What comes after air gaps? DARPA asks world for ideas

From nakedsecurity.sophos.com

Air-gapping important computers and data is a security idea that has run its course and urgently needs to be replaced with something better.

That’s according to the US Defense Advanced Research Projects Agency (DARPA), which, armed with up to $1.5 billion of funding, has started canvassing for better ideas through a program appropriately called the Guaranteed Architecture for Physical Security (GAPS).

As DARPA’s briefing points out, air gapping is conceptually simple but has a fundamental problem – getting it to work comes at a heavy cost:

Keeping a system completely disconnected from all means of information transfer is an unrealistic security tactic. Modern computing systems must be able to communicate with other systems, including those with different security requirements.

In other words, for today’s computers to do useful work, they need to be connected to other computers in some way, the very thing that renders air gapping or data isolation insecure. Adding special protocols to compensate for this ends up making life expensive and difficult.

Interfaces to such air-gapped systems are typically added in after the fact and are exceedingly complex, placing undue burden on systems operators as they implement or manage them.

