Architecting, Implementing, and Supporting Multi-Level Security Eco-System in HPC, ISR, Big Data Analysis and Other Environments

A presentation at Supercomputing 2015 // SC15 in November 2015 in Austin, TX, USA by Shawn Wells

Slide 1

Applied Cross Domain: Red Hat Foundations Shawn Wells Office of the Chief Technologist, Red Hat Public Sector shawn@redhat.com || 443-534-0130

Slide 2

100,000+ projects: Participate / Integrate / Stabilize

CSCF participates in community-powered upstream projects, such as SELinux, OpenSCAP and the SCAP Security Guide. CSCF collaborates with Red Hat to integrate upstream projects into Enterprise Linux, fostering open community platforms. We commercialize these platforms together with a rich ecosystem of services and certifications, such as ICD 503 and CNSSI 12-53 accreditations.

Slide 3

Slide 4

SELinux
● Type Separation: How users, processes, and data are isolated
● Role Based Access Control (RBAC)
● MLS Policy

Slide 5

SELinux
● Type Separation: How users, processes, and data are isolated
● Role Based Access Control (RBAC)
● MLS Policy

Security Automation
● Configuration Monitoring
● Compliance Reports
● Secure Provisioning
● Remediation

Slide 6

SELinux Refresher
● Type Separation: How users, processes, and data are isolated
● Role Based Access Control (RBAC)
● MLS Policy

Security Automation
● Configuration Monitoring
● Compliance Reports
● Secure Provisioning
● Remediation

Certifications & Standards
● Common Criteria & NIAP
● Intelligence Community Directive 503 (ICD 503)
● US Government Configuration Baseline (USGCB)

Slide 7

SELinux Refresher

Slide 8

Multi-Level Security (MLS) Policy
• Focuses on confidentiality (i.e. separation of multiple classifications of data)

Slide 9

Multi-Level Security (MLS) Policy
• Focuses on confidentiality (i.e. separation of multiple classifications of data)
• Ability to manage {processes, users} with varying levels of access (i.e. “the need to know”)

Slide 10

Multi-Level Security (MLS) Policy
• Focuses on confidentiality (i.e. separation of multiple classifications of data)
• Ability to manage {processes, users} with varying levels of access (i.e. “the need to know”)
• Uses category & sensitivity levels

Slide 11

Sensitivity Labels

Slide 12

Category Labels

Slide 13

Polyinstantiation

# id -Z
staff_u:WebServer_Admin_r:WebServer_Admin_t:s0:c0
# ls -l /data
secret-file-1 secret-file-2
# id -Z
staff_u:WebServer_Admin_r:WebServer_Admin_t:s1:c0
# ls -l /data
secret-file-1 secret-file-2 top-secret-file-1
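The listing above is the visible effect of MLS label dominance: the same directory shows more files to a subject at s1:c0 than at s0:c0 because s1:c0 dominates s0:c0 (at least as sensitive, and holding every category the file carries). The following Python model, added here as an illustration and not code from the talk or from SELinux itself, parses sensitivity and category labels (including the `c0.c3` range and `s0-s1` clearance forms), implements the dominance check, and reproduces the slide's two `ls` results against a constructed `/data` listing whose labels are an assumption drawn from what the slide shows. The `can_write` rule is the textbook no-write-down property; the constraints in a real SELinux MLS policy are stricter for many object classes.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity (s0 < s1 < ...) plus a set of categories (c0, c1, ...)."""
    sensitivity: int
    categories: frozenset


_CAT_RE = re.compile(r"c(\d+)(?:\.c(\d+))?")  # a single category "c2" or a range "c2.c5"


def parse_level(text):
    """Parse an SELinux MLS level such as 's1:c0,c2.c4' into Level(1, {0, 2, 3, 4})."""
    m = re.fullmatch(r"s(\d+)(?::(.+))?", text.strip())
    if not m:
        raise ValueError(f"bad MLS level: {text!r}")
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            cm = _CAT_RE.fullmatch(part)
            if not cm:
                raise ValueError(f"bad category spec: {part!r}")
            lo = int(cm.group(1))
            hi = int(cm.group(2)) if cm.group(2) else lo
            if hi < lo:
                raise ValueError(f"inverted category range: {part!r}")
            cats.update(range(lo, hi + 1))
    return Level(int(m.group(1)), frozenset(cats))


def dominates(a, b):
    """a dominates b when a is at least as sensitive and holds every category b carries."""
    return a.sensitivity >= b.sensitivity and b.categories <= a.categories


def subject_level(context):
    """Extract the effective level from a full context 'user:role:type:level'.

    If the level field is a clearance range 'low-high', the high end is used, since
    that is the most a subject could ever read up to (a real process runs at one
    current level within its range)."""
    fields = context.split(":", 3)
    if len(fields) != 4:
        raise ValueError(f"bad security context: {context!r}")
    return parse_level(fields[3].split("-")[-1])


# Constructed contents of /data with the labels the slide implies (an assumption):
# the two secret files sit at s0:c0, the top-secret file at s1:c0.
DATA_DIR = {
    "secret-file-1": "s0:c0",
    "secret-file-2": "s0:c0",
    "top-secret-file-1": "s1:c0",
}


def visible_files(context, listing=DATA_DIR):
    """Names a subject with this context may read (simple-security property: read down only)."""
    subj = subject_level(context)
    return sorted(name for name, label in listing.items() if dominates(subj, parse_level(label)))


def can_write(context, target_label):
    """*-property: no write down, so the target object must dominate the subject."""
    return dominates(parse_level(target_label), subject_level(context))


if __name__ == "__main__":
    # Replays the two sessions from the slide against the constructed listing.
    for ctx in ("staff_u:WebServer_Admin_r:WebServer_Admin_t:s0:c0",
                "staff_u:WebServer_Admin_r:WebServer_Admin_t:s1:c0"):
        print(f"# id -Z\n{ctx}\n# ls /data\n{' '.join(visible_files(ctx))}")
```

A subject at s1:c1 sees nothing in this listing even though its sensitivity is higher, because it lacks category c0; that is the "need to know" half of the slide's definition, and it is the check that catches a common mistake of reasoning about MLS by sensitivity alone.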

Slide 14

Certifications & Standards

Slide 15

NSA C63 (aka NIAP) & Red Hat: Where we’ve been… and next stop
RHEL 3: CAPP / EAL3+
RHEL 4: CAPP / EAL3+
RHEL 5: LSPP / EAL4+
RHEL 6: OSPP / EAL4+
RHEL 7: OSPP v3.9 / EAL4+

Slide 16

Slide 17

FIPS 140-2 Certs

Slide 18

docs.redhat.com
- Security Guide
- Admin. Guide
- Priv User Guide

Slide 19

Red Hat corporate development & responsibilities

Slide 20

We use Atsec http://red.ht/1kWN8ZZ

Slide 21

Common Criteria != Compliance Policy

Slide 22

ICD 503, STIG, FISMA

Compliance Policy

Slide 23

Slide 24

SCAP Security Guide http://open-scap.org, http://github.com/OpenSCAP
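The "Compliance Reports" item under Security Automation (slide 5) is, in practice, the XCCDF results file that OpenSCAP writes after evaluating a SCAP Security Guide profile. The following Python, added here as an illustration rather than code from the talk, OpenSCAP or the SCAP Security Guide project, parses such a file and turns the per-rule results into a summary an accreditor would ask for: counts per outcome, a pass percentage over the scored rules, and the high-severity failures. The embedded XML is a constructed minimal XCCDF 1.2 `TestResult`; its benchmark, profile and rule identifiers are placeholders and not real SSG rule ids, and the only assumption about the real format is the XCCDF 1.2 namespace and the `rule-result`/`result` element structure.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed results fragment: four rule-result elements with placeholder ids.
# A real file produced by `oscap xccdf eval --results` carries many more.
SAMPLE_RESULTS = f"""
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_constructed">
  <TestResult id="xccdf_example_testresult_constructed" end-time="2015-11-16T10:00:00">
    <profile idref="xccdf_example_profile_constructed"/>
    <rule-result idref="xccdf_example_rule_sshd_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_selinux_enforcing" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_auditd_enabled" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_aide_installed" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return one dict per rule-result: rule id, severity and outcome string."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        res = rr.find("x:result", NS)
        outcome = res.text.strip() if res is not None and res.text else "unknown"
        rows.append({"rule": rr.get("idref"),
                     "severity": rr.get("severity", "unknown"),
                     "result": outcome})
    return rows


def summarize(rows):
    """Compliance summary: outcome counts, pass rate over scored rules, high-severity fails.

    Only 'pass' and 'fail' count toward the rate; 'notapplicable', 'notchecked' and
    similar outcomes are reported but deliberately excluded so they cannot inflate it."""
    counts = Counter(r["result"] for r in rows)
    scored = [r for r in rows if r["result"] in ("pass", "fail")]
    passed = sum(1 for r in scored if r["result"] == "pass")
    pass_pct = round(100.0 * passed / len(scored), 1) if scored else None
    failed_high = sorted(r["rule"] for r in rows
                         if r["result"] == "fail" and r["severity"] == "high")
    return {"counts": dict(counts), "pass_pct": pass_pct, "failed_high": failed_high}


if __name__ == "__main__":
    report = summarize(parse_results(SAMPLE_RESULTS))
    print(f"outcomes: {report['counts']}")
    print(f"pass rate (scored rules): {report['pass_pct']}%")
    for rule in report["failed_high"]:
        print(f"HIGH severity failure: {rule}")
```

Treating "not applicable" separately from "pass" matters when a report is used as accreditation evidence: a host on which most rules are not applicable can show a 100% pass rate while very little was actually checked, so the counts belong next to the percentage.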

Slide 25

Slide 26

Slide 27

Slide 28

Slide 29

Slide 30

Slide 31

Shawn Wells Director, Innovation Programs Office of the Chief Technologist, Red Hat Public Sector shawn@redhat.com || 443-534-0130