Addressing the challenge of data for all, but securely
Emerging threats and new devices combine to create a complex and rapidly changing landscape for storage security.
With new security threats appearing at a rapidly increasing pace, the Defense Department is working hard to lock down data storage, even as it faces the challenge of making information readily accessible via a growing number of devices.
The DOD certainly has a set of unique challenges, said Greg Gardner, former deputy CIO of the U.S. intelligence community. "The military must not only protect and secure data and fend off cyberattacks, but it is also challenged by the flexibility required to deal with data [extending] from the infrastructure core to the tactical edge, given that data flows across the battlefield through mobile devices, across land, sea and air domains and in the cyberspace of data center and headquarters’ offices."
The DOD faces the same data storage security challenges as private industry, only on a much wider scale and with a need for stronger user-access controls. "Data must be secured, not only across levels of security and access, but also at rest and in motion ... wirelessly, on devices or otherwise," noted Gardner, who is currently chief architect for government and defense solutions at NetApp, a storage and data management company headquartered in Sunnyvale, Calif. This requirement makes secure multi-tenancy—an architecture in which a single instance of a software application serves multiple organizations—highly attractive to DOD, since the approach enables military organizations to cost effectively virtualize storage in a highly secure manner.
The Defense Industrial Base (DIB) has used strict data-classification standards, access controls, “Need To Know” restrictions, policy and accreditation for many years, noted Peter Tran, senior director of advanced cyber defense practice at RSA, a security consulting firm and EMC Corp. division based in Bedford, Mass. "As IT infrastructures transform, the challenge is to maintain the same level of standards, policy and compliance while adapting data to cloud and mobile infrastructures within classified and unclassified environments," he observed.
To make stored data both secure, yet still accessible to users holding different levels of security clearances, DOD uses several approaches. "There are high-assurance platforms (HAPs) that have multiple operating systems running inside of virtual machines on a single desktop computer, each with access to a different level of data," explained Ty Lindteigen, chief technology officer of Cummings Engineering, a mobile encryption technology provider located in Chandler, Ariz. Another approach is to use servers deployed inside a protected infrastructure featuring strong data-separation mechanisms, such as virtual machine technology and trusted guard functions between access levels, Lindteigen added.
Securely transporting multiple levels of data to the mobile edge can be accomplished via a virtual desktop technology that sends an interactive video stream of the desktop over a secure and authenticated connection to the mobile device user. "The mobile device can engage separate virtual desktops for each level, or some infrastructures are capable of presenting the combined levels in a single remote desktop, Lindteigen said.
To make data both more secure and shareable between services, industry partners and other government agencies, the military is transitioning to the Joint Information Enterprise (JIE), an integrated structure that combines multiple existing networks. Upon its completion, JIE will enable every user to get onto an approved device, anywhere -- at home, at work or on the move -- and get the information they need in a secure, reliable fashion.
As it builds the JIE, DOD is addressing data security in three separate ways, Gardner noted.
"First, it is clustering storage devices so that data is available 100 percent of the time and systems never have to be shut down for technology upgrades or refreshes," he said.
Meanwhile, storage operating systems are rapidly being virtualized. "This means they can be run on a variety of different types of hardware, often with very small form factors," Gardner said. "This enables data to be brought under control at the tactical edge—on ground or aerial vehicles, for example—and shared quickly and securely across many levels of command."
The third way DOD aims to protect JIE data is with cybersecurity measures. "In particular, the military is capturing data on all networks at rates of up to 10 gigabits per second, storing and carefully analyzing it both to find and deter external threats and to identify and counter threats and user errors from inside the organization," Gardner said.
To address the growing challenge of protecting data on commercial off-the-shelf (COTS) devices, the National Security Agency (NSA) has created the Commercial Solutions for Classified (CSFC) program.
"This process is intended to accelerate the certification timeline and create integration options of multiple vendors' offerings into a single solution that is secure enough to protect classified data," Lindteigen said. "This enables a new range of solutions to protect sensitive information, but it also raises the bar on commercial technology to meet the higher standard."
As DOD grows increasingly reliant on COTS technology in the years to come, it will expect vendors to shoulder more of the data security burden by supplying strong protection technologies along with their devices. "The Defense Department will continue to insist that data security is built in to every solution it acquires from this time forward," Gardner said.
Tran agreed. "The DIB is requiring data security to be addressed as part of system architecture and design, and as a main evaluation standard when determining acquisition within its partner and supplier ecosystem," he said. "This has resulted in an increasingly competitive environment for those seeking to do business with the DIB."
Just as forts, bases and vessels have required strong, evolving security measures since the beginning of recorded history, data security in various forms will remain a DOD priority for a very long time, perhaps for as long as the agency exists. "Security responds to platform definition and capability, such as the emergence of mobile devices, and it responds to threats as they continually evolve and adapt," Lindteigen said.
Additional Online Resources
More information on the Joint Information Enterprise is available in a DOD press release http://www.defense.gov/news/newsarticle.aspx?id=118092
Further details on the National Security Agency's Commercial Solutions for Classified process can be found on the NSA’s Central Security Service web page http://www.nsa.gov/ia/programs/csfc_program/index.shtml