
Putting Secure Information Sharing and Access Management Into Practice


Presentation Transcript


  1. Putting Secure Information Sharing and Access Management Into Practice
     John Hewie, Microsoft Canada
     Tim Upton, Titus Labs Inc.

  2. The Challenge
     • How do we share information in a secure and cost-effective manner that allows for timely and effective access by the right individuals?
     • How do we move from “need to isolate” to “need to share securely”? Many policies exist that encumber information sharing across departments / agencies.

  3. The Current Solution
     (Diagram of today's separate networks and devices: OSINT, JWICS (IWS), GWAN, SIPRNET, NSANET (IWS), Site TS/SI/TK/B Ops Net, Red Phone, READOUT, Multi-Net (IWS), JWICS VTC, Secure Polycom, STU-III)

  4. Today’s Solution - Multiple Everything
     • Physical separation is the norm
     • Each network has its own storage, network, servers and desktops
     • This results in:
       • High total cost of ownership
         • For example, USCENTCOM operates several distinct networks at the same classification level but with different caveats
       • Multiple accounts per user
       • Difficult collaboration
       • Duplication of information
       • Complex security management
       • Information sharing via sneakernet or retyping information

  5. What is SISA?
     • SISA - “Secure Information Sharing Architecture”
     • Partnership between Microsoft, Cisco, EMC, Decru and Titus
     • An approach for collapsing many physical networks into virtual “compartments” on one physical network
     • Original goals were military sharing requirements, but the solution components are applicable to anyone who has a need to share information securely
     SISA is a secure collaboration framework built upon a single physical network.

  6. Demo: Secure Information Sharing Architecture

  7. Approach
     • Use a single source for authentication: Active Directory
     • Enforce user-specific rights and network privileges based on group membership
     • Ensure best security protection against known and unknown threats
     • Validate the security posture of each host system
     • Automatically enforce system update remediation
     • Consolidated monitoring of computer and network security
     • Secure data at rest and in transit
     • Make it affordable
       • Leverage existing hardware, software and training investments
     • Protect compartmented data within a single IT system
       • Leverage guidance defined in DCID 6-3
       • Protection Level 3 (PL3) addresses compartmentalization at the same “security classification” level
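The PL3 rule on this slide, compartmentalization at one classification level with rights derived from Active Directory group membership, as an added Python model of the access decision plus the audit trail the watchdog services would consume. This is illustrative code written for this page, not SISA's, Microsoft's or Titus Labs' code; the group-name convention (CL-/CPT- prefixes), the labels and the sample users are constructed.

```python
from dataclasses import dataclass

# Ordered classification levels (constructed, generic hierarchy).
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset  # caveats that compartment data within one level

@dataclass
class User:
    name: str
    groups: set  # AD-style group memberships granting clearance and compartments

def clearance_from_groups(groups):
    """Derive a user's effective label from group names.
    Assumed convention: 'CL-<LEVEL>' grants a level (underscore for space),
    'CPT-<NAME>' grants a compartment. Unknown groups are ignored."""
    level = "UNCLASSIFIED"
    compartments = set()
    for g in groups:
        if g.startswith("CL-"):
            cand = g[3:].replace("_", " ")
            if LEVELS.get(cand, -1) > LEVELS[level]:
                level = cand
        elif g.startswith("CPT-"):
            compartments.add(g[4:])
    return Label(level, frozenset(compartments))

AUDIT = []  # every decision is recorded: (user, level, compartments, allowed)

def can_access(user, doc_label):
    """PL3-style check: the user's level must dominate the document's level
    AND the user must hold every compartment on the document. Two users at
    the same level therefore see different data depending on their caveats."""
    ul = clearance_from_groups(user.groups)
    allowed = (LEVELS[ul.level] >= LEVELS[doc_label.level]
               and doc_label.compartments <= ul.compartments)
    AUDIT.append((user.name, doc_label.level, sorted(doc_label.compartments), allowed))
    return allowed

if __name__ == "__main__":
    alice = User("alice", {"CL-SECRET", "CPT-ALPHA", "CPT-BRAVO"})
    bob = User("bob", {"CL-SECRET", "CPT-ALPHA"})
    doc = Label("SECRET", frozenset({"ALPHA", "BRAVO"}))
    print(can_access(alice, doc), can_access(bob, doc))  # True False
    for entry in AUDIT:
        print(entry)
```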

  8. Architectural Service Components
     (Diagram of the service components: Access Protection Services, End-Device Lockdown and Health, Network Protection/Policy Enforcement, Network Path Isolation, Content Protection Services, Application AuthN and AuthZ, Document and File Encryption, Data Protection Services, Application Lockdown, WatchDog Services, Data at Rest Isolation and Encryption, Intelligent Auditing)

  9. Component Descriptions
     • Access Protection Services for End-Devices
       • Establish healthy end-devices, protection against malicious code attacks
       • Group Policy, Cisco Security Agent (CSA)
     • Access Protection Services for Networks
       • Port authentication, path isolation, policy enforcement on network devices
       • 802.1x, NAC, Domain isolation (IPsec), VLANs
     • Content Protection Services
       • Collaboration services with protection against inadvertent disclosure of files, documents and emails
       • AD, Office, RMS, Titus Labs
     • Data Protection Services
       • Protection of data at rest
       • DECRU, VSANS (Cryptainers)
     • Watchdog Services
       • Intelligent auditing, intrusion attempt detection, anomalous behavior reporting
       • CS-MARS

  10. Demo: Content Protection Services

  11. Customer: US Department of Veterans Affairs

  12. US Veterans Affairs
     • 250,000 users
     • Experienced the largest information security breach (26.5 million records)
     • Issued a Request for Proposal (the low-hanging fruit of the SISA architecture):
       • “Classification of e-mail messages”
       • “Easy to use, non-intrusive”
       • “Interact with Windows RMS”
       • “Deploy in 90 days”

  13. Veterans Affairs Service Components
     (Same service-component diagram as slide 8: Access Protection Services, End-Device Lockdown and Health, Network Protection/Policy Enforcement, Network Path Isolation, Content Protection Services, Application AuthN and AuthZ, Document and File Encryption, Data Protection Services, Application Lockdown, WatchDog Services, Data at Rest Isolation and Encryption, Intelligent Auditing)

  14. SISA Key Benefits
     • Tiered approach that delivers multiple layers of security controls
     • Commercial off-the-shelf infrastructure that takes advantage of current investments and skill sets
     • Familiar user interfaces to speed training
     • Authentication at the user, machine, and port levels
     • Network admission control that applies policy-based admission criteria to each endpoint before allowing connection
     • Encryption for stored and in-transit data
     • Cryptographic segmentation of stored data for significant consolidation cost savings
     • Access to stored data based on permissions set in Microsoft Active Directory
     • Digital rights management of e-mail and attachments
     • Security monitoring and reporting tools that provide pertinent, actionable information for managers

  15. Where are We?
     • CENTCOM functional prototype completed June 2006
     • NSA review completed January 2007
     • Working with SOCEUR for an upcoming exercise
     • Working on a refresh of the architecture

  16. Want to Know More?
     http://www.microsoft.com/industry/government/sisa.mspx
