News

NSA Extends Access Control to Network Storage

The National Security Agency is leading an effort to extend its access control work into the arena of network file storage. The effort involves integrating NSA's Flask mandatory access control (MAC) architecture -- now the basis of Security-Enhanced Linux (SELinux) -- into the Network File System (NFS) protocol widely used for network-attached storage devices.

David Quigley of NSA's National Information Assurance Research Laboratory presented the latest work on the project, called Labeled NFS, at the 71st meeting of the Internet Engineering Task Force this week in Philadelphia. IETF currently oversees the NFS protocol.

NSA initiated and led the effort to develop SELinux, an implementation of NSA's Flask MAC architecture for Linux. With MAC, programs and users are assigned attributes such as security levels. Whenever a program spawns a process thread or calls a file, the attributes are checked against the organization's authorization rules.

By deploying MAC, organizations can ensure that machine intruders don't hijack programs to execute malicious tasks, and they can prevent employees from accessing documents they don't have permission to view.

Labeled NFS extends those features across the network. By having NFS handle MAC labels, someone using a trusted computer can read and write files and execute programs that reside on NFS-based network storage. Today, the Flask architecture requires that all programs and files be stored locally.

Labeled NFS can work in smart mode, which allows the file server to make access control decisions, or dumb mode, which means it takes instructions from the client machine.

James Morris, principal software engineer at Red Hat, published the first recommendation for this approach, originally called Security Enhanced NFS, last summer. The company incorporates SELinux into its Red Hat Enterprise Linux operating system.

In addition to SELinux, Labeled NFS could also support Solaris Trusted Extensions, TrustedBSD and Security Enhanced Darwin, a MAC-enhanced version of the Apple operating system.

About the Author

Joab Jackson is the chief technology editor of Government Computing News (GCN.com).

Featured

  • RAMBleed Side-Channel Attack Method Disclosed by Researchers

    Academic researchers this week published information about another side-channel attack method, called "RAMBleed," that can expose information from memory chips, including encryption key information.

  • Penguin

    Windows 10 Preview Build 18917 Shows Off New Linux Integration

    Microsoft's latest Windows 10 "fast-ring" preview release is showcasing a coming Delivery Optimization enhancement, along with the ability to try the newly emerged Windows Subsystem for Linux version 2.

  • Customizing Microsoft Office 365

    While the overall look and feel of Office 365 is pretty standard across organizations, there are several ways to personalize it and make it fit better with your company's specific needs.

  • Microsoft 365 Business Tenants Getting Conditional Access and Trouble-Ticket Features

    Microsoft added its conditional access security service to Microsoft 365 Business subscriptions, according to a Wednesday announcement, and it also added new trouble-ticket features for Microsoft 365 administrators.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.