The Need for Data Protection
In an era where mobile devices serve as indispensable tools for government, federal agencies, and military personnel, the imperative to secure classified information has never been more critical.
Data can be categorized into three primary forms based on its usage and state within a computing environment. Data at rest refers to information stored on storage devices when not actively in use, such as files on hard drives or data in databases, while data in transit, represents the information actively being transferred between systems or devices, usually over networks. Data in use refers to the information being processed or accessed by applications, users, or systems.
The seamless integration of mobile technology into the daily operations of these entities presents unprecedented opportunities for efficiency and communication. In this article, we will focus on the importance of safeguarding data in transit on mobile devices accessing classified information, considering the unique challenges faced by the U.S. government, federal agencies, and the military, dealing with the dynamic landscape of cyber threats and the need for seamless yet secure communications.
Different Types of Networks
In the context of classified networks, three main types of network environments are typically used, referred to as "black," "gray" and "red" based on their security levels and functions, that color-coded network classifications being commonly associated with military and government settings.
First, the red network represents the internal, secure, and classified network, designed to handle confidential, secret, or top-secret information, to which access is restricted and tightly controlled to authorized personnel with the necessary security clearances.
Second, the black network refers to any unclassified or public networks, such as the internet, considered non-secure by nature and used for general, unclassified communication. Since it is inherently less secure, measures must be taken to prevent unauthorized access to sensitive information from the red network.
Finally, in between lies the grey network, an intermediate network that acts as a buffer zone between the red (classified) and black (unclassified) networks. It allows for communication between the two networks while minimizing the risk of unauthorized access or data leakage, applying security measures and controls to ensure that only authorized and properly authenticated traffic passes between the red and black networks.
Double Encryption of Data in Transit
The National Security Agency (NSA)'s “Rule of Two” is a data security guideline emphasizing the implementation of two entirely independent layers of cryptography for data protection, involving the use of dual security measures, such as employing hardware encryption at the lowest level alongside software encryption at the application layer, ensuring a robust defense against potential security threats.
In the case of data in transit, a double encryption strategy typically involves implementing a Virtual Private Network (VPN) for overall data encryption and incorporating either a second VPN or another secure communication protocol such as Transport Layer Security (TLS) within that primary VPN connection, ensuring data is encrypted twice during transmission.
Benefits
Double encryption of data in transit provides an extra layer of security for sensitive information as it travels across different networks, enhancing data protection by making it significantly more difficult for unauthorized entities to intercept, decipher, or tamper with the transmitted data. The use of two independent encryption mechanisms adds a level of complexity that strengthens resilience against advanced cyber threats, offering a robust defense strategy. By mitigating the risk of interception and enhancing the confidentiality and integrity of data, double encryption is particularly advantageous in safeguarding critical information during transmission, aligning with stringent security standards and addressing the evolving challenges of cybersecurity.
Uses Cases
We will discuss how double encryption of data in transit can be achieved with two common scenarios.
Double-Encryption with Double VPN
The first use case consists in providing double encryption to an approved mobile application that needs to access data and documents in the red network, for example Google Chrome web browser to access some webpage on the Intranet, or ISEC7 Mobile Exchange Delegate (MED) client to synchronize emails, calendar and other items with an internal, secure messaging server.
A first VPN connection, referred to as the outer tunnel, is established with a VPN gateway located in gray network and is applied device-wide, meaning that all device traffic leaving out of and coming into the device will be encrypted and routed through that tunnel.
From there, a second VPN connection, referred to as the inner tunnel, will be established with a VPN gateway located in red network, within the outer tunnel; in that case, it can either be device-wide (“VPN cascading”) or restricted to only a limited set of mobile apps (“per-app VPN”), depending on either there is a need for all mobile apps on the device to be able to access the red network, or only a number of them.
Double-encryption with Double-VPN
Double-Encryption with CSfC-Compliant Applications
Another approach is to use mobile applications that have been specially designed to establish their own secure connection, following the recommendations and requirements of the Commercial Solutions for Classified (CSfC), a U.S. government program developed by the National Security Agency (NSA) and the Central Security Service (CSS), that aims to leverage Commercial-off-the-shelf (COTS) products to create secure, classified communication solutions. CSfC-complaint solutions can securely transport highly sensitive information, extending up to Top Secret (TS) classification.
Example of CSfC-compliant solutions include BlackBerry SecuSUITE®, a cross-platform solution offering end-to-end encryption of voice and text messaging, and Hypori Virtual Mobility™, a Virtual Mobile Infrastructure (VMI) solution providing unparallel secure access to enterprise apps with total separation of personal and enterprise.
In that case, the outer tunnel is established with a VPN gateway located in gray network and is applied device-wide, meaning that all device traffic leaving out of and coming into the device will be encrypted and routed through that tunnel, same as earlier.
However, the inner tunnel will then be established directly by the CSfC-compliant client on the device with its respective back-end server located in the red network, typically using a secure TLS connection, and this within the existing outer tunnel; in that case, this inner tunnel will be restricted to only that specific application.
Note that other CSfC-compliant mobile apps can however make use of that same, device-wide outer tunnel to connect to the gray network and establish their own secure connection with their respective back-end server in the red network, to access classified data.
Double-encryption with CSfC-complaint BlackBerry SecuSUITE® solution.
Double-encryption with CSfC-compliant Hypori Halo™ solution.
Drawbacks and Limitations
While double encryption of data in transit surely brings many benefits, it also has its drawbacks, that include potential performance degradation due to the additional processing required for double encryption, as well as increased complexity in managing and maintaining the keys and algorithms involved. Additionally, if one layer of encryption is compromised, the second layer provides only partial protection, and managing key distribution securely becomes more critical to overall system integrity.
Continuous Monitoring with ISEC7 Sphere
Continuous monitoring of Commercial Solutions for Classified (CSfC) applications involves the ongoing and systematic assessment of security controls and processes to ensure the sustained effectiveness of classified communication solutions, including real-time scrutiny of network traffic, system logs, and other relevant data to detect and respond promptly to potential security threats or anomalies. This allows organizations to proactively identify vulnerabilities, assess the compliance of CSfC applications with security standards, and implement timely corrective measures. This dynamic approach aligns with the evolving nature of cybersecurity threats, enabling a rapid response to emerging risks and contributing to the overall resilience and security posture of classified communication systems.
Continuous Monitoring of CSfC Solutions
ISEC7 Sphere is often compared with security information and event management (SIEM) solutions. Event log monitoring and management is only one integral component of ISEC7 Sphere, which is used to collect, aggregate, correlate, and analyze security event data from CSfC components. Data is sent to (Syslog) or collected (SNMP, API, WMI, PowerShell, etc.) from ISEC7 Sphere from the following sources: hardware devices, virtual machines, security appliances, and software and services running within the solution network(s).
End user devices transmitting Classified, Controlled Unclassified Information, or sensitive information require additional levels of protection to ensure national security data remains secure. The NSA Mobile Access Capability Package provides the roadmap for protection requirements, however there is no one-size-fits-all product to meet your organization’s unique needs and the MACP itself encourages product diversity and redundancy for resilience. Those solutions should work in concert with the rest of your security apparatus to ensure your overall security posture is where it needs to be to protect your data and ultimately your liability. As a Command-and-Control (C&C) tool, ISEC7 Sphere provides a control plane over these solutions ensuring interoperability and monitoring for potential cyber threats. The team at ISEC7 has years of experience working with leading companies with NIAP validated products to build the complete environment required for classified end user computing. Our breadth of offerings enables us to quickly understand your use cases and build solutions to meet each customer’s specific needs while maintaining compliance with the MACP. Please reach out to the team at ISEC7, and we can complete a security assessment and help you navigate the options available to you to help strengthen and protect your infrastructure.
Comments