Architecting, Implementing, and Supporting Multi-Level Security Eco-System in HPC, ISR, Big Data Analysis and Other Environments
A presentation at Supercomputing 2015 // SC15 in in Austin, TX, USA by Shawn Wells
Applied Cross Domain: Red Hat Foundations Shawn Wells Office of the Chief Technologist, Red Hat Public Sector shawn@redhat.com || 443-534-0130
100,000+ PROJECTS PARTICIPATE INTEGRATE STABILIZE CSCF participates in communitypowered upstream projects, such as SELinux, OpenSCAP and the SCAP Security Guide CSCF collaborates with Red Hat to integrate upstream projects into Enterprise Linux, fostering open community platforms. We commercialize these platforms together with a rich ecosystem of services and certifications, such as ICD 503 and CNSSI 12-53 accreditations.
SELinux ● Type Separation: How users, processes, and data are isolated ● Role Based Access Control (RBAC) ● MLS Policy
SELinux ● Type Separation: How users, processes, and data are isolated ● Role Based Access Control (RBAC) ● MLS Policy Security Automation ● Configuration Monitoring ● Compliance Reports ● Secure Provisioning ● Remediation
SELinux Refresher ● Type Separation: How users, processes, and data are isolated ● Role Based Access Control (RBAC) ● MLS Policy Certifications & Standards Security Automation Common Criteria & NIAP ● Configuration Monitoring ● Intelligence Community Directive 503 (ICD 503) ● Compliance Reports ● US Government Configuration Baseline (USGCB) ● Secure Provisioning ● Remediation ●
SELinux Refresher
Multi-Level Security (MLS) Policy •Focuses on confidentiality (i.e. separation of multiple classifications of data)
Multi-Level Security (MLS) Policy •Focuses on confidentiality (i.e. separation of multiple classifications of data) •Ability to manage {processes, users} with varying levels of access. (i.e. “the need to know”)
Multi-Level Security (MLS) Policy •Focuses on confidentiality (i.e. separation of multiple classifications of data) •Ability to manage {processes, users} with varying levels of access. (i.e. “the need to know”) •Uses category & sensitivity levels
Sensitivity Labels
Category Labels
Polyinstantiation # id –Z staff_u:WebServer_Admin_r:WebServer_Admin_t:s0:c0 # ls -l /data secret-file-1 secret-file 2 # id –Z staff_u:WebServer_Admin_r:WebServer_Admin_t:s1:c0 # ls -l /data secret-file-1 secret-file 2 top-secret-file-1
Certifications & Standards
NSA C63 (aka NIAP) & Red Hat: Where we’ve been… and next stop RHEL 3 CAPP / EAL3+ RHEL 4 CAPP / EAL3+ RHEL 5 LSPP / EAL4+ RHEL 6 OSPP / EAL4+ RHEL 7 OSPP v3.9 / EAL4+
FIPS 140-2 Certs
docs.redhat.com - Security Guide - Admin. Guide - Priv User Guide
Red Hat corporate development & responsibilities
We use Atsec http://red.ht/1kWN8ZZ
Common Criteria != Compliance Policy
ICD 503, STIG, FISMA
Compliance Policy
SCAP Security Guide http://open-scap.org, http://github.com/OpenSCAP
Shawn Wells Director, Innovation Programs Office of the Chief Technologist, Red Hat Public Sector shawn@redhat.com || 443-534-0130
Presenters: Joe Swartz, Joshua Koontz, Sarah Storms (Lockheed Martin Corporation); Nathan Rutman (Seagate Technology LLC), Shawn Wells (Red Hat, Inc.), Chuck White (Semper Fortis Solutions, LLC), Carl Smith (Altair Engineering, Inc.), Enoch Long (Splunk Inc.)
Historically cyber security in HPC has been limited to detecting intrusions rather than designing security from the beginning in a holistic, layered approach to protect the system. SELinux has provided the needed framework to address cyber security issues for a decade, but the lack of an HPC and data analysis eco-system based on SELinux and the perception that the resulting configuration is “hard” to use has prevented SELinux configurations from being widely accepted. This tutorial discusses the eco-system that has been developed and certified, debunk the “hard” perception, and illustrate approaches for both government and commercial applications.
The tutorial includes discussions on: • SELinux architecture and features • Scale-out Lustre Storage • Applications Performance on SELinux (Vectorization and Parallelization) • Big Data Analysis (Accumulo and Hadoop) • Relational Databases • Batch Queuing • Security Functions (Auditing and other Security Administration actions).
The tutorial is based on currently existing, certified and operational SELinux HPC eco-systems and the Department of Energy (DoE) Los Alamos National Labs (LANL) and DoD High Performance Computing Modernization Office (HPCMO) are working through evaluations with the intention of implementing in their systems.
for free. You
can too.
