IARPA releases BAA for virtual user environment
- By Amanda Ziadeh
- Oct 25, 2016
The Intelligence Advanced Research Projects Activity is calling on all creative thinkers to help it roll out Phase 1 of its Virtuous User Environment, or VirtUE.
IARPA is looking for a more secure solution for cloud-based user computing environments (UCE), where workloads usually run in a virtual desktop infrastructure. However, VDIs aren’t capable of supporting the security analytics that are required to protect sensitive government users or workloads, IARPA Program Manager Kerry Long told GCN.
VirtUE is envisioned as a virtualized construct that runs nearly independently on an Amazon Web Services hypervisor and incorporates all the functionality and protections required to secure a user.
Long said he chose to focus on the desktop-as-a-service space because it is more complex and difficult to secure than the server side of cloud. “It’s the hardest of the problems, so let’s go ahead and tackle it,” he said.
When Long outlined VirtUE in August, he was preparing a research and development broad agency announcement, which was officially published on Oct. 18. The BAA seeks solutions for Phase 1 of VirtUE, which aims to deliver a sensor-enabled UCE that is more secure than current cloud environments. In Phase 2, the technologies developed in Phase 1 will be used to create “novel external analytics and security controls that leverage them.”
According to the BAA, the current government UCE is a Windows desktop OS that runs multiple applications hosted on either a dedicated physical computer or a virtualized desktop infrastructure. However, the document notes that UCEs in the cloud “offer no better resistance to external and internal attacks than legacy physical workstations that historically have been very prone to compromise.” They are likely to be highly targeted, share memory with security logging processes and are susceptible to credential-stealing techniques.
Additionally, VDI environments do not effectively detect threats or collect sufficient security-related information. They lack dynamic log collection, and they cannot alter their security processes based on threats.
Phase 1 of VirtUE intends to address these shortfalls and the security around big data analytics by delivering a UCE that reduces the exploitation of legacy and cloud-based vulnerabilities and provides multiple logging and protection options so it can quickly detect and adjust to emerging threats.
According to Long, the Phase 1 UCE requirement arose from the need for better monitoring of virtual workstation threats. “Before I can tackle Phase 2, I need a better workstation, I need a better sensor,” he said. By creating a virtual workspace capable of capturing numerous types and amounts of user environment data, Phase 2 respondents will have access to dynamic security analytics to detect and counter specific risks.
A VirtUE must reside on a cloud provider’s virtualized infrastructure, but it is not “conceptually restricted” to the construct of a VDI instance. Each VirtUE will run in its own virtual environment with an assigned risk profile in order to sense and respond to threats in its specific enterprise role or workload.
To do so, VirtUE will have three layers: resource, protection and logging. The resource layer addresses the role-based functions, like applications, services and network connections. The protection layer defends against specific risks targeting its resources, and the logging layer collects security-relevant data according to the risk profile.
Along with having to run on Amazon Web Services Elastic Compute Cloud, the Phase 1 BAA lists multiple requirements. For example, VirtUEs must be role-based, simpler and more modular than current VDI solutions so they present a smaller attack surface. They must include tailored protection options to adjust their sensors to threats. They must interact with legacy and Windows applications, communicate with other VirtUEs and incorporate an interface so users can access multiple authorized VirtUEs at once.
Perhaps most importantly, Long said he wants responses to be very creative. “I would love a few different performers to bid on this -- to come up with ideas that are very different from each other,” he said. Respondents should “unshackle” themselves from their current notions of a workstation, in the same way virtualization is free from the constraints of hardware.
Meanwhile, a test-and-evaluation team is creating a simulated analytics and control layer within AWS to assess the solutions’ security, functionality and performance against the requirements. The testing facility will be in the Johns Hopkins University’s Applied Physics Lab outside Baltimore, Md.
At the end of Phase 1, developers will provide the technologies, code and documentation to the testing team so that the solution can be tested. IARPA will also publish all technologies and documentation on GitHub.
“We’re hoping that by providing it to the open source community and providing a lot of results, that commercial companies will pick it up and bring it the rest of the way,” Long said. Though Phase 3 is intended to result in a fully functioning VirtUE prototype using the technologies from Phase 2, developers could leverage the solutions from each phase separately.
IARPA anticipates the BAA resulting in multiple awards in the form of procurement contracts, grants, cooperative agreements or other transactions.
Responses are due by Dec. 12.
Amanda Ziadeh is a former reporter/producer for GCN.