Ensuring Cross-Domain Security with SecureView MILS Workstations Industry Perspective Brought to you by:
SecureView MILS Workstations
Dell Industry Perspective
Cyber threats are rising rapidly and government needs an alternative, secure solution to the present operating environment where multiple machines are required for multiple types of information. This Industry Perspective explains the robust, unparalleled advantages of SecureView, a low-cost, MILS (Multiple Independent Levels of Security) workstation with accredited cross-domain security developed in close collaboration between the Air Force Research Laboratory, Intel® and Citrix. Specifically, we’ll discuss how SecureView:

- Runs on any personal computer with Intel® Core™ i5 vPro™ or Intel® Core™ i7 vPro™ processor
- Features a ‘Type 1’ client hypervisor (Citrix XenClient XT),
- Allows a single computer to host multiple guest virtual machines at different classification levels, and
- Supports Windows, Linux, and Solaris as well as both rich and thin client computing models.

Moreover, this report explains the unique SecureView 2.0 Support provided by Dell, which includes factory integration, onsite deployment services and accreditation support that saves government critical time and dollars to remain several steps ahead of cyber intruders.
I. The Cybersecurity Challenge

Here’s the stark reality: federal agencies have seen an 800% increase in cybersecurity incidents over the last seven years. Moreover, a February 2013 Government Accountability Office (GAO) report opens with this ominous statement:

Threats to systems supporting critical infrastructure and federal information systems are evolving and growing. Advanced persistent threats—where adversaries that possess sophisticated levels of expertise and significant resources to pursue its objectives repeatedly over an extended period of time—pose increasing risks.
[Figure 1: Number of incidents reported to US-CERT from federal agencies (fiscal years 2006-2012). Axes: Number of Incidents by Fiscal Year. Source: GAO February 2013 Cybersecurity Report]

These rising threats will have an impact on all spheres of society, from individual citizens to private businesses to the government entities that aim to protect and serve them. As a result, our nation’s collective defensive posture will require coordination among all of these entities as well. While government is analyzing and adapting to the evolving threats, private enterprise is designing and deploying solutions that build a battery of products aimed at fortifying critical information and infrastructure. That’s why private sector companies are eager to engage in the battle alongside government, building products and solutions that defend against attacks. One of those companies is Dell, which has developed a portfolio of security solutions called “Connected Security.”

II. Overview of Dell “Connected Security”

Dell’s security solutions are simple, yet comprehensive:

- Embed security at the time of manufacture
- Protect against threats and mitigate risks - from device to cloud - with predictive intelligence
- Respond to breaches to predict and eradicate immediately
Dell Connected Security enables government agencies to connect and share intelligence across the entire enterprise. With an IT workforce that is stretched and strained in a period of austerity and uncertainty, Connected Security boosts productivity while protecting sensitive information, supporting compliance and maintaining core operations. Dell Connected Security is built upon a foundation of best-in-class solutions and human intelligence that provides improved insight and decision-making. The goal is to achieve the following outcomes for an agency:

- Protected data: Secure data wherever it goes (laptops, desktops, tablets, smartphones, external media and the cloud) without disrupting the end user or IT processes.
- Protected identity and access: Know who has access to critical information, gain insight into who’s doing what, when and how, and enable IT staff to comply with virtually any audit or compliance request — all with diminished complexity.
- Protected network: Enable deep protection and control without compromising network performance, scanning all traffic coming into the network and controlling bandwidth consumed by video and sensitive data being uploaded to shared sites.
- Predictive protection: Leverage Dell’s cyber-threat researchers as they hunt down and track malicious activity worldwide. Their intelligence feeds into Dell’s managed security, consulting and incident response services to provide your business with predictive, continuous and responsive security.

Within this comprehensive arsenal of products and services stands one of Dell’s secret weapons: Dell SecureView Support.
Figure 2: Dell Connected Security
III. SecureView: A Model in Cross-Sector Collaboration

The US Air Force Research Laboratory (AFRL) needed a secure, robust workstation that would support high-performance applications and provide independent and concurrent access to multiple security domains from a single-client system. The solution needed to prevent data from leaking, be deployable with minimal impact to an agency and be ready within four hours. In response to this need, AFRL worked collaboratively with Intel® and Citrix to build this precise environment in less than 10 months. The specifics of that solution are laid out in a white paper titled, “SecureView: Government/Industry Collaboration Delivers Improved Levels of Security, Performance, and Cost Savings for Mission-Critical Applications.” The white paper explains:

SecureView’s technology foundation is Intel® Core™ vPro™ processors technology and Citrix XenClient XT—technologies that efficiently combine hardware and software to improve security, manageability, and performance of the client computing environment. SecureView is a flexible virtualization solution that runs on clients in either client-hosted or server-hosted modes of operation. Server-hosted modes use a thin virtual machine (VM), with a minimal operating system running on the client and applications executing on server infrastructure within the environment. In client-hosted modes, the end point operates a full operating system and applications execution within virtual containers.
SecureView provides integrated, hardware-based functionality that supports multiple operating system environments and security domains on each end-user PC desktop or notebook via virtual containers. These capabilities are supported by Intel® Virtualization Technology (Intel® VT) and provide safeguards, via Intel® Trusted Execution Technology (Intel® TXT), to protect each virtual environment from malware contamination. Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI) accelerates disk encryption. These hardware-aided security technologies render SecureView clients inherently less vulnerable than traditional software-only approaches.

In addition to providing an exceptionally secure environment, the product reduced Total Cost of Ownership (TCO) by up to 67 percent. SecureView has been deployed at more than one dozen federal agencies as of November 2012, and the solution has already saved the government millions of dollars in development and TCO expenses, and achieves objectives in security, performance and cost. More information about SecureView and Dell’s support of this solution is found below.
IV. Overview of Dell’s SecureView MILS Workstation Support

In order to better understand the value of SecureView to government, GovLoop interviewed subject matter expert Scott Stevens, Dell’s Senior Security Strategist. Stevens said that SecureView, “solves three core problems for government when it comes to the outdated hardware configuration shown in the AFRL white paper: security, cost, and space.” Each of these factors is outlined below:

[Figure 3: SecureView annual TCO compared to other architectures (% higher annual TCO compared to SecureView). Source: AFRL SecureView White Paper]
SECURITY: 2 Use Cases - Classified and Non-Classified

As stated at the outset, the cyber threat is growing with each passing day. That’s why President Obama released an Executive Order titled, “Improving Critical Infrastructure Cybersecurity” in February 2013, which directs the National Institute of Standards and Technology (NIST) to lead the development of a Cybersecurity Framework that aims to establish “a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.”
SecureView provides this flexible level of information security as it was designed to work locally or remotely through Microsoft, Citrix or VMware. “In classified environments, such as the military or intelligence agencies - for instance, working online when a satellite is overhead, then shifting offline afterwards - SecureView does not require alterations or specialized software under this type of deployment,” said Stevens.

In non-classified situations, the biggest problem that agencies have is the risk of malware, viruses and malicious sites infiltrating a network. “The same user may require both restricted, classified access to internal content,” Stevens noted, “while also needing to reach online for information.” Colloquially, Dell calls this a “browser in a box” where users have full access to the network at all times but are also able to restrict unwashed internet access to mitigate cybersecurity issues.
An additional feature is that every time an individual logs into a browser, there is a fresh install so that any site with malware doesn’t get installed to the network because it’s a unique log in every time.
SPACE: 3 Deployments, Unlimited Configurations

The federal government knows it needs to reduce its physical property footprint. In fact, the Administration reported a $5.1 billion savings in FY 2012 by “reducing Federally-occupied space and/or using and operating space more efficiently.” The Office of Management and Budget (OMB) recently identified over 12,000 properties that are either for sale or sold as part of an effort to save $3.5 billion by the end of last year. In fact, the White House has proposed a “Freeze the Footprint” policy that encourages agencies to “consolidate, colocate, better utilize and employ 21st century workforce strategies” to achieve real property cost savings.

SecureView assists agencies to meet this mandate by reducing the amount of hardware located in government space. Stevens said that SecureView does that by enabling a three-fold deployment with multiple configurations:

A. Multiple Monitors for Multiple Networks: “In some cases, a user will have multiple monitors with each monitor representing a different network that is accessed by that machine,” Stevens said. By moving one’s mouse to a specific monitor, that network is now the one the viewer is using while the others run in the background.

B. Keyboard-Monitor (KVM): Another configuration allows the user to have just one monitor, but a keyboard switch allows the user to maneuver between the networks.

C. Multi-View: Finally, users may wish to have just one screen, but display multiple pieces of information at once. A new “multi-view” feature allows users to see a single screen that presents information from all networks operating at the same time.

Choosing between these views is based on the preferences of the individual or the parameters of a situation. Some individuals will operate most efficiently with a single screen space while others will want to have visuals on multiple screens. “Power users will still have the power of six monitors where they dedicate one screen to each of the networks,” Stevens noted. “At the same time, mobile users will access information on high performance devices where multi-view will be a critical necessity.”
COST: 2 for 1 Value

The President’s Digital Government Strategy states that, “we must ensure that as the government adjusts to this new digital world, we build the modern infrastructure needed to support digital government efforts and leverage the Federal Government’s buying power to reduce costs.” When it comes to cost considerations, SecureView presents a 2 for 1 savings for government. That’s because SecureView is a MILS (multiple independent levels of security) system, which allows agency personnel to access several machines and networks simultaneously. A MILS environment gives users access to multiple networks on one device, which creates significant cost savings.
Stevens indicated that, “Dell’s goal is to cut an agency’s procurement, support and licensing cost in half.” He explained that instead of buying 90,000 workstations, an agency will only require 45,000 and rather than paying for End User License Agreements (ELA) for 90,000 desktops, an agency will pare that payment down to the cost of 45,000 units. “In fact, some Microsoft licenses allow an agency to install up to four instances of the operating system and applications on devices under one license,” Stevens noted. “With these kinds of savings, SecureView offers the most efficient cost structure on the market.”
SECUREVIEW 2.0 SUPPORT: DELL’S UNIQUE ADVANTAGE

While an agency could purchase SecureView machines ‘out of the box,’ there’s a critical value-add that Dell offers with its SecureView 2.0 Support. “There are a thousand network interfaces out there and Dell has certified a handful of them,” explained Stevens. “There’s a reason we’ve only certified that small number – it’s because not all of them work. If an agency tries to perform this certification by itself, it will be a nightmare. Dell has done that testing and certifying, and can guarantee an agency that the machines will arrive onsite ready for deployment.” It’s the three SecureView 2.0 Support services – factory integration, onsite deployment services, and accreditation support – that put Dell in a unique position among vendors when it comes to speeding time to deployment.
V. Summary

SecureView responds directly to the Administration’s mandate for a Cybersecurity Framework that identifies cross-sector security standards, guidelines and products that protect critical infrastructure. SecureView has been deployed at more than a dozen agencies with demonstrated impact on cost, performance, security and space – known challenges that are at the top of our nation’s policy priorities. Finally, SecureView is deployable within hours and is ready to meet the demands of an increasingly mobile workforce. As a result, when the rising threats come, our nation will stand ready.
Resources

- AFRL SecureView White Paper
- H.R. 1734 - Civilian Property Realignment Act
- Agency Financial Management Snapshots via Performance.Gov
- Executive Order - Improving Critical Infrastructure Cybersecurity
About Dell

Federal agencies have the same IT needs and opportunities as their private sector counterparts, but they demand a different approach. Dell can help. As a trusted partner of government agencies, we understand your budgets, your complex security and compliance requirements, and your drive toward successful collaboration among agencies.

We strive to help you reach better government efficiency through technology. Our case-by-case approach helps you determine the right technology and services for your agency, including cloud computing, data center modernization, employee mobility initiatives and cybersecurity. Learn how our comprehensive portfolio of solutions helps you plan, implement and maintain your IT initiatives. Find out more at Dell Federal Government.

About GovLoop

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public sector professionals by serving as the knowledge network for government. GovLoop connects more than 65,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C. with a team of dedicated professionals who share a commitment to connect and improve government.
For more information about this report, please reach out to Andrew Krzmarzick, Director of Community Engagement, GovLoop, at andrew@govloop.com, or follow him on Twitter: @krazykriz. GovLoop 734 15th St NW, Suite 500 Washington, DC 20005 Phone: (202) 407-7421 Twitter: @GovLoop Web: www.GovLoop.com
Intel, the Intel logo, Intel Atom and Intel Atom Inside are trademarks of Intel Corporation in the U.S. and/or other countries.