
Report to the President on IT Modernization
https://itmodernization.cio.gov

Comment from email: Comments from BlackRidge Technology on IT Modernization #44

Open jkraden-gsa opened 6 years ago

jkraden-gsa commented 6 years ago

Comments from BlackRidge Technology on the draft Report to the President On Federal IT Modernization are attached. If you have any questions or comments, please reach out to me at the contact information below or to John Hayes, CTO and Founder of BlackRidge Technology (copied above). Best regards, Orlie

-- Ms. Orlie Natalie Yaniv Founder and Managing Member Orlie Yaniv Strategies LLC

BR_IT Modernization Final.docx (1).pdf

konklone commented 6 years ago

[Inlining attached PDF comment.]

BlackRidge Technology International, Inc., 10615 Professional Circle, Suite 201, Reno, NV 89521

John Hayes, CTO and Founder, BlackRidge Technology, jhayes@blackridge.us

BlackRidge Technology's Comments on the Draft Report to the President on Federal IT Modernization

BlackRidge appreciates the opportunity to provide comments on the draft Report to the President on Federal IT Modernization (Report).

BlackRidge recommends that the American Technology Council ("ATC") ensure that its plan for IT modernization includes sufficient flexibility to allow the federal government to leverage the benefits of emerging, transformational technology. This concept is particularly critical for ensuring the security and management of a consolidated federal network that uses shared services in cloud environments. To keep pace with motivated and well-funded adversaries that are rapidly evolving their attack capabilities, the government needs to be able to rapidly acquire emerging security capabilities.

In its Report, the ATC defines IT modernization as the consolidation of networks and the use of shared services to enable future network architectures. If architected, managed, and secured effectively, this approach will enhance both efficiency and security. If not done effectively, this approach has the potential to introduce risk.

To more effectively manage risk, BlackRidge recommends that the ATC consider security approaches that leverage new technology to:

• Shift the economic burden from the defense to the offense by increasing adversary risk and cost;
• Add identity management protection to the transport layer of the Open System Interconnection (OSI) stack. As discussed in detail below, the capability to effectively manage identity at the transport layer before a TCP/IP connection is established exists today. This Transport Access Control (TAC) capability prevents an adversary from conducting remote network reconnaissance, thereby increasing the effort and costs required to launch a successful attack; and
• Ensure network security policy operates independent of network design and topology.

Transport Access Control

To prevent adversaries from scanning, discovering, mapping, and conducting reconnaissance of federal government networks, BlackRidge recommends that the government incorporate capability that allows organizations to block malicious and/or unauthorized traffic from their environments at the very first packet of a TCP/IP session.

By cutting off communication prior to establishing a TCP/IP session, this capability effectively disrupts the cyber kill chain at the earliest possible moment while allowing authorized and authenticated networking sessions to proceed. This capability can be realized by using non-interactive authentication (authentication before any response is made to a network authentication request) coupled with network identity. An example of this is the Transport Access Control (TAC) capability.

The ability to stop an adversary at the transport layer of the open system interconnection (OSI) model prior to establishing a communication channel conceals network assets from scanning and discovery -- essentially rendering the network invisible to unauthorized users and devices -- thereby reducing the attack surface and increasing the effort and costs required to launch a successful attack.

The TAC capability works by bringing trusted identity and authentication to the network by combining non-interactive authentication and network identity in a fully automated fashion. Inserting identity into the first packet of a TCP/IP session to communicate identity across the network allows cloud and network services to determine the identity of the requester before responding to the TCP/IP request and block unauthorized, anonymous traffic at the very first packet, effectively disrupting an attacker's OODA (observe, orient, decide, act) loop.

The TAC capability is currently being tested and fielded at the Department of Defense. While not yet deployed widely across industry and government, this revolutionary capability addresses a critical security flaw in the TCP/IP protocol and there is currently no other mechanism for blocking adversary scanning and reconnaissance without also blocking legitimate users.

TAC makes the network invisible to unauthorized users and devices, thus greatly reducing the attack surface, and functions independent of network design and topology, making the capability ideal for shared environments that mix users and resources with differing authorities and privileges.

Specific Recommendations

To incorporate network identity and non-interactive authentication capability into the Report, BlackRidge recommends adding the bolded and underlined language below as follows:

• Page 7, "Reduce the Federal attack surface through enhanced **transport**, application and data-level protections"

"Rather than treating Federal networks as trusted entities to be defended at the perimeter, agencies should shift their focus to placing protections closer to data, specifically through improved management and authentication of devices and user access, as well as through encryption of data – both at rest and in transit. This approach curtails an attacker's likelihood of gaining access to valuable data solely by accessing the network, and it has the potential to better block and isolate malicious activity. As agencies prioritize their modernization efforts, they should implement the capabilities that underpin this model to their high value assets first.

**In addition, device and user identity should be conducted at the transport layer and extended to network sessions. The use of non-interactive authentication of network identity stops unauthorized communication at the transport layer, preventing adversaries from scanning, discovering, mapping, and conducting reconnaissance, reducing the attack surface of both the network and its supported applications and services.**"

• Page 19, "Bring Government to the Cloud: Vendor-owned and operated servers and Government-operated applications with networks that utilize a secure connection — Infrastructure as a Service"

"Some service needs can only be met by developing custom software, or by buying software not available as a service. With this model, a cloud vendor owns and operates servers in a private sector data center, but connected through a secure connection. Secure connections could include HTTPS, TLS, **Transport Access Control (TAC)**, peering, etc. This provides an infrastructure upon which agencies deploy applications that they create or acquire. This model can be utilized for secure, critical applications that are only available to Government users on a virtual private network (VPN) or other network-level and session-level isolation."

• Page 20, paragraph 2

"These applications can be public services used by the general public or private internal services used by agency employees. In either case, agencies may consider cloud infrastructure as a service to be an extension of their existing private enterprise network, or they may treat it as a separate, isolated network. Regardless, users access the service through secure connections, which could include HTTPS, TLS, VPN, **TAC**, or a dedicated line."

• Page 23, "Upon Approval of the President and within a Timeline of 45 Days:"

"OMB will issue updated identity policy guidance for public comment that will reduce agency burden and recommend identity service areas suitable for shared services. GSA will provide a business case to the Federal CIO on the consolidation of existing identity services to improve usability and drive secure access and interoperability. This action will enable secure access and collaboration as a service in a way that improves existing agency-specific implementations, which often have various levels of security and do not include interoperability. **The policy guidance should include extending the use of existing identity infrastructure to the network for network session identification and authorization at the transport layer.**"

• Page 30, "Risk-Based Capabilities"

Network Identity.

Networks were originally designed to facilitate communications between computers. The network attributes of addresses and what network nodes are connected to each other, called network topology, enabled networks to provide communications. The TCP/IP protocols, upon which modern computer networking is based, did not have security requirements when they were developed in the 1970s and 80s. When these networks were later asked to provide security, the same network attributes of addresses and topology were used, even though these attributes were not designed with security in mind. This resulted in both weaknesses and complications for network security: network addresses cannot be authenticated, making them vulnerable to spoofing by adversaries; and network topology, how the network is connected, changes due to normal network operations. Ensuring that network security policies match the current network topology requires constant monitoring and coordination. Isolation using network addresses is both vulnerable to spoofing and requires constant monitoring to ensure correctness. The re-use of network attributes not originally designed for security has led to network security that is weak, complicated and fragile.

Introducing identity as a new network attribute eliminates these weaknesses. Identity can be authenticated, preventing spoofing by adversaries. Identity is also independent of the network topology; security policy rules do not have to be adjusted for network topology changes. When identity is used for network isolation, the networks are further secured against address spoofing and can be implemented without requiring constant monitoring for topological changes, reducing the management overhead while increasing security.

Non-Interactive Authentication.

Using non-interactive authentication (authentication before any response is made to a network authentication request) allows authentication to occur with a single packet, eliminating unauthorized network scanning, mapping, reconnaissance and discovery. Together, network identity and non-interactive authentication make the network invisible to unauthorized users and devices.
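As an added illustration of the behaviour described in the comment above (this is not BlackRidge's TAC product or its wire protocol), the following simulated gateway decides on the first packet alone: an identity token authenticated with a keyed MAC, policy keyed on identity rather than source address, and a silent drop (no SYN-ACK, no RST) for anything that fails, so an unauthenticated scanner receives no response. The identities, keys, token layout and replay counter are constructed for this example.

```python
import hmac
import hashlib
import struct

# Constructed sample data: per-identity secrets and an identity-based policy.
# Policy is keyed on identity, never on source address or network topology.
IDENTITY_KEYS = {
    b"agency-laptop-0042": b"\x11" * 32,
    b"cloud-backup-svc": b"\x22" * 32,
}
POLICY = {
    b"agency-laptop-0042": {443},
    b"cloud-backup-svc": {22, 443},
}
TAG_LEN = 16  # truncated HMAC-SHA256 tag carried in the first packet


def make_token(identity, key, counter, dst_port):
    """Client side: build the identity token placed in the first packet.
    The counter must increase per session so a captured token cannot be replayed;
    binding dst_port stops a token for one service being reused against another."""
    body = struct.pack(">B", len(identity)) + identity + struct.pack(">QH", counter, dst_port)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def gateway_decide(src_ip, dst_port, token, last_counter):
    """Gateway side: authenticate before any response. Every failure is a silent
    DROP, so the sender learns nothing about the asset behind the gateway.
    last_counter maps identity -> highest counter accepted (replay state).
    src_ip is deliberately never consulted: identity, not address, is authenticated."""
    if token is None or len(token) < 1 + 10 + TAG_LEN:
        return "DROP"                     # plain SYN / scan probe carries no identity
    n = token[0]
    identity = token[1:1 + n]
    body, tag = token[:1 + n + 10], token[1 + n + 10:]
    key = IDENTITY_KEYS.get(identity)
    if key is None:
        return "DROP"                     # unknown identity
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        return "DROP"                     # forged or tampered token
    counter, port = struct.unpack(">QH", body[1 + n:])
    if port != dst_port or counter <= last_counter.get(identity, -1):
        return "DROP"                     # bound to another service, or replayed
    if dst_port not in POLICY.get(identity, set()):
        return "DROP"                     # authenticated but not authorized for this service
    last_counter[identity] = counter
    return "ALLOW"                        # only now does the session proceed to TCP
```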