Interviewee: Vesh Bhatt, co-founder and CTO of Attila Security.
Security is a big subject, but that doesn’t mean you can’t learn a lot in a short amount of time. We know people are busy, but for those that are still hungry for better ways to approach securing their organizations or clients, we’ve created Small But Mighty.
Twice each month, hosts from Attila Security’s Sales and Marketing teams host a 15-minute coffee chat with innovators and thought leaders in the cybersecurity space to provide big insights in a bite-sized format.
Watch the video conversation here, or check out the summary or full transcript below.
Learn more about the topics discussed in this video:
- CSfC Mobile Access Capability Package (MACP) Architecture Examples
- Resources on CSfC
- What is a retransmission device?
Vesh Bhatt heads up technical operations at Attila Security, a private security company. He has a solid background in cybersecurity and is a leader in the field, overseeing projects that leverage his background in R & D for the Department of Defense and launching prototypes of new generation tech for Attila.
Joe and Stacy are also on, from the Attila team.
What’s in the Cup?:
He’s a coffee hobbyist and the coronavirus pandemic forced his hand to bring his enthusiasm in-house. Stacy’s rocking the old-school standard, with a cup of Folgers. Joe’s guzzling a Costco brand, Columbia Supremo, which sounds fancy but is down-to-earth.
Today’s Topic: Deployment options for CSfC Mobile Access Capability Package architectures
Attila has some unique approaches that provide cutting edge security solutions. Within CSfC and the MACP, we’ve been working closely to develop better options for our customers. These solutions for mobile security are meant for mobile access, and as such, must be easy to use and move around with. This requires an environment in which tech can safely be used on-the-go. An issue in this environment has always been getting two VPNs to run on a single device. That issue remains even today.
There is a lot of R & D and experimentation to launch these kinds of solutions. With certain devices, a lack of low-level access to operating systems makes this nearly impossible. Once such access is activated, it’s difficult to maintain securely with regular updates or troubleshoot in coordination with the OS. Biweekly OS updates create a huge burden, then, on the maintenance end.
The professionals who use these systems, such as law enforcement or military personnel, should never have to “stop to install an update.” Even the fact that solution sets have to be ever-ready to deploy in live use is a huge barrier to efficient operations.
Read the Complete CSfC Guide
Your Complete Guide to Building a CSfC Approved Solution.
Solutions to MACP issues
MACP draft version 2.4 calls out the need for things like retransmission devices or outer VPN gateways. Attila’s GoSilent Cube solution works perfectly in this position. This allows users to keep the outer VPN on dedicated hardware, which means you only need a single software VPN installed on end-user devices. This works in a way that aligns with the design of commercial vendors.
Commercial vendors never expected their solutions to have two software VPNs installed (and playing nicely). Having a dedicated gateway provides plug and play functionality.
Retransmission devices are required in the MACP because devices with cellular capabilities run into what is called “the baseband problem.” This is basically that the 4G chip, CPU and memory are all built to share access and other elements that are great for speed but not so great for security.
The issue becomes that the cellular carrier often has access to the 4G chip on a device. If a user is in the U.S. and working for the U.S. Government, that may be fine. However, once you start running on foreign cellular networks, it may or may not be trustworthy.
As classified data runs over these devices at increased levels of classification, governmental organizations recognize the need for hardware separation. That way, nothing outside of your control has device access. The retransmission device does two things:
- On one end, it connects to 4G or wifi and provides internet
- On the LAN side, it puts out a wireless hotspot or uses ethernet to connect end user devices
Read the Case Study: CSfC Case Study
Attila’s GoSilent implemented as a secure, portable, low cost, high-bandwidth VPN for CSfC communications campus-wide.
Attila’s hardware VPN capabilities not only ensure compliance with future requirements but also alleviate the concerns and maintenance tail of running two software VPNs on a device.
The fact that the outer VPN is dedicated, and separate, means that devices can easily be upgraded or updated with no negative effects. If, today, a user has one version of a phone and wants a newer model, that person would have to navigate issues with the two VPNs.
This is also a challenge with vendor changes. All of this can add expense. Attila’s tech revolutionizes the capacity of teams to deploy better solutions with the ultimate checks and balances of security.
Unique architectures with the GoSilent Cube
Read this full article that breaks down specific MACP deployment architectures that employ the GoSilent Cube.
Benefits of CSfC
The GoSilent Cube elevates a user's ability to deploy, maintain and manage data and devices. Currently, some teams are just using hotspots straight off the shelf. That doesn’t have centralized management capabilities, which can make it a huge challenge to maintain.
What’s absent in other CSfC components is to bolt this on to a solution you already have. In many cases, the GoSilent can be added to an already existing architecture or components already in use to make the entire architecture CSfC compliant.
Go Silent is the perfect addition, because it’s plug and play with any IP enabled device. From the end user perspective, all they have to do is connect through any local or public internet connection. And, through remote oversight and management, users won’t be able to modify important settings that affect security of data transmission.
Read the Full Transcript
Hello and welcome to Small But mighty security might be a big subject, but that doesn't mean people can't learn a lot in a short amount of time. We know people are busy, but they are still hungry for ways to approach securing their organizations or their clients. That's why twice each month we'll be hosting 15 minute coffee chats with innovators and thought leaders in the cybersecurity space to provide big insights in a bite size format. I'm Stacy. And this is Joe from the Attila marketing team. And today we are here with Vesh, founder, co founder, and CTO of Attila. Hi Vesh.
Hey Stacy, how are you?
So I'm great. Thank you. Because I'm about halfway through my first cup of coffee, which is how long it takes me to get there. Speaking of, because this is a coffee chat, let's talk a little bit about what everybody's got in their mug this morning or afternoon, depending on when you're watching.
Who wants to go first?
Oh, I think we probably need to let Vesh go first. Cause I'm pretty sure his is exciting.
I know his will be exciting. So I'm just drinking an Americana right now. Recently got an espresso machine, so having fun, just trying different bean blends that I can get my hands on. The one today is called hologram. It's a blend from Counter Culture, and I think they're based out of North Carolina. That's where their headquarters is so I can get fairly fresh beans here in the local grocery stores from them
And the the full on espresso machine. That's a, that's a big jump up from my Mr. Coffee.
Yeah. I mean, I think once Corona started, it was a lot harder for me to go down and try different coffee shops, which is one of my favorite hobbies. So I decided, you know, I think this is a good time to start experimenting and figuring out how they do it so well.
Yeah. I think we've all become temporary baristas because we don't have ours available. Well, I'm with my old standard of Folgers and Joe, I don't know if you're in the same boat as me.
I'm boring. I'm always boring. With the coffee anyway. I'm drinking Costco's brand Columbia Supremo, so it sounds really fancy, but it does sound fancy. Kirkland's finest.
Well with that today, we're here to talk a little bit about some of the unique deployment options that we've been working on with some of our clients here at Attila for CSfC mobile access capability package architectures. So Vesh, do you want to talk a little bit about how we've been approaching that and how we've seen some different requests come through?
Yep. Happy to. So within CSfC and the mobile access capability package one of the difficult things, especially since the word mobile and the fact that you're trying to create a solution set that is very easy for individuals to carry and move around with and pretty much being able to set up and weave into an environment immediately, or being able to use it on the go.
One of the issues with that and has always been trying to get two VPNs to run on a single device. In fact, that's probably one of the hardest things at this point today. Mainly because it comes with a lot of experimentation and R & D type of work that you have to do to get it working in the first place. It's almost impossible to get it running on some devices because you don't have that low level of access to the operating system, or you have to modify the routes or other settings.
And then once you do get it up and running, it's really difficult to maintain and update. And to make sure it's working as you get updates for the OS itself. Because a lot of the times updating the iOS is going to break whatever you set up in there. And nowadays when you have updates almost every two weeks to a month now that's a lot of time wasted in the maintenance tail just for the upkeep of the solution.
And imagine dealing with that in the field as like a law enforcement or military organization, like I can't do this, I have to install an update, hold on.
Right, right. Or just the fact that you have to have the solution set ready to deploy at any second for a lot of these use cases, you can't tell them, Hey, can you just wait another three hours while I finish this and then maybe it'll work for another two days.
So a lot of the customers that we've been working with recognized this and along with that with the next NSA CSfC draft release that they have today, which I believe is geared to be released later this summer MACP version two dot four, that specifically calls out the need for something like a retransmission device or a dedicated outer VPN gateway, which Attila's GoSilent Cube solution works perfectly in that position. And what that allows you to do is basically keep the outer VPN on a dedicated hardware VPN firewall device.
That way you only have to install a single software VPN client on your end user devices and it becomes plug and play. And it works in a way that the commercial vendors have designed their technology from the get go.
I don't think any of the commercial vendors on that designed their solution and expected there to be a second VPN running alongside of it. So having that dedicated outer VPN gateway allows you to easily set that up separately and have that plug and play functionality with basically any device off that list.
So, Vesh I've got a question. You also mentioned another configuration as a retransmission device. How does that differ from what you just described with the consistent outer tunnel option?
So with a retransmission device really that requirement is there because if you take like a 4G or in the future of 5G cell phone, basically anything with cellular capabilities today, the concern and risk they're trying to address with that is what's referred to as the base band problem, which is basically the 4G chip and the CPU, and the memory are all built as a system on a chip on that device or those types of devices which basically means they share memory access and other things which are really nice for speed and things like that.
But when it comes down to security, the problem then comes in that the carrier that you're working with for that cellular connectivity often has access to that 4G chip on that device. Which might be okay if you're in the U S and you're working for the US government, but as soon as you go outside you're running on some foreign country cellular network, which may or may not be trustworthy at that point.
And just to alleviate any concerns that are, especially since you're going to be running more and more classified data, or these devices at higher level classifications and other things I believe they decided to just say, okay, we're going to require this for everyone.
You're going to have that hardware separation. That way, nothing outside of your control has direct access into the devices. So what the retransmission device is doing is basically on one end, it's going to be connecting to four G or wifi, basically the backhaul or upstream network.
And it's basically the internet whatever source of internet you can get wherever you are. And then on the local area network side, it's going to put out a wireless hotspot, or you're going to have an ethernet connection to it to connect your end user devices.
Gotcha. Okay. That explains it, that, that actually helps me understand why the cube is, is something that's considered in that, in that scenario, along with that we're adding in the VPN capabilities, well, to not only meet the future requirements, but then alleviate the concerns and the maintenance tail of running two software VPNs on a single device.
It sounds like putting two siblings in a room together and expecting them to get along. Said clearly from experience. So what, what are some of the the unique architectures you've been putting together for, for clients and how are they using the Cube as part of their deployment?
That's a great question. And before I go directly into that, one other thing I wanted to mention which I think will be reflected in the specific use cases I talk about is that the fact that the outer VPN is dedicated you can easily upgrade your devices as you go in the future as well. Because let's say today, you have a certain version of a phone next year and you want comes out and you want to do a hardware refresh for that.
Now you have to go figure out how those two VPNs will work on this new version of the phone, or if you want to switch from one vendor to another, you have to go and redo all of that, including the R & D, not just a maintenance tail, which can get pretty expensive. So in the use cases we have today one of the larger ones that we've seen today is using virtual desktops within the mobile access capability package.
Because what that allows you to do is ensure that all your classified data is going to be back at the data center. You're only going have brief session information, or like the actual screen that the person's viewing on the user's device.
And then if you're using the dual data at rest or something like a Zero client you've reduced that risk drastically where even if that exists, it's going to be really hard near impossible to get access to that data.
So what that allows the customers to do is to take a laptop with the dual data at rest encryption package, or a zero client or a tablet, connect that to her, go silent, cube, the ethernet or wifi, and be able to use a software inner VPN. And a lot of the times these customers already have a software VPN that's already on the approved list, so they can stay using that.
And then they might also have VDI in place as well. So they install their VDI client like they do today. And that's really it for the end user device side and the GoSilents. They provisioned beforehand centrally and hand those out. And from there on it's as easy as connecting to the internet on the GoSilent and then being able to access their virtual desktop remotely.
We also have use cases where we're working with tactical radios as well, where that's the backhaul that, that goes rides on, and then in that case that becomes the go silent. There becomes more of an inner VPN, whereas traditionally as a retransmission device or a dedicated outer VPN gateway, it's the outer VPN. So that oOSilent Cube has the flexibility to work as both.
And along with the centralized management, the Cube offers, it becomes really easy to deploy and maintain and manage these in an easier way than what's available today with the retransmission devices that people are using. Because today that might just be a hotspot that you grab off the shelf from a carrier like Verizon or AT&T.
And you know, that doesn't really have centralized management capabilities. Each one is managed individually. So that also becomes nightmare.
So, I mean, it sounds like across both of the use cases you just talked about what's unique. And probably something that you don't find in any of the other CSfC approved components is the ability to kind of bolt this on to a solution you already have, rather than having to build a solution from the ground up, which saves time in the building. And then again, in the maintenance.
Yep, exactly. Now with the whole premise behind CSfC being that you're using a layer defense or defense in depth, it becomes a lot easier to look at what you have today. Before you go out and start building and all that evaluate what you have today, see how much of that meets the requirements and see what you have to add to meet the other requirements.
So it becomes a lot easier, a lot of the times you're already going to have a VPN. You're already going to have some sort of devices and some of the other requirements like firewalls and things like that as well. So it's a lot easier to use what you have today because you don't have to retrain your existing IT or admin personnel. And then add what you don't have in the GoSilent is perfect addition to that because it's plug and play with any IP enabled device there.
So there's still no training, not having to retrain them. You don't have to train them on the new thing. That's great.
Right. And especially when you're pre configuring the VPN material on there and then using role based access controls, you basically make it so that the user only has to connect, to GoSilent to their local internet connection, whether that's through wifi or ethernet.
And then the only other option I have is connecting or disconnecting the VPN. They wouldn't have the option to modify any of the details or change any of the other things that you don't want them touching in there. All of that would be done centrally through our system settings. Whether that's like the password complexity or log in timeouts or DOD login banner, anything like that.
Well, this is great. I know it's a big subject to try and cover in 15 minutes, which is why we're going to include in the show notes. Some links to some really specific diagrams that you've provided for us, as well as some case studies of all of this in action, in case anybody would like to go dive deeper and spend the time it takes to truly understand each individual architecture as a post interview timeframe. So with that Joe, unless you had any other questions or clarifications, I was gonna close us out.
Yeah, no, I think I'm good. It's been very informative. I definitely even learn something here myself. So thanks Vesh.
I appreciate it. I know we have access to Vesh every day of our lives and we still learn something every time we talk. Well, thanks so much for your time today, Vesh and to all of our viewers, make sure you join us twice a month for our 15 minutes security chats. Learn more about securing your organization. Thanks everybody. Bye.