Microsoft is working with the US government in studying
one of the most pressing challenges in federal information security
- multilevel security workstations.
Microsoft chief security strategist Scott Charney said Microsoft
is working with the defence and intelligence communities to enable
analysts from different agencies and with varying security
clearances to access multiple networks through fewer
workstations.
"One possible solution is to provide increased functionality and
usability through multiple windows on a workstation that would
securely access multiple networks in a compartmentalised fashion,"
said Charney. "We are reviewing technical approaches."
The national security community has been trying to develop and
deploy a multilevel security workstation for years.
Such workstations would provide analysts who hold the
appropriate security clearance and have the ability to access
information across databases that may be compartmentalised or
"air-gapped" for security reasons.
It would also enable analysts who are not cleared for access to
the most sensitive information to still use the workstations.
The report by US Congress also highlighted intelligence failures
that contributed to the 11 September 2001 terrorist attacks.
Intelligence and law enforcement agents have been forced to use
multiple workstations to access information that is at different
classification levels or belongs to different agencies. It is a
process that not only slows information sharing but often prevents
it altogether.
The alternatives being studied by Microsoft, however,
include exploiting new capabilities of the Windows XP Pro operating
system and embedding security in the network rather than in the
end-user system.
Central to this effort is the use of virtual machines to access
multiple security domains - something the company calls Trusted
Multi-Net: Typhon XP.
The goal is to build on National Security Agency (NSA) research
using virtual machines to provide separation of security domains on
one desktop.
The effort uses VMware 3.02, which has already been evaluated by
the NSA. There are also plans to add support for Microsoft's
Virtual Machine Monitor.
Microsoft is also developing Typhon XP on Windows XPe
(embedded), which permits the removal of more operating system
features for added security.
Dan Verton wrties for Computerworld