Systems Integrity Management Platform (SIMP) has been released via the GitHub website for source code sharing. Offering access to the source code is a sensible move by the NSA as there will be many who are suspicious of any tool coming from the agency given its role in global surveillance.
What does SIMP do?
On the SIMP GitHub page, SIMP is described as “a framework that aims to provide a reasonable combination of security compliance and operational flexibility.” It goes on to say: “The ultimate goal of the project is to provide a complete management environment focused on compliance with the various profiles in the SCAP Security Guide Project and industry best practice.”
For SIMP to get a wider audience it has to be relatively simple to use, and that is the challenge here. On one hand the NSA, in its press release, seems to imply that people will be able to download versions of SIMP that are compliant with different standards and then just apply them to their IT infrastructure. Meanwhile the GitHub page implies that SIMP is to be moulded to individual organisations' environments, which means much more work.
NSA taking advantage of open source
SIMP is part of a new approach by the NSA to ostensibly help companies do better with security. This is all part of an NSA project called the Technology Transfer Program (TTP). The TTP is designed to transfer software designed inside US federal labs to the commercial marketplace using open source software.
According to Linda Burger, Director of the NSA Technology Transfer Program: “The open-source community can leverage the work that NSA has produced, and the government can benefit from that community’s expertise and perspective. It’s a win for everyone – and for the nation itself.”
NSA has chosen to initially release SIMP to run on just two different distributions of Linux – Red Hat Enterprise Linux (RHEL) 6.6 and 7.1 as well as CentOS 6.6 and 7.1. It takes advantage of the Puppet framework which is an open source configuration management system (CMS) that can be highly automated.
This use of an automated CMS means that changes can be applied quickly across an entire IT infrastructure. It reduces the risk of operator error and of misconfiguration by enabling systems to be rolled back. More importantly, it provides an audit trail of changes that can be used to identify any out-of-band alterations to software.
IT organisations are already struggling with an explosion of rule-based tools designed to simplify adherence to compliance. Few of these tools are integrated, and that means every change has to be understood, codified and then applied consistently to multiple tools. The result is that most companies struggle to get a clean compliance approval for their IT systems.
For SIMP to be a success, it needs the NSA or some other third party to do the initial heavy lifting and create different versions that encapsulate security standards. Of course, the ultimate goal would be to take the best of each standard, but the conflicts and confusion between security standards mean we are a long way away from that happening.
But can the NSA overcome the general suspicion of it inside many companies? This is a start but it would only take one developer to discover a vulnerability in the code to have people screaming that it is all a massive conspiracy and an attempt to spy by the backdoor.