The Los Alamos Super Vault Type Room May, 2008 Alex Kent Advanced - - PowerPoint PPT Presentation

the los alamos super vault type room
SMART_READER_LITE
LIVE PREVIEW

The Los Alamos Super Vault Type Room May, 2008 Alex Kent Advanced - - PowerPoint PPT Presentation

Oct 27, 2023 302 likes •496 views

The Los Alamos Super Vault Type Room May, 2008 Alex Kent Advanced Computing Solutions Program/Cyber Futures Laboratory Los Alamos National Laboratory U N C L A S S I F I E D Towards A Strategic Solution Space A decade of events

slide-1
SLIDE 1

U N C L A S S I F I E D

The Los Alamos Super Vault Type Room

Alex Kent

Advanced Computing Solutions Program/Cyber Futures Laboratory Los Alamos National Laboratory

May, 2008

slide-2
SLIDE 2

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

Towards A Strategic Solution Space

A decade of events…

  • Lost data/9-Points/Media incompatibility
  • Lost hard disks/Accountable Classified Removable Media
  • Lost barcodes/Increased ACREM accountability
  • Lost data/Thumb drives/Port blocking

Commonality

  • Trusted insiders (cleared) doing inadvertent or purposeful

actions resulting in loss

Solution

  • More ubiquitous control and security of classified information

both at rest and while in use

– Yet still allow a productive work environment?

slide-3
SLIDE 3

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

Think classified co-location facility managed like safety deposit boxes at a bank

Compartmentalized, segregated control Professionally managed environment Full-service computer center

  • Cooling, power backup, etc

System/data owners maintain final physical control

slide-4
SLIDE 4

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

The Paradigm: An Information/Data Glove Box

With data processing and storage residing within the well protected Super VTR environment:

Users can…

  • Create, manipulate, and management classified information

and data

Users cannot…

  • Electronically extract or remove classified information and data

Residual vulnerability reduced to the single threat of capturing low-bandwidth screen/keyboard/mouse data only

slide-5
SLIDE 5

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

Synergistic Integration

  • f Physical and Cyber Security Layers

SuperVTR

Q-Cleared, Human Reliability Program Complete Visual Control Vault Protections 2-person Controls, Formal Conduct of Ops. Air-gapped classified computing network Minimal Desktop Footprint Two-factor user authentication Intrusion, anomaly detection

Physical Security Cyber Security

slide-6
SLIDE 6

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

Integrated Safety and Security Management Human Performance Improvement

Layered security

  • Separate and well defined user and processing environments

Engineered controls

  • Centralized (server-side) control of user data ports
  • Constrained network environment
  • Simplified system management

Reduced opportunity for error

  • Focus expertise and responsibility
  • KISS

Increased user productivity

slide-7
SLIDE 7

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

Cost Saving and Simplification

  • Reduced information and physical security complexity
  • Reduced physical footprint
  • Reduced security services
  • Reduced risk of costly security incidents
  • Close down existing vaults and related staffing
  • Avoid vault sensor and alarm upgrade costs
  • Reduced security costs for desktops and related protections
  • Reduced VTR/Cyber security related work required by

programmatic staff

… while substantially increasing security and programmatic productivity

slide-8
SLIDE 8

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

Reduced Physical Vulnerability

slide-9
SLIDE 9

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

Comprehensive Classified Computing Capability

Super VTR “Data at Rest” Expanded S/RD Red Network Medialess Desktop Computing

Shifted Risk Enabling Foundation R e d u c e d C

  • m

p l e x i t y

“Data in Motion” “Data in Use”

slide-10
SLIDE 10

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

Moving the vulnerability/threat space from the

  • ffice environment to the Super VTR
  • Medialess office computing, minimal electronics
  • Finite selection of strongly vetted medialess desktop options
  • All data storage and control exists only within the Super VTR
  • Systems approach with complete end-to-end security
  • Specialized, restricted IP network outside of SVTR that only allows

medialess computing protocols to transit

  • Increased anomaly detection designed specific to the risks, threats, and

vulnerabilities of a classified, air-gapped network

  • Agility to respond to future threats and requirements
slide-11
SLIDE 11

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

Medialess IP-Terminal

Ubiquitous end-to-end security with robust usability

SuperVTR

LANL Red Network

User Authenticated, Encrypted Tunnel

  • Network booted, medialess
  • Minimal operating system
  • Hardware accelerated video
  • Tamper resistant
  • Network tightly restricted to

video/screen output and keyboard/mouse input

  • Distance flexibility
  • Encrypted, authenticated
  • All data, computation, and

servers contained within multi-layered physical and cyber protections

  • Professional management

See Ahmad Douglas’ NLIT08 talk on Medialess Computing for a comprehensive overview

slide-12
SLIDE 12

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

The Network: Tying it together

slide-13
SLIDE 13

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

The Super VTR Prototype

  • Planning began in Spring 2007, went operational in Summer 2007
  • Remodeled room within an existing computing facility
  • Focused on demonstrated both the physical and cyber concepts

and integration

  • Understanding that it was insufficient to meet the entire

Laboratory’s needs

  • Currently in full operation
  • Contains and services approximately 75% of LANL’s classified

ACREM

  • Provides classified medialess computing service to approximately

~150 users

  • Currently under expansion for supporting SIPRnet and other

classified computing with estimates to serve an additional 200 users

  • Other information services available
slide-14
SLIDE 14

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

Super VTR Prototype Cutout View

Customer Window Two-Person Controlled Entrance Professional Staff Computing ACREM and Document Storage

slide-15
SLIDE 15

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

Operational Super VTR Prototype

slide-16
SLIDE 16

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

From Prototype to Full Scale

Funding provided in LANL FY08 budget Planning underway Central standalone facility within main (TA-3) site Backup facility to follow

Metropolis NSSB SM-43 (D&D) NISC Proposed Site

North

slide-17
SLIDE 17

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

Enabled Future Technologies

Physical Security

  • Video monitoring and surveillance of the SVTR
  • Programmatic key control
  • RF control
  • RFID tagging
  • Biometrics

Cyber Security

  • Printed document water marks
  • Fully realized PL-3 cyber environment
  • STE bridge and audio capability on desktops (VoIP)
  • Authenticated print/copy/scan system
  • Security anomaly detection on cyber+physical
slide-18
SLIDE 18

UNCLASSIFIED

Operated by Los Alamos National Security, LLC for DOE/NNSA

Questions?

Contact Information: Alex Kent (alex@lanl.gov) Scott Miller (samiller@lanl.gov)