NSA product accreditations lag behind IT security advances

Getting products certified through National Security Agency channels requires lengthy process

By , Network World
September 15, 2010 03:08 PM ET

Network World - ORLANDO -- The National Security Agency wants to use commercially built security products and the latest virtualization software. But the slow pace of getting products certified through NSA channels and the lightning-fast pace of change in the IT industry are causing national-security heartburn.

The high-tech spy agency, which also guides Defense Department information security, has become an enthusiastic proponent of open standards-based technologies such as Trusted Network Connect (TNC) and Trusted Platform Module (TPM) put forward by the organization Trusted Computing Group (which announced it expects to propose an end-to-end security framework for cloud computing around year-end).

This week the secretive NSA held its first conference related to its views on trusted computing. The NSA Trusted Computing Conference and Exposition in Orlando drew about 500 attendees and 39 exhibiting companies.

Michael Lamont, NSA chief of the network solutions office, noted in his keynote that since May of this year the national-security strategy has been "COTS [commercial off the shelf] first, not GOTS [government]."

Lamont said the NSA wants to influence how commercial technologies are developed, and hopes "richer collaboration could further harden national-security systems" and give commercial systems some "government-like security."

Trusted computing "will be a key enabling technology or set of technologies," said Neal Ziring, technical director, information assurance directorate, NSA, in his conference keynote address.

Ziring said the NSA, under its High Assurance Platform (HAP) program, is turning to a "deliberate reliance on commercial products for protecting even national-security information," and said "my customers are demanding mobility." In the future, NSA expects "COTS will be used to protect even the most sensitive classified information."

Products developed to adhere to the specifications of the Trusted Computing Group (TCG) are a big part of the vision.

Certification processes stall adoption

The NSA's customers are the vast U.S. military and intelligence communities that require accredited software and hardware for use in sharing information from Top Secret through Secret and down to Classified and Unclassified. Products used for "Cross Domain Solutions," for instance, which provide the ability to access or transfer information between two or more security domains, have to be examined and certified to be accepted for use. But the NSA and military-supported certification processes, such as one called Common Criteria, are slow as molasses compared to the IT industry's lightning-fast innovations.

As if to underscore that point, Ian Pratt, vice president for advanced products at Citrix Systems, gave a keynote packed with heady technical detail on new virtualization software from Citrix, including the Xen-based client hypervisor and multiple ways to run virtual machines while setting policy controls through so-called "service VMs." He explained how TCG-related technologies such as TPM would work, and added that in the future Citrix may come out with a "virtual TPM" that would run as a dedicated virtual machine.
