Putting Secure Information Sharing and Access Management Into Practice

John Hewie, Microsoft Canada
Tim Upton, Titus Labs Inc.

May 30th – 31st, 2007, Chateau Laurier, Ottawa

The Challenge

How do we share information in a secure and cost effective manner that allows for timely and effective access by the right individuals?
How do we move from “need to isolate” to “need to share securely”?
Many policies exist that encumber information sharing across department / agency

The Current Solution

[Diagram of separate networks and devices: SIPRNET, GWAN, NSANET (IWS), JIWCS (IWS), Site TS/SI/TK/B, Ops Net, Stu-III, Red Phone, JWICS VTC, OSINT, READOUT Multi-Net (IWS), Secure Polycom]

Today’s Solution - Multiple Everything

Physical separation is the norm
Each network will have its own storage, network, servers and desktops
This results in:
High total cost of ownership
For example, USCENTCOM operates several distinct networks at the same classification level but with different caveats
Multiple accounts per user
Difficult collaboration
Duplication of information
Complex security management
Information sharing via sneaker net or retyping information

What is SISA? Secure Information Sharing Architecture

SISA - “Secure Information Sharing Architecture”
Partnership between Microsoft, Cisco, EMC, Decru and Titus
An approach for collapsing many physical networks into virtual “compartments” on one physical network
Original goals for military sharing requirements but solution components applicable to anyone who has a need to share information securely.
SISA is a secure collaboration framework built upon a single physical network

Approach

Use a single source for authentication: Active Directory
Enforce user specific rights and network privileges based on group membership
Ensure best security protection against known and unknown threats
Validate security posture of each host system
Automatically enforce system update remediation
Consolidated monitoring of computer and network security
Secure data at rest and in transit
Make it affordable
Leverage existing hardware, software and training investments
Protect compartmented data within a single IT system
Leverage guidance defined in DCID 6-3
Protection level 3 (PL3) addresses compartmentalization at the same “security classification” level
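One way to model the group-membership-based compartment check this approach describes, as an added example that is not code from the presentation or from SISA's vendors; the SISA-Level-*/SISA-Caveat-* AD group naming, the Label class and the sample items are assumptions constructed for illustration:

```python
# Added example, not code from the SISA presentation or its vendors: a minimal
# model of the compartment access decision where AD group membership decides
# which "virtual compartments" a user may read (all names are constructed).
from dataclasses import dataclass

# Ordered classification levels; a higher index dominates a lower one.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
LEVEL_GROUP_PREFIX = "SISA-Level-"    # hypothetical AD group naming convention
CAVEAT_GROUP_PREFIX = "SISA-Caveat-"  # one group per caveat / compartment

@dataclass(frozen=True)
class Label:
    level: str
    caveats: frozenset = frozenset()

def clearance_from_groups(groups):
    """Highest SISA-Level-* group sets the level, each SISA-Caveat-* group
    grants one caveat; None means the user holds no clearance at all."""
    level_idx, caveats = -1, set()
    for g in groups:
        if g.startswith(LEVEL_GROUP_PREFIX):
            name = g[len(LEVEL_GROUP_PREFIX):].replace("_", " ")
            if name in LEVELS:
                level_idx = max(level_idx, LEVELS.index(name))
        elif g.startswith(CAVEAT_GROUP_PREFIX):
            caveats.add(g[len(CAVEAT_GROUP_PREFIX):])
    return None if level_idx < 0 else Label(LEVELS[level_idx], frozenset(caveats))

def may_read(clearance, data_label):
    """PL3-style rule: the user's level must dominate the data's level and the
    user must hold every caveat on the data, so items at the same level with
    different caveats are separate compartments."""
    if clearance is None:
        return False
    return (LEVELS.index(clearance.level) >= LEVELS.index(data_label.level)
            and data_label.caveats <= clearance.caveats)

def visible_items(groups, items):
    """Sorted names of the items a member of `groups` may read."""
    clearance = clearance_from_groups(groups)
    return sorted(n for n, lbl in items.items() if may_read(clearance, lbl))

# Constructed sample: stores at one classification level but different caveats,
# the situation the slides describe for USCENTCOM's separate networks.
SAMPLE_ITEMS = {
    "ops-plan.docx": Label("SECRET", frozenset({"CAVEAT-A"})),
    "liaison-report.docx": Label("SECRET", frozenset({"CAVEAT-B"})),
    "joint-brief.pptx": Label("SECRET", frozenset({"CAVEAT-A", "CAVEAT-B"})),
    "public-notice.txt": Label("UNCLASSIFIED"),
}
```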

Architectural Service Components

[Diagram. Service groups: Access Protection Services, Content Protection Services, Data Protection Services, WatchDog Services. Building blocks: End-Device Lockdown and Health; Network Protection / Policy Enforcement; Network Path Isolation; Application AuthN and AuthZ; Document and File Encryption; Application Lockdown; Data at Rest Isolation and Encryption; Intelligent Auditing]

Component Descriptions

Access Protection Services for End-Devices: Establish healthy end-devices, protection against malicious code attacks
Group Policy, Cisco Security Agent (CSA)

Access Protection Services for Networks: Port authentication, path isolation, policy enforcement on network devices
802.1x, NAC, Domain isolation (IPSec), VLANs

Content Protection Services: Collaboration services with protection against inadvertent disclosure of files, documents and emails
AD, Office, RMS, Titus Labs

Data Protection Services: Protection of data at rest
DECRU, VSANS (Cryptainers)

Watchdog Services: Intelligent auditing, intrusion attempt detection, anomalous behavior reporting
CS-MARS

Content Protection Services

US Department of Veterans Affairs

US Veterans Affairs: 250,000 users
Experienced largest information security breach (26.5 million records)
Issued Request for Proposal (low hanging fruit of the SISA architecture):
“Classification of e-mail messages”
“Easy to use, non-intrusive”
“Interact with Windows RMS”
“Deploy in 90 days”

Veterans Affairs Service Components

[Diagram, same layout as the Architectural Service Components slide. Service groups: Access Protection Services, Content Protection Services, Data Protection Services, WatchDog Services. Building blocks: End-Device Lockdown and Health; Network Protection / Policy Enforcement; Network Path Isolation; Application AuthN and AuthZ; Document and File Encryption; Application Lockdown; Data at Rest Isolation and Encryption; Intelligent Auditing]

SISA Key Benefits

Tiered approach that delivers multiple layers of security controls
Commercial off-the-shelf infrastructure that takes advantage of current investments and skill sets
Familiar user interfaces to speed training
Authentication at the user, machine, and port levels
Network admission control that applies policy-based admission criteria to each endpoint before allowing connection
Encryption for stored and in-transit data
Cryptographic segmentation of stored data for significant consolidation cost savings
Access to stored data based on permissions set in Microsoft Active Directory
Digital rights management of e-mail and attachments
Security monitoring and reporting tools that provide pertinent, actionable information for managers

Where are We?

CENTCOM functional prototype completed June 2006
NSA review completed January 2007
Working with SOCEUR for upcoming exercise
Working on refresh of the architecture

Want to Know More?

http://www.microsoft.com/industry/government/sisa.mspx