Ed Hammersla | Secure sharing of sensitive data
GCN Interview: Ed Hammersla, chief operating officer of Trusted Computer Solutions, talks about advances in the process of securing sensitive information across domains
- By Rutrell Yasin
- Dec 15, 2008
Ed Hammersla, chief operating officer at Trusted Computer Solutions (TCS), was talking about the need to share information across multiple security domains long before the issue gained widespread public attention. At TCS, he has been instrumental in providing security technology to government agencies such as the Defense Intelligence Agency and the Coast Guard. He also played a key role in developing a trusted version of Linux based on Red Hat Enterprise Linux 5.
Hammersla recently spoke to GCN about the state of cross-domain security.
GCN: Define cross-domain security.
ED HAMMERSLA: It’s helpful to point out that it is
information sharing, but it is really focused on sharing sensitive
or classified information. Sometimes the [phrase]
“information sharing” gets thrown around to mean things
like industry sharing with government what their vulnerabilities
are. That’s a very broad term.
When we say cross-domain [at TCS], we’re talking about a
security or network domain, meaning that one is top secret, one is
sensitive or classified. The word “domain” can mean
many different things to many people. When we [talk about] secure
information sharing, we mean [securing] information that is of a
classified or sensitive nature but not necessarily just top
secret.
GCN: Many civilian agencies have been slow to adopt
multilevel security because they don’t think they need the
same level of security as the Defense Department. Are there other
factors that are blocking widespread adoption of cross-domain
security?
HAMMERSLA: The adoption of the technology is much greater
than it has ever been in the past, but still, against the barometer
of what we should be doing, it is very slow. A lot of the reasons
are awareness and education. There are still a surprising number of
folks who aren’t aware it can be done. For years, the
pervasive thinking was you can’t connect two different
networks of different classification levels to the same box because
that’s the way it was for so long.
Then there’s the manageable but difficult challenge of
getting these systems accredited and approved for use. I say
manageable because clearly it can be done or there wouldn’t
be any cross-domain solutions out there in operation today. But
knowing how to do that correctly and in a timely [way] has been a
real challenge for the vendor community and the government itself,
[although] it’s improving.
Depending on whose numbers you feel comfortable using, estimates
go between 100,000 to 200,000 people in the intelligence community
who would want to use this technology. The best estimates now are
15,000 to 20,000 installed, and that’s probably a high
number. Any way you look at it, we are maybe at 10 percent adoption
in the intelligence community and probably less than 5 percent in
the broader [DOD] warfighter community. We still have a long way to
go. The most important thing for people to do is to become aware of
this technology.
GCN: What role does the Unified Cross Domain Management
Office play in creating greater awareness?
HAMMERSLA: The Unified Cross Domain Management Office out
of the Office of the Director of National Intelligence [and DOD] is
an important organization. They have done a lot of work to
consolidate and identify the cross-domain solutions and mechanisms
that are approved for use. As a result, they play a very important
role in saving taxpayers’ money and [saving] government
countless hours and dollars.
GCN: Does the office play a crucial part in certification and
accreditation?
HAMMERSLA: They have jurisdiction over the process;
that’s the word in the Intelligence Reform and Terrorism
Prevention Act of 2004. But they don’t control it from the
actual resource and execution point of view. The Unified Cross
Domain Management Office has been excellent at reducing the number
of cross-domain mechanisms in the community and saving government
people a lot of time and money by [not] wasting their time pursuing
things that are not on that list.
However, there is a real need to standardize on an objective and
consistent set of requirements to meet certifications because when
you get a couple dozen security guys in a room, you can imagine the
varying degrees of opinion you get on what’s secure and what
isn’t.
So in the absence of a transparent and objective standard, if
subjective opinions are applied to that process, then obviously it
takes a lot longer and there are less predictable results. So a
consistent, objective standard is an important piece in improving the
[certification and accreditation] process.
GCN: TCS recently acquired a company called CounterStorm.
What does it add?
HAMMERSLA: The CounterStorm acquisition brings a
technology to us that discovers threats, such as zero-day attacks,
the first time you see something. We know how virus scans work:
Once we understand how a virus works, we know its signature. We put
it in our virus-scanning tool, and the tool scans and kicks [the
virus] out.
But the first time something happens, we don’t know what
its signature is. So the first time it happens, how do we find
that? Also, how do we deploy technologies in our organizations that
can find unusual behavior from trusted insiders? CounterStorm does
that through an interesting set of technologies. Essentially, it is
a machine learning technology. CounterStorm will sit on an
internal network, and within a two- or four-week time frame, it
will learn what that network is all about. What kind of traffic
goes on? Who talks to whom? How do they talk? How often do they
talk? What kinds of IP addresses are being accessed outside the
network? It does this with multiple intelligent engines that do
everything from deep packet inspection to anomaly detection to
behavior analysis to network analysis.
If someone who is an insider and has a password starts doing
things they haven’t been doing for the past few years,
CounterStorm is smart enough to catch it very fast and alert the
appropriate people.
Separate from CounterStorm, we’ve built a product that we
now call Security Blanket. That’s a tool to allow
organizations to add greater levels of security to operating
systems. That’s important because operating systems are what
sit on the inside of the network and guard the data. They’re
sort of the last line of defense [for] the internal data.
What we found out through our own knowledge of the market and
from analysts [such as] Gartner and Forrester [Research] is that a
huge number of these servers are not locked down or secured at all.
The ones that are secured and locked are done manually with very
little documentation.
The thought behind the Security Blanket technology was to offer
a tool to people [that allowed them to] take a server and bring it
up to Defense Information Systems Agency security standards and
feel more secure that anybody trying to attack that server would
have a more difficult time doing so.
GCN: Would you say one of the security trends we’ll see
next year is integration of deep packet inspection with cross-domain
technology?
HAMMERSLA: The cross-domain side is trying to accelerate
the adoption of this technology. Every place [cross-domain]
technology has been deployed, it cuts costs, and it makes people
more productive and enhances organizations’ ability to share
information. On the cross-domain side, the objective in the year
ahead is to continue streamlining and make the process of using
this technology easier and quicker while enhancing its
capabilities.
The priority on the insider threat [side] is to develop better
capabilities to detect all manner of different kinds of threats out
there.
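The baseline-then-deviation approach Hammersla describes for CounterStorm (learn who talks to whom, how often, and which outside addresses are reached, then flag a host that departs from its own history) can be illustrated with a small behavioural baseline over flow records. The code below is an added example written for this page; it is not CounterStorm or TCS code and makes no claim about how that product works internally. The host addresses, the 10.0.0.0/8 site range, the two-week training traffic and the day-15 traffic are all constructed; `training_flows`, `day15_flows`, `PeerBaseline` and `run_demo` are names chosen here.

```python
"""Behavioural baselining over network flow records (added example, not
CounterStorm or TCS code). Per source host it learns the peers the host
talks to and its daily activity over a training window, then flags a
later day's flows that deviate from that baseline. All data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed site address range


@dataclass(frozen=True)
class Flow:
    day: int      # training day index, or the day under analysis
    src: str      # source host address
    dst: str      # destination address
    nbytes: int   # bytes sent from src to dst


def is_external(addr: str) -> bool:
    return ipaddress.ip_address(addr) not in INTERNAL_NET


def _upper_bound(xs, sigma):
    """Mean plus sigma standard deviations, floored so that a perfectly
    regular training series still tolerates a little variation."""
    m = mean(xs)
    return m + max(sigma * pstdev(xs), 0.2 * m, 1.0)


class PeerBaseline:
    """Per-source profile: known peers plus per-day flow and external-byte counts."""

    def __init__(self):
        self.days = set()
        self.peers = defaultdict(set)                                  # src -> {dst}
        self.daily_flows = defaultdict(lambda: defaultdict(int))       # src -> day -> count
        self.daily_ext_bytes = defaultdict(lambda: defaultdict(int))   # src -> day -> bytes

    def learn(self, flows):
        for f in flows:
            self.days.add(f.day)
            self.peers[f.src].add(f.dst)
            self.daily_flows[f.src][f.day] += 1
            if is_external(f.dst):
                self.daily_ext_bytes[f.src][f.day] += f.nbytes

    def _series(self, table, src):
        # A quiet day counts as zero, so the baseline reflects the whole window.
        return [table[src].get(d, 0) for d in sorted(self.days)]

    def detect(self, flows, sigma=3.0):
        """Return (src, reason, detail) tuples for one day's flows."""
        by_src = defaultdict(list)
        for f in flows:
            by_src[f.src].append(f)
        alerts = []
        for src in sorted(by_src):
            todays = by_src[src]
            if src not in self.peers:
                alerts.append((src, "source never seen in baseline", None))
                continue
            new = {f.dst for f in todays} - self.peers[src]
            new_int = tuple(sorted(d for d in new if not is_external(d)))
            new_ext = tuple(sorted(d for d in new if is_external(d)))
            if new_int:
                alerts.append((src, "new internal peers", new_int))
            if new_ext:
                alerts.append((src, "new external peers", new_ext))
            if len(todays) > _upper_bound(self._series(self.daily_flows, src), sigma):
                alerts.append((src, "flow count above baseline", len(todays)))
            ext_bytes = sum(f.nbytes for f in todays if is_external(f.dst))
            if ext_bytes > _upper_bound(self._series(self.daily_ext_bytes, src), sigma):
                alerts.append((src, "external bytes above baseline", ext_bytes))
        return alerts


FILE_SRV, MAIL_SRV, WEB_OUT = "10.1.2.10", "10.1.2.20", "203.0.113.8"
ALICE, BOB = "10.1.1.5", "10.1.1.6"  # constructed workstation addresses


def training_flows(days=14):
    """Constructed two-week baseline: regular traffic with mild daily variation."""
    flows = []
    for d in range(1, days + 1):
        flows += [Flow(d, ALICE, FILE_SRV, 5000)] * (10 + d % 3)
        flows += [Flow(d, ALICE, MAIL_SRV, 800)] * 5
        flows += [Flow(d, ALICE, WEB_OUT, 2000)] * (3 + d % 2)
        flows += [Flow(d, BOB, FILE_SRV, 3000)] * 8
        flows += [Flow(d, BOB, MAIL_SRV, 800)] * 4
    return flows


def day15_flows():
    """Constructed analysis day: Alice's usual traffic plus one large upload to an
    address never seen before; Bob's usual traffic plus a sweep of 10.1.3.0/24."""
    flows = [Flow(15, ALICE, FILE_SRV, 5000)] * 10
    flows += [Flow(15, ALICE, MAIL_SRV, 800)] * 5
    flows += [Flow(15, ALICE, WEB_OUT, 2000)] * 3
    flows.append(Flow(15, ALICE, "198.51.100.77", 50_000_000))
    flows += [Flow(15, BOB, FILE_SRV, 3000)] * 8
    flows += [Flow(15, BOB, MAIL_SRV, 800)] * 4
    flows += [Flow(15, BOB, f"10.1.3.{i}", 60) for i in range(1, 31)]
    return flows


def run_demo():
    baseline = PeerBaseline()
    baseline.learn(training_flows())
    return baseline.detect(day15_flows())


if __name__ == "__main__":
    for src, reason, detail in run_demo():
        print(f"{src}: {reason}: {detail}")
```

On the constructed data, Alice's day-15 flow count stays inside her baseline, so only the unseen external address and the jump in outbound bytes are reported; Bob's sweep produces both a new-internal-peers alert and a flow-count alert. The design point worth carrying over is the floor in `_upper_bound`: a host whose training traffic is perfectly regular has zero standard deviation, and without some slack any change at all would alert.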