Open jkraden-gsa opened 6 years ago
[Inlining attached PDF comment.]
BlackRidge Technology International, Inc. 10615 Professional Circle, Suite 201 Reno, NV 89521
John Hayes CTO and Founder, BlackRidge Technology jhayes@blackridge.us
BlackRidge Technology's Comments on the Draft Report to the President on
Federal IT Modernization
BlackRidge appreciates the opportunity to provide comments on the draft Report to the President on Federal IT Modernization (Report).
BlackRidge recommends that the American Technology Council ("ATC") ensure that its plan for IT modernization includes sufficient flexibility to allow the federal government to leverage the benefits of emerging, transformational technology. This concept is particularly critical for ensuring the security and management of a consolidated federal network that uses shared services in cloud environments. To keep pace with motivated and well-funded adversaries that are rapidly evolving their attack capabilities, the government needs to be able to rapidly acquire emerging security capabilities.
In its Report, the ATC defines IT modernization as the consolidation of networks and the use of shared services to enable future network architectures. If architected, managed, and secured effectively, this approach will enhance both efficiency and security. If not done effectively, this approach has the potential to introduce risk.
To more effectively manage risk, BlackRidge recommends that the ATC consider security approaches that leverage new technology to:
• Shift the economic burden from the defense to the offense by increasing adversary risk and cost;
• Add identity management protection to the transport layer of the Open System Interconnection (OSI) stack. As discussed in detail below, the capability to effectively manage identity at the transport layer before a TCP/IP connection is established exists today. This Transport Access Control (TAC) capability prevents an adversary from conducting remote network reconnaissance, thereby increasing the effort and costs required to launch a successful attack; and
• Ensure network security policy operates independent of network design and topology.
Transport Access Control
To prevent adversaries from scanning, discovering, mapping, and conducting reconnaissance of federal government networks, BlackRidge recommends that the government incorporate capability that allows organizations to block malicious and/or unauthorized traffic from their environments at the very first packet of a TCP/IP session.
By cutting off communication prior to establishing a TCP/IP session, this capability effectively disrupts the cyber kill chain at the earliest possible moment while allowing authorized and authenticated networking sessions to proceed. This capability can be realized by using non-interactive authentication (authentication before any response is made to a network authentication request) coupled with network identity. An example of this is the Transport Access Control (TAC) capability.
The ability to stop an adversary at the transport layer of the open system interconnection (OSI) model prior to establishing a communication channel conceals network assets from scanning and discovery -- essentially rendering the network invisible to unauthorized users and devices -- thereby reducing the attack surface and increasing the effort and costs required to launch a successful attack.
The TAC capability works by bringing trusted identity and authentication to the network, combining non-interactive authentication with network identity in a fully automated fashion. Inserting identity into the first packet of a TCP/IP session to communicate identity across the network allows cloud and network services to determine the identity of the requester before responding to the TCP/IP request and to block unauthorized, anonymous traffic at the very first packet, effectively disrupting an attacker’s OODA (observe, orient, decide, act) loop.
The TAC capability is currently being tested and fielded at the Department of Defense. While not yet deployed widely across industry and government, this revolutionary capability addresses a critical security flaw in the TCP/IP protocol and there is currently no other mechanism for blocking adversary scanning and reconnaissance without also blocking legitimate users.
TAC makes the network invisible to unauthorized users and devices, thus greatly reducing the attack surface, and functions independent of network design and topology, making the capability ideal for shared environments that mix users and resources with differing authorities and privileges.
Specific Recommendations
To incorporate network identity and non-interactive authentication capability into the Report, BlackRidge recommends adding the bolded and underlined language below as follows:
• Page 7, “Reduce the Federal attack surface through enhanced transport, application and data-level protections”
“Rather than treating Federal networks as trusted entities to be defended at the perimeter, agencies should shift their focus to placing protections closer to data, specifically through improved management and authentication of devices and user access, as well as through encryption of data – both at rest and in transit. This approach curtails an attacker’s likelihood of gaining access to valuable data solely by accessing the network, and it has the potential to better block and isolate malicious activity. As agencies prioritize their modernization efforts, they should implement the capabilities that underpin this model to their high value assets first.
In addition, device and user identity should be conducted at the transport layer and extended to network sessions. The use of non-interactive authentication of network identity stops unauthorized communication at the transport layer, preventing adversaries from scanning, discovering, mapping, and conducting reconnaissance, reducing the attack surface of both the network and its supported applications and services.”
• Page 19, “Bring Government to the Cloud: Vendor-owned and operated servers and Government-operated applications with networks that utilize a secure connection — Infrastructure as a Service”
“Some service needs can only be met by developing custom software, or by buying software not available as a service. With this model, a cloud vendor owns and operates servers in a private sector data center, but connected through a secure connection. Secure connections could include HTTPS, TLS, Transport Access Control (TAC), peering, etc. This provides an infrastructure upon which agencies deploy applications that they create or acquire. This model can be utilized for secure, critical applications that are only available to Government users on a virtual private network (VPN) or other network-level and session-level isolation.”
• Page 20, paragraph 2
“These applications can be public services used by the general public or private internal services used by agency employees. In either case, agencies may consider cloud infrastructure as a service to be an extension of their existing private enterprise network, or they may treat it as a separate, isolated network. Regardless, users access the service through secure connections, which could include HTTPS, TLS, VPN, TAC, or a dedicated line.”
• Page 23, “Upon Approval of the President and within a Timeline of 45 Days:”
“OMB will issue updated identity policy guidance for public comment that will reduce agency burden and recommend identity service areas suitable for shared services. GSA will provide a business case to the Federal CIO on the consolidation of existing identity services to improve usability and drive secure access and interoperability. This action will enable secure access and collaboration as a service in a way that improves existing agency-specific implementations, which often have various levels of security and do not include interoperability. The policy guidance should include extending the use of existing identity infrastructure to the network for network session identification and authorization at the transport layer.”
• Page 30, "Risk-Based Capabilities"
Network Identity.
Networks were originally designed to facilitate communications between computers. The network attributes of addresses and of which network nodes are connected to each other, called network topology, enabled networks to provide communications. The TCP/IP protocols, upon which modern computer networking is based, did not have security requirements when they were developed in the 1970s and 80s. When these networks were later asked to provide security, the same network attributes of addresses and topology were used, even though these attributes were not designed with security in mind. This resulted in both weaknesses and complications for network security: network addresses cannot be authenticated, making them vulnerable to spoofing by adversaries, and network topology, how the network is connected, changes due to normal network operations. Ensuring that network security policies match the current network topology requires constant monitoring and coordination. Isolation using network addresses is therefore both vulnerable to spoofing and dependent on constant monitoring to ensure correctness. The re-use of network attributes not originally designed for security has left network security weak, complicated and fragile.
Introducing identity as a new network attribute eliminates these weaknesses. Identity can be authenticated, preventing spoofing by adversaries. Identity is also independent of the network topology; security policy rules do not have to be adjusted for network topology changes. When Identity is used for network isolation, the networks are further secured against address spoofing and can be implemented without requiring constant monitoring for topological changes, reducing the management overhead while increasing security.
Non-Interactive Authentication.
Using non-interactive authentication (authentication before any response is made to a network authentication request) allows authentication to occur with a single packet, eliminating unauthorized network scanning, mapping, reconnaissance and discovery. Together, network identity and non-interactive authentication make the network invisible to unauthorized users and devices.
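The first-packet identity check described in the Transport Access Control section above, together with the identity-versus-address argument under Network Identity, as an added illustrative model. This is not BlackRidge's TAC product or protocol and not code from the page; the token construction (an HMAC over identity, destination and a coarse time window), the packet layout, the identity keys and the port policy are all assumptions chosen to show the enforcement logic: the gateway decides on the very first packet, answers nothing when it drops, and keys every rule on identity rather than on source address.

```python
# Added illustrative model of first-packet (non-interactive) identity
# authentication. It is NOT BlackRidge's TAC implementation; the token
# construction and packet layout are assumptions made for this example.
import hashlib
import hmac
import struct
from dataclasses import dataclass

WINDOW_SECONDS = 30  # assumption: token bound to a coarse clock window to limit replay

# Constructed example policy store. Everything is keyed by identity, never by
# source address, so the rules survive readdressing and topology changes.
IDENTITY_KEYS = {
    "alice-laptop": bytes([0x01]) * 32,
    "ops-jumphost": bytes([0x02]) * 32,
}
ALLOWED_PORTS = {
    "alice-laptop": {443},
    "ops-jumphost": {22, 443},
}


@dataclass(frozen=True)
class FirstPacket:
    """The first packet of a session, carrying an identity claim and a token.
    The page does not say where TAC places the identity inside the packet;
    in this model it is simply a field."""
    src_ip: str
    dst_ip: str
    dst_port: int
    identity: str
    token: bytes


def _window(now: float) -> int:
    return int(now) // WINDOW_SECONDS


def _token(key: bytes, identity: str, dst_ip: str, dst_port: int, window: int) -> bytes:
    # Binding the token to the destination and the window means a captured
    # token cannot be redirected to another service or reused after the window.
    msg = identity.encode() + b"|" + dst_ip.encode() + struct.pack("!HQ", dst_port, window)
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def make_first_packet(identity, key, src_ip, dst_ip, dst_port, now) -> FirstPacket:
    """Client side: compute the token and place it in the session's first packet."""
    return FirstPacket(src_ip, dst_ip, dst_port, identity,
                       _token(key, identity, dst_ip, dst_port, _window(now)))


def gateway_decide(pkt: FirstPacket, now: float) -> str:
    """Gateway side: 'accept' or 'drop'. A drop sends nothing back (no RST,
    no ICMP), so an unauthorized sender learns nothing about the service."""
    key = IDENTITY_KEYS.get(pkt.identity)
    if key is None:
        return "drop"                      # unknown identity claim
    # Tolerate one window of clock skew between client and gateway.
    valid = any(
        hmac.compare_digest(pkt.token, _token(key, pkt.identity, pkt.dst_ip, pkt.dst_port, w))
        for w in (_window(now), _window(now) - 1)
    )
    if not valid:
        return "drop"                      # forged, stale or redirected token
    if pkt.dst_port not in ALLOWED_PORTS.get(pkt.identity, set()):
        return "drop"                      # authenticated, but not authorized here
    return "accept"


def decisions_for_unauthenticated_probes(src_ip, dst_ip, ports, now):
    """What a sender holding no identity key gets across a range of ports:
    every first packet is dropped, so no port is distinguishable from another."""
    return {p: gateway_decide(FirstPacket(src_ip, dst_ip, p, "", b""), now) for p in ports}


if __name__ == "__main__":
    t = 1_700_000_000  # constructed timestamp
    pkt = make_first_packet("alice-laptop", IDENTITY_KEYS["alice-laptop"],
                            "10.0.0.5", "192.0.2.10", 443, t)
    print("authorized first packet:", gateway_decide(pkt, t))
    print("probes without identity:", decisions_for_unauthenticated_probes(
        "198.51.100.9", "192.0.2.10", [22, 80, 443, 8080], t))
```

Two things the model makes visible that the prose only asserts: the same identity is accepted from a new source address without any policy change (topology independence), while a packet that forges the address but lacks the key is dropped exactly like any other probe. The model also shows a caveat a deployment must handle: a token captured on the wire remains valid for the same destination until its window expires, so real first-packet schemes need replay state or a per-session nonce in addition to the window.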
Comments from BlackRidge Technology on the draft Report to the President on Federal IT Modernization are attached. If you have any questions or comments, please reach out to me at the contact information below or to John Hayes, CTO and Founder of BlackRidge Technology (copied above).
Best regards,
Orlie
-- Ms. Orlie Natalie Yaniv Founder and Managing Member Orlie Yaniv Strategies LLC
BR_IT Modernization Final.docx (1).pdf