With roots in securing operating platforms in the most secure environments in the world, Tresys understands both the absolutes and the subtleties associated with making an enterprise secure.
Meeting the certification and accreditation (C&A) requirements for government agencies can be a challenging prospect, but it is vital to providing the foundation for strong security.
Tresys supports the following requirement sets on behalf of vendors and government customers to ensure that platforms meet C&A requirements.
Specific requirements sets we support include:
- Director of Central Intelligence Directive (DCID) 6/3
- The Security Control Catalog for National Security Systems (CNSSI) 1253
- Department of Defense (DOD) 8500.2
- National Institute of Science and Technology (NIST) Special Publication (SP) 800-53
- Defense Information Services Administration (DISA) Information Assurance Support Environment (IASE) Security Technical Implementation Guides (STIG)
- DOD Instruction 8510.01 - Defense Information Assurance Certification and Accreditation Process (DIACAP) supersedes DoD Information Technology Security Certification and Accreditation Process (DITSCAP).
- Committee on National Security Systems Instruction (CNSSI) 1253A
- Unified Cross Domain Management Office (UCDMO)
Services may include the following:
- Platform Compliance Assessment & Planning
- Platform Compliance Engineering & Development
- Platform Compliance Training & Support
Related Technologies:
Related Solutions:
At the core of today's desktop and data center initiatives around green IT, consolidation, and cost savings, virtualization offers many benefits, but it is not in itself a security tool.
While virtualization offers many benefits, it also requires careful engineering to maintain security between virtual environments. By maintaining the integrity of the virtualization layer, Tresys believes that virtualization can be used to enhance overall security. Our services and technologies reflect that approach. Specific focus areas for this service include:
- Harden the virtualization layer - focusing on the security configuration of the Xen hypervisor
- Architect a secure virtualization strategy including guest OS co-location and migration, to increase application workload separation and maintain appropriate levels of physical separation
- Develop multi-OS virtualization plan - such as separating Windows environments and/or applications in different virtual environments to ensure data integrity and overall system operational reliability
- Secure the virtual network layer including inserting security monitoring and intrusion detection into guest-to-guest communications on a single system
- Protect administrative privileges to the key virtualization layer
- Leverage virtualization to improve disaster recovery and response
Services may include the following:
- Secure Virtualization Planning
- Secure Virtualization Engineering & Custom Development
- Virtualization Security Deployments & Implementations
- Secure Virtualization Training & Support
Related Technologies:
Related Solutions:
Secure solutions begin with the creation of secure Linux system configurations that serve as a secure, regulatory compliant platform for application hosting.
Building on the secure foundations of strong Linux security, Tresys works with customers to designed and configure server and desktop environments to meet evolving security requirements. Areas of focus include:
- netfilter/iptables
- Discretionary access controls
- Centralized system management integration
- System integrity monitoring (e.g., AIDE)
- Security event monitoring (syslog and Linux audit)
- Administrative privilege controls (e.g., sudo)
- User authentication
- Remote access via secure protocols
- Network filesystem security
- SELinux
All phases of the system lifecycle are addressed, from repeatable configuration using kickstart to system decommissioning. Compatibility and integration with existing security infrastructure, such as Microsoft Active Directory, is emphasized.
Services may include the following:
- Platform Security Assessment
- Server & Desktop Hardening (Existing Systems and/or New Images)
- Platform Security Deployments, Implementations & Migrations
- Platform Security Training & Support
Related Technologies:
Related Solutions:
With adoption of SELinux on the rise, it is increasingly important that customers maintain a level of internal expertise around this technology.
The default SELinux policy included with Red Hat Enterprise Linux is widely acknowledged as effective at hardening the system and containing many zero-day exploits. However, where custom applications prevail or where specific system-level security requirements must be integrated, that policy requires additional customization. Tresys is the recognized leader in developing SELinux policies for applications or complete systems that ensure security, compliance, and compatibility.
Areas of focus include:
- Analyze security risk factors and regulatory compliance needs.
- Define mapping to organization's security requirements or standards and define strategy to meet requirements through localized policy.
- Assess the security configuration of existing and planned Linux systems, including the base operating system, security critical tools, and hosted applications.
- Review and optimize base SELinux policy.
- Review of related security infrastructure, including network controls, identity management, administrative privilege controls, change management systems, and security event auditing.
- Examine security procedures and policies with an emphasis on change management around security controls, system updating and patching, security monitoring, and security incident response.
- Develop SELinux policies unique to application, network, and regulatory requirements.
- Integrate and test the resulting application environment.
- Develop auditing and administrative guidelines and recommendations.
Services may include the following:
- SELinux Assessment & Roadmap
- SELinux Policy Engineering & Development
- Policy Deployments & Implementations
- See SELinux Training for more details
Tresys provides training for analyzing, testing, configuring, and developing policies for SELinux. Several different levels of training are available from basic SELinux architecture or policy primers, to advanced application policy development leveraging the latest SELinux management techniques. Each course is highly interactive and knowledgeable instructors can tailor the course to the class's interest. Tresys recommends that students be familiar with Linux and have a basic understanding of computer, network, or cyber security. Training scope includes the following:
The overall goals of the basic one-day course include understanding:
- The differences between Linux and SELinux and
- Type enforcement concepts.
The advanced policy development training, an intensive three-day course, extends the goals listed above to include:
- Understand and identify SELinux policy language,
- Build and install SELinux security policies,
- Analyze type enforcement security policies,
- Understand the multi-level security supported by SELinux, and
- Modify, test, and debug SELinux policies.
Related Technologies:
Related Solutions:
The benefits of open source are well understood and are driving both server and desktop migrations to Linux platforms, including migrations from proprietary environments.
Tresys Linux platform and deployment services help to deploy the latest Linux servers and desktops across the enterprise-quickly and cost-effectively. With Tresys migration and deployment services, customers benefit from our years of experience, integration expertise, and our "zero touch" tools and methodologies. This combination of expertise minimizes business disruption and reduces desktop total cost of ownership (TCO) by creating a simpler, more manageable/standardized Linux environment. Our intimate knowledge of the open source marketplace, Linux, and our unique relationships with major distributions enables Tresys to help organizations adopt Linux in a pragmatic manner - all while improving the overall operational reliability and security posture of the client.
Areas of focus include:
- Define mapping to organization's security requirements or standards and define strategy to meet requirements.
- Review of Linux migration path, including but not limited to servers, endpoints (e.g., desktops, mobile services, etc.), network services, storage, applications, database infrastructure, network topology, virtual private networks, secure channels, cloud computing, and additional services
- Design server or desktop architectures capable of meeting the organization's functional requirements.
- Develop of security policies and/or recommendations unique to application, network, and regulatory requirements.
- For migration efforts:
- Port existing applications or functional requirements from legacy trusted environment - both network and platform.
- Deploy new server or desktop environment
- Trusted Solaris or Solaris X to Red Hat Enterprise Linux migrations
- Novell SUSE to Red Hat Enterprise Linux migrations
- Microsoft Windows to Red Hat Enterprise Linux or Ubuntu desktop
- Novell SUSE, Red Hat Enterprise Linux, and / or Ubuntu deployments
- For Sun Trusted Solaris (TSOL) to Red Hat Enterprise Linux (RHEL) migrations, migrate existing policies to full-system, strict SELinux policies
- Create and execute operational, functional and security testing.
- Deploy and integrate developed applications per client needs.
- Develop auditing and administrative guidelines and recommendations
Services may include the following:
- Linux Platform Assessment & Roadmap
- Linux Server & Desktop Migrations
- Migration Training & Support
Related Technologies:
Related Solutions:
From the cloud to private networks, it is critical to secure the underlying infrastructure of a business and to ensure that business applications leverage that security.
Tresys enterprise security engineering services help customers in high risk environments to integrate business applications across diverse networks, while ensuring that critical assets remain isolated and protected.
Specific areas of focus include the following:
- Review of overall network topology and design, including virtual private networking (VPN) and wireless networks
- Integrate systems management and identity access solutions including red Hat Satellite, Red Hat IPA, Red Hat Certificate Server, and Red Hat Directory Server
- Perform baseline penetration and vulnerability assessment.
- Design, implement and integrate a network topology design where firewall, network access control, and intrusion detection placement to complement system and application security configuration.
- Review and integrate security requirements for platform and application requirements focusing on middleware solutions, including JBoss infrastructure and IBM WebSphere.
Services may include the following:
- Enterprise Network Assessment & Roadmap
- Enterprise Engineering
- Infrastructure Technology Deployments
- Training & Support