103 Bonaventura Drive | San Jose, CA 95134 USA +1-408-392-9131 | FAX +1-392-0319

https://www.SPYRUS.com

Confidential https://www.SPYRUS.com +1-408-392-9131 | FAX +1-392-0319

Texas A&M University Secure Research Enclave Authentication & Access Control

Use Case

SPYRUS Solutions, Inc. is pleased to provide this solution brief illustrating how our security solutions are employed by Texas A&M University (TAMU) for strong Authentication and Access Control necessary to protect Controlled Unclassified Information (CUI) Intellectual Property (IP) developed under Granted Research funded by the U.S. Government (USG).

The USG funds Higher Education more than $60 billion in research grants annually. The top 50 Research Universities (such as TAMU), each with tens of thousands network users, receive $100s of millions where the resultant CUI research must be protected with strong data protection, identity & access controls. For over a decade, foreign actors have been quietly collecting and exfiltrating research and data for both military, strategic and monetary advantages. As an example, a study by the Australian Strategic Policy Institute China’s People’s Liberation Army (PLA) is expanding its research collaboration with universities outside of China. The PLA sponsors more than 2,500 military scientists and engineers to study abroad and developed relationships with researchers and institutions. At TAMU, Principal Investigators (PI) are transparent and collaborative with their research. However, at any given time there are close to ten thousand visiting professors and graduate students, many from nations hostile to the USG. Traditionally access to the TAMU network, its servers and research data has not been segregated and mostly binary. Meaning anyone with a campus access username and password had the same access to most everything on the network. The USG has addressed this by creating a standard that governs CUI in Non-Federal Information Systems and Organizations. ... Doing so helps the federal government “successfully carry out its designated missions and business operations.” The USG is enforcing this standard by applying acquisition regulations that require compliance with this standard to all existing and future contracts and grants.

Maintaining security and ensuring that core, fundamental information assurance requirements are met, while respecting the research needs of staff, students, researchers, and independent contractors is essential to protecting research CUI. To that end, the TAMU Research Security Officer funded the development of a Secure Enclave and turned to SPYRUS to provide a easy to use, single sign-on Authentication and Access Control Solution that provides data protection at rest (at the servers and at the user device) and data in motion (between the servers and user devices).

At the heart of the TAMU solution is our enterprise management platform. The SEMS Platform manages devices protected by the SPYRUS Cryptographic Operating System (SPYCOS®) to provide a true end-to-end security approach to user access and the protection of data at rest; in transit in accordance with industry and USG compliance regulations. With the SEMS Platform user/ device management, enterprise administrators can centrally

register, block/ unblock, revoke, set policies, integrate 3rd party applications for secured access, audit, and “kill” SPYCOS protected devices, remotely. The SEMS Platform provides a high security and productivity solution for organizations deploying the strongest authentication encrypted access/ data protection when used by today’s mobile workforce; as well as, remote assets that includes audit and policy enforcement of high capacity, small form factor devices.

Common Management Platform Across the Entire Enterprise.

The SEMS Platform manages all enterprise endpoints via SPYCOS that can be integrated into any computing device. SPYCOS provides precise protection and management of all key material and algorithms necessary to achieve the highest levels of encryption and strong authentication.

Provision: an enterprise can manage their data assets wherever they are used via a central, web-based, easy to use management interface to control and monitor SPYCOS protected endpoints.

Secure: Robust role management for administrators, permits separation of responsibilities and enforcement of enterprise security policies. Recovery is easily facilitated to protect against data loss and employee downtime.

Manage: Maintains audit records of management activities performed at the Management Console, as well as endpoint activity on SPYCOS protected endpoints.

Terminate: keys protected with SPYCOS can be temporarily disabled or destroyed, on demand. When things go wrong, the ultimate assurance that your assets don’t fall into the wrong hands is provided. When things go really wrong, a remote device kill operation renders the data protected by SPYCOS unusable.

Our Cyber Security Systems Engineering team’s rich experience in data protection initiatives worked closely with TAMU to assist with architecting and implementing “data protection by design and by default” that eliminated data breach exposure of more than $500 million of Granted Research.

The TAMU implementation offers its users a simple single sign-on experience with the highest levels of protection: 1. The SPYRUS Toughboot is used to decrypt the devices Solid State

Drive and open PKI Store (with one or more activation codes as dictated by the enterprise).

Western Region/Asia/ Pacific Region Central Region Eastern Region/EMEA Tom Dickens Steve Tonkovich Rich Skibo tdickens@spyrus.com stonkovich@spyruswtg.com rskibo@spyrus.com

©Copyright 2013-2019, all rights reserved. For patent & Trademark restrictions visit https://www.spyrus.com/patent-markings

2. Microsoft PKI (“smartcard”) logon is invoked to achieve Controlled Domain Access. Note: the SPYCOS certificate store can be set up to require authentication (by time or per instance).

3. SPYCOS synchronizes with the SEMS Platform: policies are updated as required and audit data is synchronized.

4. PKI logon to Secure Enclave VPN is invoked via the same SPYCOS protected digital certificate / activation process.

5. PKI logon to each secure resource is invoked via the same SPYCOS digital certificate / activation process. Note: the same digital certificate can be used or SPYCOS can store multiple certificates to segregate each application server within the Secure Enclave.

Secure Enclave Implementation.

TAMU chose USB 3.0 Bootable Encrypted Storage Solid State Drives built with Common Criteria EAL 5+ components running SPYCOS, providing a fully Certified, FIPS 140-2 Level 3 user devices as a cost-effective means to provide secure authentication and data protection. This allows all users to use with any Personal Computer (PC) to serve as a hardware root of trust for unparalleled identity and/ or encryption key protection necessary to ensure protected information sharing and collaboration between only trusted entities. SPYCOS provides the highest level of protection for the authentication and encryption keys.

Once the device is activated with a user private activation code and personalized to the user, access to the encrypted data on the device and access to the Secure Enclave is available to that user with the SPYCOS protected keys. When the user device is connected SPYCOS communicates with the platform to receive updates and securely store any enterprise invoked policies set by the Secure Enclave administrator. That may include time to change the user’s private activation code, number of times the device can be used offline (if any), and other enterprise dictated policies. Additionally, each time the user is connected to the SEMS Platform, audit functionality is synchronized.

The audit functionality allows the enterprise to monitor user actions as well as to control access to the use of the devices in the ecosystem. By capturing log-on and log-off activities, device disable, enable and activation code recovery actions, the instructor can monitor users and devices to determine patterns of use and to detect suspect operational behavior and take corrective action, including destroying a device in the hands of the user.

The SEMS Platform audits user activities including security, configuration events such as, adding administrators, assigning or removing administrators’ group permissions, and changing administrators’ activation codes.

Sample Device Event Audit Console.

The SPYRUS philosophy of doing it right, meeting all specifications and exceeding customer expectations without compromise, is the cornerstone of our success for over 25 years:

• First edge hardware cyptographic protection to the market in 1993 used by the US DoD to deploy the first PKI for secure messaging.

• Collaboration on Secure Electronic Infrastructure for the United Nations and the protection system for the Cal ISO electric grid.

• Brought to market the Signal Identity Manager (registration authority) for the first Microsoft CA Server 2000.

• Introduced cost effective LYNKS Series II Secure Backup System for on premise RSA and Elliptic Curve PKIs.

• Granted license to provision Windows Embedded on encrypting USB devices in 2009, adopted by Microsoft as Windows To Go in 2012.

• Introduced the first FIPS 140-2 Level 3 Validated Rosetta™ Hardware Secure Key Backup and Recovery System leveraging our patented K of N authentication technology implemented in SPYCOS.

• NcryptNshareTM Platfrom deployed in U.S. DoD, Department of State Diplomatic Security and the Canadian Government to protect sensitive data to the secret level.

• Partnered with Sectigo to service IoT market providing high assurance, remote unmanned key provisioning and management.

This legacy provides for the highest levels of trust with the following key features of SPYCOS protected devices:

• Tamper-protected Zeroization • Secure Key Backup & Recovery • AES -128/192/256 (ECB, CBC, CTR); 3DES • SHA-1/SHA-224/256/384/512 (HMAC support) • ECDSA P-256/384/521/ Legacy RSA • ECDH • High-entropy RNG (SP800-90 & FIPS 186-2) • HashDRBG • OATH (Time based OTP) • Extensive Security Fault alarms • Cryptographic Data Firewall • Anti-cloning • Split Knowledge Algorithm • Signal Radiation Masking