Intel Security Through Innovation Summit - General Session

WELCOME REMARKSGoldy Kamali President & CEO FedScoop

OPENING REMARKS

Area Director, U.S. Federal, Intel

Jason Kimrey Ken KartsenVP of Federal, Intel Security

Michael DeCesarePresident, McAfee

OPENING KEYNOTE

Malcolm HarkinsVP & CSPO, Intel

PRACTICAL CONSIDERATIONS FOR BUSINESSSURVIVABILITY IN THE INFORMATION AGE

Intel & McAfee Confidential

Business Control Vs. Business VelocityPractical Considerations for Business Survivability in the Information AgeMalcolm Harkins

Vice President, Chief Security and Privacy Officer


Legal Notices

This presentation is for informational purposes only. INTEL MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

BunnyPeople, Celeron, Celeron Inside, Centrino, Centrino Inside, Core Inside, i960, Intel, the Intel logo, Intel AppUp, Intel Atom, Intel Atom Inside, Intel Core, Intel Inside, the Intel Inside logo, Intel NetBurst, Intel NetMerge, Intel NetStructure, Intel SingleDriver, Intel SpeedStep, Intel Sponsors of Tomorrow., the Intel Sponsors of Tomorrow. logo, Intel StrataFlash, Intel Viiv, Intel vPro, Intel XScale, InTru, the InTru logo, InTru soundmark, Itanium, Itanium Inside, MCS, MMX, Moblin, Pentium, Pentium Inside, skoool, the skoool logo, Sound Mark, The Journey Inside, vPro Inside, VTune, Xeon, and Xeon Inside are trademarks of Intel Corporation in the U.S. and other countries.

*Other names and brands may be claimed as the property of others.

Copyright © 2011, Intel Corporation. All rights reserved.

9


Late 1990’s…….

What’s Going On?

Steam and coal

Railways

Factories

Printing press – mass education

1.0Electrification, comms, oil, combustion engine

New materials

Highways, automobiles

Mass production

Internet, molecular biology, renewable energy sources

Super information highways

Smart “everything”

2.03.0

1860’s…….

* The Third Industrial Revolution: How Lateral Power is Transforming Energy, the Economy, and the World by Jeremy Rifkin, president of the Foundation on Economic Trends

*

We are still at the dawning of the third era… ...A new economic narrative is being written.

10

1760’s…….


1752Ben Franklin proved that static electricity and lightning were the same – this paved the way for the future

1800first electric

battery introduced

1821Faraday

invented the first electric

motor

1835First electric

relay invented

1844Morse invented the telegraph 1879

first light bulb – Thomas Edison

1882First DC power

station

1891First AC power station

1920<10% of British households wired connected

1750 1760 1770 1780 1790 1800 1810 1820 1830 1840 1850 1860 1870 1880 1890 1900 1910 1920 1930 1940

Rate of Change Will Approach Light Speed

1910Generation and distribution systems build out

Late 1920’sElectricity becoming pervasive

11


1951First Commercial Computer (Ferranti Mark 1)

1959Integrated Circuit is patented (Noyce/Kilby)

1969ARPANET (internet

forerunner)

1971First microprocessor (Intel 4004)

1997Google.com registered

1983First IBM PC compatible

laptops

2003Intel Centrino.

WiFi Hot spots. Broadband

2004Facebook launched

1991Tim Berners Lee publishes World

Wide Web

2007iPhone launched

2010iPad launched, other Android tablets follow

1950 1955 1960 1965 1970 1975 1980 1985 1990 1995 2000 2005 2010 2015

“if the Internet were a movie we’d still be in the opening credits”

Rate of Change Will Approach Light Speed

2012Embedded Intelligence in WTC

12


Unprecedented Change … Increased Opportunities & Risk

In this dynamic & complex environment, how do we: Reinforce & protect a culture of

integrity

Continuously create the culture to accelerate

Lead through our words & actions

Culture of Integrity

Lead

Protect

Create

13

New World of Digital Footprints and Attack Surfaces

The Internetof things

Copyright © Beecham Research 2011


14

15Intel & McAfee Confidential

Catastrophic Landscape FrameworkWhy? What? How?

Motivation

Attack

Target

Impact

Consequence


Catastrophic Landscape

Motivation

Attack

Target

Impact

Consequence

Numerous Possibilities

Which are Most Likely…


Security

Privacy

Compliance

Velocity

Cost

Protect - - - - - - - - - - Don’t Impede - - - - - - - - Enable

The Challenge and The Opportunity

17


Tuned to Target

Market Objectives Customer Needs

Enterprises

Cost andMaintenance

Productivity and User Experience

Risk and Compliance

18

What about a Formula One race car? 19

Designed for speed and safety 20

And discipline, control, communication, collaborationbetween the driver and the pit crew 21


End users are not like professional drivers…

22


That’s a lot of unnecessary risk

Silicon Valley CEO confesses that she doesn't use a

passcode to protect her smartphone


·INTEL CONFIDENTIAL

·When it comes to End users…

We’re in the Behavior Modification Business…

24


When it comes to their driving……we need to shape the path

25


How Do You Manage the Risk and Adapt?

Predict

Prevent

Detect

Respond

•Proactive Threat Investigations•Risk Based Privileges

•Data Enclaves•Endpoint Protection

•Central Logging Service•Browser Security

•Data Correlation / Alerting•Training and Awareness

Security Business

Intelligence

Data Protection

Identity & Access Mgmt.

Infrastructure Protection


Intel Security and Privacy Governance

Internal Audit

Corp Ethics Committee

BC/DR program

Self Audits

Threat Landscape

Briefs

Financial Plans

Drills & Table Top Exercises

Threat Management

Legal

Operational

Oversight Monitoring

External

Engagements

Peer Information

Sharing

Emerging Threat

Analysis

Emergency Management

Security & Privacy Office

Global Tax & Trade

Industry workgroups

Biz Unit MRC’s

•Annual Risk assessments

•Compliance Effectiveness Reviews

•Risk Governance through management committee’s

•Decentralized risk management processes & systems

•Operational with function level accountability

Sense Interpret Act

FormalBenchmarkin

g

Strategic Planning & discussions

27


·* Glynis Breakwell – The Psychology of Risk

Risk surrounds and envelops us.

Without understanding it,

we risk everything,

without capitalizing on it,

we gain nothing.*

28


Call to Action…Insuring TrustSecurity Built-In

Privacy by Design

Connected Security

Consequence and Impact

To the Users and Society

Evaluate and demand trustworthiness of the products and services you purchase/use

29


Smart

Trusted

Strong

Ubiquitous

Innovation to deliver more capable solutions to keep pace with threats

Solutions backed by Intel’s commitment, reputation, and expertise

Hardened, embedded, and faster technology, resistant to compromise

Security benefitting all users and devices across the compute landscape

Intel to Deliver the Next Generations of Security

30

FIRESIDE CHAT

CIO, DOD

Teri Takai

Nigel BallardDirector of Federal Marketing, Intel

THE FUTURE OF

INTEL SECURITYMichael FeyEVP, GM Corporate Products & Global CTO, Intel Security

IT LEADERSHIP

PANELDr. Kevin CharestCISO, HHS

Greg MaierCISO, TSA

Chuck McGannCorporate Information Security Officer, USPS

Moderator: Scott MontgomeryPublic Sector CTO &

VP, Intel Security

BREAKOUT SESSION

I10:35 a.m. – 11:20 a.m.Track 1: Continuous Diagnostics & Mitigation - Salon III A

Track 2: Advanced Threat Detection - Salon III B

Track 3: Empowering & Mobilizing Your Workforce - Plaza Ballroom I

Track 4: Agency IT Transformation/Cloud, Operational Efficiency - Plaza Ballroom II

BREAKOUT SESSION

II11:25 a.m.– 12:10 p.m.Track I: Inadequate Visibility, Collaboration, and Automation: Closing Gaps, Increasing Response, Preempting Unplanned Costs - Salon III A

Track 2: Virtualization for Future Agencies - Salon III B

Track 3: Maximizing the Value of Big Data Analytics - Plaza Ballroom I

Track 4: Eliminating Cyber Theft & Reducing Risk - Plaza Ballroom II

KEYNOTE ADDRESSRoberta StempfleyActing Assistant Secretary of Cybersecurity & Communications, DHS

SECURITY THROUGH

HARDWARE VIRTUALIZATIONDr. Ryan DuranteChief, Cross Domain Solutions & Innovation at Air Force Research Laboratory

Click to Edit Master Title Style

Click to Edit Master Subtitle Style

Dr. Ryan J. Durante, DR-IV, DAFCAir Force Research LaboratoryAFRL/[email protected]

Hardware Based SecurityA Practitioner's PerspectiveUpdated 31 March 2014

SAF PA Case Number: 88ABW-2013-4408 The material was assigned a clearance of CLEARED on 17 OCT 2013

mailto:[email protected]



Overview

• Use Case Background• Architecture• Features• Hardware Support• Programmatics• Summary• POCs

UNCLASSIFIED

UNCLASSIFIED48



ODNI Use Case Background

• ODNI CIO requested AFRL develop a secure & robust collaboration architecture for the Intelligence Community and DoD

• Levied extraordinary security requirements– Must handle highly-secure/sensitive data and information– Zero tolerance for data exfiltration

• Minimal impact to host agency• Support high-performance applications• Rapid provisioning (4 hours)• Required rapid delivery (<10 months)

UNCLASSIFIED

49



SecureView™ – What is it?

• SecureView™ is a low-cost MILS (Multiple Independent Levels of Security) workstation based on COTS technology.– Runs on any Intel vPro personal computer – Based on a “Type 1” or bare metal client hypervisor

(Citrix XenClient XT)• Allows a single computer to host multiple guest virtual

machines (VMs) running at different classification levels.• Flexible solution to address a wide variety of use cases

– Supports Windows, Linux and Solaris guests– Supports both rich and thin client computing models– Single or multiple wires to desktop

UNCLASSIFIED

50

vPro: Intel CPU technologies that enable management features such as monitoring, maintenance, and management independent of the state of the operating system.Type 1 hypervisor: A native, bare metal hypervisor which runs directly on the host's hardware to control the hardware and to manage the operating systems which run on a level above the hypervisor.



Why SecureView™ is needed?

Before SecureView™

• Separate PC required for each security domain

After SecureView™

• Access applications and data from multiple security domains on a single desktop

• Reduces footprint, power, and admin cost• Increases security



SecureView™ User Interface

52



Security Foundation

• Establish Secure Isolation in the hardware– Intel Virtualization Technology Extensions (VT-x) : Hardware based X86 CPU

virtualization – Intel Virtualization Technology for Directed I/O (VT-d): Hardware based Input &

Output Memory Management Unit (IOMMU) that utilizes DMA mapping and direct PCI assignment

• Utilize VM isolation to minimize attack surface and constrain exploits– Assume attackers will compromise guest VMs, limit their mobility

• Constrain Allowable Operations– Use NSA Security Enhanced Linux (SELinux) to limit how Service VMs can use

resources– NSA Xen Security Modules (XSM) to limit how hypervisor can use resources– Limit mobility of malware with policy constraints on capabilities (i.e. USB)

• Verify Integrity through Trusted Boot– Measure and store initial system state in the Trusted Platform Module (TPM)– When booted, current core system re-measured and results verified

• Protect Data at Rest and in Transit using encryption– Trusted Boot mechanism locks core system components until verified – Encrypt all sensitive components including configuration, service VMs, and

optionally guest VM images to protect from offline tampering – Encrypt network comms. within IPSEC VPN tunnels to protect data in transit

Intel vPro Hardware

XenClient XT (Hypervisor / VMM)

VPN

VM

(VPN

Isol

ation

)

ND

VM(N

etw

ork

Isol

ation

)

Xen Security Modules (XSM)SE SE

Guest VM

WindowsOS

Guest VM

LinuxOS

Service VMs

VT-dVT-x

TXTTPM

Hypervisor = Virtual Machine Manager (VMM)

53



Trusted Boot with Intel TXT

Install known good image

Core System Measured Measurements stored in TPM

Core system re-measured by Intel TXT on every boot

Measurement used to unlock encryption keys and

configuration

Only then can you boot ‘guest’ (Windows) VMs

54



SecureView™ 2.0 Architecture

55

Optional Service VMs

XenClient XT

Control Domain

Hardware

Standard Service VMs

User

Inte

rface

(UIV

M)

SELinux

Xen Security Modules

VT-d TXTVT-x AES-NI

UserVM 1

UserVM n

Policy Granularit

y

UserVM 2

Policy Granularit

y

Policy Granularit

y

Mu

ltiV

iew

Th

inV

Ms

Encrypted VM Storage

Encrypted Security Platform

nVidia/ATI GPUs

IntelIntegrated

GPU

Netw

ork

(N

DV

M)

Man

ag

em

en

t C

lien

t (s

yn

cvm

)Encrypted VM Configuration

BIOS OROMs

VP

N I

sola

tion

VP

N I

sola

tion

VP

N I

sola

tion

Netw

ork

(N

DV

M)

TPM



Typical Network Architecture

Network 1

Network 2

Single wire to workstation

Standard COTS VPN Concentrator(s)

SecureView™Workstation

56

Network 3



Features

• Management Server – Enterprise Scalability

• Secure Seamless Windowing – MultiView– Consolidated view of multiple security domains

• ConnectView/Linux ThinVM– Seamless support for virtualized environments

• Multi-Layer Suite B VPN Communications– Connectivity to classified environments w/o expensive TACLANES

• NSA Certified Full Disk Encryption– Addresses Data at Rest requirements

57



• Enterprise Scalability– Deploy new VMs– Delete managed VMs– Reconfigure existing VMs– Configure platform– Upgrade platform– Status monitor

58

Management Server



• Secure Seamless Windowing – MultiView– Allows Windows applications from different security domains to be seen simultaneously on the same screen

Seamless Windowing - MultiView

59



• Secure Seamless Windowing – MultiView– Allows Windows applications from different security domains to be seen simultaneously on the same screen

Seamless Windowing - MultiView

60



ConnectView/Linux ThinVM

• Linux ThinVM– Virtual desktop access

• Citrix ICA• Microsoft RDP• VMWare View

– Isolated web browser– Seamless desktop– No data persistence– Read-only and measured– Shared image (saves storage)

61

• ConnectView–Dynamically create ThinVM and paired

VPNVM –Allows AD/Hoc connections to other

networks (if allowed)



Thin Client Support

• SecureView™ can be configured as a “Thin” Client

– No local data– No local apps– Only locally installed app is a VDI

client in a thin RO encrypted VM.

• Variety of small and ultra small factor desktop appliances are supported

• Supports “Zero Touch” – small footprint updated remotely if/when required

62



Mobility Support

• SecureView™ support Intel vPro based tablets

– Panasonic Toughpad– Samsung Slate– Dell Venue 11 Pro (testing)

• Two (soon to be three) major IC Agencies are using SV tablets for their senior leadership w/wireless

63



Multi-Layer Suite-B VPN

• VPN Options– Single Low-over-High VPN

• Example: Tunnel SIPR over JWICS– Double-nested Suite B VPN (NSA CSfC)

• Example: Tunnel JWICS over SIPR or Internet– Supported Vendors

• Cisco• Aruba

64



NSA Certified Full Disk Encryption

• Certified Full Disk Encryption– Hardware encryption of disks– Use TCG standard methods– Use COTS OPAL-compliant self-

encrypting drives– Working with NSA to establish

CSfC capability package by Sep 14– Establishes Data at Rest (DaR)

protection65



GlowView

– Colored keyboards to identify security level of current mouse focus/action

– Security level color is associated with each Guest VM

• Color changes based on where keyboard focus is given

– Logitech G510• Colored keys and LCD screen• LCD shows security label (text) and VM

name– Luxeed U7 Crossover

• Colored keys only

66



Example Cost

• Performance desktop computer $795 (AF QEB 2013A) + options– i.e. Dell Optiplex 7010/9010, HP Compaq Elite 8300, NCS Stratus, other

desktops and laptops• XenClient XT

– AFRL ELA : $249 for any quantity includes year 1 software maintenance– Citrix has enterprise agreements with many agencies

• Product may get bundled with other Citrix products

• AFRL Support– Installation – funding determined by level of support required– Sustainment – as low as $25 per seat at quantity

67



• SecureView™ savings are significant compared to alternative architectures– SecureView™ is estimated to reduce TCO by up to 67% over single-domain architectures and 45% savings over a thin-client, multi-

domain architecture.

• Analysis included: – Cost to deploy and support 10,000 users– Necessary build-out costs for client, server, network and other hardware over entire upgrade cycle– Impact of lost productivity when analysts using a server-hosted virtualization solution must wait for slow systems or heavily-loaded networks– Power costs, costs of pre-deployment preparation, deployment, and ongoing management costs over upgrade cycle

Total Cost of OwnershipSummary by Intel

Environment 4

UNCLASSIFIED

Domain A

Domain C

Single Encrypted “Grey Wire”to workstation

Standard COTS VPN Concentrator(s)

SecureViewvPro Workstation

5

Domain B

Network Storage with Network Services



68



CERTIFIED &ACCREDITED

Current Certification and ATOs

• SecureView™ was favorably evaluated against the NIST 800-53 Security Controls Catalog for – Confidentiality: HIGH, Integrity: HIGH , Availability: MEDIUM– Original v1.0 Authority To Operate (ATO) issued 10 August 2011

• Listed on UCDMO Baseline as CDS Access Solution - 4 April 2013• SV Certification & Accreditation Status

– AF DAA – DIACAP ATO: 4 June 2013– DIA Top Secret SCI And Below Interoperability (TSABI) ATO: 5 November 2013– AFISRA TSABI Certificate to Field (CTF): 18 November 2013– Secret and Below Interoperability (SABI): completed testing on 31 January 2014;

tentatively scheduled to meet CDTAB - April 2014

69



No Extensive Training Required

• Easy to setup, configure, and maintain– Qualified CSAs should have the skills– Even system admins cannot inadvertently create a cross-domain security breach

• Easy to use– Users adapt quickly to multi-domain features– Switching domains is like using a KVM switch

• Full documentation available (NIST/RMF)– System Security Plan (SSP)– Security Test Plan & Procedures (STP)– Master Security Requirements Matrix (MSRTM)– Installation & Configuration Guide (ICG)– Administrator Guide (AG)– User’s Guide (UG)– Integrated Support Plan (ISP)

UNCLASSIFIED

70



Summary

• SecureView™ provides multi-level client virtualization w/high security• Robust security via Intel’s hardware-based security features

– VT-d, VT-x, TPM, TXT, EPT, AES-NI• Low-cost commodity PC desktop hardware (or laptops)• True type 1 hypervisor for robust isolation and very high performance• COTS, w/100% open-source pedigree• More affordable and capable – TCO reduced by up to 67%• Avoids integrator/hardware vendor “Lock-in”• NIST 800-53 certified in compliance with latest Accreditation requirements• Hardware-based security options are available NOW.

– What are you waiting for?

UNCLASSIFIED

71



QuestionsUNCLASSIFIED

72



Points of Contact

Dr. Ryan Durante, AFRL/[email protected]

Section ChiefProgram Manager

Chief Engineer

Deputy Program Manager/Site Lead

Stephen Scheiderich, [email protected]

Kevin Pearson, AFRL/[email protected]

Capt Scott Hall, AFRL/[email protected]

John Woodruff, AFRL/[email protected]

Technical Lead

NIPR Email: [email protected] Website: https://extranet.if.afrl.af.mil/svSIPR Website: http://rie.afmc.af.smil.mil/svJWICS Website: http://www.rome.ic.gov/svTwitter: @SecureView_AFRL

UNCLASSIFIED

73

John Connelly, [email protected]

Program Manager - Developer

IT INNOVATION AT INTELEd GoldmanIT CTO, Information Technology, Intel

Intel Information Technology

IT Innovation at IntelEd Goldman

Enterprise Segment - CTO



Legal Notices

This presentation is for informational purposes only. INTEL MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.

* Other names and brands may be claimed as the property of others.


2



“Don't be encumbered by

history. Go off and do

something wonderful”Robert Noyce



2013 Intel IT Vital Statistics

6,500 IT employees59 global IT sites

>95,000 Intel employees164 Intel sites in 63 Countries

68 Data Centers91 Data Centers in 2010

75% of servers virtualized1

(42% in 2010, goal was 75%)

>147,000+ Devices85% of laptops encrypted>38,500 handheld devices

41 mobile applications developed

Source: Information provided by Intel IT as of Jan 20131 Percentage of applications virtualized in our Office and Enterprise environment

3



82

Intel IT’s Vision & Mission

Vision

Mission

IT will Accelerate Intel‘s Quest to Connect and Enrich the World

Grow Intel’s Business through Information Technology



4


• Incremental

• Systemic/Adjacent

• Transformational

Innovation must lead to value

6


7


Commitment Culture Clarity

8


Com

mit

men

t

9


“I have not failed. I've just found 10,000 ways that won't work.”

Thomas A. Edison

Cu

ltu

re

10


Cla

rity

11


IT Labs - Commitment

20 IT employees6 global IT sites

<.1% of IT budget

3

~50 projects/year(<.5% of projects)

3 Rotations

Involvement from 15+ groups


Proof of Technology

40-60% 60-80% 95%

Research

Proof of Concepts and Pilots

Implementation

Intel IT Labs - Culture

12


IT – Gaining Clarity

20 IT employees6 global IT sites

<.1% of IT budget

3

iCamps

IT Labs and Business Engagement

• IT led corporate strategic discussions

• Development Opportunities and Rotations

• Field Trips

• Partnership of Excellence Process & Voice of User Surveys

• Kiazen & other LSS

• Portfolio and Service innovation

• Direct customer request

• Walking in the shoes of the customers

Incremental Transformational

SwarmTeams


13


14



15


17

DISRUPTIVE

TECHNOLOGIES PANEL

Moderator: Candace WorleySVP & GM, Endpoint

Security, Intel Security

Chief Innovation Officer, Dept. of Labor

Xavier HughesGreg Clifton Director, DOD & Intelligence, Intel

David Bottom

Director, IT Services Directorate, NGA

Wolf TombeCTO, CBP, DHS

FIRESIDE CHAT

CIO, Executive Office of the President

Steven VanRoekel Goldy KamaliPresident & CEO

FedScoop

CLOSING REMARKS

Area Director, U.S. Federal, Intel

Jason Kimrey Ken KartsenVP of Federal, Intel Security

Intel Security Through Innovation Summit - General Session

Technology

Transcript of Intel Security Through Innovation Summit - General Session