UNCLASSIFIED
Slide 1: Cloud Based Internet Isolation
Sherri Sokol, CBII PM, DISA
13 January 2020
TRUST IN DISA: MISSION FIRST, PEOPLE ALWAYS!
Slide 2: Agenda
• Why Cloud Based Internet Isolation
• Current State / Milestones
• Solution Overview/Demo
• Global Scale and Technical Discussions
• Onboarding
• Next Steps
• Questions
Slide 3: DOD's Global Internet Browsing
[Pie chart: DoD-Wide Internet Browsing (as of Aug 2019)]
• 68.54% "Likely Non-Mission"
• 28.62% "Likely Mission"
• 2.84% Not Categorized
[IAP utilization (end of Aug 2019)]
• CONUS at 82% of Bandwidth Capacity.
• Europe at 77% of Bandwidth Capacity.
• East PAC at 77% of Bandwidth Capacity.
• West PAC at 75% of Bandwidth Capacity.
• IAPs Upgraded 4 Times from Jan 2014 - Aug 2019.
• ~68% of DOD-Wide Internet Browsing Likely Non-Mission (e.g. social media, videos, streaming music, etc…).
• Jan 2014 - Aug 2019: Percent of Likely Non-Mission Traffic Holds, But Amount of Throughput Used More Than Doubled.
[Chart: Global NIPR IAPs at Peak Hour Internet Consumption, Jan 2014 to May 2019; y-axis Peak Hour Traffic (Mbps), 0 to 45,000]
As demand for internet bandwidth increases, so does DOD's exposure to cyber threats and the required investments in Internet Access Points (cybersecurity capabilities and bandwidth capacity).
(DISA/EE 23 Analysis – Data Source: Centaur)
Slide 4: CBII Mission Summary
Cloud Based Internet Isolation (CBII) removes one of the biggest bandwidth hogs and cybersecurity risks--the internet browser--as a threat vector and secures the department's data and networks by taking users' non-.mil/non-.gov internet browsing off the endpoint and isolating it in the cloud.
• Better Security
• Bandwidth Optimization
• Easy to Implement
• No Fee For Service
Slide 5: CBII Prototype
• 2 solutions: Menlo and Symantec. Prototype through end of March, when the move to the enterprise solution starts.
• 100,000 users total user base (50k on each vendor solution).
• 10 mission partners and growing: Navy, Air Force, Army, NGB, DCMA, DCSA, DHA, DLA, NSA, & DISA. Mission partner participation and feedback are critical in shaping this service.
Slide 6: CBII Traffic Flow
[Traffic flow diagram; label: EBI]
Slide 7: Prevent Attacks and Enable a Fast UX
No Code Executed on the Endpoint
FASTER BROWSING DUE TO BANDWIDTH OPTIMIZATION
• Less data transporting to endpoints frees up bandwidth.
• Performing security activities (file antivirus scanning, detonation, hash comparison) in the cloud instead of at the internet access points alleviates congestion.
BETTER SECURITY ADMINISTRATION
• Increased granular control for user policies.
• Logs are closely associated with the user and can be exported to Splunk for analysis.
File downloads are inspected 2x (in the cloud and via the typical route at the IAP).
Slide 8: DEMO
CBII Symantec User Experience Demo
Slide 9: Bandwidth Optimization / Security: Wikipedia.org
Top left: web page without isolation.
Bottom left: full source of code executed when the webpage is requested by the user.
Slide 10: Bandwidth Optimization / Security: Wikipedia.org
Website with isolation. Green bar at the top of the page indicates to the user that the website is being isolated.
Slide 11: Bandwidth Optimization / Security: Wikipedia.org
Top left: Isolated source code
Lower left: Non-isolated source code
The isolated website contains just a small fraction of the source code. Only the rendered page reaches the endpoint. The original source code is executed only in the CBII environment.
Slide 12: Bandwidth Optimization / Security
Non-isolated users surf with endpoint information exposed, revealing more information than intended or desired.
Slide 13: Bandwidth Optimization / Security
Isolated users surf with endpoint information concealed within the CBII environment, using virtual instances that prevent nefarious code from being transmitted back to the endpoint.
Slide 14: CBII Prototype Distribution
The CBII prototype currently uses the AWS GovCloud East and West environments. Access to the environment is facilitated by the outbound user traversing the IAP to reach the infrastructure for isolation. Commercial cloud instances are being implemented in US East, US West, Frankfurt, Tokyo, and Bahrain.
Slide 15: Next Steps: Onboarding Process
Step 1: Select Initial Test Users. Identify 3-5 initial test users with system privileges.
Step 2: Connectivity Test. Vendor assists with manual browser configuration in Firefox using a PAC file.
Step 3: Initial Test Phase. Testers browse as usual, providing feedback if they encounter issues, resulting in a swift resolution.
Step 4: Widespread Deployment. A group policy object (GPO) is pushed to organizational units using your Active Directory.
§ Have your requirements met, questions answered, and issues resolved before the transition to enterprise deployment with DISN subscription—scheduled to begin March 28.
§ Training for GSD, DGOC, and migrating mission partners.
§ Support available directly from the PMO and vendors 24/7. Able to apply best practices from the few issues already solved. Can use DCS (or test application accounts if available) to speed resolution of new issues.
§ After onboarding, please provide feedback (via survey and/or helpdesk) so DISA can quickly resolve any issues and you can shape the final CBII service to meet your needs.
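An added example, not from the deck or either vendor: a minimal PAC file of the kind Step 2 refers to, implementing the split the mission summary describes (.mil/.gov browsing stays on the normal IAP path, everything else goes to the isolation service). The proxy host cbii-isolation.example:8080 is a placeholder; the domain-matching helper uses plain string operations so the same logic runs both in a browser's PAC engine and outside one, and a production PAC would additionally exempt internal address ranges with the built-in isInNet().

```javascript
// Added example PAC file (not DISA's or a vendor's): route .mil/.gov browsing
// DIRECT and everything else through the cloud isolation service.
// The proxy host below is a placeholder, not a real CBII endpoint.
var ISOLATION_PROXY = "PROXY cbii-isolation.example:8080";
var DIRECT = "DIRECT";

// True when host is `domain` itself or a subdomain of it, e.g.
// hostInDomain("www.disa.mil", "mil") -> true, ("gov.example", "gov") -> false.
// Uses substring() rather than endsWith() because some PAC engines run an
// older JavaScript dialect.
function hostInDomain(host, domain) {
  var h = host.toLowerCase();
  if (h === domain) return true;
  var tail = "." + domain;
  return h.length > tail.length && h.substring(h.length - tail.length) === tail;
}

// Plain (dotless) hostnames and loopback are local and never isolated.
// A production PAC would also exempt internal ranges via the built-in isInNet().
function isLocalHost(host) {
  return host.indexOf(".") === -1 || host === "localhost" || host === "127.0.0.1";
}

// Standard PAC entry point; the browser calls it for every URL it loads.
function FindProxyForURL(url, host) {
  if (isLocalHost(host)) return DIRECT;
  // Mission (.mil/.gov) sites take the normal IAP path, not the isolation cloud.
  if (hostInDomain(host, "mil") || hostInDomain(host, "gov")) return DIRECT;
  // Everything else is rendered in the isolation environment. Deliberately no
  // "; DIRECT" fallback: if the isolation proxy is unreachable the browser
  // fails closed instead of silently bypassing the control.
  return ISOLATION_PROXY;
}
```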
Slide 16: Questions?
Slide 17: DEFENSE INFORMATION SYSTEMS AGENCY
The IT Combat Support Agency
www.disa.mil
/USDISA
@USDISA
Slide 18: Backup Slides
Slide 19: Current Network Path
Slide 20: User Troubleshooting
Slide 21: CBII Download
Slide 22: CBII Upload
- Slides: 22