Dec 31 2009

Layer by Layer

Thin clients and blades combined with a secure server technology offer a consolidated approach to multilevel security.

Classified message incidents. The loss of PCs, notebook computers, hard drives, CDs or USB drives containing sensitive data or personally identifiable information. Time spent patching, troubleshooting and deploying systems.

Wouldn’t it be nice if there were an overarching approach agencies could take to make their networks more secure and reliable, one that would work on most networks and simplify current environments? One way to tackle the challenge is through the implementation of thin clients and multilevel security (MLS).

How We Got Here

Twenty years ago, mainframe systems housed the bulk of the government’s applications and delivered them to dumb terminals on green screens. Users saved all of their data to mainframe storage and rarely if ever had access to data on removable media outside of the data center.

Then the PC boom happened, and agencies slowly pulled applications off of mainframes and built client-server networks. Distributed data could be easily saved to removable media and stowed wherever there was a desk drawer or cabinet. Now, the pendulum is swinging back, and many organizations are moving to a network scheme comparable to the mainframe environment, primarily by maintaining data in secure locations and giving users access to it via thin clients and blade PCs.

The new thin-client devices typically support video, audio and USB connections. These clients can be simple (embedded Internet Explorer) or full blown (powered by Microsoft Windows XP or Vista, or by Linux). Many run full-streaming video and audio and can support up to four monitors sporting 1,600-by-1,200 pixel resolution. These clients often include embedded or externally attached smart-card readers. But, perhaps most important, the devices give systems administrators the ability to lock out mass-storage devices, such as USB flash drives, through Active Directory or Lightweight Directory Access Protocol policies — both by individual and by group.
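The removable-storage lockout described above is usually delivered as a Group Policy setting; the script below is an added example (not from the article, and not code from TCS, General Dynamics or any thin-client vendor named here) that writes the same registry values a Removable Storage Access policy would set on a Windows client, and audits the result. It assumes a Windows Vista-or-later client for the Removable Storage Access keys and falls back to disabling the USBSTOR driver for Windows XP-era clients; the disk-class GUID and the function names are the author's choices for this illustration.

```powershell
# Added example: lock out removable storage on a Windows client the way an
# Administrative Templates > System > Removable Storage Access policy would.
# Run from an elevated PowerShell session; in production, set the same values
# through a GPO scoped to the computers (or users) you want to restrict.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class for "Disk drives" (USB flash drives fall under it). Assumed
# to be the class you want to restrict; other device classes use their own GUIDs.
$DiskClassGuid = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
# Windows XP has no Removable Storage Access policy; disabling the USB mass
# storage driver service (Start = 4) is the XP-era equivalent.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableStorageDeny {
    param(
        # 'All' denies read/write/execute for every removable class;
        # 'DiskWrite' allows reading but blocks writing to removable disks only.
        [ValidateSet('All', 'DiskWrite')]
        [string] $Mode = 'All'
    )
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    switch ($Mode) {
        'All' {
            New-ItemProperty -Path $PolicyKey -Name 'Deny_All' `
                -PropertyType DWord -Value 1 -Force | Out-Null
        }
        'DiskWrite' {
            $classKey = Join-Path $PolicyKey $DiskClassGuid
            if (-not (Test-Path $classKey)) {
                New-Item -Path $classKey -Force | Out-Null
            }
            New-ItemProperty -Path $classKey -Name 'Deny_Write' `
                -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Disable-UsbStorDriver {
    # XP fallback: a Start value of 4 means the driver is never loaded, so
    # newly attached USB mass-storage devices are not enumerated.
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
}

function Get-RemovableStoragePolicy {
    # Returns an object summarising the effective deny settings so the state
    # can be checked by a compliance script or logged during an audit.
    $denyAll   = $null
    $denyWrite = $null
    if (Test-Path $PolicyKey) {
        $denyAll = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).Deny_All
        $classKey = Join-Path $PolicyKey $DiskClassGuid
        if (Test-Path $classKey) {
            $denyWrite = (Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue).Deny_Write
        }
    }
    $usbStart = (Get-ItemProperty -Path $UsbStorKey -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        DenyAllRemovable   = ($denyAll -eq 1)
        DenyRemovableWrite = ($denyWrite -eq 1)
        UsbStorDisabled    = ($usbStart -eq 4)
        Compliant          = ($denyAll -eq 1) -or ($usbStart -eq 4)
    }
}

# Usage: deny all removable storage, then confirm the machine is compliant.
Set-RemovableStorageDeny -Mode 'All'
Get-RemovableStoragePolicy | Format-List
```

The "by individual" scoping the article mentions corresponds to the User Configuration version of the same policy, which writes identical value names under `HKCU:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices`; the "by group" scoping is simply the GPO being linked to an OU or filtered to a security group. Either way, the audit function is the part worth keeping: a policy that is set but silently overridden by a later GPO is a common reason a lockout fails in practice.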

The DOD Approach

Together, Trusted Computer Solutions and General Dynamics have been developing an MLS approach to data management for the Defense Department that includes a combination of secure workstations and thin clients.

The project began in 2005 under a contract awarded by the Air Force Research Laboratory to TCS. The Air Force then hired General Dynamics to develop enhancements for the systems and provide support. For the workstation component, General Dynamics created the Defense Intelligence Information System Trusted Workstation, or DTW.

A lingo is born: The term “green screen” became synonymous with “dumb terminal” for many during the late 1960s and early 1970s, when IBM and other big-iron makers created terminal systems — with green- and amber-shaded monitors — to communicate programming information to mainframes.

At the workstation’s core is the TCS SecureOffice Trusted Workstation. DTW allows access to information across multiple domains from a single location — regardless of the network on which the data resides.

For a thin-client kernel, TCS is providing its SecureOffice Trusted Thin Client NetTop2, a trusted Linux technology for the desktop. With NetTop2, which uses technology licensed to TCS from the National Security Agency, users can access multiple independent networks and run Windows and Unix sessions with different data security classification levels or domains from one thin-client appliance.

The TCS NetTop2 kernel does not require proprietary hardware or any single operating system. Any manufacturer of thin clients can create appliances that run TCS NetTop2. Vendors that have led development of systems with the kernel include ClearCube with PC blade systems, Hewlett-Packard with its Consolidated Client Infrastructure PC blades, and Wyse Technology and VXL Instruments with typical thin-client devices.

On the OS and application delivery side, Citrix, Microsoft, Red Hat and Sun Microsystems offer products for MLS implementations.

The Slow Roll

If MLS solutions offer more security and controls for sensitive data, why aren’t more agencies implementing them?

A chief reason is the fear that thin clients are little more than dumb terminals in disguise, despite the end-user processing power available in new blade and thin appliances.

Another reason is that the up-front investment can seem overwhelming. To implement a typical solution, an agency can expect to spend in the ballpark of $500,000 for 1,500 users. But the refresh expense is lower: The $500 to $600 replacement cost per PC drops to between $199 and $299 per thin-client device. And although a typical refresh cycle on PCs is three years, thin clients generally last much longer.

A final barrier is the learning curve. In most agencies, the dominant client-server environment is made up of Windows servers and PCs. More systems administrators would need to be able to support Linux and Unix servers as well. The upside is that in a thin-client or blade environment, there are typically fewer servers and they are centralized hubs.