Conducting mission-critical operations in field, emergency, temporary, remote or distributed situations requires communications systems that maintain Confidentiality, Integrity, and Availability (CIA). Organizations must maintain CIA when using network-based, wired, line-of-sight radio, radio, cellular, microwave, laser or Satellite Communication (SATCOM)-based communications, especially when relying on third parties to provide network communications transport services, or when using wireless communications technologies whose transmissions can be easily intercepted. To maintain CIA, organizations can use various encryption technologies at various technology layers, including, but not limited to, the ISO (International Organization for Standardization) data link, network, or transport layers. Organizations use protocols such as Media Access Control Security (MACsec), Virtual Private Network (VPN), or Secure Sockets Layer/Transport Layer Security (SSL/TLS) to ensure that transmitted information cannot be stolen, tampered with, or disrupted. However, the setup and configuration of the systems used to implement encryption in transit are exceedingly complex and easy to misconfigure, which leads to downtime or to weak security configurations that leave information vulnerable. Exacerbating the problem is the increasing use of a Public Key Infrastructure (PKI), which is used to distribute and manage the encryption keys required on both sides of an encrypted link. PKI systems add a layer of complexity that is well beyond the training and expertise of most networking professionals, which leads to additional downtime and security vulnerabilities.
Organizations that need to deploy transmission security over large distances, or in dangerous or remote locations, are disadvantaged by current technology due to a lack of trained staff able to configure and manage link encryption technology. In addition to the initial setup and the configuration changes required to adjust to changing circumstances, the management of digital certificates and encryption keys demands additional technical skills not typically available in dangerous or remote locations, which makes the implementation of link encryption in transit difficult and expensive.
Recent advancements in encryption technologies now available in Commercial-Off-The-Shelf (COTS) equipment have been deemed secure enough by the United States National Security Agency (NSA), when configured correctly, to be used by United States military, intelligence, and civilian organizations to implement link encryption for the transmission of classified information, up to and including Top Secret information. The NSA approves these types of systems under a new program called “Commercial Solutions for Classified” (CSfC). To be approved under this program, however, organizations must deploy two sets of encryption technology, each from a different vendor (or using different, unrelated platforms). While this new capability enables a variety of new, important use cases, it introduces additional complexity that requires even more training and configuration.
To deploy these systems, organizations typically include various types of networking and security equipment, including routers (used to direct the flow of voice/data), optimization equipment (used to reduce the size of network traffic over long distance radio links), VPN gateways and clients (providing encryption), firewalls, intrusion detection/prevention systems, event log managers, servers, Certificate Authorities (CA), and time servers. For systems that include encrypted Wide Area Network (WAN) access, systems may include digital radios and satellite modems. For systems that include encrypted Wi-Fi or cellular access, equipment can include Wi-Fi or base station routers, wireless controllers, packet cores, and mobile device managers. Lastly, users that connect to such systems may use devices such as laptops, smartphones, and tablets that also participate in the encryption solution by hosting encryption endpoint (client) technology.
Almost always, the equipment listed above is manufactured by different companies, provides different services, and has unique user interfaces and operator training requirements. This results in expensive training costs to educate operators on the equipment; lengthy setup times that often cause communications delays; system or communications downtime, including when equipment is misconfigured; and system unavailability, such as when a lack of trained experts results in systems being left unused. Perhaps most misleading is when such systems are configured so that they “work”, but do so in an insecure manner, leading organizations to place trust in untrustworthy systems.
In order to set up and configure the equipment appropriately, operators must be trained to diagnose and troubleshoot multiple different network and security devices. In some cases, because an organization's security policies require separation of duties, a single trained person may not be able to troubleshoot a problem, for example where a VPN administrator does not have sufficient authority to use a CA to sign a certificate. In such a case, end-to-end troubleshooting is made difficult by errors introduced when tasks are handed off from one individual to another, particularly when multiple manual steps are required.