230 likes | 560 Views
Meeting NASA ’ s Data-At-Rest Encryption Requirements NASA Encryption Requirements Team Executive Briefing With Recommendations January 15, 2008. Meeting NASA ’ s DAR Requirements Background. June 2006: OMB M-06-16, “ Protection of Sensitive Agency Information ”
E N D
Meeting NASA’s Data-At-Rest Encryption Requirements NASA Encryption Requirements Team Executive Briefing With Recommendations January 15, 2008
Meeting NASA’s DAR RequirementsBackground • June 2006: OMB M-06-16, “Protection of Sensitive Agency Information” • Requires Encryption For Sensitive Data (unless data is determined to be non-sensitive) • Mandate not uniformly addressed resulting in misunderstood requirements and questionable guidance • May 2007: JSC Issues RFI to Leading Encryption Vendors • Based on requirements gathered from across the Johnson Space Center • June 2007: DoD/GSA Announce DAR SmartBuy Vendors • July 2007: NASA OCIO Chartered the Encryption Requirements Team • Gather and establish NASA requirements for encryption solutions that meet OMB direction • Use requirements to select and establish an Agency solution for encrypting NASA devices and information and to purchase approved products from the Federal SmartBuy vehicle. • Evaluate technology solutions and recommend an approach that meets NASA requirements • Establish a standard and fold it in to NASA-STD-2804/5
Meeting NASA’s DAR RequirementsBackground • Approach • Use inter-agency team to • Collect NASA Requirements • Validate DoD Requirements • Establish NASA DAR Encryption Requirements • Request Independent Analysis and Recommendation from LMIT • Identify DAR Requirements • Down Select Vendors for Evaluation • Conduct Testing and Deliver Recommendation • Leverage JSC Evaluation as Appropriate • Conduct Gap Analysis between JSC and NASA Requirements • Utilize Knowledge and Expertise developed at JSC in support of their evaluation • Develop Agency Recommendation • Merge Independent LMIT and JSC test results • Evaluate Findings and Recommendations • Select Vendor and Conduct Pilot Test • Engage Selected Vendor in Implementation Strategy • Negotiate Pricing and Draft Acquisition Strategy
Meeting NASA’s DAR RequirementsRequirements • DoD Requirements • 104 Requirements identified as either Critical, Important, or Desirable • 34 Critical Requirements, including • FIPS 140-2 Validated • Full Disk Encryption (FDE) and Filesystem-Level Encryption (FSE) • Minimal User Intervention • PKI and Smartcard Compatibility • FDE Pre-boot Authentication • Central Management Console • High concentration of Critical Tech Support, Licensing, and Training requirements (18 - 50%) • JSC Requirements • Vendors Asked to Respond to 227 Unranked Requirements • 34 Requirements Internally Identified as either Required, Desired, or Optional • 22 Required, including • FIPS 140-2 Validated • 508 Compliant • Ability to Encrypt Removable Devices • Key Escrow • Central Management • Minimal User Intervention • Not dependent upon network connectivity • PIV II Smartcard Compatibility • Full Disk Encryption • Support for Single Sign-on
Meeting NASA’s DAR RequirementsRequirements • LMIT Requirements • 11 Requirements Necessary for Consideration • FIPS 140-2 Validated • Full Disk Encryption • Minimal User Intervention • Interoperability with NASA Active Directory • Support for multiple users (DoD “I”) • Central Management Console • Key Escrow (DoD “I”) • PIV II Smartcard Compatibility • Ability to Remotely Wipe the Device • Log Failed Login Attempts • Maintain Data Integrity • NASA Requirements • NASA unique requirements used to adjust DoD requirements • Gap analysis performed against JSC RFI and Internal Requirements Rankings • Resulting decision was to adopt JSC Requirements • LMIT Requirements mapped entirely into NASA Requirements
Meeting NASA’s DAR RequirementsSelection • Gartners Magic Quadrant Summary of Leading DAR Encryption Vendors: • Vendors under consideration all listed in the upper right quadrant • JSC Selected 5 Vendors for evaluation based • on RFI results • Only 4 vendors were able to participate in proof-of-concept testing • LMIT Selected 3 Vendors for evaluation based • on DAR requirements mapping
Meeting NASA’s DAR RequirementsSelection • JSC Evaluation • Conducted in-house proof-of-concept • Evaluated 7 weighted criterion as either Low, Medium, or High • Business/Background • Experience • Financial • Professional Services • Solution Architecture • Ability to Meet Specific Requirements • Price • LMIT Evaluation • Conducted in-house functional testing to validate vendor claims • Evaluated 3 additional criterion critical to NASA interoperability • Availability of Mac OS X Client • Deployment Options Into Current NASA Active Directory Environment • Ease of Migration from Current AD Environment to NCAD AD Environment • Also Evaluated Infrastructure and Deployment Complexity • Number of required servers • Firewall requirements • Centralized Management and Reporting
Meeting NASA’s DAR RequirementsSelection • JSC Selection: Safeboot • One of only two products committed to cross-platform support • Support for PIV II Smartcards and ActivIdentity Middleware • Flexible and Complete Licensing • Gartner Magic Quadrant • Lowest Price • Impressive List of Government and Industry Customers • LMIT Selection: Safeboot • Provides Full Disk Encryption • Supports PIV II Smartcards • Supports Treo and other PalmOS devices • Supports Windows Mobile devices • Mac OS X Client Available FY08 • Integrates Cleanly and Efficiently with Active Directory • No anticipated issues supporting NCAD migrations • Single Management Console can support entire Agency • Elegant and Flexible Technical Architecture • Lowest Price (Significantly) • NASA Encryption Requirements Team Recommends Safeboot • Supported by Rigorous Independent Evaluations • Best Technical Solution and Best Price • Extraordinary Vendor (VAR and OEM) Support
Meeting NASA’s DAR RequirementsSafeboot Executive Overview SafeBoot - A worldwide operating IT security company • Quick Stats More than 3 million active licenses Over 3000 customers in 74 countries >98.6% client retention >150 Fortune 500 customers Worldwide support with 24 x 7 x 365 Less than 2% employee attrition 20 consecutive quarters of growth Strong financials and debt free Dun & Bradstreet 3A1 rating Most certifications and accreditations i.e. only vendor worldwide with Common Criteria Level 4 of 2006
Meeting NASA’s DAR RequirementsSafeboot Executive Overview SafeBoot – The leading enterprise class security company • SafeBoot Certifications Revenues 2001-2006E $ 35 m • 2006 Common Criteria Level 4 (EAL4) • FIPS 140-1 and FIPS 140-2 • BITS certified • CSIA certified • NIST AES 256 • DSA/DSS (#53 & #112) • SHA-1 (#71 & #254) • DES (#145) $ 30 m $ 25 m $ 20 m $ 15 m $ 10 m 2001 2002 2003 2004 2005 2006 Operating Profit 2001-2006E $ 12 m $ 10 m $ 8 m $ 6 m $ 4 m • SafeBoot Distinctions $ 2 m 2001 2002 2003 2004 2005 2006 • Recognized leader in Gartners Magic Quadrant • Software 500 ranked #378 • SC Magazine’s 2006 Readers Trust Award for “Best Authentication Solution” and “Best Identity Management Solution” • SC Magazine’s Global Award 2004 for “Best Encryption Solution • Member – Microsoft Secure IT Alliance • Member – Secured Partner Program • Member – Trusted Computing Group Revenue Distribution 4% 30% AsiaPac 35% Europe 31% USA
SafeBoot Data Encryption Meeting NASA’s DAR RequirementsSafeboot Executive Overview SafeBoot – The most secure data protection solution • SafeBootis a suite of enterprise-class IT security products for the protection of data on mobile devices. • Device Encryption - Encrypts mobile devices using military strength certified algorithms • Content Encryption - Encrypts selected files, file types, folders or work groups • Port Control - Allows enterprises to monitor the use of and set policies for ports • Secure USB Memory - Encryption of USB memory sticks using military certified algorithms • SafeBootis built around a unique central management center to control corporate security policies • Highly scalable enterprise class solution • Policy driven remote “stealth” installation of all SafeBoot products • Remote security policy management with rich feature set • Produces audit trail of all mobile devices in an enterprise environment to meet compliance requirements
SafeBoot Data Encryption Meeting NASA’s DAR RequirementsSafeboot Executive Overview Device Encryption – Protection of Entire Device • The entire device is encrypted • FIPS 140-2 certified • Common Criteria Level 4 certified • BITS certified • CSIA certified • Secure user authentication • 2-factor • 48 different tokens incl. fingerprint are available • Mix and match tokens / smartcards / passwords • Integrated central administration console for all devices • Audit capability • Full audit trail for device protection • Fulfills all audit and compliance requirements
Meeting NASA’s DAR RequirementsSafeboot Executive Overview Content Encryption – Selective File and Folder Protection • Selective encryption of files and folders • Encrypts classes of data (i.e. Word, Excel) • Encrypts file and folders • Encrypts groups of users (i.e. HR division) • Encrypts email attachments • Removable media encryption (i.e. CD-ROM’s) SafeBoot Data Encryption • Central management of users • All users are centrally managed • Fully integrated with device encryption • Mix and match capability
Meeting NASA’s DAR RequirementsSafeboot Executive Overview Port Control – Management of “Ports” • Controls “ports” of laptops and PC’s • Selective control of all ports • Activates and de-active • Selective use of devices (i.e. only encrypted USB memory) • Prohibits use of unauthorized devices (i.e.iPods, MP3 players) • Security policies can be set • (i.e CD’s can only be burned in encrypted mode) Serial Parallel CD/DVD WiFi USB • Central management of users • All users are centrally managed • Fully integrated with device and content encryption • Mix and match capability PCMCIA IR Bluetooth Firewire
Meeting NASA’s DAR RequirementsSafeboot Executive Overview 4th Generation Security – State of the art software • Key differentiators • Auditing and compliance reporting are unmatched • Integration of device and content encryption and port control • Integrates seamlessly with existing infrastructure • (AD-connectors, Novel NDS, Microsoft and Entrust PKI and so on) • Non-intrusive to end-user and corporate network • (extremely thin client <3MB) • Most certifications and accredidations • User synchronization • (i.e. passwords, de-activations)
Meeting NASA’s DAR RequirementsSafeboot Executive Overview Customers – The most prominent companies in the world • Typical customer profile Fortune 5000 company 1000+ laptops or desktops Global footprint Mobile or distributed workforce Subject to data protection privacy laws All industry verticals • Fortune 500 Customers Over 150 are SafeBoot customers GE, KPMG, SAP, Fujitsu, BT, HSBC, ABN Amro, Sun Life, Northwestern Mutual, and many more have made SafeBoot a mandatory security standard
Meeting NASA’s DAR RequirementsAcquisition Strategy • Safeboot Incentives for Agencywide Licensing Are Impressive • JSC Cost Estimate for Entire Center (12,000 Licenses): $750,000 • LMIT Cost Estimate for ODIN Systems: $1,00,000 • Cost Estimate for all of NASA (74,000 Licenses + 3 years maintenance): $1,198,00 • Q. What’s Included? • A. Pretty Much Everything • Full Disk (Device) Encryption (DE) • Content (File/Folder) Encryption (CE) • Port Control (PC) • Management Console • All Connectors Necessary for Active Directory Integration and Mobile Device Support • Help Desk Web Interface • Three Years of Maintenance • Single License covers up to 5 devices (per-user licensing) • Home Use of all licenses • 74,000 licenses with 10% growth allowance (7,400 licenses) • Access to named Safeboot Engineer for remote support • Lots of onsite design, engineering, and deployment support • $11.56 per license • $2.31 per license maintenance after first year • NASA Contractors qualified to purchase at these same prices Cost If Purchased off the GSA SmartBuy: $3,000,000+
Meeting NASA’s DAR RequirementsAcquisition Strategy • Most Appropriate Acquisition Strategy is an ODIN Infrastructure Upgrade Proposal • ODIN Desktops will all be affected • NASA’s Partnership with LMIT should be leveraged • MFR 137 • NASA will own the licenses, LMIT will manage their acquisition and distribution • Components of an IUP • Software Licensing • Hardware and Infrastructure • Engineering • Software Deployment • Project Management • User Awareness and Training
Meeting NASA’s DAR RequirementsAcquisition Strategy ROM IUP Pricing LMIT Costs Are Estimated For Planning Purposes Only
Meeting NASA’s DAR RequirementsImplementation Strategy • Assumptions • Center Deployments Begin After Domain Consolidation • Must Use Agency User IDs (AUID) • Safeboot administration will be managed centrally • ODIN seats will receive Safeboot client software via standard distribution channels • Non-ODIN seat deployment will be handled by workgroup administrators • NAD users will be provided access to client software and must install it themselves • NASA will approve operating policies and establish process for their maintenance • Observations • Numerous low-cost options exist for redundancy and high availability • After initial client encryption, communication with Safeboot Server is not required for client functionality • Client will sync with the server when connectivity is restored • Severs can become temporarily unavailable without affecting normal operations • User data can be restored even in the absence of network connectivity
Meeting NASA’s DAR RequirementsImplementation Strategy Notional Architecture
Meeting NASA’s DAR RequirementsUse Cases • Laptop User • Device Encryption will be used to encrypt the entire device • Content Encryption will be used to ensure removable media is also encrypted • Desktop User • Device Encryption will be used to encrypt the entire device • Content Encryption will be used to ensure removable media is also encrypted • Desktop User needs to take work home and use his personal computer to continue editing his documents • DE and CE on the work desktop enable the use of any thumb drive • Contents of thumb drive are encrypted • CE must be installed on the home computer to enable thumb drive decryption and/or securely store the documents • Thumb drive remains encrypted at all times • DE not recommended for home computers • Laptop/Desktop User needs to store documents unencrypted on thumb drives (or CD’s) to distribute at a trade show • CE would normally prevent this • User must call the Help Desk and request this capability • Encryption will be disabled on some or all of the removable media devices • A control process will need to be implemented
Meeting NASA’s DAR RequirementsEncryption Requirement Team • OCIO Guidance and Support • Rob Binkley • Diana Kniffin • Marion Meissner • Dana Mellerio • ETADS Support • Gary Gapinski, Lead Engineer • Richard Haas • Pete Wheeler • LMIT • Joe Sigmon, LMIT Lead NASA Team Darryl Barnes, ARC Eduardo Bertot, KSC Donald Calkins, JPL Ron Colvin, GSFC Elton Comer, JSC David Epperson, NSSC Walter Franklin, MSFC Norbert Gillem, ARC Craig Grube, GSFC Christopher Jorgensen, GSFC Sheryl Locke, JSC David Meza, JSC Evaluation Team Lead Stephan Naus, GSFC Christine Reynolds, SSC James Rouse, LARC Will Spencer, DFRC Kanitra Tyler, GSFC Bryan Walls, GSFC Sherman Nicholas Wilson, MSFC Thomas Wolfe, JPL