GCN Tech Blog

By GCN Staff


Multilevel security pricing, take two

These few working days before New Year's Eve are always a slow stretch for the GCN Tech Blog. It's a good time to catch up on old business.

One item we needed to follow up on was an entry last month about the costs of implementing multilevel security systems, or computers that could access networks of differing levels of security.

At the Red Hat Users and Developers Conference held a few months back, Trusted Computer Solutions (TCS) chief operating officer Ed Hammersla made the case that it was less expensive to implement an SELinux-based MLS system than one based on Solaris Trusted Extensions, offered by Sun Microsystems.

Specifically, Hammersla noted that the Sun implementation would cost $3,024 per client, while the SELinux TCS package would cost about $609.

Bill Vass, head of Sun Federal, has since disputed those numbers in a subsequent interview with GCN.

Vass noted that, on an equivalent implementation, "our solution is half the price of theirs," or about $317 per user.

He said the price difference came about because TCS compared a price of a Sun implementation done for the Defense Intelligence Agency, one that connected to 21 networks, to its own implementation, priced for connecting to 2 networks.

The price difference came about purely because, according to Vass, DIA needed to run a high-end server capable of holding 21 network cards. The additional cost per user came strictly from the purchase of such premium hardware, which would be necessary with the TCS implementation as well.

He did agree with the underlying premise of Hammersla's point though, that multi-level security is becoming more of a commodity market, with prices dropping as the components become more standardized. It's good news for the intelligence agencies.

"You can run on our solutions on anyone's hardware," Vass said.

Posted by Joab Jackson on Dec 28, 2007 at 9:39 AM



Reader Comments

Tue, Mar 4, 2008 Charles Robinson

Seems like the community could benefit from a standard MLS thin client benchmark. All are familiar with SPEC and other benchmark standards for many different categories of systems. This would make it easier for independent organizations to compare apples to apples. Maybe it's time to create a standard benchmark and metrics for the MLS thin client space? Charles Robinson


Thu, Jan 17, 2008 Michael Pflueger VA

Interesting group of folks responding to this issue. For those of you who don't know John Totah is a world class expert on trusted operating systems, Bob Gourley is the former CTO at DIA and a respected technologist, Ed H who is a bit new in the trusted world but is well versed on the subject and Bill V a former Senior Executive Service member, CIO ... and all friends. My pedigree - retired CIO DIA - sort of created this whole DTW thing in DOD (but the true credit goes to a young Navy Commander now retired in Texas but continuing the multi-level battles with TCS). Bottom line - there is no magic - the Linux solution has a higher ROI quite simply because the desktop is a tad thicker so the back-end requires less cycles hence reduced server costs. Mike Pflueger

Mon, Jan 14, 2008 Bob Gourley VA

Seems like the community might be in need of cost comparisons done in a way that compares relevant factors. Maybe that is a service that GCN or other news organizations could provide for us. GCN could provide a matrix that gives readers true costs of an enterprise thin client roll out. Maybe the left hand column of the matrix could be size of deployment (including seats and number of networks supported) and the top row could be costs such as server hardware cost, desktop hardware cost, software support costs, estimated power costs, and other key cost factors. The result would probably be a widely read and widely referenced report. In the absence of a report like that, I'd suggest government users who need ground truth try to establish contact with the government PMO for the largest thin client deployment in the IC (at DoDIIS) and solicit their thoughts/advice. v/r, Bob Gourley

Sat, Jan 12, 2008 John Totah CA

The cost comparison clarification should help to explain the multilevel security architectural differences and related trade-offs in an educational way. However, it is meaningless to provide economic analysis with the sketchy technical information in the comparison of an identical implementation using a $2M server with a $10K server. An obvious challenge is to show how an identical implementation using a $10K server can simply replace a $2M server. The actual exercise may be a futile effort because of the possible network topology differences and the types of processing the $2M server can perform that the $10K server can't. Speaking of network topology, there has been good research published over the years that may be relevant to the discussions today. One of the papers that includes useful trade-off analysis for information assurance security goals was presented by Steven R. Balmer (not to be confused with Steven A. Ballmer) and Cynthia E. Irvine: http://www.nps.navy.mil/cs/facultypages/faculty/irvine/Publications/Publications2000/NISSC00-TerminalServer.pdf It is also interesting to note that the high assurance computing examination includes yet another important operating system that must be acknowledged in this discussion. In some respects this 'take two' event seems like we're talking about 'Back to the Future' and 'Groundhog Day'. The shift of focus from the "server" to the thin client device is a natural evolution that has its own set of technical details that also shouldn't be glossed over with distorted technical information. There are some obvious advantages to providing more computing components at the client end point and it is expected that some conclusions will be immediately made - or at least enticing. As more applications are developed and deployed with true multilevel secure features, it will be interesting to see how the multilevel secure desktops on thin clients will also evolve.
As far as pricing goes, it's clear that the most significant factors that need to be better understood are the non-recurring capital expenditure for all server costs in the high(er) assurance (trusted multilevel secure network) infrastructure and the total annual recurring costs. A significant advantage that growing consumer base for multilevel secure thin client systems should benefit by are driven by the economies of scale principle and the positive trend toward open systems, open standards, and open source development. --John
