SITO Summit 2004: Senior Information Technology Officer Summit PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
May 30th - 31st, 2007, Chateau Laurier, Ottawa
2
Putting Secure Information Sharing and Access Management Into Practice
  • Tim Upton, Titus Labs Inc.
  • John Hewie, Microsoft Canada

3
The Challenge
  • How do we share information in a secure and
    cost-effective manner that allows timely and
    effective access by the right individuals?
  • How do we move from "need to isolate" to "need to
    share securely"?
  • Many policies exist that encumber information
    sharing across department/agency boundaries

4
The Current Solution
  • OSINT
  • JWICS (IWS)
  • GWAN
  • SIPRNET
  • NSANET (IWS)
  • Site TS/SI/TK/B Ops Net
  • Red Phone
  • READOUT Multi-Net (IWS)
  • JWICS VTC
  • Secure Polycom
  • STU-III
5
Today's Solution - Multiple Everything
  • Physical separation is the norm
  • Each network has its own storage, network,
    servers and desktops
  • This results in:
    • High total cost of ownership
      • For example, USCENTCOM operates several distinct
        networks at the same classification level but
        with different caveats
    • Multiple accounts per user
    • Difficult collaboration
    • Duplication of information
    • Complex security management
    • Information sharing via sneakernet or by retyping
      information

6
What is SISA?
  • SISA - Secure Information Sharing Architecture
  • Partnership between Microsoft, Cisco, EMC, Decru
    and Titus
  • An approach for collapsing many physical networks
    into virtual compartments on one physical
    network
  • Originally driven by military sharing requirements,
    but the solution components apply to anyone who
    needs to share information securely
  • SISA is a secure collaboration framework built
    upon a single physical network

7
Demo Title
  • Secure Information Sharing Architecture

8
Approach
  • Use a single source for authentication: Active
    Directory
  • Enforce user-specific rights and network
    privileges based on group membership
  • Ensure best security protection against known and
    unknown threats
  • Validate the security posture of each host system
  • Automatically enforce system update remediation
  • Consolidated monitoring of computer and network
    security
  • Secure data at rest and in transit
  • Make it affordable
  • Leverage existing hardware, software and training
    investments
  • Protect compartmented data within a single IT
    system
  • Leverage guidance defined in DCID 6-3
    • Protection Level 3 (PL3) addresses
      compartmentalization at the same security
      classification level

9
Architectural Service Components
  • Access Protection Services
    • End-Device Lockdown and Health
    • Network Protection/Policy Enforcement
    • Network Path Isolation
  • Content Protection Services
    • Application AuthN and AuthZ
    • Document and File Encryption
  • Data Protection Services
    • Application Lockdown
    • Data at Rest Isolation and Encryption
  • WatchDog Services
    • Intelligent Auditing
10
Component Descriptions
  • Access Protection Services for End-Devices
    • Establish healthy end-devices; protection against
      malicious code attacks
    • Group Policy, Cisco Security Agent (CSA)
  • Access Protection Services for Networks
    • Port authentication, path isolation, policy
      enforcement on network devices
    • 802.1X, NAC, Domain Isolation (IPsec), VLANs
  • Content Protection Services
    • Collaboration services with protection against
      inadvertent disclosure of files, documents and
      e-mails
    • AD, Office, RMS, Titus Labs
  • Data Protection Services
    • Protection of data at rest
    • Decru, VSANs (Cryptainers)
  • Watchdog Services
    • Intelligent auditing, intrusion attempt
      detection, anomalous behavior reporting
    • CS-MARS

11
Demo Title
  • Content Protection Services

12
Customer Title
  • US Department of Veterans Affairs

13
US Veterans Affairs
  • 250,000 users
  • Experienced the largest information security breach
    (26.5 million records)
  • Issued a Request for Proposal
    (the low-hanging fruit of the SISA architecture):
    • Classification of e-mail messages
    • Easy to use, non-intrusive
    • Interact with Windows RMS
    • Deploy in 90 days

14
Veterans Affairs Service Components
  • Access Protection Services
    • End-Device Lockdown and Health
    • Network Protection/Policy Enforcement
    • Network Path Isolation
  • Content Protection Services
    • Application AuthN and AuthZ
    • Document and File Encryption
  • Data Protection Services
    • Application Lockdown
    • Data at Rest Isolation and Encryption
  • WatchDog Services
    • Intelligent Auditing
15
SISA Key Benefits
  • Tiered approach that delivers multiple layers of
    security controls
  • Commercial off-the-shelf infrastructure that
    takes advantage of current investments and skill
    sets
  • Familiar user interfaces to speed training
  • Authentication at the user, machine, and port
    levels
  • Network admission control that applies
    policy-based admission criteria to each endpoint
    before allowing connection
  • Encryption for stored and in-transit data
  • Cryptographic segmentation of stored data for
    significant consolidation cost savings
  • Access to stored data based on permissions set in
    Microsoft Active Directory
  • Digital rights management of e-mail and
    attachments
  • Security monitoring and reporting tools that
    provide pertinent, actionable information for
    managers

16
Where are We?
  • CENTCOM functional prototype completed June 2006
  • NSA review completed January 2007
  • Working with SOCEUR for upcoming exercise
  • Working on refresh of the architecture

17
Want to Know More?
  • http://www.microsoft.com/industry/government/sisa.mspx
