Microsoft studies multilevel security desktops

Microsoft is working with the government in studying one of the most pressing challenges in federal information security -...

Microsoft is working with the US government in studying one of the most pressing challenges in federal information security - multilevel security workstations.

Microsoft chief security strategist Scott Charney said Microsoft is working with the defence and intelligence communities to enable analysts from different agencies and with varying security clearances to access multiple networks through fewer workstations. 

"One possible solution is to provide increased functionality and usability through multiple windows on a workstation that would securely access multiple networks in a compartmentalised fashion," said Charney. "We are reviewing technical approaches." 

The national security community has been trying to develop and deploy a multilevel security workstation for years.

Such workstations would provide analysts who hold the appropriate security clearance and have the ability to access information across databases that may be compartmentalised or "air-gapped" for security reasons.

It would also enable analysts who are not cleared for access to the most sensitive information to still use the workstations. 

The report by US Congress also highlighted intelligence failures that contributed to the 11 September 2001 terrorist attacks. Intelligence and law enforcement agents have been forced to use multiple workstations to access information that is at different classification levels or belongs to different agencies. It is a process that not only slows information sharing but often prevents it altogether. 

The alternatives being studied by Microsoft, however, include exploiting new capabilities of the Windows XP Pro operating system and embedding security in the network rather than in the end-user system.

Central to this effort is the use of virtual machines to access multiple security domains - something the company calls Trusted Multi-Net: Typhon XP. 

The goal is to build on National Security Agency (NSA) research using virtual machines to provide separation of security domains on one desktop.

The effort uses VMware 3.02, which has already been evaluated by the NSA. There are also plans to add support for Microsoft's Virtual Machine Monitor. 

Microsoft is also developing Typhon XP on Windows XPe (embedded), which permits the removal of more operating system features for added security.

Dan Verton wrties for Computerworld

Read more on IT risk management