The National Security Agency wants to use commercially-built security products and the latest virtualization software. But the slow pace of getting products certified through NSA channels and the lightening fast pace of change in the IT industry is causing national-security heartburn.
The high-tech spy agency, which also guides Defense Department information security, has become an enthusiastic proponent of open standards-based technologies such as Trusted Network Connect (TNC) and Trusted Platform Module (TPM) put forward by the organisation Trusted Computing Group (which announced it expects to propose an end-to-end security framework for cloud computing around year-end).
This week the secretive NSA held its first conference related to its views on trusted computing. The NSA Trusted Computing Conference and Exposition in Orlando drew about 500 attendees and 39 exhibiting companies.
Michael Lamont, NSA chief of the network solutions office, noted in his keynote that since May of this year the national-security strategy has been "COTS [commercial off the shelf] first, not GOTS [government]."
Lamont said the NSA wants to influence how commercial technologies are developed, and hopes "richer collaboration could further harden national-security systems" and give commercial systems some "government-like security."
Trusted computing "will be a key enabling technology or set of technologies," said Neal Ziring, technical director, information assurance directorate, NSA, in his conference keynote address.
Ziring said the NSA, under its High Assurance Platform (HAP) program, is turning to a "deliberate reliance on commercial products for protecting even national-security information," and said "my customers are demanding mobility." In the future, NSA expects "COTS will be used to protect even the most sensitive classified information."
Products developed to adhere to the specifications of the Trusted Computing Group (TCG) are a big part of the vision.
Certification processes stall adoption
The NSA's customers are the vast US military and intelligence communities that require accredited software and hardware for use in sharing information from Top Secret through Secret and down to Classified and Unclassified. Products used for "Cross Domain Solutions" for instance, which provide the ability to access or transfer information between two or more security domains, have to be examined and certified to be accepted for use. But the NSA and military-supported certification processes, such as one called Common Criteria, are slow as molasses compared to the IT industry's lightening-fast innovations.
As if to underscore that point, Ian Pratt, vice president for advanced products at Citrix Systems, gave a keynote packed with heady technical detail on new virtualisation software from Citrix, including the Xen-based client hypervisor and multiple ways to run virtual machines while setting policy controls through so-called "service VMs." He explained how TCG-related technologies such as TPM would work, and added that in the future Citrix may come out with a "virtual TPM" that would run as a dedicated virtual machine.
The NSA is hearing demands from the military for high-security options built on virtualisation. The first desktop virtualisation designed HAP workstation built by General Dynamics was showcased in a video to show how a VMware based and hardened Red Hat based workstation using TNC and TCG-compliant hardware components such as TPM, as well as Intel's TXT and TVD, can support secure domain separation.
The HAP workstation, called "Trusted Virtual Environment", is said to allow for attestation, to store system measurements reliably and keep encryption keys safe. During remote attestation, network access can be denied to machines whose identity doesn't check out and compromised HAP workstations could be blocked.
But Bill Ross, director of cybermission assurance systems, C4 systems, at General Dynamics, bluntly told the NSA conference attendees that the current fast-paced and sometimes chaotic state of industry support for TCG-related technologies, along with lengthy accreditation times for HAP, is adding up to real obstacles.
"The rapidly changing hardware environment" has led to "rapid commercial product release and obsolescence," Ross said in his keynote talk about the difficulties of cobbling together various vendor products to build TAP-approved solutions such as the HAP workstation. "We're out of sync with changes in commercial technology."
"The problems are in what I'd call the techno-political realm," he added, noting that there are difficulties in convincing partners, which today include most prominently Intel, VMware, Dell, HP and others, that the effort is warranted.
"We didn't understand what motivated them," Ross pointed out. "We'll say, 'We'll pay you.'" But he admitted he was surprised to see "that rarely worked." Sometimes they'd say they wouldn't support a project because of what they called unclear "opportunity cost." The vendors want to know that their effort for TAP and TCG will lead to wider opportunities beyond just a single TAP project.
The lengthy and cumbersome certification process known as "Secret and Below Interoperability," among others, was an obstacle.
"Bottom line is, it was a lot of growing pains to navigate through the certification process," Ross said, and "it was difficult to keep the interest on multi-year periods."
Separately, Ross said it took 18 months to get the Trusted Virtual Environment TAP-certified workstation, which allows Top Secret and below communications, through the accreditation process, which was completed last year. The Trusted Virtual Environment workstation is being used by the Special Operations Command, across multiple services including the Army as well as NSA. But he said he didn't know the exact numbers because that's kept secret.
NSA, headquartered in Ft. Meade, Md., is not given to much public interaction, particularly with the media, and is clearly struggling with conflicting desires to keep its employees well hidden while also trying to greatly influence development of security technologies in the commercial sector.
NSA allowed systems engineer Boyd Fletcher as well as Fred Leong, NSA Trusted Computing Firmware Project Lead, to discuss some of their initiatives in conference presentations where press was in attendance.
Fletcher described efforts to help develop cross-domain solutions (CDS) in a virtualized environment based on Type 1 hypervisors in particular. Military data centers and in-the-field military are clamoring for virtualization options, and the benefits of virtualization are clear, he said.
The NSA still advocated that CDS run on a trusted operating system, and "maybe in the future will run on a trusted hypervisor," he said. But virtualization promises to help eliminate a lot of the manual labor associated with having administrators physically touching hardware associated with traditional CDS today.
Virtualization's remote console capability could allow for "live migration over thousands of miles, if necessary." But if that transition occurs, system management security will grow in importance, as well as looking at technologies such as network-address translation to make sure cloned CDs don't all have the same IP address, he pointed out.
But Fletcher acknowledged the accreditation process, which can take up to two years, isn't making change simple for CDS.
In addition, Fletcher is helping craft what are called "Virtualization Security Requirements" for use by developers and others, as well as a "Virtualization Security Controls Profile" aimed at analysing security capabilities in assorted virtual machines, including hardware, which is expected to be contributed to the fourth revision of the 800-53 security requirements document published by the National Institute of Standards and Technology.
Fletcher also said his group expects to have what's called a "Virtualization Protection Profile" for hypervisor and management that would constitute "security targets" that vendors could strive for as part of Common Criteria and the National Information Assurance Partnership program which administers the Common Criteria evaluations in the US.
NSA's security experts also appear ready to intercede when they think there's a problem brewing. Various security researchers have shown how it's possible to compromise computers through potential zero-day attacks on the System Management Mode (SMM), which is present in most x86 processors today, Leong said.
In his presentation, Leong alluded to work by Invisible Things Lab and others, which have made the case that rootkits can be dropped by an attacker via SMM.
Leong said the NSA is preparing a mitigation called the SMI Transfer Monitor (STM) to basically replace the current SMI Handler for SMM.
This would basically "sandbox the SMM code," said Leong, noting Intel is working with NSA on it and "Dell has actually modified its BIOS to support this." Sandia National Labs is assisting in testing of STM, and "there will be some performance overhead for doing this," he said.
Even as NSA strives to influence industry development of virtualisation and TCG-related technologies, the agency is grappling with how far it will go to push for a TAP mandate oriented toward national-security-related IT purchasing.
In his keynote address, Neil Kittleson, Trusted Computing Portfolio Manager at the NSA's Central Security Service Commercial Solutions Center, said "we need HAP," which has been forward in various reference implementations. The push for next year is advocacy of some kind of policy directive around HAP and technologies based on specifications from the Trusted Computing Group. He added, "Once we advocate these things, we have to deploy."