Lack of virtualization regs is a challenge with classified systems
In the old days, certifying software to run on classified systems was a (relatively) easy task: Follow the configuration instructions from appropriate security technical guide and you were good to go. But what if you wanted to run that same software in a virtual container? Doing could require a lot of unnecessary set-up time in many agencies, warned Adam Rossi, president of IT consulting firm Platinum Solutions, which does work for intelligence agencies.
"The regulations haven't really caught up with virtualization," he said.
We encountered this issue while writing our article on building a private cloud. During our interview, Rossi had mentioned the certification and accreditation (C&A) process as a potential roadblock for widely and quickly deploying software in virtual environments. At least some Defense Department officials are mulling the potential appeal of using virtualization as a security tool. Platinum is working with government customers who want to reduce the size and power consumption of their data centers, and virtualization is a natural route to go.
However, the software security regulations and policies could be updated to better use virtualization software, Rossi said.
Systems that run in classified environments must follow the Defense Department Security Technical Implementation Guides (STIGs), he explained. STIGs specifies a list of secure settings, such as what services can be run, what ports are open, and so on. There are STIGs for operating systems, application servers, database and all sorts of other software. A list of STIGs can be found here.
In order to check to see if software is configured correctly, the Defense Information Systems Agency (DISA) offers a set of scripts, called the Security Readiness Review (SRR) guides that can test a system. Once software is configured to meet STIG requirements, it can then be copied onto as a master disk (or "a gold disk") and copied across different servers, with the implied assurance that each copy of that program is running securely.
Except if that program is running in a virtualized environment.
Here is the problem: At least in some agencies, every time a piece of software is spun up in a virtualized container, it must be tested again against SRR again. And this is a time-sink. "If you C&A it once and you deploy it and don't alter it, it should be C&A'ed again," Rossi said. "You see a lot of extra labor to go in to rescan the image."
At least part of the issue is that the military is still writing STIGs for virtualization software. When more software is certified, the more virtualization can be used in a speedy fashion, without retesting each app in a virtual environment. Last year, DISA released a STIG for VMWare ESX Server version 1, the publication of which Rossi called "a big step forward."
This is only one of a wide range of virtualization products that could be used, however. Moreover, many agencies still have to catch up with the guidelines that are in place. "Each agency generally has a set of information security guidelines, and although they generally incorporate the STIGs, it takes time for them to catch updates, and for their security professionals to become comfortable with new technologies," Rossi explained.
Posted by Joab Jackson on Jul 16, 2009 at 7:05 PM