
Trusted Computing in Government Networks May 16, 2007

Richard C. (Dick) Schaeffer, Jr., Information Assurance Director, National Security Agency


Presentation Transcript


  1. Trusted Computing in Government Networks
     May 16, 2007
     Richard C. (Dick) Schaeffer, Jr., Information Assurance Director, National Security Agency

  2. Information Assurance at NSA
     • Information Assurance Directorate (IAD)
       • Provides products and services critical to protecting U.S. National Security information and information systems
     • National Information Assurance Research Laboratory (NIARL)
       • Carries out research and design of technologies needed to enable IA solutions for the National Security Community
       • Where SELinux was created and is currently maintained

  3. IA Mission Drivers
     • Rapid introduction of new technology & services
     • IA solutions must be available at the speed of the IT business and customer cycles
     • Commercial IT dominates most systems; commercial IA growing
     • Leveraging/influencing commercial activity is vital
     • Global communications and connectivity expanding
     • National IA needs are growing while resources remain fairly constant

  4. Government/Industry Partnerships
     • To meet national IA needs requires cooperative partnerships
     • Multi-layered approach
       • Define System-level Solutions
         • Operational Capability Needs
         • Appropriate IA for Operational Environment
       • Determine that System Components (COTS & GOTS) provide necessary capabilities and assurance
         • Technology Guidance
         • Evaluation
       • Develop and Provide User Guidance
         • Configuration Guides
         • Systems Security Engineering

  5. Timing IA Integration
     • IA Activities provide benefit all along the product/system life-cycle
     • Early in the Development (maximum effect)
       • Microsoft Security Design Lifecycle (SDL)
       • Solution and Technology IA Design Guidance
     • Near Product/System Completion
       • Vulnerability Analysis
       • Evaluation
     • During Operation
       • Appropriate Usage Guidance
       • Configuration Guidance (e.g., Microsoft Windows)

  6. Balanced IA
     • Not all systems require equal security functionality and assurance
     • Operational factors dictate necessary security functions
       • Data sensitivity and perishability
       • System connectivity
       • Criticality of operation
       • Operational environment

  7. The Right Security Functionality
     • Lessons learned from Multi-Level Security (MLS) systems
     • SELinux embodies a sound architecture for flexible Mandatory Access Control
     • Open Source Community has helped to shape the end result
     • Continuing to work toward further advances

  8. Achieving Higher Assurance
     • Crucial to NSA and its clients and customers
     • Getting the right functionality with medium assurance through current efforts
     • EAL4 is not the end of the road, just a start
     • Higher levels of assurance (EAL4+ and beyond) critical to meeting the needs of the National Security Community

  9. High Assurance Platform (HAP)
     • NSA program fusing advanced commercial initiatives with NSA certified trusted applications into a customizable platform security architecture
     • Leverage COTS to maximum extent possible
     • Hardware assisted virtualization and security
     • Enable solution integrators to compose a high assurance platform instance from available components that can:
       • Isolate and separate security domains
       • Provide assured information sharing across security domains

  10. IA Tools
     • Automated tools needed to counter immense product and system complexity, particularly for high assurance
     • Tools applied across the life-cycle
       • Development
         • Risk and design analysis tools
         • Threat modeling tools
       • Analysis
         • Source and binary code analysis tools
       • Operation
         • Patch management tools
         • Configuration checking and consistency tools

  11. Gaining Commercial Acceptance
     • The technical challenges facing the National Security Community are the same; the stakes are quite different
     • Unique perspective on threats and countermeasures to share with industry
     • Our role is to not just “tell” industry what to do; we must also contribute to the “solution” space

  12. Reaching the Goal
     • Significant progress to date!
     • Need to keep advancing in all areas:
       • Enhanced Security Functionality
       • Increased Assurance
       • More Robust Tools
       • Improved Commercial Acceptance
       • Expanded Partnerships
