Trusted Computing in Government Networks May 16, 2007. Richard C. (Dick) Schaeffer, Jr. Information Assurance Director National Security Agency. Information Assurance at NSA. Information Assurance Directorate (IAD)
Information Assurance at NSA
• Information Assurance Directorate (IAD)
  • Provides products and services critical to protecting U.S. National Security information and information systems
• National Information Assurance Research Laboratory (NIARL)
  • Carries out research and design of technologies needed to enable IA solutions for the National Security Community
  • Where SELinux was created and is currently maintained

IA Mission Drivers
• Rapid introduction of new technology & services
• IA solutions must be available at the speed of the IT business and customer cycles
• Commercial IT dominates most systems; commercial IA growing
• Leveraging/influencing commercial activity is vital
• Global communications and connectivity expanding
• National IA needs are growing while resources remain fairly constant

Government/Industry Partnerships
• Meeting national IA needs requires cooperative partnerships
• Multi-layered approach
  • Define System-level Solutions
    • Operational Capability Needs
    • Appropriate IA for Operational Environment
  • Determine that System Components (COTS & GOTS) provide necessary capabilities and assurance
    • Technology Guidance
    • Evaluation
  • Develop and Provide User Guidance
    • Configuration Guides
    • Systems Security Engineering

Timing IA Integration
• IA activities provide benefit all along the product/system life-cycle
  • Early in the Development (maximum effect)
    • Microsoft Security Design Lifecycle (SDL)
    • Solution and Technology IA Design Guidance
  • Near Product/System Completion
    • Vulnerability Analysis
    • Evaluation
  • During Operation
    • Appropriate Usage Guidance
    • Configuration Guidance (e.g., Microsoft Windows)

Balanced IA
• Not all systems require equal security functionality and assurance
• Operational factors dictate necessary security functions
  • Data sensitivity and perishability
  • System connectivity
  • Criticality of operation
  • Operational environment

The Right Security Functionality
• Lessons learned from Multi-Level Security (MLS) systems
• SELinux embodies a sound architecture for flexible Mandatory Access Control
• Open Source Community has helped to shape the end result
• Continuing to work toward further advances

Achieving Higher Assurance
• Crucial to NSA and its clients and customers
• Getting the right functionality with medium assurance through current efforts
• EAL4 is not the end of the road, just a start
• Higher levels of assurance (EAL4+ and beyond) critical to meeting the needs of the National Security Community

High Assurance Platform (HAP)
• NSA program fusing advanced commercial initiatives with NSA certified trusted applications into a customizable platform security architecture
• Leverage COTS to maximum extent possible
• Hardware assisted virtualization and security
• Enable solution integrators to compose a high assurance platform instance from available components that can:
  • Isolate and separate security domains
  • Provide assured information sharing across security domains

IA Tools
• Automated tools needed to counter immense product and system complexity, particularly for high assurance
• Tools applied across the life-cycle
  • Development
    • Risk and design analysis tools
    • Threat modeling tools
  • Analysis
    • Source and binary code analysis tools
  • Operation
    • Patch management tools
    • Configuration checking and consistency tools

Gaining Commercial Acceptance
• The technical challenges facing the National Security Community are the same; the stakes are quite different
• Unique perspective on threats and countermeasures to share with industry
• Our role is not just to “tell” industry what to do; we must also contribute to the “solution” space

Reaching the Goal
• Significant progress to date!
• Need to keep advancing in all areas:
  • Enhanced Security Functionality
  • Increased Assurance
  • More Robust Tools
  • Improved Commercial Acceptance
  • Expanded Partnerships