Virtualization: Security Issues and Savings
With the military's current mandates to increase efficiencies, virtualization offers multiple benefits to the armed forces. Projects underway at the National Security Agency are advancing its use, but the government needs to reconcile security requirements with available capabilities before warfighters enjoy the full benefit of the technology.
The High Assurance Platform (HAP) program is one NSA project in which virtualization is a central technology. The program was established to provide a reference implementation of the technologies and policies required to provide warfighters with a single device with access to all the information necessary to complete a mission. Officials at the NSA say that because operations require access to networks with different classifications, HAP must support the secure separation of those networks on the platform. From the beginning of the program, personnel decided to leverage commercial hardware and software vendors as much as possible. The NSA's earlier NetTop effort demonstrated that commercial products could offer the necessary separations among information classifications.
HAP built on previous work by using features developed by Intel in its next-generation processors that provided hardware-layer support for concepts promoted by the Trusted Computing Group. Layering virtualization on the HAP system's ability to automatically notify the network and repair corrupted platforms after a change to the core software helps to ensure that the information in the various security domains remains separate and secure, according to the NSA.
HAP was scheduled in three releases with each one adding capability and better security. However, personnel decided not to proceed with the third release, which would have allowed users to access unclassified, Secret and Top Secret information simultaneously. NSA officials explain that after considerable review, the security requirements for such a solution were not mature enough to assemble an effective reference implementation. Now, the project focuses on commercial efforts of the reference implementations and the sharing of information so others can develop secure solutions. Commercial solutions that make the most of HAP's innovations are now available in the marketplace—a development that NSA's leaders emphasized last fall at the agency's second annual Trusted Computing Conference and Exposition. The NSA also is using the knowledge to inform additional internal virtualization efforts.
NSA officials believe use of virtualization will increase within and outside the military as a way to improve efficiency. On the battlefield, the benefits also enable troops to access more information while carrying fewer devices. A major thrust for the military is finding a way to reduce the size, weight and power draw of equipment warfighters need during operations.
With virtualization, units would not have to install hardware, which requires time and space, to access new capabilities. Instead, they would simply need to download the software. "It's easier to deliver new capabilities," Gunnar Hellekson, the chief technology strategist for Red Hat's U.S. Public Sector Group, explains. He adds that in the future, virtualization could enable upgrades to vehicles on demand without scheduling maintenance, and vehicles would also have greater range because the technologies on board would require less power. Unmanned aerial vehicles could keep a portfolio of capabilities, allowing them to perform different types of missions through signals from operators. However, the challenge of keeping the information secure remains.
Hellekson believes that virtualization technology is outpacing security rules and accreditation. He says virtualization technologies are ready for use in demanding operational environments, but the trick is determining how to meet security requirements. Current rules generally demand that devices connecting into networks with different classifications must be separated, but new technology will make it easier to connect to different networks through the same boxes.
Virtualization also could open new competition, which results in lower prices, because virtualized information does not depend on hardware. Hellekson says that virtualization can increase the density of hardware so users can employ the hardware better. This reduces costs in data centers, as does the reduced need for air conditioning and fuel. He states that for the military to take advantage of these offerings, changes must be made to how the systems are procured and accredited. This will require an adjustment for program officers who implement regulations, Hellekson adds.