Government Agencies Lock Down Desktops
The Defense and Energy departments are leveraging desktop technologies to shore up security and better protect sensitive U.S. government data.
Despite the considerable amount of money and effort already spent on protecting sensitive U.S. government data, it's still at risk. But several government agencies are working hard to tighten up IT security.
The U.S. Department of Defense is using PC blades to address a longtime concern: that electromagnetic waves and stray currents or voltages carrying key characteristics of classified data could be intercepted by enemies of the United States and used to reconstruct that data, compromising national security. The Energy Department has been shoring up security since it learned that as many as several hundred of its computers were stolen, lost, or improperly inventoried at Los Alamos National Laboratory between 1999 and 2002. For these two departments, security starts at the desktop, where new configurations are being deployed to keep data safely stored away on back-end servers.
At Eglin Air Force Base in northwest Florida, the Defense Department is rolling out PC blades to engineers who design and test software for the F-15 fighter jet. Using PC blades from ClearCube Technology Inc., Eglin has created a "pristine environment for people to work in," says Roger Chilcott, a retired Air Force captain and senior engineer for engineering services provider Sentel Corp., a wholly owned subsidiary of defense contractor Dimensions International Inc. Sentel provides IT support and management services for Eglin. "The F-15 is basically a big flying computer," Chilcott says. "We do both developmental and operational testing of upgrades to the aircraft and its computers."
Since October, 15 of Chilcott's test engineers have been using PC blades and another 15 are scheduled to migrate from PCs to PC blades within the next year. For these engineers, the ability to consolidate their workspace and work securely means they can focus more of their attention on improving the F-15. "The F-15 is one of the Air Force's dominant platforms, with its air-to-air and air-to-ground combat capabilities," Chilcott says. "Until the F-22 comes into full production [next year], you still need the F-15."
Instead of five PCs in their work area, Chilcott's engineers now have five ClearCube C/Port devices, each the size of a videocassette, stacked on their desktops. Each one is connected via fiber optic cable to a separate back-end blade housed in racks in a separate room. The PC-blade configuration saves space, but more importantly it helps Eglin meet the Defense Department's security requirements regarding electromagnetic emissions. These so-called "Tempest" guidelines, also known as Emission Security, are designed to prevent the compromising emanations generated by microprocessors, PCs, monitors, printers, and even electric typewriters from being propagated via telephone lines, power lines, water pipes, grounding wires, and other media. Emission Security stipulates, for example, that a computer storing or accessing classified data must be at least 1 meter away from any conductive media and windows, which can dictate the parameters of users' workspaces.
ClearCube's PC blades exchange an analog signal with the C/Port desktop device that radiates no emissions, as opposed to the signal emitted by IP packets in a more conventional thin-client desktop setup, says Ken Knotts, ClearCube's director of marketing. ClearCube has also sold PC blades to Nellis Air Force Base in Las Vegas; the Homeland Security Department; and North American Aerospace Defense Command, or Norad.
Eglin's PC-blade implementation isn't cheap. The base is spending about $2,200 per network, meaning that an engineer requiring access to five networks runs up a bill of $11,000 for desktop equipment alone, Chilcott says. A comparable PC configuration costs about $7,500, he adds.
To move from network to network on their desktops, Eglin engineers use a Defense Department-approved KVM switch that enables a keyboard, video monitor, and mouse to control more than one computer at a time. By mid-December, ClearCube will introduce a virtual KVM switch embedded within its ClearCube Management Suite software to simplify movement from one network to another within its PC-blade system and alleviate the need for multiple C/Port desktop devices. This software-based switch will be loaded onto the back-end PC blades and controlled from a single C/Port on the user's desktop.
The security gained by PC blades and their potential to make the F-15 an even more potent fighting machine far outweigh the costs, Chilcott says. "We have a limited amount of space but an increasing number of users," he says. "Using ClearCube, in the same space I had 10 people, I can now put 14."
The Energy Department has likewise adopted greater desktop security measures to help turn around its recent history of data security problems. Energy's Oak Ridge, Tenn., Y-12 National Security Complex is deploying VenturCom Inc.'s BXP software to create a centrally managed IT environment and cut local desktop storage. That eliminates the need for hard drives, flash memory, bootable CDs, or any other form of data storage. BXP-enabled systems address their persistent storage requirements through network connectivity and what amounts to a virtual disk drive on a back-end server. The Oak Ridge facility is the key provider of "secondary" components to the United States' nuclear arsenal.
BXP keeps the central PC image on a server and streams the operating system and applications out to desktops. Oak Ridge is in the process of certifying these BXP-based workstations for design and manufacturing and by year's end will begin testing several BXP-based workstations. If successful, Oak Ridge will deploy an additional 40 workstations by May, with a goal of as many as 350 workstations in its office and manufacturing areas.
The Energy Department is still considering its options for expanding the diskless model to other facilities, such as Los Alamos. "We're all interested in diskless computing at this point," says Curt Holmes, Oak Ridge's technical computing manager. "This will help us integrate information across our facility, implement sensors on the machines that can signal for preventative maintenance, and create a continuous operation state."
The benefits should expand beyond security. "Once you've got the data back on your server, you have the ability to do things that weren't possible before because you had stovepipes," Holmes says. "We're going to come out of this with a very modern approach to data capture and decision support across our complex."