Steve Marsh, director of the U.K. government's Central Sponsor for Information Assurance (CSIA), has announced that IBM, and its partners Tresys Technology and Belmin Group, are working with the U.K. Cabinet Office to demonstrate one of the first mainstream mandatory access control (MAC) environments. The design is based upon Security Enhanced Linux and IBM WebSphere.
The government set out its vision for efficient, customer-centric public services in November 2005 in the document, "Transformational Government: Enabled by Technology." Given that many of these services would need to be delivered through complex information-supply chains, spanning central government, the wider public sector and private and voluntary sector organisations, the challenge lies in how it can be done securely.
Therefore, the ability to contain security breaches, using approaches such as MAC, can be a significant aid in developing systems that deliver the government's transformational agenda.
"We consider MAC to be a key enabling technology to aid government and businesses alike, in being confident they can deliver more services, more quickly, and with better function, without compromising security," said Marsh.
Gary Barnett, research director at Ovum, said the announcement shows the potential of public-private partnerships.
"This is an important announcement that shows how both government and business can take security to the next level," said Barnett.
"The traditional 'border control' approach to security will no longer be good enough as organizations, including government, are increasingly obliged to grant access to internal systems to a wider range of external parties. MAC addresses this issue by applying the 'need to know' security principle to operating systems; this means that rogue applications or malicious users are automatically contained and cannot cause damage beyond their immediate context. SELinux is the first commercially available operating system to implement this sophisticated level of security, and today's announcement shows how this can be combined with a commercial J2EE application server to form the basis of a complete solution," added Barnett.
Enterprises will also be able to take advantage of the technology, said Doc Shankar, worldwide Linux security lead for IBM.
"What we've demonstrated here with WebSphere and SELinux can be repeated with other software such as DB2 and business applications. In other words, through the use of this technology, any organization will have the ability to contain hackers, provide the necessary confinement for its applications and minimize damage to the enterprise," said Shankar.
The proof of concept is planned to go live this month at County Durham & Darlington Acute Hospitals NHS Trust and will focus on providing secure system access for the hospital's new finance system.