Architecting a Secure Enterprise Data Sharing Environment to the Edge

Bassam S. Farroha, Deborah L. Farroha

U.S. Department of Defense, Ft Meade, MD

[email protected], [email protected], [email protected]

1.0 ABSTRACT

This paper analyzes secure data sharing outside the security domain. There is a high demand for accessing multiple levels of sensitive data at the edge; however, the threat at that location is higher compared to the core enterprise environment. This paper investigates the requirements, technologies and risk mitigation techniques for securely sharing information with the tactical user while protecting the data and the information systems from intruders and malware. The new Enterprise Architecture needs to eliminate the stovepipe architectures and open the doors to share information across traditional and non-traditional domain boundaries.

Key Words: Sharing to the Edge; Enterprise Architecture; Core to the Edge; Information Security; Enterprise Security; Enterprise Security Capabilities; Cross Domain Services; Information Assurance; Assured Information Sharing.

2.0 INTRODUCTION

Based on historical data and application analysis, it has been indicated that within the Department of Defense, the Intelligence Community and many commercial entities, there is no consistent way to discover, access, or share data without a priori knowledge of where systems are, authorization, how to access them, and how to query them. This situation was created by management and funding approaches where each department, agency, organization, and mission is assigned its individual funding vehicle and asked to efficiently manage those funds to develop needed capabilities. Developing a comprehensive and effective Data Services Architecture will provide a flexible mechanism to access an array of data sources utilizing common approaches. The development of such an approach addresses the need to enable enterprise-wide data discovery and aggregation across any number of service implementations while providing the end users with relevant information. We are facing an explosive growth in type and volume of data, along with an exponential increase in the speed and power of processing capabilities.

Enabling horizontal discovery, access, and consumption of data of relevance, regardless of physical location, data type, and/or technical implementation is essential to efficiently deal with these resources. There are different expectations of bandwidth, reliability, security, and latency of data depending on the location of the system, the environment and the available infrastructure. Since IT has grown in capabilities and many organizations have grown more dependent on this resource to converge many of the traditionally independent communication capabilities into this resource (e.g. GIG for DoD), threats to those networks and the integrity of those information systems have mushroomed. Users from the coalition, allied and partner domains increasingly expect to discover, access, analyze, and disseminate usable information in real time. In the new Information sharing environment, we have the responsibility to share information, while protecting sources and methods and respecting the privacy and rights of all citizens.

3.0 USER AT THE TACTICAL EDGE

When developing this analysis, we needed a common definition of the edge of the service. The boundary of the Tactical Edge is assumed to be everything forward of a deployed tactical network’s main servers. So when viewing the total network from the core enterprise services perspective, the tactical edge is anything beyond that point. When working with a large enterprise that has multiple servers and missions, the breaking point between the enterprise and tactical services is somewhat unclear. As technology changes and new products get fielded, that edge gets adjusted in terms of capacities and services. Traditionally the Tactical Edge was a point where the users operate in a limited wireless spectrum, which results in significantly lower throughput and where the tactical systems are subject to hostile or unintentional electromagnetic radiation. Limited size, weight, and power (SWAP) restrictions on Tactical systems have traditionally impacted communications ranges and data rates, which limits information throughput potential[1]. Additionally, these systems require the ability to react quickly to changing events, threats and situations such as terminating or lowering signals when working in covert modes to reduce the Probability of Intercept or Low Probability of Detection capabilities. Finally, some define Tactical services as agile systems that might need to adapt to lower interoperability circumstances and might require multiple data hops before reaching the intended destination.[2]

978-1-4244-9493-4/11/$26.00 ©2011 IEEE

3.1 Tactical services from the Enterprise

While there are varying assumptions on what the tactical environment looks like in terms of communications capabilities, processing capabilities, and security structure, the debate also exists on what equipment and geographical locations are served by the tactical infrastructure. In today’s environment of extending the digital edge to reach every soldier and sensor, we don’t have a clear cut between core and tactical. We have virtualized services and portals that have distributed servers to accommodate current and eventual needs. The best way to think about the IT capabilities is in terms of several tiers of service that support the mission at hand. We have adopted the 9 Layer Model because it seems to clearly show the continuous services from core enterprise through regional services and into the edge services. Figure 1 illustrates the tiers of service.[3]

3.1.1 Security Domains

The security domains are each organization’s protected information systems, data and processes. For the DoD, we have the Unclassified, Confidential, Secret, and Top Secret compartments. Other agencies have different names for their protected IT systems. Commercial entities also have protected data that includes healthcare, banking and every company that competes in the marketplace to sell products and services. These systems are isolated from the internet and external access via different methods that span the use of passwords, encryption and authentication, to physical isolation.

3.1.2 Protection Basics

The first question that comes to mind is what are we protecting? Since we have defined the security domains, we need to protect confidential information from being accessed or manipulated by unauthorized elements. So the authenticated users are given a certain access level that allows them to access up to their maximum authorized level. That level can be dynamically changed to include more or less secure information based on threat level and current mission. The other part of this survey includes understanding who the adversaries are. Like any other organization or network we have the Internal Threat, External Threat, and Natural Threat. However, in the Information Sharing situation where highly confidential information is being shared between government, defense, non government, and foreign partners, the threat is much greater due to the dynamic nature of Coalition members.

Figure 1 Notional 9 Layer Core-to-Edge Representation of the DoD Enterprise [4]

3.2 Crossing Domains

Most organizations employ some type of Firewall to protect their internal data from intruders and hackers, while allowing the users access to their public site. However, firewalls prevent discovery and automated sharing of information with external entities. Guards on the other hand are designed to allow access and/or transfer of data between security domains. Today, most guards are still built to accommodate point-to-point (P2P) between domains, but the trend is to build Cross Domain Services (CDS) that are available to subscribers over the network. Once that capability is made available over a service bus, we would need to introduce queuing for Precedence & Preemption (P&P) and Quality of Service (QoS). Figure 2 shows a high level description of the proposed Cross Domain Services environment.

3.2.1 Cross Domain (CD) Functions

When dealing with CD, we first need to identify the basic required capabilities: Low to High transfer, Low to High Access Not Allowed, High to Low transfer with Reliable Human Review, High to Low Access with Anonymizer, Meta data tagging and Crypto-binding, Audit Trail. The rules seem simple for communications between two standard domains; however these quickly get much more complicated as the number of connected domains is increased. Additionally, there is no agreement when dealing with multiple organizations and multiple nations on what is considered high and low. Each nation has to consider their network, and the more secure a network is the more integrated protection there is from any external entity illegally accessing higher security data, as shown in Figure 3.
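The six CD functions listed above can be expressed as a small decision model. The following is an added example written for this page, not the paper's or any fielded guard's code: it tags an object with a label, binds the label to the content with an HMAC (Meta data tagging and Crypto-binding), applies the Low-to-High / High-to-Low transfer and access rules, and records every decision (Audit Trail). The domain names are those of Section 3.1.1; the guard key, origin names and payloads are constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Security domains of Section 3.1.1, ranked low to high.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Constructed key for the example; a fielded guard would keep this in protected hardware.
GUARD_KEY = b"constructed-guard-key"


def tag_and_bind(payload: bytes, level: str, origin: str, key: bytes = GUARD_KEY) -> dict:
    """Meta data tagging and Crypto-binding: label the object and bind the label
    to the content with an HMAC over the canonical (label, origin, content hash)."""
    meta = {"level": level, "origin": origin,
            "sha256": hashlib.sha256(payload).hexdigest()}
    meta["mac"] = hmac.new(key, json.dumps(meta, sort_keys=True).encode(),
                           hashlib.sha256).hexdigest()
    return meta


def binding_valid(payload: bytes, meta: dict, key: bytes = GUARD_KEY) -> bool:
    """True only if neither the label nor the content changed since tagging."""
    fields = {k: v for k, v in meta.items() if k != "mac"}
    if fields.get("sha256") != hashlib.sha256(payload).hexdigest():
        return False
    expected = hmac.new(key, json.dumps(fields, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, meta.get("mac", ""))


class Guard:
    """Guard applying the Section 3.2.1 rules between two domains, with an Audit Trail."""

    def __init__(self):
        self.audit = []

    def decide(self, op, src_level, dst_level, payload, meta, *,
               human_reviewed=False, anonymized=False):
        """op is 'transfer' (object moves from src to dst) or 'access'
        (a requester in src reads an object held in dst). Returns (allowed, reason)."""
        src, dst = LEVELS[src_level], LEVELS[dst_level]
        holder = src if op == "transfer" else dst      # domain where the object lives
        if not binding_valid(payload, meta):
            verdict = (False, "crypto-binding check failed")
        elif LEVELS[meta["level"]] > holder:
            verdict = (False, "object labelled above its holding domain")
        elif src == dst:
            verdict = (True, "same domain")
        elif op == "transfer" and src < dst:
            verdict = (True, "Low to High transfer")
        elif op == "access" and src < dst:
            verdict = (False, "Low to High Access Not Allowed")
        elif op == "transfer":                          # high to low
            verdict = (human_reviewed, "High to Low transfer with Reliable Human Review"
                       if human_reviewed else "High to Low transfer needs Reliable Human Review")
        else:                                           # high-side requester, low-side object
            verdict = (anonymized, "High to Low Access with Anonymizer"
                       if anonymized else "High to Low Access needs Anonymizer")
        # Audit Trail: every decision, allowed or not, is recorded with the object hash.
        self.audit.append({"time": time.time(), "op": op, "src": src_level, "dst": dst_level,
                           "origin": meta.get("origin"), "sha256": meta.get("sha256"),
                           "allowed": verdict[0], "reason": verdict[1]})
        return verdict


if __name__ == "__main__":
    report = b"constructed situation report"          # constructed payload
    meta = tag_and_bind(report, "SECRET", "unit-x")
    g = Guard()
    print(g.decide("transfer", "SECRET", "TOP SECRET", report, meta))
    print(g.decide("transfer", "SECRET", "CONFIDENTIAL", report, meta))
    print(g.decide("transfer", "SECRET", "TOP SECRET", report + b"!", meta))
```

Binding the label to a hash of the content means a relabelled or altered object fails before any directional rule is consulted, which is the property the paper's Crypto-binding requirement is after; the audit record keeps the hash so a later forensic review can tie each decision to the exact object.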

Figure 3 High Level Architecture of the proposed CDES

3.2.2 Information Sharing Core to Edge

While working with many of the stakeholders interested in the mandated federal government information sharing environment, the Unified Cross Domain Management Office (UCDMO) led the development of these main CD capabilities. Figure 4 shows the taxonomy of CD services. This process was designed to assess the current needs and derive any current or future technology gaps to ensure funding is allocated and duplicate efforts eliminated.[5]

Figure 3 Notional Cross Domain System between multiple Security Domains

3.2.3 Publish Find Bind

The use of SOA principles in Publish-Find-Bind is a cornerstone of SOA philosophy, but many customers question whether it can be realized in a more efficient manner. A new robust discovery algorithm can significantly enhance the overall image of a SOA and eliminate the need for custom development while leveraging previously known services in a library. A dynamic service discovery implementation can transparently increase its capacity to provide more accurate, dependable service discovery results by utilizing the timeliest and appropriate information. Such a service will lead to an architecture that can discover, access, and share “the right data” across the multiple domains at the “right time”. Figure 5 shows the traditional SOA Publish-Find-Bind processes.[6]
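To make the Publish-Find-Bind cycle concrete in a multi-domain setting, here is an added example (not the paper's design or any particular registry product): a registry in which providers publish descriptions carrying the security domain of the service and a freshness window, Find filters out expired entries and services above the requester's domain (the Low to High Access Not Allowed rule applied to discovery), and Bind returns the freshest discoverable instance. The `svc://` locators, service names and timestamps are constructed for the example.

```python
from dataclasses import dataclass

# Security domains of Section 3.1.1, ranked low to high.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class ServiceDescription:
    name: str            # service type being offered
    endpoint: str        # hypothetical locator string
    level: str           # security domain the service lives in
    published_at: float  # epoch seconds when the provider last refreshed the entry
    ttl: float           # seconds the description stays valid without a refresh


class ServiceRegistry:
    """Domain-aware Publish-Find-Bind registry."""

    def __init__(self):
        self._entries = []

    def publish(self, desc: ServiceDescription) -> None:
        # Publish: a refreshed description replaces the older one for the same endpoint.
        self._entries = [e for e in self._entries if e.endpoint != desc.endpoint] + [desc]

    def find(self, name: str, requester_level: str, now: float) -> list:
        """Find: return matching descriptions the requester may discover,
        freshest first. Expired entries and services in a domain above the
        requester's are never returned (Low to High Access Not Allowed)."""
        allowed = LEVELS[requester_level]
        hits = [e for e in self._entries
                if e.name == name
                and LEVELS[e.level] <= allowed
                and now - e.published_at <= e.ttl]
        return sorted(hits, key=lambda e: e.published_at, reverse=True)

    def bind(self, name: str, requester_level: str, now: float):
        """Bind: the endpoint of the freshest discoverable instance, or None."""
        hits = self.find(name, requester_level, now)
        return hits[0].endpoint if hits else None


def demo():
    """Constructed scenario: four 'weather' providers across three domains."""
    reg = ServiceRegistry()
    t0 = 1_700_000_000.0  # constructed reference time (epoch seconds)
    reg.publish(ServiceDescription("weather", "svc://regional-a/weather", "UNCLASSIFIED", t0 - 3000, 600))  # stale
    reg.publish(ServiceDescription("weather", "svc://regional-b/weather", "UNCLASSIFIED", t0 - 100, 600))
    reg.publish(ServiceDescription("weather", "svc://core/weather-fused", "SECRET", t0 - 10, 600))
    reg.publish(ServiceDescription("weather", "svc://edge-c/weather", "CONFIDENTIAL", t0 - 50, 600))
    confidential_bind = reg.bind("weather", "CONFIDENTIAL", t0)
    secret_hits = [e.endpoint for e in reg.find("weather", "SECRET", t0)]
    return confidential_bind, secret_hits


if __name__ == "__main__":
    print(demo())
```

The TTL is what lets the registry favour "the timeliest" information: a provider that stops refreshing drops out of discovery on its own, so a requester at the edge is never bound to a locator nobody is serving any more.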

Figure 4 Taxonomy of CD services

Figure 5 Traditional Publish-Find-Bind SOA Infrastructures

4.0 INFORMATION SHARING

The Federal Agencies are in the process of developing agreements that seek to create a services-based information environment and to reinforce collaboration towards implementing business and information services and service-oriented architecture. This environment, which leverages commercial practices, offers functionality as ‘services’ rather than stand-alone applications and is based on building capabilities using standard Web technologies. All stakeholders must develop complementary strategies to achieve information sharing, where these strategies should communicate a common vision of how to best achieve effective, efficient, and agile information sharing.[7] To achieve a shared vision, all stakeholders must support the common goal to ensure the envisioned services-based environment is achieved. These goals include: (1) provide services; (2) use services; (3) govern the environment; and (4) manage the environment. The service oriented vision and strategies will be shared with other government agencies and other stakeholders to enhance the information sharing environment.[8]

4.1 Sharing with Allied and Coalition

The current US policy is to share information with friendly nations including Allied, Coalitions and others that we have close ties and share values and objectives with. On today’s battleground there are soldiers from multiple nations working together and with the host nation and multiple non-military and nongovernmental organizations to provide services to the population. When there is an attempt to use the communication systems and the IT infrastructure to communicate between these agencies and organizations, we have to have some common standards/format to transfer the data and to provide the required security to prevent intruders and un-cleared personnel from accessing them. It should be clear that even with the attempt to use common terms in classifying information (i.e. Confidential, Secret, Top Secret), the classification within each country is considered its own domain.[9]

4.2 Sharing with other agencies

Information sharing between departments, organizations and agencies has been hampered by technical, cultural, policy, and political constraints where sharing of information has been restricted by infrastructure, culture and policy. Many organizations have been constrained by the resources available to them, creating stovepipes of information that do not allow data to be shared. The other problem is that even when the systems are physically connected, the inability to discover what exists in the attached IS forces duplicate efforts in building similar functionalities and data to use in information sharing. There is a strong need for policies that promote cross-agency, cross-mission information sharing. The most common challenges include:

4.2.1 Policy: No current policy requires conformance to common data and interface standards when building new systems or modifying existing ones. Moreover, common standards are still being developed and will need the stakeholders to buy into them. After the standards are developed and accepted, the process to enable information sharing through them will require the Certification and Accreditation (C&A) process to adapt to these standards and accept the implied reciprocity to lead us out of the current information stovepipes.

4.2.2 Technology: This subject tends to get the most attention when discussing information sharing, but also seems to end up being a big challenge to resolve. Organizations tend to want to build components that resolve their internal tasks, and not worry about interfaces. Additionally, legacy systems can introduce additional challenges where documentation is insufficient and modifications are expensive. We end up with differences in architectural platforms which make it difficult to re-use existing systems in traditional architectures, and we cannot leverage components in other organizations. The outcome is having information that cannot be securely discovered and consumed outside of the controlling institution and often cannot even be discovered within.

4.3 Approach

In order to deal with these challenging and complex ideas on information sharing, we must consider one of the premier drivers that provide the infrastructure to achieve this notion of Core to Edge security to enable information sharing. NetOps is the nucleus of GIG [10] operations in a net-centric framework and is a critical cog in the wheel of the Net-Centric Operations. NetOps guarantees that the key components of the GIG generate an environment that protects and maintains the integrity and quality of information, thereby ensuring that users can easily post, access, and share relevant information and collaborate to conduct Net-Centric Operations or Information sharing.[11] The current information sharing systems are mainly built on either manual or P2P cross domain services. These services need to be increasingly automated to allow for automated discovery of data in multiple external domains simultaneously and fusion of that data in real time to allow the development of in-time reports to the requesters. The “Crawl, Walk, Run” analogy fits well within this particular environment. The following section provides an outline of how we can incrementally reach our objective.

5.0 ANALYSIS OF ALTERNATIVES

Technology changes and provides increased capabilities at an exponential rate. In 6 months there could be even better technologies that will enhance our ability to securely share information from the core to the edge. The following are the latest technologies that have been assessed to enable the performance and security needed for our mission needs.


5.1 Virtualization

Virtualization is a technique used to provide a certain kind of software implementation of a machine that executes programs giving the impression of a physical machine environment. Full virtualization provides complete simulation of the underlying service layers where any software capable of execution on the intended hardware can be run in the virtual machine. Other Virtualization methods allow only certain or modified software to run within a virtual machine. Cloud Computing utilizes the concept of virtualization to provide remote services to the customers over general computing infrastructure while appearing to have customized services to each user.

Figure 7 Conceptual Cloud Computing model for Inter-Domain Data Sharing

5.2 Cloud Concepts

Cloud computing is utilizing shared resources within the organization or externally as a service over an Intra-net or inter-net to provide dynamically scalable computing or storage services. Cloud computing services often provide common applications that are accessed from a remote location, where the software is stored on the servers and data is sent to the servers from the user location. Users need not have detailed knowledge of or control over the technology infrastructure in the "cloud" that supports them. Due to the continuous increase in demand for processing and storage, system designers are always looking for architectures and algorithms to process data quicker than currently possible with available resources. The cloud approach attempts to assemble very large, powerful systems consisting of many small, inexpensive commodity components. The advantages of migrating towards the cloud infrastructure include the fact that the component systems in the clouds tend to be much less costly than a single, faster machine with comparable capabilities.

5.3 Quality of Service (QoS) and SOA

Of course we can evaluate technology without bringing up the over-used SOA construct. In this paper we are truly talking about a Services-based architecture rather than oriented, but creating reusable services is going to be the key to providing ESSM to the edge. So now, in a globally dispersed environment, we need to discuss Quality of Service (QoS), which refers to a level of service that is satisfactory to enable required applications to run and allow users to easily comprehend the data. In commercial applications, QoS is not about providing the best level of service across the board, but about meeting user requirements defined in the Service Level Agreement (SLA). Here the SLA is often used to describe the agreement between the customer and the service provider as to what constitutes 'satisfactory'. The term QoS, as it is most commonly used in networking, telecommunications and distributed multimedia, describes the data stream at the consumer side in terms of latency, reliability, accuracy, and capacity. When negotiating an SLA with a provider, the agreement will usually include as a minimum these characteristics: Bandwidth (or throughput), Latency (or delay), Jitter, Error Rate, Availability (or uptime), Network Security.[12][13]

5.5 Precedence Levels

It is often misunderstood that the QoS is associated with the IP services and the application that requires certain reliability, latency, and speed to deliver a human or machine usable outcome. The DoD defined Precedence levels are Routine, Priority, Immediate, Flash, Flash Override. The message is assigned a Precedence level by the originator up to the maximum level he/she is granted. The higher the precedence, the more resource it is given to ensure that it reaches its destination in the expected time. Higher precedence messages are allowed to preempt lower ones in times of network overload, so Precedence and Preemption (P&P) is used to help the commander prioritize messages over limited bandwidth.[14]

5.6 QoS and P&P

Since the precedence is based on the initiator's address, there are urgent needs to develop mechanisms to prevent spoofing. This is more prevalent in a network that implements P&P because entering the network from any of its access points under a higher Precedence level can create greater damage due to the hacker’s capability to preempt lower precedence level messages that are attempting to discover status and correct errors. We also need definition of the requirements and scenarios where the commander's intent and authority is clearly understood. The goal is to prevent an enemy from accessing the network and masquerading as a high precedence user and sending streams of control messages requesting service from the controllers; by simply flooding the controller with requests, the system's efficiency will be reduced. At a minimum, we need to insert the following controls to ensure positive controls over the shared system resources: User authentication, Precedence level access, Network survivability, Header Encryption, Network Robustness, Network Forensics.

5.7 Class of Service for Core to the Edge

The Core to the Edge capability to deliver critical information to the warfighter is a somewhat inconsistent environment. There are many capabilities that are distributed in different geographical areas. However, the class of service in each of these areas is not constant, depending on loading, weather, and other environmental conditions. The following table outlines the various classes of service for the different mechanisms proposed in this paper.

Class of service   Manual   P2P   Automated   Low level Service   Full Enterprise Services
A                  X        X     X           X                   X
B                  X        X     X           X
C                  X        X     X
D                  X        X
E                  X

• A: Class A Service will require high bandwidth and high reliability with high QoS.
• B: This link will have moderate bandwidth and moderate QoS.
• C: This class of CD capability is assigned for automated systems that have multi point connectivity through a portal or similar access points.
• D: This type of link is a Point to Point attachment which acts as a pipe and filter to relay data between two distinct systems.
• E: This service is needed when we have no datalink connections.
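The P&P controls of Sections 5.5 and 5.6 (User authentication, Precedence level access, preemption under overload, and a forensic record) can be shown together in one small queue. The following is an added example written for this page and is not the paper's or the GIG's implementation: each originator signs the message header with a shared key (standing in for the paper's Header Encryption / authentication control), the queue refuses a header whose MAC does not verify or whose claimed precedence exceeds the originator's granted maximum, and when the link is full a higher-precedence arrival preempts the lowest-precedence entry. The user names, keys, granted maxima and payloads are constructed for the example.

```python
import hashlib
import hmac
import itertools
import json

# DoD precedence levels as listed in Section 5.5, ranked low to high.
PRECEDENCE = {"ROUTINE": 0, "PRIORITY": 1, "IMMEDIATE": 2, "FLASH": 3, "FLASH OVERRIDE": 4}

# Constructed originator directory: each user's shared key and the maximum
# precedence level he/she is granted (Precedence level access).
USER_KEYS = {"alpha": b"constructed-key-alpha", "bravo": b"constructed-key-bravo"}
USER_MAX = {"alpha": "FLASH", "bravo": "PRIORITY"}


def sign_header(header: dict, key: bytes) -> str:
    """Authentication tag: HMAC-SHA256 over the canonical JSON header."""
    body = json.dumps(header, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_message(user: str, precedence: str, payload: str) -> dict:
    """Originator side: build a header and sign it with the user's own key."""
    header = {"user": user, "precedence": precedence, "payload": payload}
    return {"header": header, "mac": sign_header(header, USER_KEYS[user])}


class PPQueue:
    """Bounded link queue admitting traffic by authenticated precedence and
    preempting lower-precedence messages when full."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self._entries = []          # (precedence_rank, arrival_seq, message)
        self._seq = itertools.count()
        self.audit = []             # Network Forensics: every decision is recorded

    def authenticate(self, msg: dict) -> bool:
        """User authentication: the MAC must verify under the claimed user's key,
        so a header whose precedence field was altered after signing fails."""
        key = USER_KEYS.get(msg["header"].get("user"))
        if key is None:
            return False
        return hmac.compare_digest(sign_header(msg["header"], key), msg["mac"])

    def submit(self, msg: dict) -> str:
        hdr = msg["header"]
        if not self.authenticate(msg):
            return self._log("rejected-auth", hdr)
        rank = PRECEDENCE[hdr["precedence"]]
        # Precedence level access: nobody may claim above the granted maximum.
        if rank > PRECEDENCE[USER_MAX[hdr["user"]]]:
            return self._log("rejected-precedence", hdr)
        result = "accepted"
        if len(self._entries) >= self.capacity:
            # Overload: preempt the lowest-precedence entry (newest first on ties),
            # but only if the arrival strictly outranks it.
            victim = min(self._entries, key=lambda e: (e[0], -e[1]))
            if victim[0] >= rank:
                return self._log("rejected-full", hdr)
            self._entries.remove(victim)
            result = "preempted:" + victim[2]["header"]["user"]
        self._entries.append((rank, next(self._seq), msg))
        return self._log(result, hdr)

    def pop(self) -> dict:
        """Deliver the highest-precedence message, oldest first within a level."""
        best = max(self._entries, key=lambda e: (e[0], -e[1]))
        self._entries.remove(best)
        return best[2]

    def _log(self, outcome: str, hdr: dict) -> str:
        self.audit.append({"outcome": outcome, "user": hdr.get("user"),
                           "precedence": hdr.get("precedence")})
        return outcome


def demo():
    """Constructed scenario: a capacity-2 link under load (example data)."""
    q = PPQueue(capacity=2)
    results = [
        q.submit(make_message("bravo", "ROUTINE", "status report")),
        q.submit(make_message("bravo", "PRIORITY", "resupply request")),
        q.submit(make_message("bravo", "FLASH", "overclaim")),      # above bravo's granted max
    ]
    altered = make_message("bravo", "ROUTINE", "altered header")
    altered["header"]["precedence"] = "FLASH OVERRIDE"             # changed after signing
    results.append(q.submit(altered))
    results.append(q.submit(make_message("alpha", "FLASH", "contact report")))
    delivered = [q.pop()["header"]["payload"] for _ in range(2)]
    return results, delivered, q.audit


if __name__ == "__main__":
    print(demo())
```

The two checks in `submit` are what keep precedence from being a free field in the header: the MAC ties the claimed level to a key only that originator holds, and the per-user maximum caps what even an authentic originator can request, so the preemption step only ever runs on claims the network has already vouched for. The audit list holds the rejected attempts as well as the accepted traffic, which is the material a later forensic review needs.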

6.0 SUMMARIES AND CONCLUSION

The traditional philosophy of minimal data sharing outside a security domain has been replaced by an era of encouraging secure information sharing among services, agencies, coalition partners and state/local organizations. This new viewpoint also includes providing the appropriate data to the tactical edge through means of enhanced CD methods and secure communications. This means that our soldiers (boots on the ground) are no longer at the mercy of some organization or agency on the other side of the globe determining what information is relevant to them. This analysis presented the tactical requirements and technology alternatives from Cloud Computing to SOA to deliver the required data to the warfighter. We provided an analysis of various types and levels of protection, data integrity and alternative architecture options to support the stated Tactical CD requirements with their built-in variations. These new requirements include automated data discovery and dealing with compromised assets and codes to provide real-time situational awareness. Additionally, the definition of the enterprise and its boundaries and where the tactical operations rules begin have been under discussion with a multitude of stakeholders. We are focusing on the tactical environment because the need is so great and it resides in a limited communications setting with variable link capacities, QoS, data bursts, error rates and multiple connectivity/handoff issues. We investigated the threat levels within the tactical environments and the effects on the overall enterprise security and integrity. The overall approach will eliminate the stovepipe architectures that restrict data sharing due to the Point-to-Point approach that is prevalent in the tactical community and opens the doors to share information across traditional and non-traditional domain boundaries.

7.0 References

[1] Tactical Edge Characterization Framework, MITRE Technical Report, F. Dandashi, P. Glasow, 2008.
[2] Global Information Grid Joint Tactical Edge Networks, Engineering White Paper, V3.1, Sept 2008.
[3] Report On Core Enterprise Services to the Tactical Edge (CES2TE), Core Enterprise Services to the Tactical Edge Focus Team, Dec 2008.
[4] Cyber Capability Assessment: Architecting a seamless Assured Information Sharing Infrastructure for the Tactical Warfighter, B. Farroha, D. Farroha, M. Whitfield, IEEE International Systems Conference 2010, San Diego, CA.
[5] Challenges and Alternatives in Building a Secure Information Sharing Environment through a Community Driven Cross Domain Infrastructure, B. Farroha, M. Whitfield, D. Farroha, MILCOM 2009, Boston, MA.
[6] Net-centric transformation to empower the warfighter through enhanced enterprise data services: exploring the SOA approaches, D. Farroha, B. Farroha, SPIE Defense and Security Symposium 2009, Orlando, FL.
[7] From the DoD CIO: The Net-Centric Information Enterprise, John G. Grimes, CROSSTALK The Journal of Defense Software Engineering, July 2006.
[8] The National Intelligence Strategy of the United States of America, August 2009.
[9] Analysis of Three Multilevel Security Architectures, Timothy E. Levin, Cynthia E. Irvine, Clark Weissman, Thuy D. Nguyen, CSAW’07, ACM, November 2007.
[10] Global Information Grid, Globalsecurity.org.
[11] Making It Work – The Net-Centric Global Information Grid NetOps Strategy, Thomas Lam, Office of the Assistant Secretary of Defense, Crosstalk, July 2007.
[12] SOA as a Catalyst to Empower the Warfighter through Improved Enterprise Data Access Over the GIG, D. Farroha, B. Farroha, IEEE International Systems Engineering Conference 2009, Vancouver, Canada.
[13] Policy-Based QOS Implementation in a SOA Enterprise Framework, D. Farroha, B. Farroha, MILCOM 2007, November 2007, Orlando, FL.