Upload
kevin-eaton
View
217
Download
2
Tags:
Embed Size (px)
Citation preview
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 1
Meeting NASA’s Data-At-Rest Encryption Requirements
NASA Encryption Requirements TeamExecutive Briefing With Recommendations
January 15, 2008
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 2
Meeting NASA’s DAR RequirementsBackground
– June 2006: OMB M-06-16, “Protection of Sensitive Agency Information”• Requires Encryption For Sensitive Data (unless data is determined to be non-sensitive)• Mandate not uniformly addressed resulting in misunderstood requirements and questionable
guidance
– May 2007: JSC Issues RFI to Leading Encryption Vendors• Based on requirements gathered from across the Johnson Space Center
– June 2007: DoD/GSA Announce DAR SmartBuy Vendors
– July 2007: NASA OCIO Chartered the Encryption Requirements Team• Gather and establish NASA requirements for encryption solutions that meet OMB direction• Use requirements to select and establish an Agency solution for encrypting NASA devices
and information and to purchase approved products from the Federal SmartBuy vehicle.• Evaluate technology solutions and recommend an approach that meets NASA requirements• Establish a standard and fold it in to NASA-STD-2804/5
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 3
Meeting NASA’s DAR RequirementsBackground
– Approach
• Use inter-agency team to – Collect NASA Requirements– Validate DoD Requirements– Establish NASA DAR Encryption Requirements
• Request Independent Analysis and Recommendation from LMIT– Identify DAR Requirements– Down Select Vendors for Evaluation– Conduct Testing and Deliver Recommendation
• Leverage JSC Evaluation as Appropriate– Conduct Gap Analysis between JSC and NASA Requirements– Utilize Knowledge and Expertise developed at JSC in support of their evaluation
• Develop Agency Recommendation– Merge Independent LMIT and JSC test results– Evaluate Findings and Recommendations– Select Vendor and Conduct Pilot Test– Engage Selected Vendor in Implementation Strategy– Negotiate Pricing and Draft Acquisition Strategy
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 4
Meeting NASA’s DAR RequirementsRequirements
– DoD Requirements• 104 Requirements identified as either Critical, Important, or Desirable• 34 Critical Requirements, including
– FIPS 140-2 Validated– Full Disk Encryption (FDE) and Filesystem-Level Encryption (FSE)– Minimal User Intervention– PKI and Smartcard Compatibility– FDE Pre-boot Authentication– Central Management Console
• High concentration of Critical Tech Support, Licensing, and Training requirements (18 - 50%)
– JSC Requirements• Vendors Asked to Respond to 227 Unranked Requirements• 34 Requirements Internally Identified as either Required, Desired, or Optional• 22 Required, including
– FIPS 140-2 Validated– 508 Compliant– Ability to Encrypt Removable Devices– Key Escrow– Central Management– Minimal User Intervention– Not dependent upon network connectivity– PIV II Smartcard Compatibility– Full Disk Encryption– Support for Single Sign-on
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 5
Meeting NASA’s DAR RequirementsRequirements
– LMIT Requirements• 11 Requirements Necessary for Consideration
– FIPS 140-2 Validated– Full Disk Encryption– Minimal User Intervention– Interoperability with NASA Active Directory– Support for multiple users (DoD “I”)– Central Management Console– Key Escrow (DoD “I”)– PIV II Smartcard Compatibility– Ability to Remotely Wipe the Device– Log Failed Login Attempts– Maintain Data Integrity
– NASA Requirements• NASA unique requirements used to adjust DoD requirements• Gap analysis performed against JSC RFI and Internal Requirements
Rankings• Resulting decision was to adopt JSC Requirements• LMIT Requirements mapped entirely into NASA Requirements
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 6
Meeting NASA’s DAR RequirementsSelection
– Gartners Magic Quadrant Summary of Leading DAR Encryption Vendors:
Vendors under consideration all listed in the upper right quadrant
– JSC Selected 5 Vendors for evaluation based on RFI results
• Only 4 vendors were able to participate in proof-of-concept testing
– LMIT Selected 3 Vendors for evaluation based on DAR requirements mapping
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 7
Meeting NASA’s DAR RequirementsSelection
– JSC Evaluation• Conducted in-house proof-of-concept
• Evaluated 7 weighted criterion as either Low, Medium, or High– Business/Background– Experience– Financial– Professional Services– Solution Architecture– Ability to Meet Specific Requirements– Price
– LMIT Evaluation• Conducted in-house functional testing to validate vendor claims
• Evaluated 3 additional criterion critical to NASA interoperability– Availability of Mac OS X Client– Deployment Options Into Current NASA Active Directory Environment– Ease of Migration from Current AD Environment to NCAD AD Environment
• Also Evaluated Infrastructure and Deployment Complexity– Number of required servers– Firewall requirements– Centralized Management and Reporting
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 8
Meeting NASA’s DAR RequirementsSelection
– JSC Selection: Safeboot• One of only two products committed to cross-platform support• Support for PIV II Smartcards and ActivIdentity Middleware• Flexible and Complete Licensing• Gartner Magic Quadrant• Lowest Price• Impressive List of Government and Industry Customers
– LMIT Selection: Safeboot• Provides Full Disk Encryption• Supports PIV II Smartcards• Supports Treo and other PalmOS devices• Supports Windows Mobile devices• Mac OS X Client Available FY08• Integrates Cleanly and Efficiently with Active Directory
– No anticipated issues supporting NCAD migrations• Single Management Console can support entire Agency• Elegant and Flexible Technical Architecture• Lowest Price (Significantly)
– NASA Encryption Requirements Team Recommends Safeboot• Supported by Rigorous Independent Evaluations• Best Technical Solution and Best Price• Extraordinary Vendor (VAR and OEM) Support
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 9
SafeBoot - A worldwide operating IT security company
● Quick Stats
More than 3 million active licenses
Over 3000 customers in 74 countries
>98.6% client retention
>150 Fortune 500 customers
Worldwide support with 24 x 7 x 365
Less than 2% employee attrition
20 consecutive quarters of growth
Strong financials and debt free
Dun & Bradstreet 3A1 rating
Most certifications and accreditations i.e. only vendor worldwide with Common Criteria Level 4 of 2006
Meeting NASA’s DAR RequirementsSafeboot Executive Overview
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 10
SafeBoot – The leading enterprise class security company
35% Europe
Revenue Distribution
31% USA
30% AsiaPac4%
Revenues 2001-2006E
2001 2002 2003 2004 2005 2006
$ 35 m
$ 10 m
$ 15 m
$ 20 m
$ 25 m
$ 30 m
Operating Profit 2001-2006E
2001 2002 2003 2004 2005 2006
$ 2 m
$ 4 m$ 6 m$ 8 m
$ 10 m$ 12 m
● SafeBoot Certifications 2006 Common Criteria Level 4 (EAL4) FIPS 140-1 and FIPS 140-2 BITS certified CSIA certified NIST AES 256 DSA/DSS (#53 & #112) SHA-1 (#71 & #254) DES (#145)
● SafeBoot Distinctions Recognized leader in Gartners Magic Quadrant Software 500 ranked #378 SC Magazine’s 2006 Readers Trust Award for “Best Authentication Solution” and “Best Identity Management Solution” SC Magazine’s Global Award 2004 for “Best Encryption Solution Member – Microsoft Secure IT Alliance Member – Secured Partner Program Member – Trusted Computing Group
Meeting NASA’s DAR RequirementsSafeboot Executive Overview
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 11
SafeBoot – The most secure data protection solution
● Device Encryption - Encrypts mobile devices using military strength certified algorithms
● Content Encryption - Encrypts selected files, file types, folders or work groups
● Port Control - Allows enterprises to monitor the use of and set policies for ports
● Secure USB Memory - Encryption of USB memory sticks using military certified algorithms
● SafeBoot is a suite of enterprise-class IT security products for the protection of data on mobile devices.
● SafeBoot is built around a unique central management center to control corporate security policies
● Highly scalable enterprise class solution● Policy driven remote “stealth” installation of all SafeBoot products● Remote security policy management with rich feature set● Produces audit trail of all mobile devices in an enterprise environment to meet compliance requirements
SafeBootData
Encryption
Meeting NASA’s DAR RequirementsSafeboot Executive Overview
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 12
Device Encryption – Protection of Entire Device
● The entire device is encrypted
• FIPS 140-2 certified• Common Criteria Level 4 certified• BITS certified• CSIA certified
SafeBootData
Encryption● Secure user authentication
• 2-factor • 48 different tokens incl. fingerprint are available• Mix and match tokens / smartcards / passwords• Integrated central administration console for all devices
● Audit capability
• Full audit trail for device protection• Fulfills all audit and compliance requirements
Meeting NASA’s DAR RequirementsSafeboot Executive Overview
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 13
Content Encryption – Selective File and Folder Protection
● Selective encryption of files and folders
• Encrypts classes of data (i.e. Word, Excel)• Encrypts file and folders• Encrypts groups of users (i.e. HR division)• Encrypts email attachments• Removable media encryption (i.e. CD-ROM’s)SafeBoot
Data Encryption
● Central management of users
• All users are centrally managed• Fully integrated with device encryption• Mix and match capability
Meeting NASA’s DAR RequirementsSafeboot Executive Overview
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 14
Port Control – Management of “Ports”
● Controls “ports” of laptops and PC’s
• Selective control of all ports• Activates and de-active• Selective use of devices (i.e. only encrypted USB memory)• Prohibits use of unauthorized devices (i.e.iPods, MP3 players)• Security policies can be set (i.e CD’s can only be burned in encrypted mode)
● Central management of users
• All users are centrally managed• Fully integrated with device and content encryption• Mix and match capability
PCMCIA
CD/DVD WiFi
Parallel Serial
BluetoothIR
Firewire
USB
Meeting NASA’s DAR RequirementsSafeboot Executive Overview
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 15
4th Generation Security – State of the art software
● Key differentiators
• Auditing and compliance reporting are unmatched
• Integration of device and content encryption and port control
• Integrates seamlessly with existing infrastructure (AD-connectors, Novel NDS, Microsoft and Entrust PKI and so on)
• Non-intrusive to end-user and corporate network (extremely thin client <3MB)
• Most certifications and accredidations
• User synchronization (i.e. passwords, de-activations)
Meeting NASA’s DAR RequirementsSafeboot Executive Overview
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 16
Customers – The most prominent companies in the world
● Typical customer profile
Fortune 5000 company
1000+ laptops or desktops
Global footprint
Mobile or distributed workforce
Subject to data protection privacy laws
All industry verticals
● Fortune 500 Customers
Over 150 are SafeBoot customers
GE, KPMG, SAP, Fujitsu, BT, HSBC, ABN Amro, Sun Life, Northwestern Mutual, and many more have made SafeBoot a mandatory security standard
Meeting NASA’s DAR RequirementsSafeboot Executive Overview
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 17
Meeting NASA’s DAR RequirementsAcquisition Strategy
– Safeboot Incentives for Agencywide Licensing Are Impressive• JSC Cost Estimate for Entire Center (12,000 Licenses): $750,000 • LMIT Cost Estimate for ODIN Systems: $1,00,000• Cost Estimate for all of NASA (74,000 Licenses + 3 years maintenance): $1,198,00
– Q. What’s Included? – A. Pretty Much Everything
• Full Disk (Device) Encryption (DE)• Content (File/Folder) Encryption (CE)• Port Control (PC)• Management Console• All Connectors Necessary for Active Directory Integration and Mobile Device Support• Help Desk Web Interface• Three Years of Maintenance• Single License covers up to 5 devices (per-user licensing)• Home Use of all licenses• 74,000 licenses with 10% growth allowance (7,400 licenses)• Access to named Safeboot Engineer for remote support• Lots of onsite design, engineering, and deployment support• $11.56 per license • $2.31 per license maintenance after first year• NASA Contractors qualified to purchase at these same prices
Cost If Purchased off the GSA SmartBuy: $3,000,000+
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 18
Meeting NASA’s DAR RequirementsAcquisition Strategy
– Most Appropriate Acquisition Strategy is an ODIN Infrastructure Upgrade Proposal
• ODIN Desktops will all be affected• NASA’s Partnership with LMIT should be leveraged• MFR 137• NASA will own the licenses, LMIT will manage their acquisition and
distribution
– Components of an IUP• Software Licensing• Hardware and Infrastructure• Engineering• Software Deployment• Project Management• User Awareness and Training
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 19
Meeting NASA’s DAR RequirementsAcquisition Strategy
ROM IUP Pricing
Quantity Price
Safeboot Licenses 74,000 $856,000
Year 2 Software Maintenance 74,000 $171,000
Year 3 Software Maintenance 74,000 $171,000
Dedicated (named) remote Safeboot Engineer 1 FTE Included
Onsight engineering for installation, configuration, and training 9 Days Included
LMIT Costs (Hardware and Infrastructure, Engineering, Software Deployment, Project Management, User Awareness and Training
$500,000
Total $1,698,000
LMIT Costs Are Estimated
For Planning Purposes Only
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 20
Meeting NASA’s DAR RequirementsImplementation Strategy
– Assumptions• Center Deployments Begin After Domain Consolidation
– Must Use Agency User IDs (AUID)• Safeboot administration will be managed centrally• ODIN seats will receive Safeboot client software via standard distribution channels• Non-ODIN seat deployment will be handled by workgroup administrators• NAD users will be provided access to client software and must install it themselves• NASA will approve operating policies and establish process for their maintenance
– Observations• Numerous low-cost options exist for redundancy and high availability• After initial client encryption, communication with Safeboot Server is not required for
client functionality– Client will sync with the server when connectivity is restored– Severs can become temporarily unavailable without affecting normal operations
• User data can be restored even in the absence of network connectivity
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 22
Meeting NASA’s DAR RequirementsImplementation Strategy
Notional Architecture
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 27
Meeting NASA’s DAR RequirementsUse Cases
– Laptop User• Device Encryption will be used to encrypt the entire device• Content Encryption will be used to ensure removable media is also encrypted
– Desktop User• Device Encryption will be used to encrypt the entire device• Content Encryption will be used to ensure removable media is also encrypted
– Desktop User needs to take work home and use his personal computer to continue editing his documents• DE and CE on the work desktop enable the use of any thumb drive• Contents of thumb drive are encrypted• CE must be installed on the home computer to enable thumb drive decryption and/or securely
store the documents• Thumb drive remains encrypted at all times• DE not recommended for home computers
– Laptop/Desktop User needs to store documents unencrypted on thumb drives (or CD’s) to distribute at a trade show• CE would normally prevent this• User must call the Help Desk and request this capability• Encryption will be disabled on some or all of the removable media devices• A control process will need to be implemented
04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 28
Meeting NASA’s DAR RequirementsEncryption Requirement Team
NASA TeamDarryl Barnes, ARCEduardo Bertot, KSCDonald Calkins, JPLRon Colvin, GSFC Elton Comer, JSCDavid Epperson, NSSCWalter Franklin, MSFCNorbert Gillem, ARCCraig Grube, GSFCChristopher Jorgensen, GSFCSheryl Locke, JSC David Meza, JSC Evaluation Team LeadStephan Naus, GSFC Christine Reynolds, SSCJames Rouse, LARCWill Spencer, DFRCKanitra Tyler, GSFCBryan Walls, GSFCSherman Nicholas Wilson, MSFCThomas Wolfe, JPL
OCIO Guidance and SupportRob BinkleyDiana KniffinMarion MeissnerDana Mellerio
ETADS SupportGary Gapinski, Lead Engineer Richard HaasPete Wheeler
LMITJoe Sigmon, LMIT Lead