Transcription
WHITE PAPERWhen Secure KVM Isn’t EnoughIncrease Security and Flexibility with AdvancedSimultaneous Multilevel AccessHow an improved thin client infrastructure, that uses the cloud andAdvanced Simultaneous Multilevel Access technology, can replace secureKVM while doing more with less expense.
www.Raytheon.com/cyberproducts2
WHITE PAPER - When Secure KVM Isn’t EnoughContents1. Introduction42. Secure KVM Yesterday and Today43. A New Option for the Desktop:Secure Thin Client with Advanced Simultaneous Multilevel Access44. Software-based Multilevel Access versus KVM: A Clear Choice55. Security: The Main Driver76. Conclusion8866.230.13073
WHITE PAPER - When Secure KVM Isn’t EnoughIntroductionGovernment agencies are grappling with an increased need forsecure systems on one end and tight budgets on the other. Thisis nothing new as agencies have continually been challenged todo more with less. But today, technology seems to be workingin their favor. New technologies are not only helping to securedata and prevent its theft or loss, but are also contributing tothe bottom line with lower overall cost of ownership and theflexibility to deliver value far into the future. In this paper, wewill take a look at widely used secure KVM switching technologyand how an improved thin client infrastructure, that uses thecloud and Advanced Simultaneous Multilevel Access technology,can replace secure KVM while doing more with less expense.Secure KVM Yesterday and TodayA secure KVM switch is a hardware device that provides accessto individual PCs at multiple sensitivity levels, one at a time,from a single keyboard, monitor and mouse (KVM). Theswitch allows personnel to manually choose which networklevel to connect to, and to change back and forth betweenthem, although it only allows the user to view one system ata time. Depending on the type of KVM product, the switchmay present native connectors on the device where standardkeyboard, monitor and mouse cables are attached. Anothermethod is a single connector that aggregates connections at theswitch with three independent keyboard, monitor and mousecables. This method has been recently phased out and replacedwith a newer KVM cable that combines the keyboard, videoand mouse cables in a single wrapped extension cable. Thistechnology advancement has reduced the number of cablesneeded between the secure KVM switch and the connectedcomputers. These cables are costly, however, and many organizations opt to continue with the tangle of wires at each desk.The method of switching from one computer to anotherdepends on the switch. The original switches developed in thelate 1980’s used a rotary switch, which then evolved into pushbutton switches developed circa 1990. In both cases the KVMaligns operations between different computers and the user’skeyboard, monitor and mouse (user console).KVM switches differ in the number of computers that can beconnected. Traditional switching configurations range from2 to 16 possible computers attached to a single KVM device,but the standard KVM switch has four ports and allows fourcomputers to connect from one user console consisting of akeyboard, monitor, and mouse.www.raytheoncyber.comA New Option for the Desktop: Secure Thin Client withAdvanced Simultaneous Multilevel AccessWith the advent of Virtual Desktop Infrastructure (VDI),the access point or endpoint device can be separated fromthe physical machine. The virtual desktops reside securely inthe data center or cloud and they are redisplayed to the userthrough his or her endpoint device. The information accessedis entirely stored in a secure data center. Because the virtualdesktops are separate instances attached to separate sensitivitylevels or networks, they are able to be displayed to the usersimultaneously. Each desktop instance is a separate entity andno actions can be performed between them, such as cut-andpaste. Because data is stored in the cloud, security and accesscontrol is easier to maintain and audit. Cost savings are achievedwith less hardware and operational support.The VDI computing model has opened the doors tonext generation infrastructure models such as AdvancedSimultaneous Multilevel Access, which allows a user to securelyview more than one desktop environment and more than onesensitivity level, at a time (with KVM, the user may only viewone environment at a time). This has significant impact forusers throughout governments, intelligence communities, lawenforcement and other organizations looking to ensure security,trusted collaboration, mission and enterprise agility, andscalability while reducing costs.Within an Advanced Simultaneous Multilevel Accesssolution environment client endpoints are built on a readonly trusted operating system that enables users to accessprivate, community and classified clouds securely from asingle device through their familiar user interface. Solutionssuch as Raytheon Websense’s Trusted Thin Client providesecure simultaneous access to all authorized networks from asingle endpoint with streamlined administration needs. Thesolution is comprised of two components: client software anda Distribution Console. The Distribution Console is the gobetween from the individual networks to the endpoint device,can accept an unlimited number of network connections, andacts as a centralized audit repository to track use and activity.Cost savings are achieved with lesshardware and operational support.4
WHITE PAPER - When Secure KVM Isn’t EnoughSoftware-based Multilevel Access versus KVM: A ClearChoiceThere are a number of key elements well worth consideringwhen evaluating a secure KVM system versus a multilevel accesssolution.Data MonitoringData accessed through KVMs essentially cannot be monitoredwhich in today’s active blackhat environment is a seriousdrawback. A secure KVM system is assumed to be used in asecure environment and the devices themselves are reliable.However, if a new method of attack is developed through a KVMthere is no way for the organization to know that they have beencompromised. If an authorized user was stealing or tamperingwith data in an environment with only a secure KVM switch,there would be no way to audit or discover this illegal activity.Software-based multilevel access solutions, such asRaytheon Websense’s Trusted Thin Client solution, offer dataand performance monitoring through a centralized server actingas an administration and monitoring hub. The DistributionConsole is used to establish and maintain users, is a centralaudit repository for user activity including session security levelsaccessed, and it monitors system performance. So when it comesto data monitoring, whether for security or system performance,a thin client solution is the safest and most secure option.Desktop Real EstateCompared to a thin client installation, secure KVMs requiresignificantly more real estate both on top of the desk andunderneath. The KVM must be connected to each computerand user console (keyboard, monitor, mouse) at each desktoplocation. All of this hardware and cabling must be managed andsupported by administrative personnel on site. For example, if auser accessed networks at six different classification levels, theywould require two 4-port KVM switches, six separate CPUsunder the desk, and all the corresponding wiring, heating andcooling.There are a few important scenarios where this has significantimpact. The first is during deployment. Especially for largedeployments, a lot of manpower is necessary: every system mustbe taken out of the box, connected to computers and networks,and hooked up to monitors and other peripherals. It is laborintensive and largely prone to error. Post deployment, theissue continues with cleaning crews and employees pulling outcables and plugging them back in incorrectly. Trouble shootingthese systems is a methodical and tedious process consumingresources, and impacting productivity.866.230.1307Another scenario is the compromise of a secure location.Dismantling and then securing sensitive data on a KVM systemtakes time and a serious frenzy of hard work. With a thin clientinfrastructure, communications and connections to sensitivedata can be cut within seconds because nothing actually resideson the hardware onsite. The data center is in a safe location andthere is one cord to unplug from the endpoint.The Trusted Thin Client is able to handle 300 users (clients)on average per one Distribution Console. So when it comesto saving time and money, a multilevel simultaneous accesssolution is helping the government do more with less. WithKVM there is a keyboard, monitor and mouse on the desk,connected by cables to multiple computers that reside near orunderneath the desk. With the Trusted Thin Client model, thereis simply one endpoint client, typically a thin client device ora virtual machine client resident in the host PC or laptop, onthe desk. A multilevel access solution is much more adaptableto any office or tactical setting. The small footprint becomesvery apparent in tactical environments with recognizable spaceconstraints, such as ships, airframes, Humvees, and submarines.Users in these environments can more securely and efficientlyaccess all the required networks to execute their mission whilealso reclaiming much needed space.ScalabilityTrusted Thin Client provides the ability to support access to alarge number of security levels (15 ) from a single endpoint.In addition to direct security level access, Trusted Thin Clientprovides seamless access to remote networks in other TrustedThin Client environments (based on specific permissiongranted). This remote network access capability providesa cost-effective means to access needed networks and datawithout requiring the addition of extra wiring and networks toadminister.Dynamic ResponseTrusted Thin Client provides the ability to quickly anddynamically add security levels and access permissions. Accesspermissions electronically limit access to levels based on useraccess and/or endpoint.CompatibilityWhen it comes to connecting a secure KVM system to analready existing environment of peripherals, there are oftencompatibility issues. Although they can connect through theports, their systems cannot always talk to each other which cancause additional costs to the user. Peripherals such as mice,keyboards, and monitors do not adhere to any sort of standards5
WHITE PAPER - When Secure KVM Isn’t Enoughso there is a wide variety on the market. KVM vendors have togeneralize for peripherals they support and this often leaves outmany types and/or brands.The compatibility issue complicates the purchasing processwhen having to consider the different flavors of KVM (PS2,USB, VGA, DVI, Display port, dual head, quad head, CAC)and its compatibility with an organization’s already existingset of peripherals. In one example, during a large KVMdeployment, thousands of keyboards had to be replaced acrossan organization because the KVM system purchased turned outnot to be compatible with the keyboards the company alreadyowned. This caused a major delay in the customer’s deployment.A thin client model, by virtue of its simple infrastructure,reduces the compatibility variables. It will work with moststandard peripherals. This impacts ease and cost of deploymentand allows individuals to use the peripherals of their choice.PortabilityImagine trying to relocate 100 secure KVM users with all thecabling, systems and hardware. Then the effort required tokeep it all organized and redeployed in a new location. Thisis a cumbersome process and we see the cycle start again withcomplications in an error prone set up process, time spenttrouble shooting, etc. Moving a KVM system also presents asecurity risk and if a system was compromised, there would beno way to know that it happened or by whom.With a thin client solution, the smaller footprint allows formore flexible and streamlined portability. Most endpointsecurity issues are addressed with the data resident in the cloudrather than on the endpoint. Because there is only one wirefor each endpoint location, moving a system simply requiresauthenticating clients, wherever they may be within theenvironment, to the Distribution Console.Power ConsumptionWith KVM, each desktop needs power to support theworkstation, monitors and other peripherals, plus the KVMswitch and local network. Each individual KVM switch pullsapproximately 2 kilowatts, which is not significant when you areconsidering just a switch or two. But in a large enterprise theremay be 20,000 switches and power consumption rapidly addsup. With the Trusted Thin Client system there is one thin clientand one wire from the desktop per user. This saves money ona day to day basis but is also particularly impactful in the caseof an attack or natural disaster such as an earthquake or stormthat knocks out the central power source. The thin client systemwould require significantly less back-up generated power versusthe traditional KVM setup with all the power required to runmultiple PCs.Asset Tracking/Age MonitoringUsing secure KVMs requires the organization to maintain andkeep track of more assets and take constant measures to keepthem secure. Each KVM battery lasts four years from the date ofits initial activation. After four years, the switch deactivates, sothe dates of each switch’s deactivation must be tracked. There isalso an anti-tamper mechanism on each KVM, but, if the unit isopened, it stops functioning. This adds a layer of managementand asset tracking that is not necessary with a thin client solutionoutside of the standard refresh cycle.Network InfrastructureThe network infrastructure required to support the TrustedThin Client environment is heavily streamlined versus a KVMenvironment. Trusted Thin Client deploys one network wireto each desktop, regardless of the number of sensitivity levels,versus multiple wires – one for each network – in a KVM setup.The Impact of Trusted Thin ClientIn addition to increased security Trusted Thin Client is proven to deliver additionalsavings throughout the enterprise. One Intelligence Community customerexperienced the following results:SAVINGS/NET BENEFITS10 Value of Trusted Thin Client savings and other net benefits amounted tomore than 7.7 million over three years, for overall 54% ROI.Millions8642 Computer requirements were streamlined from three machines per user tojust one. Infrastructure savings came from a reduction in network needs (usingone instead of four to six networking connections for each workspace).Including the elimination of some area networks and redundant networkaccess switches.03 years7.7 154% ROIFigure 1 - The Impact of Trusted Thin Clientwww.raytheoncyber.com6
WHITE PAPER - When Secure KVM Isn’t EnoughSecurity: The Main DriverWhen it comes to comparing KVM and thin client in termsof security, there are so many benefits to Trusted Thin Clientsecurity that it warrants its own section in this paper. Theadvantages of a thin client model versus a secure KVM switchare the main driving factors for solutions like the Trusted ThinClient. Simply put, providing secure simultaneous access to allrequired networks from a single endpoint achieves the highestlevels of security available today in a desktop system. There is nolonger a need to work around the security architecture, which, byvirtue of its simple thin client model, keeps data safe and worksfor the users making them more productive and efficient. Peripheral Authentication. On a KVM system, anyperipheral may be plugged in and operated (if it iscompatible), and there is no authentication system in placeor customization of peripherals. With a thin client solution,peripherals can be specified, white listed and black listed. Auser can specify which peripheral to use, down to the serialnumber, or only use peripherals that are shielded so data isprotected.There are a few important areas where it is clear that a thin clientsolution such as Raytheon Websense’s Trusted Thin Client offersa more secure environment than KVM. Points of failure. KVM increases the quality and quantityof points of failure. All connections to a KVM are potentialpoints of failure. These are only as secure as the connectionto them. Key strokes can be stolen and connectionscompromised at each connection. This is not the case with athin client that uses only one connection that is maintainedand monitored for high levels of security. Desktop Security. It is easier to keep a data center securewhere the thin client system lives (the Distribution Consolein Trusted Thin Client), than at each individuals’ desk wherea KVM lives. Desktop environments are notoriously insecureand so the less equipment present on or around the desktop,the better. The thin client model has only one thin clientand one connection per desktop which is a much easierconfiguration to manage and secure. Monitoring. There is no monitoring with a KVM system.If there is a breach there will be no alarms or indicationsor ways to track it. A thin client system is monitored atthe centralized server console and audits user activity andsecurity levels accessed. Network. Only authorized clients can communicate onthe Trusted Thin Client network and authenticate to theDistribution Consoles. With KVM a standard networkconnection is available to any system. Accreditation. Trusted Thin Client is accredited at manylocations for both Top Secret/SCI and Below Interoperability(TSABI) and Secret and Below Interoperability (SABI) –and is included in the US Unified Cross Domain ServicesManagement Office (UCDSMO) baseline list. The SELinuxoperating system on which Trusted Thin Client runs iscertified under National Information Assurance Partnership(NIAP) for Common Criteria requirements. SecureKVM is certified under the NIAP for Common Criteriarequirements.Trusted Thin Client Data StorageVirtual AccessImplementationServersNetwork ATrusted Thin Client Trusted Thin Client Distribution ConsoleData StorageTrusted Thin Client ServersNetwork BRemote AccessImplementationTrusted Access MobileMobile AccessImplementationData StorageServersNetwork CFigure 2 - Trusted Thin Client Architecture866.230.13077
WHITE PAPER - When Secure KVM Isn’t EnoughConclusionGovernment agencies need the ability to provide users theflexibility to securely access agency data—at any sensitivitylevel, on any device, from any location—and ensure that theagencies deliver the right information to the right people at theright time. They need to do this within a cost structure thatfits agency budgets and the highest degree of security. The thinclient model, exemplified by Raytheon Websense’s TrustedThin Client solution with its Advanced Simultaneous MultilevelAccess technology, satisfies these requirements along with highlevels of agility. Where KVMs require a separate investment andindividual management of an external piece of hardware pluscabling per user, Trusted Thin Client consists of software for athin client and a Distribution Console. The cost advantages liein its simplicity with less hardware to manage, less resources todeploy, and less power needed for use. The newer technologyspeaks for itself in this case with lower cost of ownership andsuperior security against both internal and external threats.These advantages make Raytheon Websense’s Trusted ThinClient the obvious choice when considering a multilevel desktopinfrastructure investment.For further information contact:Raytheon Websense12950 Worldgate Drive, Suite 600Herndon, Virginia20170 USA866.230.1307www.raytheoncyber.comTrademarks and registered trademarks are property of their respective owners.Cleared for Public Release. Internal Reference # IIS2015-380Copyright 2015 Raytheon Company. All rights reserved. 300142.0715
such as Raytheon Websense's Trusted Thin Client provide secure simultaneous access to all authorized networks from a single endpoint with streamlined administration needs. The solution is comprised of two components: client software and a Distribution Console. The Distribution Console is the go-
