ClearPath MCP Encryption
Steve Koss, Distinguished Engineer and Chief Architect

The What and Why of Encryption
• Terminology
  – Symmetric Key Encryption
  – Public Key Encryption (PKE)
  – Certificates
  – SSL/TLS – combines all three
• Why Encrypt
  – Reduces the chance of data exposure
  – Makes auditors happy
© 2012 Unisys Corporation. All rights reserved.

Data Privacy Capabilities Overview
• Encryption of data across networks
  – File transfer via FTP/SFTP/NFT/DMV
  – Terminal emulator sessions
  – Transport Layer Security / Secure Sockets Layer
  – IPsec – packet layer encryption
• Encryption of data at rest
  – Tape encryption
  – Disk encryption
• Security Center – key management
• Stealth

Network Security: File Transfer Protocols/Products
• Many different methods to transfer and protect files between MCP and other systems:
  – FTP/FTPS
  – SFTP (SSH) – introduced in MCP 14.0
  – Secure File Transfer (NFT)
  – SAN DataMover
• The file transfer capabilities of the remote system determine the most suitable product.
• Security is configurable on all but SFTP (SFTP has no unsecured variant; it always runs over SSH).
• To use any of these on ClearPath MCP, MCP cryptography must be available.

Network Security: File Transfer Protocol (FTP)
• File Transfer Protocol (RFC 959), supported by most systems
• Transfers can be secured via SSL/TLS
  – IMPLICIT model – two sets of ports (one secure, one insecure); the TLS handshake starts as soon as the connection opens
  – EXPLICIT model – one set of ports (usually 21/20); the session starts in the clear and commands (AUTH TLS and PROT P in RFC 4217) turn SSL/TLS on/off
• AUTHMODE controls where SSL/TLS is used
  – IMPLICIT, EXPLICIT, EXPLICITLOGON, EXPLICITCOMMAND
• New features introduced in MCP 13.1
  – Client certificates – ability to specify an X.509 certificate for additional validation
  – Can allow acceptance of self-signed server certificates (accepting any self-signed certificate removes server authentication; trust the specific server certificate rather than all self-signed ones)
  – Can secure the data port when the control port is not secured
Network Security: Secure File Transfer Protocol (SFTP)
• Secure File Transfer Protocol (SFTP) is part of the SSH protocol suite
  – Defined by draft-ietf-secsh-filexfer-02.txt
• The MCP implementation supports version 3 of the protocol (but does NOT support all of the commands yet)
• Interoperable with implementations which use the OpenSSH toolkit (most flavors of Linux) and psftp (part of PuTTY).
• Full list at:
  – http://www.support.unisys.com/common/matrices/ViewMatrix.aspx?pla=MCP&nav=MCP&PageID=649

SFTP Configuration
• Support for SFTP has been integrated into the FTPSUPPORT product and can be accessed from:
  – Batch FTP Client (COPY)
  – Interactive FTP Client (U FTP)
• SFTP configuration is through the FTPSUPPORT configuration file (*SYSTEM/FTP/SUPPORT/CONFIGURATION)
• Keys and trust are configured through SecurityCenter
  – Server public keys (management and trust)
  – Usercode public keys (management)

SFTP Copy – Example #1
Batch Client:
  COPY FILENAME (FTPTYPE=IMAGE) TO DISK(PACK, IPADDRESS="xxx.xxx.xxx.xxx", AUTHMODE=SSH, USERCODE="GUEST"/"GUEST")
Interactive Client:
  1. U FTP
  2. AUTHMODE SSH
  3. OPEN xxx.xxx.xxx.xxx (with GUEST/GUEST credentials)
  4. TYPE IMAGE
  5. PUT FILENAME

SFTP Copy – Example #2
Batch Client (the remote username defaults to the calling usercode, but can be overridden):
  COPY [SFTP] FILENAME (FTPSITE="SSH_CLIENT_SERVICENAME='SSH_USER'") TO DISK(IPADDRESS="xxx.xxx.xxx.xxx")
Interactive Client (FTP will prompt for the remote username during the OPEN):
  1. U FTP
  2. AUTHMODE SSH
  3. SSH_CLIENT_SERVICENAME "SSH_USER"
  4. OPEN xxx.xxx.xxx.xxx
  5. PUT FILENAME
SFTP Server Configuration
• To configure the MCP software as an SSH server:
  – Create an SSH host key pair for the server's identity (default name is SSH_SSHKEY); the public half is what clients will be asked to trust
  – Modify *SYSTEM/FTP/SUPPORT/CONFIGURATION:
      [LIBRARY SECTION]
      INITIATE_SSH_SERVER = SSHSUPPORT
• Detailed information can be found in FAQ 5847 on the Product Support Website and in the standard MCP 14.0 documentation.
  – FAQ 5847 also contains the list of software (Interim Corrections) which must be downloaded.

SFTP Enhancements in MCP 15.0
• Server support for Windows SFTP clients. The ClearPath SFTP Server transfers files with the following Windows SFTP clients:
  – WinSCP
  – Attachmate Reflection FTP Client
  – FileZilla FTP Client
  (We'll update the compatibility matrix on the support website.)
• Server support to append to ClearPath files. SFTP clients can append data to the end of existing ClearPath files. Example using WinSCP:
    put -append TransactionHistory

Network Security: Secure File Transfer (NFT)
• Secure File Transfer for ClearPath MCP allows data transfer between two MCP hosts
• New feature introduced in MCP 13.1
  – Does NOT require BNA network connectivity
  – MCP file attributes of the source file are retained across the transfer
  – Can also be secured with SSL/TLS (cryptography support required)
  – Hazardous files are controlled with the RESTRICTUNWRAP system security option
  – Transfers are initiated with the COPY [FTP] command or the FTP Interactive and Batch clients
Secure File Transfer (NFT): Securing Hazardous Files
Hazardous files (codefiles, for example) are marked restricted at the destination host unless either:
  – the RESTRICTUNWRAP system security option at the destination host is reset, or
  – the Library RESTRICTED option is reset by the FTP Administrator at the destination host, and the RESTRICTED option is reset in the COPY command and the usercode at the destination host is a security administrator.

Secure File Transfer (NFT): New MCPDATA Transfer Type
• Transfers use data transfer type "MCPDATA":
    COPY [FTP] TEST/CASE_1/= (FTPTYPE = MCPDATA) FROM DISK (PACK, IPADDRESS = "124.39.225.14", USERCODE = SYSTEST/105639)
• Copies all files under the TEST/CASE_1 directory on the remote MCP host to the local host
• All attributes, including FILEKIND, are retained at the destination host.
• No BNA network is required.

Secure File Transfer (NFT): Copying of Codefiles
    COPY [FTP] (SYSTEST)OBJECT/TESTFILE (FTPTYPE=MCPDATA, FTPSITE="OPT - RESTRICTED") FROM TESTPACK(PACK) TO USERPACK (PACK, HOSTNAME=MCPEAST, USERCODE=ABC/ABC)
• The codefile (SYSTEST)OBJECT/TESTFILE on TESTPACK is copied to USERPACK at the remote MCP host, MCPEAST
• Resetting the RESTRICTED option prevents the codefile from being marked restricted, but only if user ABC is a security administrator at MCPEAST

Secure File Transfer (NFT): Network Security
• Data transmission can be secured by Secure Sockets Layer (SSL/TLS)
• Specify the level of security required for the file transfer (using the SSLMODE attribute):
  – EXPLICIT
  – IMPLICIT (command and data path are secured; a different control port is used)
  – EXPLICITLOGON (after logon, the command path can optionally be unsecured)
  – EXPLICITCOMMAND
  Data path security is selected independently of the command path.
    COPY [FTP] DATADB (FTPTYPE = MCPDATA) FROM DISK (PACK, IPADDRESS = "124.39.225.14", SSLMODE = IMPLICIT, USERCODE = SYSTEST/105639)

Secure File Transfer (NFT): Other Issues
  – MCPDATA transfers are incompatible with older levels of FTPSUPPORT
  – Non-encrypted transfer speeds are similar to those of NFT
  – Encrypted transfers are slower than non-encrypted transfers
  – Non-MCP hosts running FTP can be used as store-and-forward hosts for MCPDATA transfers
  – Documented in the TCP/IP Distributed System Services Operations Guide

Network Security: SAN DataMover (DMV)
• SAN DataMover provides an efficient way to move large amounts of disk data (a local Windows environment is required):
  – Between MCP and the local Windows environment
  – Between MCP and a remote Windows, Linux or UNIX environment (by way of the local Windows environment)
• Offloads data transfer to the Windows environment (freeing ClearPath MCP MIPS)
• Security features (introduced in MCP 13.0)
  – SSL support – secure communication between the Windows and MCP SAN DataMover components (requires MCP Cryptographic Services)
  – FTPS & SFTP support – secure remote file transfer
  – Both require MCP Cryptographic Services and configuration to enable and configure secure transfers.

Network Security: Securing Terminal Emulator Sessions
• Protect terminal emulator sessions to MCP servers
• Many options available:
  – WebEnabler for ClearPath MCP – supports a 2-tier model – direct SSL connections from WebEnabler to ClearPath MCP
  – Secure TELNET – MCP Telnet can offer secure and/or unsecured sessions, controlled via the SECURECOMM system security option
  – Attachmate INFOConnect and MCP Telnet can also use a custom encryption protocol
• SSH terminals are not supported at this time.

Network Security: Securing Print Data
• Secure data between MCP and the print server
• Use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols to protect data
• MCPPRT Server (introduced in MCP 13.1)
  – Just specify SSL in the IOHandler parameter
  – See the PrintS Guide (8600 1039–514)
• EOM (Depcon) Server (introduced in MCP 13.1)
  – Specify SSL in the PC and MCP configuration files
  – See the EOM documentation

IP Security (IPsec): Security for the IPv6 Network
• Can authenticate and/or encrypt each IP packet in a data stream
• Uses policies to define security at the MCP-to-network boundary. IP packets can be:
  – Forbidden from being transmitted unencrypted (DISCARD)
  – Allowed to be transmitted unencrypted (BYPASS)
  – Authenticated or encrypted prior to transmission (PROTECT)
• Subject to US Government export control
  – Packaged in the operating environment encryption option
• Supports 3DES and AES algorithms for packet encryption (prefer AES; 3DES is a legacy 64-bit-block cipher)
• IPv6 ONLY (no IPv4 support)

Tape / DVD Encryption Enhancements
• Provides enhanced security for encrypted tapes/CDs/DVDs
  – AESGCM encryption, the standard algorithm for tape encryption as specified by the IEEE (IEEE 1619.1)
  – The ESSIV scheme is used with CBC mode so that each tape and each file on a tape is encrypted using a "random" Initialization Vector (IV). ESSIV derives the IV by encrypting a per-tape/per-file number under a hash of the key, so the IV is unpredictable without the key and no two files share one
  – Additional data integrity checking added to the encrypted data
• The enhancements are known as Version 2 Media Encryption
  – The format of Version 2 encrypted media is different from the original, Version 1, tape encryption format
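Worked example of the three Version 2 building blocks just listed, added here as an illustration; it is not Unisys code and does not reproduce the MCP on-media format. It uses only Go's standard library. ESSIV is shown as it is generally defined, IV = AES(SHA-256(key), sector), where the 16-byte "sector" is packed as tape serial number followed by file index; that packing, the constant demo key and the sample file are assumptions of this example. Running it shows that the same file written to two tapes under a fixed IV produces identical ciphertext, that under ESSIV it does not, and that a single flipped byte in AESGCM output is rejected by the authentication tag, which is what the "additional data integrity checking" delivers.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// essivIV derives the CBC IV the ESSIV way: the "sector" number is encrypted
// with AES under a key that is the SHA-256 hash of the data key. The IV is
// deterministic (a reader recomputes it) but unpredictable without the key.
// Packing (tape serial || file index) into the sector block is an assumption
// of this example, not the MCP on-media layout.
func essivIV(dataKey []byte, tapeSerial, fileIndex uint64) ([]byte, error) {
	h := sha256.Sum256(dataKey)
	blk, err := aes.NewCipher(h[:])
	if err != nil {
		return nil, err
	}
	sector := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(sector[:8], tapeSerial)
	binary.BigEndian.PutUint64(sector[8:], fileIndex)
	iv := make([]byte, aes.BlockSize)
	blk.Encrypt(iv, sector)
	return iv, nil
}

// cbcEncrypt is AES-CBC with PKCS#7 padding. The IV is not stored with the
// data; with ESSIV the reader recomputes it from tape serial and file index.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, padded)
	return out, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// gcmSeal is AES-GCM with a fresh random 96-bit nonce prepended to the output.
// The GCM tag is the integrity check: any change to nonce or ciphertext makes
// gcmOpen return an error instead of corrupted plaintext.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func gcmOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed data shorter than nonce")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key only
	file := []byte("ACCOUNT 0001 BALANCE 100.00\n") // constructed sample file
	fixed := make([]byte, aes.BlockSize)
	a, _ := cbcEncrypt(key, fixed, file)
	b, _ := cbcEncrypt(key, fixed, file)
	fmt.Println("fixed IV, same file on two tapes identical:", bytes.Equal(a, b))
	iv1, _ := essivIV(key, 110812, 0)
	iv2, _ := essivIV(key, 110813, 0)
	c, _ := cbcEncrypt(key, iv1, file)
	d, _ := cbcEncrypt(key, iv2, file)
	fmt.Println("ESSIV, same file on two tapes identical:", bytes.Equal(c, d))
	sealed, _ := gcmSeal(key, file)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	_, err := gcmOpen(key, sealed)
	fmt.Println("AESGCM rejects tampered media:", err != nil)
}
```

The CBC path shows why Version 2 pairs ESSIV with CBC: CBC alone leaks whether two files (or two tapes) start with the same content whenever the IV repeats, and CBC has no integrity check at all, so the AESGCM path is the one to prefer for new media.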
Tape / DVD Encryption Enhancements
• Examples
  – COPY F/= TO BACKUPTAPE(SERIALNO="110812", ENCRYPT=AESGCM)
    Specifying ENCRYPT=AESGCM by definition creates a Version 2 encrypted tape
  – COPY F/= TO BACKUPCD(CD, ENCRYPT=AES256, ENCRYPTVERSION=V2)
    Specifying ENCRYPTVERSION=V2 forces the use of ESSIV when doing AES with CBC-mode encryption

Tape / DVD Encryption Enhancements
• Migration and Compatibility
  – Version 1 is used by default but Version 2 is recommended
  – A tape/CD/DVD created using Version 2 Media Encryption cannot be read on a system that only supports Version 1 tape encryption
  – Systems that support Version 2 Media Encryption can read and write both Version 1 and Version 2 tapes/CDs/DVDs
  – Library Maintenance will not support encryption using Version 1 in software released after October 2015, but decryption of media created using Version 1 will continue to be supported
  – Only Library Maintenance supports the new Media Encryption Version 2 enhancements; TapeStack and DMUTILITY do not

Tape / DVD Encryption Enhancements
• Operator Controls
  – The existing LMENCRYPT SYSOP can now be set to AESGCM
    • All tape/CD/DVD copies are then encrypted using AESGCM unless overridden in the COPY statement itself, and are written in Media Encryption Version 2 format
  – A new LMDEFENCRYPT SYSOP can be set to "V1" or "V2"
    • LMDEFENCRYPT defaults to "V1"
    • LMDEFENCRYPT set to "V2" and LMENCRYPT set to "AES256" causes ESSIV to be used along with AES256 in CBC mode and creates the encrypted media in Version 2 format
    • LMDEFENCRYPT set to "V1" and LMENCRYPT set to "AES256" uses AES256 in CBC mode and creates the media in Version 1 format

Disk Encryption Options
• Encryption-capable SANs
  – EMC VMAX: newer versions
  – EMC VNX: newer versions
  – Must be done at setup time; a disk cannot be changed to encrypted afterwards
• BitLocker
  – FS1760 internal disk
  – Can be turned on and off
• DMSII field-level "obfuscation"
  – Not true encryption
  – Can't search, sort, index, or replicate data with Databridge
• What disk encryption is really for:
  – Data protection at the time of disk disposal or theft (it does not protect data on a running system from anyone who can read it through the operating system)

Management & Configuration: Security Administration (SecurityCenter)
• Security Center
  – Preferred security administration tool
  – PC-based GUI and wizards
  – Enables security administrators to define, manage, and test/assess MCP security
  – Replaces command line/batch tools such as MAKEUSER and SYSTEM/GUARDFILE
• Microsoft Management Console "snap-ins"
  – Security Policy Management
  – File Access Management
  – Cryptographic Services Management
  – Kerberos Configuration Management
  – User Account Management
  – Locum SafeSurvey
  – Locum SecureAudit
  – Locum RealTime Config

SecurityCenter: Cryptographic Services Manager
• Used by security administrators to perform key management (create / import / export / renew)
  – SSL keys and certificates (used by WebTS, FTP, Sockets programs, user programs)
  – Tape encryption keys (introduced in MCP 13.1)
  – IPsec keys (symmetric)
  – SSH keys (introduced in MCP 14.0)
• Also used for certificate management (SSL clients)
  – Certificate stores
  – Java certificate stores

SecurityCenter: Tape Encryption – Compromised Key Sets
• MCP-based software tape encryption can now mark a set of tape encryption keys as invalid for writing, and generate a replacement keyset
• This may be done because:
  – A key of the set is thought to be compromised
  – The keyset's lifetime (according to corporate policy) has been reached
• Compromised keysets can still be used for decryption (retained indefinitely). Media written under a compromised set therefore stays readable to whoever holds the leaked key; where that matters, re-copy such media under the replacement set.
• Only one active keyset per system / MCP mark release.
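Worked example of the keyset lifecycle described above, added here as an illustration; it is not Unisys code. The KeySet fields follow the host name / release level / set number identification SecurityCenter uses for tape encryption key sets; everything else (the AES-GCM sealing, the Header that names the keyset on a tape, the Import of an exported set, the sample data) is an assumption of this example. It enforces the rules the slides state: only the local host's active set encrypts, every retained set decrypts, marking a set compromised disables it and creates the next, and a tape written on one host is readable on another only after the set has been exported and imported there.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySet is identified the way SecurityCenter identifies a tape encryption
// key set: host name, release level and set number. Active is cleared when
// the set is rotated out or marked compromised; such sets decrypt but never
// encrypt.
type KeySet struct {
	Host    string
	Release string
	Number  int
	Key     []byte // AES-256 data key (generated here for the example)
	Active  bool
}

// KeyStore is everything one host knows: its own sets plus sets imported
// from other hosts for decryption only.
type KeyStore struct {
	Local string // this host's name
	Sets  []*KeySet
}

// Header travels with each tape so a reader can locate the right set.
// Its on-media form is an assumption of this example.
type Header struct {
	Host    string
	Release string
	Number  int
}

func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// CreateKeySet disables the local host's current highest-numbered set for the
// release and creates the next one ("Create New Keyset").
func (s *KeyStore) CreateKeySet(release string) *KeySet {
	next := 1
	for _, ks := range s.Sets {
		if ks.Host == s.Local && ks.Release == release {
			ks.Active = false
			if ks.Number >= next {
				next = ks.Number + 1
			}
		}
	}
	ks := &KeySet{Host: s.Local, Release: release, Number: next, Key: newKey(), Active: true}
	s.Sets = append(s.Sets, ks)
	return ks
}

// MarkCompromised disables one local set and generates its replacement
// ("Mark as Compromised"). The old set is retained for decryption.
func (s *KeyStore) MarkCompromised(release string, number int) (*KeySet, error) {
	for _, ks := range s.Sets {
		if ks.Host == s.Local && ks.Release == release && ks.Number == number {
			ks.Active = false
			return s.CreateKeySet(release), nil
		}
	}
	return nil, fmt.Errorf("no local key set %s/#%d on %s", release, number, s.Local)
}

// Import stores a set exported from another host. Its Host is never the
// local host, so it can only ever be used for decryption here.
func (s *KeyStore) Import(ks KeySet) { s.Sets = append(s.Sets, &ks) }

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Encrypt seals data under the local host's active set for the release and
// returns the header naming that set plus nonce||ciphertext||tag.
func (s *KeyStore) Encrypt(release string, data []byte) (Header, []byte, error) {
	for _, ks := range s.Sets {
		if ks.Host == s.Local && ks.Release == release && ks.Active {
			gcm, err := newGCM(ks.Key)
			if err != nil {
				return Header{}, nil, err
			}
			nonce := make([]byte, gcm.NonceSize())
			if _, err := rand.Read(nonce); err != nil {
				return Header{}, nil, err
			}
			return Header{ks.Host, ks.Release, ks.Number}, gcm.Seal(nonce, nonce, data, nil), nil
		}
	}
	return Header{}, nil, errors.New("no active local key set for release " + release)
}

// Decrypt finds the set named in the header, active or not, and opens the blob.
func (s *KeyStore) Decrypt(h Header, blob []byte) ([]byte, error) {
	for _, ks := range s.Sets {
		if ks.Host == h.Host && ks.Release == h.Release && ks.Number == h.Number {
			gcm, err := newGCM(ks.Key)
			if err != nil {
				return nil, err
			}
			n := gcm.NonceSize()
			if len(blob) < n {
				return nil, errors.New("blob shorter than nonce")
			}
			return gcm.Open(nil, blob[:n], blob[n:], nil)
		}
	}
	return nil, fmt.Errorf("key set %s/%s/#%d is not present on %s", h.Host, h.Release, h.Number, s.Local)
}

func main() {
	east := &KeyStore{Local: "MCPEAST"}
	east.CreateKeySet("15.0")
	hdr, blob, _ := east.Encrypt("15.0", []byte("backup of PAYROLL/=")) // constructed sample
	east.MarkCompromised("15.0", hdr.Number)
	plain, err := east.Decrypt(hdr, blob) // compromised set still decrypts
	fmt.Printf("after compromise: %q err=%v\n", plain, err)
	west := &KeyStore{Local: "MCPWEST"}
	_, err = west.Decrypt(hdr, blob) // fails until the set is exported/imported
	fmt.Println("other host before import:", err)
}
```

Export here is just copying the KeySet value into Import; in practice that transfer is the sensitive step the best-practice slides warn about, since the exported set is the tape key itself.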
SecurityCenter: Tape Encryption – Managing Key Sets
• To manage sets: under MCP Cryptographic Services, Trusted Keys, select the node Tape Encryption Keys
• Sets are uniquely identified by
  – Host name
  – Release level
  – Set number

SecurityCenter: Tape Encryption – Managing Key Sets
• The icon shows the state of the set:
  – Green = Active
  – Red = Inactive/Compromised
• Only the Active set for the local host is used to encrypt
• All sets are used for decryption: if a tape was encrypted with a key of a retained set, it is automatically decrypted

SecurityCenter: Tape Encryption – Managing Key Sets
• Create a set:
  – Right-click the Tape Encryption Keys node, select "Create New Keyset"
  – The current (highest-numbered) set is disabled and a new set is created
• Mark a set compromised:
  – Right-click the local host's Active set, click "Mark as Compromised"
  – The selected set is disabled and a new set is created

SecurityCenter: Tape Encryption – Best Practices
• When a new keyset is generated, you must back up the keyset (via Export) and transport it to any systems that will need to decrypt tapes created on this host
• Ensure that keys are stored securely
• Ensure that keys are transported between systems securely

Stealth Solution Suite
You Can't Hack What You Can't See – Changing the Security Paradigm
Imagine a world where your sensitive data is invisible to hackers and is only visible to users you select.

Unisys Stealth Solution Suite
An NSA certified enterprise-wide security innovation, incrementally and non-disruptively implemented, that makes data communication end points invisible on a network and therefore removes them as a target for hackers.
[Diagram: LAN / Internet]
Stealth can reduce costs through consolidation and virtualization of a network and adds unprecedented protection to enterprise information.

Stealth Solution Key Elements
Stealth consists of four important elements:
1. Cryptographic Service Module – provides FIPS 140-2 certified AES-256 encryption.
2. Information Dispersal Algorithm & Data Reconstitution – Stealth formatted messages can only be reassembled by Stealth.
3. Virtual Communities of Interest (COI) – hides users, data and servers from non-COI members.
4. Stealth Driver – executes very low in the protocol stack; protects the device from attack; no changes required to applications.
[Diagram: the OSI stack from 7. Application down to 1. Physical and the NIC, showing where the Stealth driver sits]

Unisys Stealth Solution Suite: Enterprise Wide – Consistent Security Approach
• Stealth Secure Remote Access – Stealth protects data communication for teleworkers across the Internet, superior to traditional VPN, using the Stealth driver loaded on a laptop or SSVT.
• Stealth Regional Isolation – Stealth secures information exchanged over public or private networks from many geographic locations.
• Stealth Data Center Segmentation – Stealth cloaks the servers running sensitive applications or storing private information; these servers are not visible to anyone without the required Stealth crypto keys.
• Stealth Solution for Cloud – In a cloud, Stealth hides virtual workloads from unauthorized access in single or multi-tenant environments.
[Diagram: corporate site, regional site and external network (LAN/WAN/wireless, Internet) with a cloud data center holding tenant A and tenant B virtual web, app and DB servers, an unprotected email server, and protected app and database servers]
Data Center Segmentation
• "Compartmentalize" the data center using Communities of Interest (COI) instead of physical infrastructure
• Mitigate threats
  – Theft or misuse of IP
  – Compliance penalties
  – Minimizes the scope of attacks
• Benefits
  – Fosters availability while ensuring confidentiality and data integrity
  – Enhances application security by enforcing "least privilege"
  – Uses existing infrastructure
  – Security is not port based
  – Facilitates regulatory compliance
  – Cost savings potential 20%-50%
  – Reduce data center complexity; reduce VLANs and physical segmentation
  – Re-segment the data center using Active Directory
  – Simplified management
• Value: Protect high impact systems from intrusions on the intranet
[Diagram: enterprise network with an unprotected email server alongside a protected server (physical or VM), a protected app server and a protected database server]

Regional Isolation
• Regional Isolation prevents unauthorized access to information in the local region and on the corporate intranet
• Mitigate threats
  – Data communication eavesdropping by regional telecommunication providers and governments
  – Intrusions to the corporate intranet
  – Intrusions to the local site from within the region itself
• Benefits
  – Assures only authorized access to the corporate intranet
  – Protect regional assets from rogue endpoints
  – Segregate regional assets based on "need to know"
  – Segregate corporate assets based on "need to know"
• Value: Protect corporate data assets in a global topology
[Diagram: enterprise network in a trusted country, connected over enterprise MPLS through a Stealth gateway to a Stealth-cloaked geographic region]
Stealth in the Cloud
• Stealth in the public or private cloud secures and isolates communication between virtual resources in a multi-tenant environment
• Mitigates threats
  – Theft or misuse of IP within a tenant and between tenants
  – Workload is vulnerable to unauthorized access from inside or outside the cloud
• Benefits
  – Protection follows the workload, regardless of where it is physically executing
  – Provides secure resource sharing within Communities of Interest
  – Isolates workloads between different COIs
  – Integrated with the Unisys Secure Private Cloud Solution for seamless deployment
• Value: Bring Stealth security to the cloud
[Diagram: Stealth Solution for Cloud – a cloud data center with tenant A and tenant B virtual web, app and DB servers reached from the Internet]

Stealth Solution for Secure Virtual Terminal (SSVT)
• SSVT secures and controls transmission over the Internet "from anywhere," locking the communications channel to targeted endpoints.
• SSVT is deployed via a locked-down, secure USB-based device running Stealth network security software. This virus-free, trusted environment is verified at each boot.
• SSVT requires no change to your web-enabled applications
• SSVT enables workers to securely access
  – Their own desktop located in the enterprise, via an RDP session
  – Microsoft Remote Desktop Services or other VDI
  – Web-enabled applications

Stealth Organizational Value (business benefits and priorities, for commercial organizations and public sector / federal)
• Security
  – Clients that want to increase security for their "crown jewel" applications and servers.
  – Clients that need to protect corporate assets from regional facilities that may reside in hostile territories.
• Cost reduction
  – Clients that want the simplicity of deployment and cost structure of public or flat networks but cannot sacrifice security; equally ideal for clients with multi-tier networks that need to contain costs while increasing security.
• Agility
  – Clients that want to simplify data / resource access management

Stealth Extreme Security (certifications, assessments and exercises, 2005 to 2012)
• Stealth Crypto-Module: FIPS 140-2 Certification (NIST); Export License (Dept of Commerce)
• DIACAP MAC-1 Certification
• NSA EAL4+ Certification (NIAP), 2011
• SIPRNet IATT, 2012
• Network risk assessments: National Center for Counter-terrorism and Cybercrime; "Large Integrator" tests and fails to break Stealth; GTRI private lab; SSVT validation: failed to compromise
• Exercises and evaluations: CWID 05, CWID 08, CWID 09, CWID 10, Combined Endeavour, JUICE 09, Emerald Warrior '12; JFCOM JIL IV&V, AF Comm Agency, USAF, SOCOM (2005, 2006, R&D prototype), DISA, EUCOM, CECOM, DJC2 PMO, SPAWAR, Testbed IO Range
Acronyms:
  DIACAP: DoD Information Assurance Certification and Accreditation Process
  MAC: Mission Assurance Category (Level 1 is highest)
  DISA: Defense Information Systems Agency
  EUCOM: European Command
  SOCOM: Special Operations Command
  JFCOM: Joint Forces Command
  JIL: Joint Intelligence Laboratory
  CWID: Coalition Warrior Interoperability Demonstration
  JUICE: Joint User Interoperability Communications Exercise
  CECOM: Communications Electronics Command (US Army)
  GTRI: Georgia Tech Research Institute
  DJC2: Deployable Joint Command and Control
  NIST: National Institute of Standards and Technology
  NIAP: National Information Assurance Partnership

Stealth – Hot Product at InterOp 2012

Where is Stealth Deployed?
• Hertz, NZ uses Stealth to facilitate PCI DSS compliance
• The US Coast Guard uses SSVT for secure telecommuting
• We do use our own product! Unisys uses Stealth to secure and protect our high value application and database servers, and for secure remote telecommuting
• A large Midwestern healthcare agency is piloting Stealth to protect servers with sensitive data
• An Australian military agency uses Stealth in a secure VDI solution
• Many commercial and government pilots in progress

Stealth at Unisys
Unisys not only sells Stealth to clients, we use it internally too.
• Data Center Segmentation: At Unisys, Stealth has been deployed to secure some of our critical multi-tier applications. With the web server, application logic and database on separate COIs, users cannot ping or even discover the existence of the application and database servers, ensuring that these cannot be tampered with or hacked in any way. Users can only access the web server.
• Secure Remote Access: More than 200 Unisys employees use Stealth on their laptops (with dual-factor authentication) in order to securely access the corporate network when working from home or when travelling. Unisys is deploying Stealth incrementally with our existing commercial VPN solution.
• Regional Isolation: Currently in test!
• Stealth in the Cloud: Unisys executes Stealth in our outsourcing cloud environment to service our cloud clients.

Value-based Pricing Model
Client pays relative to the differentiated value they receive from Stealth.
[Diagram: examples – Regional Isolation; Data Center Segmentation (single datacenter, multi datacenter); Secure Remote Access (remote access, "VPN")]
Unisys Stealth Solution Value: Unprecedented Security and Value
• Protection of private corporate data
• Facilitates regulatory compliance
• Significant cost reduction
• Easy, quick deployment
• Incremental implementation
• Identity-based management
• No application changes
• Highest security performance

Why Unisys Security?
• Positive: Gartner's MarketScope on Data Center Outsourcing rated Unisys as "Positive", 2010.
• Strong Performer: The Forrester Wave™ – Managed Security Services, 2010
• World's largest RFID network (U.S. Army)
• More than 8.1 million service events managed per year
• Our security solutions can be found worldwide in 600+ airports, 1,500 government agencies, and in use by 200+ airlines
• We have a 6,000-person strong global field force (> 1,700 cleared)
• 100 million people use Unisys secure IDs
To know more, visit us at www.unisys.com/stealth and view:
  – YouTube: Stealth Solution
  – YouTube: Overview of How Stealth Works

Thank You