However, many public bodies in Austria have historically chosen Windows as their end-user environment, and due to path dependence, are highly constrained against moving away from this standard. As a result, it is required that the OpenSecurity project support deployment to Microsoft Windows clients (specifically, MS Windows 7 64-bit is our reference architecture).

It is clear that this is a suboptimal solution in terms of security; indeed, the shortcomings of Windows in this respect have already been analysed. However, given the prevalence of Windows, this solution will have a bigger potential impact on the public sector. And while the resulting implementation of security by isolation will not be perfectly secure, it will nonetheless offer greatly enhanced security that is also compatible with institutional IT rollout and management processes.

During the coming months, our services will be installed in a limited production environment of two public administration stakeholders. These users will be able to provide feedback directly through the OpenSecurity service, and will also participate in an evaluation workshop and online survey. This feedback will allow us to further refine the service in terms of stability and usability.

Image source: Wikipedia License: CC-BY-SA

One cannot imagine the daily office routine without a performant internet connection or communication via email. Avoiding unintentional transfer of classified information through these communication channels is a big concern.

The usage of external data storage and mobile devices (laptops, smartphones, etc.) implies the risk of bringing classified information into circulation in case of loss or theft of the devices. This risk can only be reduced by data loss prevention mechanisms (DLP), as well as by encoding the classified information. Next to DLP and in the context of using internet and email the implementation of efficient malware protection mechanisms is an essential component of safe IT systems and information.

The Command Support Center wants to contribute to the OpenSecurity project because DLP and protective measures against malware play an important role in the context of infrastructure. The security solutions developed in the project could be partially or wholly implemented in future IT systems.

The work so far has resulted in a set of isolated core components interacting together to orchestrate dedicated virtual machines. The OpenSecurity components created in this process share well-defined open interfaces: RESTful API, CIFS and SSH. These protocols cleanly separate the different components of the OpenSecurity solution space, thus allowing the upgrade or even the complete exchange of these components without disrupting the concept and benefit of the whole system.

The central component of the OpenSecurity design is the OpenSecurity Management daemon, which starts and stops disposable virtual machines. These machines are instantiated templates which are created from the dedicated OpenSecurity Linux distribution derived from Debian 7.2. Other components take care of user interaction, device driver overlays, and embedding access from and to the virtual machines with respect to the current user session.

The team presented a live proof-of-concept in December, which demonstrated independent Virtual Box machines handling USB mass storage device actions like virus scanning and/or encryption, as well as a tight integration of an Internet Browsing application run inside a virtual machine but shown natively on a Windows 7 user session.

The on-going implementation work is now directed towards making the system stable, performant and flexible. Though the software components written in this context are rather small and the interfaces are all widely known and understood, the complexity stems from the fact that messages often do cross operating system boundaries with impact at very low level system functionalities. This situation plus the special characteristics and divergences of partly closed-source operating systems behaviours - even if coined "standard" - makes this a demanding and sophisticated endeavour.

Finally installation challenges must also be addressed in order to support both simple single-user one-click download setup-files as well as a full blown rollout on to thousands machines directed by a central IT department. As the OpenSecurity integration also relies on a range of well-developed and open source third-party software, version management is yet another complex task of its own to be tackled next.

OpenSecurity should prevent the loss and (un)intentional misuse of sensitive, citizen-related data held by public bodies. The aim of our research is to achieve a higher level of data security and availability, while reducing effort in deployment management and maintenance. To this end, the feasibility and possible implementation of a centralized security layer will be examined based on the principles of security by isolation, virus detection, and encryption. This layer will control, verify, and encrypt any and all communication that takes place on client devices. OpenSecurity will be provided under a license that allows both public verification and customization within heterogeneous ICT-system landscapes.

OpenSecurity is a two-year project, running until October 2014, funded by the Austrian FFG KIRAS security program. The primary stakeholders in the project are the Austrian Ministry of Defence (BMLVS) and the IKT Linz. These stakeholders have provided use cases and requirements for the project and will test and validate the project results. The AIT Austrian Institute of Technology GmbH is the primary research partner, supporting the industrial partners X-NET Services GmbH and IKARUS Security Software GmbH. Under the technical coordination of X-NET, this team is carrying out the technical implementation of the OpenSecurity solutions. The Linz Institute for Qualitative Analysis (LIquA) rounds off the consortium by providing an analysis of the impact of OpenSecurity in the context of employee data protection and privacy.