HPE Aruba Networking Blogs

3 Reasons to Use MultiZone to Meet Network Classification Needs

By Dolan Sullivan, Vice President of Federal at HPE Aruba Networking (Retired)

The US government faces an unprecedented level and sophistication of cyberattacks, orchestrated by nation-states, organized crime and malicious insiders. In fact, cyberespionage, privilege misuse and errors by insiders were identified as the top causes of breaches across public administration, according to the latest Verizon Data Breach Incident Report. Threats won't abate anytime soon.

Federal agencies have long used network segmentation as a way to limit the risk of security breaches and protect sensitive and classified information. Protecting high-value information is essential for the safety of the American people, and network segmentation is a requirement of FISMA, CERT, NIST and others. With a sharp focus on IT modernization, consolidation and shared services, federal networks are increasingly being called upon to support multiple missions and objectives.

While network segmentation is a best practice, it is also complex and costly. Segmenting wireless networks to support both classified and unclassified information requires a physical air gap. For federal agencies and even the largest enterprises, that means buying duplicate sets of APs, controllers, and management consoles to ensure the necessary traffic isolation and mitigate the risk of cyberattacks.

A Better Way to Isolate

Aruba has changed that. With MultiZone, a capability of the ArubaOSv8 operating system, federal IT can create separate zones to allow multiple data classifications to share the same network infrastructure. With MultiZone, sensitive unclassified networks can be separated from classified networks, while sharing the same physical access point and RF environment and maintaining traffic isolation. This would also allow separation of open networks and sensitive unclassified networks.

Different government agencies operating in the same facility can share a common network infrastructure. Visitors and contractors can have Wi-Fi access to their own resources, with the appropriate levels of control, but leveraging a shared physical infrastructure. In the private sector, MultiZone could be used to support multiple tenants on the same network infrastructure.

  1. Is secure. Each zone has its own controller, and the APs can communicate securely with multiple controllers. Role-based access and policy rules are enforced on the zone controller, so security is tailored to the requirements of the mission. Each zone can be configured and managed by a different team. MultiZone is built on the foundation of the Aruba Secure Core, the most advanced embedded security in the industry. Aruba's architecture is different from all other wireless LAN vendors, and encryption is maintained from the client to the core. Aruba APs do not perform encryption or decryption, and thus do not contain any encryption keys. The APs receive encrypted wireless frames from the radios and immediately package the encrypted frames into an IP tunnel to the mobility controller. The controller processes and decrypts the frames.
  2. Saves money. MultiZone minimizes wasteful spending on duplicative networks while taking advantage of the existing wireless infrastructure to meet security requirements. In the past, meeting separation requirements meant buying, installing and managing two of everything, from access points to controllers to management consoles. Software licensing costs are also reduced.
  3. Speeds time-to-operation. MultiZone simplifies the Authority to Operate (ATO) / Risk Management Framework (RMF) process to certify that the systems meet all of the Government requirements to become operational. Using MultiZone means individual zones may be certified independently and become operational without having to wait for other organizations/zones to complete theirs. For a system supporting different classifications, such as unclassified and sensitive information, each zone would manage its own ATO/RMF process.

Aruba has long been a leader in delivering secure wired and wireless networks to all parts of the federal market. The Aruba solution, including ClearPass network access control, is Common Criteria and FIPS-certified. That's why many civilian agencies have already deployed ArubaOSv8, and it is being certified under the NSA's Commercial Solutions for Classified (CSfC) for the Campus WLAN Capabilities Package 2.0.