The Benefits of the Government Assurance Pack (GAP) for secure network environments
Throughout Government and the Military, there is a requirement to secure computer systems and control access to files and applications; today this requirement is not met in a consistent way. This lack of consistency leads to:
- Difficulties from an accreditation perspective in assessing the security status of a system.
- Increased development and deployment costs.
- Duplicated and redundant effort as the “same solution” is re-developed many times for each separate government department or organisation.
- Lack of staff portability: both IT and End User staff have to re-train significantly as they move between departments or organisations, because the varying security models affect not only how the systems can be managed but also how applications are used and developed.
- Increased costs for both out-sourced and in-sourced support for the IT environments deployed within government departments.
To help address this, CESG and Microsoft UK have worked together on a collaborative project to produce a Government Assurance Pack (codenamed Flapjack), with a shared vision of “consistently secure configuration and earlier deployment of XP SP2 and Server 2003 SP1 across Government”. Flapjack aims to produce a best practice framework for configuring Windows for use in high security environments. [1]
The problems with the Government Assurance Pack
The approach taken by GAP is to start by preventing the user from accessing any applications and system functions, and then to add back only the functions and applications that are required to meet specific business or management needs.
In this way it tries to mimic the “default deny” approach of a firewall administrator: only allowing functionality known to be safe.
Although this default deny approach makes for a safer system, it also means that many applications (particularly bespoke applications) almost certainly will not function correctly with an “out of the box” installation of GAP.
GAP relies heavily on Group Policies, which have been found to have major problems when operating in a slow network or WAN environment.
Overcoming the problems with the Government Assurance Pack
Octavia Information Systems have implemented GAP in a number of highly secure Military environments and have the benefit of vast experience both with GAP itself and the underlying Group Policy architecture.
This experience includes:
- Customisation of GAP to allow different user functionality on the desktop
- Analysis and testing of COTS software to allow it to operate correctly in the GAP lockdown environment
- Analysis and testing of anti-virus and other security software to allow it to operate correctly in the GAP lockdown environment
- Analysis and testing of bespoke software solutions to allow them to operate correctly in the GAP lockdown environment
- Support to software developers when designing & deploying software for a GAP environment
- Customisation of GAP to allow it to operate correctly in a WAN or slow network environment
- Troubleshooting problems caused by the GAP lockdowns
- Deploying GAP in combination with other hardening methodologies
1. Reference: “Using Windows XP in High Security Environments”, Microsoft Services, 25 Jan 2006






