secure. Similarly, government agencies must layer various technologies -- firewalls, guards and diodes -- for the sake of security and compliance. This layering allows for the sharing of information between classification levels and the ingestion of data from high-threat networks without creating untenable, unnecessary risk.
