Information Assurance in the Global Information Grid

Stuart Schaeffer, Colin Cole, Nicole Carlson, Daniel Faigin, Tim Lelesi, Leo Marcus, and Deborah Shands

The Department of Defense is constructing the Global Information Grid, a foundation for network-driven defense operations. This massive complex of computational and communication resources requires new approaches to ensure the confidentiality, integrity, and availability of data moving through the system.

The Global Information Grid is an ambitious undertaking to integrate virtually all of the Department of Defense (DOD) information systems into a single, seamless, secure "network-centric" system. The goal is to enable rapid dissemination of information, regardless of which agency owns it and which user, anywhere in the world, needs it. This requires data owners to let people or systems outside their control access their data. Thus, it is necessary to provide assurance that the network is sufficiently trustworthy to permit sharing of information without compromising either the data or the mission of the owner.

Trust in the Global Information Grid is dependent on technologies that protect the systems against the unauthorized disclosure, modification, or destruction of data and ensure its availability to those who need it. Aerospace is researching various technologies and engineering methods that provide such protection. Important components of this work include adaptive security infrastructure, cross-domain solutions, enterprise rights management, and cryptographic key management.

Adaptive Security Infrastructure

Adaptive security refers to the ability of a network to adjust automatically to changing circumstances such as intrusions, node failures, new connections, hardware or software modifications, and configuration changes. In the Global Information Grid, dynamically forming communities will interconnect to share information, then disband and disconnect. For example, a number of federal, state, and local government agencies may come together with nongovernmental aid groups and commercial organizations to provide rapid response to a natural disaster. Satellite data may be offered to many of the organizations to help direct relief efforts. After the emergency has passed, this community may disband or change into a longer-term rebuilding community with different organizational partners. Many of these organizations would no longer need access to the satellite data, so the access parameters would need to change to accommodate the new requirements.

Malicious attacks are also a concern. Most networks are subject to attacks against information or operations, and some attacks can spread quite rapidly. For example, in January 2003 the Slammer worm infected more than 90 percent of the vulnerable hosts on the Internet in less than 10 minutes, doubling the number of infected hosts roughly every 8.5 seconds. Manual responses are clearly insufficient against attacks this fast; automated responses are now essential to protect critical systems.

The local adaptability of individual security mechanisms (such as firewalls, antivirus software, and intrusion detection systems) has improved within the past few years, but there is little understanding of the effects of such adaptations at the enterprise level. When multiple mechanisms adapt independently, the enterprise-wide (or Grid-wide) results can be unpredictable. For example, if individual firewalls adapt by generating different access control policies, user access to enterprise resources may be permitted from some hosts, but not others. This can lead to errors in software applications, frustrated users, and significant time spent troubleshooting by network administrators. Thus, it is critical to ensure that a system employing adaptive security mechanisms will behave as expected and that an automatically generated local response will not cause problems at the enterprise level.

To address these concerns, Aerospace created the Adaptive Security Infrastructure project. The focus is on developing models and technologies to help improve the enterprise-level reliability and predictability of security adaptations. This includes research into languages for specifying security adaptations, adaptation semantics, techniques for identifying compositions of system elements to preserve security properties, definition of adaptation strategies, association of security adaptivity with system architectures, and techniques for architecture-independent adaptation.

Part of this project has involved the development of a mathematical model covering the delegation and response of security tasks and security properties. An enterprise-wide security policy is enforced by assigning subpolicies to independent components. The interconnections that combine components to form the enterprise must also exhibit specific security properties. The model would determine whether enforcement of the subpolicies, together with satisfactory security properties, would result in the enforcement of the enterprise-wide policy.

Components are responsible for enforcing their subpolicies, despite changing conditions within the enterprise. This requires component-level autonomy to locally adapt elements such as parameter values, data, connections, and permissions. At the same time, component-level adaptations must be constrained to control their impact on the enterprise. For example, when a new partner joins a community of interest, an existing partner may choose to share some, but not all, of the resources on a Web server. To allow requests from the new partner to reach the server, the administrator must "open up" some firewall configurations; however, restrictions must also be added to prevent the new partner from accessing material that is not intended for sharing. It is important that the firewall configurations not be opened before the restrictions are in place.
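The two ideas in the preceding paragraphs, checking that independently enforced subpolicies compose to the enterprise policy and constraining the order of local adaptations, can be made concrete with a small model. The following is an added illustration written for this article, not the Aerospace ASI prototype or its mathematical model; the partner names, resources, and the firewall/ACL split are assumptions. A request is permitted only if every component on its path permits it, and an adaptation sequence is checked after every step: a "leak" (the path permits something the enterprise policy denies) is never acceptable, while a "gap" (the path denies something the policy permits) is tolerable while the adaptation is in progress.

```python
"""Added illustration: composing delegated subpolicies and checking an adaptation sequence.
Toy model written for this article, not the Aerospace ASI prototype or its model."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, Iterable, List, Tuple

Subject = str
Resource = str


@dataclass
class Component:
    """One enforcement point with its own subpolicy, a predicate over (subject, resource)."""
    name: str
    rule: Callable[[Subject, Resource], bool]


def composed_decision(path: List[Component], s: Subject, r: Resource) -> bool:
    """Serial composition: a request reaches the resource only if every component on the path permits it."""
    return all(c.rule(s, r) for c in path)


def check(policy: Dict[Tuple[Subject, Resource], bool], path: List[Component],
          subjects: Iterable[Subject], resources: Iterable[Resource]):
    """Compare composed enforcement with the enterprise policy.
    leaks: the path permits something the policy denies (never acceptable, even transiently).
    gaps:  the path denies something the policy permits (tolerable while an adaptation runs)."""
    leaks, gaps = [], []
    for s, r in sorted(product(subjects, resources)):
        composed = composed_decision(path, s, r)
        wanted = policy.get((s, r), False)  # enterprise policy is default-deny
        if composed and not wanted:
            leaks.append((s, r))
        elif wanted and not composed:
            gaps.append((s, r))
    return leaks, gaps


def run_adaptation(policy, path, subjects, resources, steps):
    """Apply local adaptation steps in order and record (leaks, gaps) after each one."""
    observed = []
    for step in steps:
        step()
        observed.append(check(policy, path, subjects, resources))
    return observed


def partner_join_scenario(restrict_first: bool):
    """Hypothetical scenario: 'partnerB' joins and may see /shared but not /internal."""
    reachable = {"partnerA"}   # hosts the firewall currently lets through to the Web server
    denied = set()             # (subject, resource) pairs the server ACL blocks; default permit
    firewall = Component("firewall", lambda s, r: s in reachable)
    web_acl = Component("web-acl", lambda s, r: (s, r) not in denied)
    path = [firewall, web_acl]
    subjects = ["partnerA", "partnerB"]
    resources = ["/shared", "/internal"]
    # Enterprise policy after partnerB joins: A keeps full access, B gets /shared only.
    policy = {("partnerA", "/shared"): True, ("partnerA", "/internal"): True,
              ("partnerB", "/shared"): True, ("partnerB", "/internal"): False}
    open_firewall = lambda: reachable.add("partnerB")
    add_restriction = lambda: denied.add(("partnerB", "/internal"))
    steps = [add_restriction, open_firewall] if restrict_first else [open_firewall, add_restriction]
    return run_adaptation(policy, path, subjects, resources, steps)


def adaptation_is_safe(observed) -> bool:
    """Safe if no intermediate state leaks and the final state matches the policy exactly."""
    return all(leaks == [] for leaks, _ in observed) and observed[-1] == ([], [])


if __name__ == "__main__":
    for order in (False, True):
        trace = partner_join_scenario(restrict_first=order)
        label = "restrict first" if order else "open firewall first"
        print(label, "->", "safe" if adaptation_is_safe(trace) else "UNSAFE", trace)
```

Both orderings end in the same final state, which is exactly why checking only the end state misses the problem: the firewall-first sequence passes through a state in which partnerB can reach /internal. A controller that composes responses has to check each intermediate state, not just the target.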

Aerospace is developing a prototype to test the utility of the Adaptive Security Infrastructure for delegating authority and composing responses. It consists of an administrative console through which security policy rules are specified, a network of sensors that detect security-related events, and a controller that analyzes sensor reports and initiates protective responses governed by the policy rules. The prototype has been used to demonstrate adaptive security functions in two scenarios based on an imaginary Air Force operation: the management of a sensitive e-mail distribution system under both "normal" and mission-critical conditions, and defense against a denial-of-service attack under the same conditions. These demonstrations have shown the validity of the theoretical model and the viability of its implementation.

Cross-Domain Solutions

An important characteristic of the Global Information Grid is the interconnection of individual networks on a grand scale, enabling information to flow from its owners to users, such as intelligence analysts and war fighters, without requiring them to share a single network. This is considered essential by DOD planners; however, much information, such as classified or U.S.-only data, must be restricted to particular groups and individuals. In addition, critical systems need to be protected from malicious software and network attacks. Hence, there is a need to control the flow of information.

A "cross-domain solution" is a device that controls the flow of data between two domains. Most commonly, domains are enclaves or subnetworks of different classification levels; they may also be owned by different entities and have different access policies. The cross-domain solution has two primary responsibilities. Outbound transmissions (from the more controlled domain to the less controlled domain) must be inspected to ensure that they do not disclose restricted information. Inbound transmissions must be inspected to prevent the introduction of malicious software. These inspections are typically done using rules specific to the type and content of the data being transmitted, indicated by the data source and descriptive metadata.
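The two inspection responsibilities just described, and the way rules are selected by declared type and metadata, can be sketched as decision logic. The following is an added illustration written for this article, not the logic of any fielded or accredited cross-domain solution; the domain objects, the "US-ONLY" releasability label, the permitted content types, and the simple content checks are assumptions chosen to make the example run. The direction is chosen from the domains' sensitivity levels: a transfer from a dominating domain gets the disclosure checks, a transfer toward a dominating domain gets the content-safety checks. A real guard typically inspects for malicious content in both directions; the split here follows the description above.

```python
"""Added illustration: decision logic of a two-way cross-domain guard.
Toy model written for this article, not a fielded or accredited cross-domain solution."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Ordered sensitivity levels; a higher index dominates a lower one.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Domain:
    name: str
    level: str
    nationality: str          # "US" or "COALITION" in this toy; drives the US-only check


@dataclass
class Message:
    content_type: str         # declared type, e.g. "text/plain" or "image/jpeg"
    metadata: Dict[str, str]  # descriptive labels supplied by the data source
    payload: bytes


def dominates(a: str, b: str) -> bool:
    return LEVELS.index(a) >= LEVELS.index(b)


def disclosure_violations(msg: Message, dst: Domain) -> List[str]:
    """High-to-low direction: reasons the transfer would disclose restricted information."""
    reasons = []
    label = msg.metadata.get("classification")
    if label is None:
        reasons.append("missing classification label")
    elif not dominates(dst.level, label):
        reasons.append(f"{label} label not releasable to {dst.level} domain")
    if msg.metadata.get("releasability") == "US-ONLY" and dst.nationality != "US":
        reasons.append("US-only data to non-US domain")
    # Content inspection: markings in the body the destination may not receive, whatever the label says.
    body = msg.payload.decode("utf-8", errors="ignore").upper()
    for lvl in LEVELS:
        if lvl in body and not dominates(dst.level, lvl):
            reasons.append(f"body contains {lvl} marking")
    return reasons


def malware_violations(msg: Message, allowed_types: Set[str], max_size: int) -> List[str]:
    """Low-to-high direction: reasons the content is not the benign, expected kind."""
    reasons = []
    if msg.content_type not in allowed_types:
        reasons.append(f"content type {msg.content_type} not permitted")
    if len(msg.payload) > max_size:
        reasons.append("payload exceeds size limit")
    # Type-specific rule selected by the declared type: the bytes must agree with it.
    if msg.content_type == "image/jpeg" and not msg.payload.startswith(b"\xff\xd8\xff"):
        reasons.append("payload is not a JPEG despite declared type")
    if msg.content_type == "text/plain":
        try:
            text = msg.payload.decode("utf-8")
        except UnicodeDecodeError:
            reasons.append("text payload is not valid UTF-8")
        else:
            if "\x00" in text:
                reasons.append("text payload contains NUL bytes")
    return reasons


def guard(msg: Message, src: Domain, dst: Domain,
          allowed_types: Set[str], max_size: int = 1_000_000) -> Tuple[bool, List[str]]:
    """Apply the direction-appropriate inspection; default deny, with the reasons returned."""
    if dominates(src.level, dst.level):
        # Outbound (including equal levels, where releasability still matters).
        reasons = disclosure_violations(msg, dst)
    else:
        reasons = malware_violations(msg, allowed_types, max_size)
    return (len(reasons) == 0, reasons)


# Constructed domains for the example (names chosen to match the article's discussion).
SIPRNET = Domain("SIPRNET", "SECRET", "US")
NIPRNET = Domain("NIPRNET", "UNCLASSIFIED", "US")
COALITION = Domain("coalition-secret", "SECRET", "COALITION")

if __name__ == "__main__":
    msg = Message("text/plain", {"classification": "UNCLASSIFIED"}, b"Paragraph marked SECRET by mistake")
    print(guard(msg, SIPRNET, NIPRNET, {"text/plain"}))
```

Note that the label check and the body check are independent: a message correctly labelled UNCLASSIFIED is still refused if its body carries a SECRET marking, which is the kind of rule a "dirty word" filter on a guard implements.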

Cross-domain solutions are derived from "guard" technology. Guards are devices that monitor network connection points and determine, according to a set of rules, whether individual data packets should be permitted to go to their destinations. A firewall can be viewed as a type of guard, and firewalls with sophisticated rule sets may approach the functionality of a cross-domain solution; however, cross-domain solutions are distinguished from guards and firewalls by a greater level of assurance—that is, they have been shown to operate correctly through more intense analysis and testing.

Cross-domain solutions are most commonly used for connections to long-haul networks such as the DOD's SIPRNET and NIPRNET (Secret Internet Protocol Router Network and Nonsecure Internet Protocol Router Network). In space systems, they mediate the connections between classified ground control systems and the unclassified Air Force Satellite Control Network (AFSCN). They are also used at internal connections between different single-level subsystems, such as internal local area networks of different classifications, and may also be indirectly connected to other systems.

Including a cross-domain solution in a system is considerably more complex than putting in a firewall. It requires a justification of need, a review by upper-echelon boards at the Defense Information Systems Agency (DISA) and National Security Agency (NSA), and custom engineering to fit the intended system. Failure to begin planning early enough (or at all) can result in significant schedule slips and cost increases and is likely to delay system accreditation and availability.

Aerospace has been addressing the issue of cross-domain solutions in space systems, particularly regarding the connection of ground command and control networks to AFSCN. In contrast to a standard cross-domain solution, which generally processes only Internet Protocol data traffic, a cross-domain solution for a ground control network must recognize specialized satellite control protocols—although it may also have more traditional traffic concerns, such as SIPRNET connections, internal local area networks of different classifications, and U.S.-only vs. foreign access requirements. Aerospace is working with several national security programs to determine their cross-domain solution needs, guide them through the implementation process, and assist them with certification and accreditation. In conjunction with DISA, Aerospace has also been pressing for the development of standardized cross-domain solution interfaces for the next generation of space networks. An approved standard solution that builds upon AFSCN resources could achieve considerable cost and schedule advantages in the long run.

Enterprise Rights Management

A cross-domain solution can help control the flow of information, but provides no assurance about what happens after the information gets to its intended destination. One emerging technology, known as enterprise rights management, enables the data owner to maintain some control over information, even after it's received by someone outside the owner's organization. Enterprise rights management evolved from digital rights management, which was devised to control the distribution of commercial content such as movies and music. Enterprise rights management is intended to control more sensitive data, such as trade secrets, whose unauthorized use would be far more serious. Aerospace is investigating whether the technology might also be suitable for protecting national security data with high confidentiality and integrity requirements.

In most commercial enterprise rights management schemes, data are encapsulated in discrete objects, which are then tagged with metadata containing access control information. These objects may then be disseminated; in principle, they are useless (unreadable, unwritable, inaccessible) unless the accessor presents credentials that match the metadata restrictions. If the credentials match, the data object is transmitted from a central repository to the accessor's workstation, where it is generally viewable only in a special application that isolates it from the rest of the local system. For example, the ability to copy and paste to and from the Windows clipboard is disabled, as are screen captures and print commands. Because these controls are enforced on the recipient's machine, their strength depends on the integrity of the viewing application and of the platform beneath it.

Several types of access-control information are commonly found, in addition to the familiar permissions to read, write, modify, and delete an object. Key among these is rights delegation, the ability of the owner of a data object to control what a recipient may do with it. For example, Alice may permit Bob to view a certain document, but she may or may not permit Bob to forward it to Carol, and she may or may not allow Bob to control what Carol does with it.
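The Alice, Bob, and Carol case can be written down as a check over a chain of grants, which makes the three separate decisions (may Bob view, may Bob forward, may Bob set Carol's rights) explicit. The following is an added illustration written for this article, not the license format or validation logic of any commercial enterprise rights management product; the field names and the rule that an issuer-fixed forwarded copy is terminal are assumptions of this toy model.

```python
"""Added illustration: validating an ERM-style rights-delegation chain.
Toy model written for this article, not any commercial ERM product's license format."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Grant:
    issuer: str
    holder: str
    rights: frozenset                       # usage rights on the object, e.g. {"view", "annotate", "print"}
    may_forward: bool = False               # holder may pass the object on to someone else
    may_control_onward: bool = False        # holder decides what a recipient gets; otherwise the issuer fixes it
    onward_rights: frozenset = frozenset()  # rights the issuer fixes for forwarded copies when the holder may not control them


def validate_chain(owner: str, chain: List[Grant]) -> Tuple[bool, str]:
    """Check that every link in owner -> ... -> final holder was authorised by the link before it.
    Simplification: a forwarded copy whose rights were fixed by the issuer is terminal."""
    if not chain:
        return False, "empty chain"
    if chain[0].issuer != owner:
        return False, f"root grant not issued by owner {owner}"
    for prev, nxt in zip(chain, chain[1:]):
        if nxt.issuer != prev.holder:
            return False, f"{nxt.issuer} did not hold the previous grant"
        if not prev.may_forward:
            return False, f"{prev.holder} may not forward"
        if prev.may_control_onward:
            # Attenuation: a holder can pass on at most the rights it holds itself.
            extra = nxt.rights - prev.rights
            if extra:
                return False, f"{prev.holder} cannot delegate rights it does not hold: {sorted(extra)}"
        else:
            # The issuer decided the terms of any forwarded copy; the holder may not change them.
            if nxt.rights != prev.onward_rights or nxt.may_forward or nxt.may_control_onward:
                return False, (f"{prev.holder} may forward only with the rights fixed by "
                               f"{prev.issuer}: {sorted(prev.onward_rights)}")
    return True, "chain valid"


def permitted(owner: str, chain: List[Grant], user: str, action: str) -> bool:
    """Decide a request: valid chain, requester is the final holder, action is among the final rights."""
    ok, _ = validate_chain(owner, chain)
    return ok and chain[-1].holder == user and action in chain[-1].rights


# Constructed grants for the example.
VIEW_ONLY = Grant("alice", "bob", frozenset({"view"}))
FORWARD_FIXED = Grant("alice", "bob", frozenset({"view", "annotate"}),
                      may_forward=True, onward_rights=frozenset({"view"}))
FORWARD_CONTROL = Grant("alice", "bob", frozenset({"view", "annotate"}),
                        may_forward=True, may_control_onward=True)

if __name__ == "__main__":
    carol_view = Grant("bob", "carol", frozenset({"view"}))
    for root in (VIEW_ONLY, FORWARD_FIXED, FORWARD_CONTROL):
        print(validate_chain("alice", [root, carol_view]))
```

The interesting case is the middle one: Alice lets Bob forward but keeps control of the terms, so Bob can hand Carol a view-only copy and nothing else, and Carol cannot forward it further.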

This technology has obvious ramifications for the distribution of sensitive defense information. For example, during a battle, an operations officer may need a classified satellite image from an intelligence agency immediately. The Global Information Grid makes it possible to send the request from the field to the agency and to receive the image while the information is still useful; however, the image must not be seen by anyone but the operational command staff, and when the image is no longer needed, it must disappear from the battlefield computer. Historically, organizations have been unwilling to share information in this fashion. They might be more willing to do so if a mechanism existed that enabled the information owner to retain control over the information, even when it resides on someone else's computer.

An enterprise rights management (ERM) scheme. A data object is created and tagged with metadata containing its sensitivity level, the user access rights required, and disposition rights. The object is placed in a repository that authenticates the object's source and ensures that the source has the appropriate access rights. A search engine finds the object and presents the requester's credentials. The repository authenticates the credentials, verifies access rights, and, if appropriate, sends the data object. The user's computing platform verifies the integrity of the object and may authenticate the repository as well. Based on the credentials held on the computing platform, the user might be able to view only portions of the object. If authorized, the user may annotate the object or combine it with other objects to generate a new object, in which case the user attaches new metadata (possibly different from the original object's metadata).

Prior to the development of enterprise rights management, the so-called multilevel secure system was the only technology available to control the transfer and disclosure of data with different levels of sensitivity stored on the same computing platform. Multilevel secure systems are complex and difficult to implement and have not been widely adopted. Enterprise rights management has the potential to provide more capabilities than multilevel secure systems without the implementation problems.

Still, enterprise rights management is not yet strong enough to meet DOD needs, and there are significant areas that need to be addressed. For example, most currently available products are designed for specific computing platforms and are not suited to mixed-platform environments. Furthermore, the protection mechanisms they use are proprietary and are not standardized, and they cannot interoperate. Nevertheless, the technology holds great potential.

Aerospace is investigating the behavior and implementation of several commercial enterprise rights management schemes. Specific areas of interest are policy modeling, interoperability, assuring correct behavior, and penetrability (how difficult it is to break protection and circumvent controls). The goals are to establish criteria to evaluate and compare enterprise rights management products, assess their suitability for national security applications, and identify enhancements that will strengthen data protection.

Cryptographic Key Management

One of the foundations of secure information flow through a network is encryption of data. Encrypted data are unintelligible, and only those who possess the corresponding decryption key can restore the information to its original intelligible form.

The National Security Agency is responsible for the creation and distribution of cryptographic keys for all classified data in space systems. The currently implemented distribution system for keys protecting classified information, the Electronic Key Management System, uses a network of distributed message servers feeding dedicated key-distribution computing platforms, communicating over public phone lines using secure terminals to maintain confidentiality. The system relies on detailed knowledge of each of its end users, who must have prearranged accounts. It also relies on trusted human operators to make correct distribution decisions. However, the sheer size and dynamic nature of the Global Information Grid would overwhelm human decision-making capabilities while increasing the risk of breaches of trust by human intermediaries. Therefore, a more sophisticated and automated scheme will be needed.

To meet this need, NSA is developing a system called the Key Management Infrastructure, which relies on a number of key-request clients connected to a distributed network of key servers. The use of intelligent client software and network-based key distribution is intended to mitigate the possibility of human error and intentional redirection while improving distribution and management functions.

NSA requires space system programs to have a key management plan that explains how keys will be controlled during their life cycle of generation, distribution, use, replacement, and eventual destruction. These plans detail what keys will be ordered from NSA, how many, their classification, the equipment that will use them, and information about the program's distribution network.

A key management plan is constructed around a key management architecture, the operational structure for ensuring that the ordering, distribution, use, and destruction of keys are all performed securely. Commonly used techniques for secure distribution include encrypting keys with other keys that are distributed via a different route, physically protecting keys from their point of origin to their destinations, and maintaining periodically audited records of key distribution and usage. A key management architecture can use one or more of these methods in combination with restrictions on keys and equipment in accordance with NSA procedures (such as requirements for two people to handle certain types of keys, or for two people to be present when cryptographic equipment is operated).

Creation of a key management plan requires specialized knowledge of both the available cryptographic technology and NSA requirements. Moreover, the NSA requirements governing the Key Management Infrastructure are still being written, and the cryptographic technology is still under development—all of which adds to the difficulty of developing an acceptable key management plan. Aerospace has a long history of working with NSA on defining and satisfying cryptographic requirements for space systems and is tracking the development of the Key Management Infrastructure. Aerospace has also been working with national security space programs to help design key management architectures and plans that will meet NSA requirements for certification (see sidebar, Security Validation).

Engineering Methods

Space programs have historically suffered from poorly defined and poorly understood processes for acquisition and engineering of information assurance. The problem is multifaceted and inherently complex. Diverse information assurance processes, such as certification and accreditation and cryptographic device acquisition, run in parallel, with little coordination, throughout the program's life cycle. Moreover, these information assurance processes are poorly integrated with DOD-mandated processes for managing system acquisition. There is a tendency to emphasize implementation of particular technologies and products without considering how the functions they perform should be integrated into the overall system. This commonly results in "backward" or after-the-fact information assurance engineering.

New government policies promise to streamline space system acquisition and enhance information assurance in the Global Information Grid, but, as policy requirements, they do not provide technical guidance for integrating information assurance engineering with other engineering disciplines. The resulting difficulty in mapping the myriad of policy requirements to tasking and deliverables has resulted in confusion, duplication of effort, missed tasking, and diminished productivity among program participants.

Acquisition requirements can be fairly complex, and a different large subset applies to every acquisition. Engineering methods help rationalize conformance and provide a uniform process across all acquisitions.

In response to these issues, Aerospace has been developing an array of products to guide space programs in integrating information assurance into their acquisitions. For example, the Aerospace Institute course "Information Assurance for Space Systems Acquisitions" presents overviews of DOD information assurance policy, certification and accreditation processes, cryptographic device acquisition, and cryptographic key management, all in the context of formal acquisition policy and the major engineering milestones of the acquisition schedule.

Aerospace has also constructed an internal Web site for the dissemination of information assurance guidance and reference material. The site will host executive summaries of relevant government publications; recommendations for allocating requirements to government program offices, contractors, and system operators; guidance that maps requirements to standard certification mandates; guidance for contractors on including information assurance in their designs; examples of required documents, including system security authorization agreements, program protection plans, key management plans, and templates for contract clauses; suggestions for compliance and reference documents; and conference briefings and proceedings.

Currently, Aerospace is analyzing existing information assurance engineering processes with the goal of developing a methodology that would mesh with more traditional systems and software engineering disciplines. These efforts are expected to produce a much needed capability that does not currently exist in the space acquisition community. Ultimately, this guidance should streamline the acquisition process and improve system security engineering.

Conclusion

The Global Information Grid will profoundly enhance defense operations by making critical information available to those who need it, when they need it, wherever they need it. But before the Grid can fully meet its objectives, system planners will need to resolve fundamental issues affecting the confidentiality, integrity, and availability of sensitive data. Ensuring that information stays out of the wrong hands and gets into the right ones will require reliable and comprehensive methods for controlling how and to whom information is distributed and how sensitive data can be processed and stored. Moreover, achieving the necessary level of assurance that information is adequately protected will depend on nascent and immature technologies, and the development of the Grid must be sufficiently flexible to accommodate them as they evolve. To attain these goals, new space systems must be designed for integration into this dynamic framework from the earliest conceptual phases.

Spring 2006 issue. © 1995-2010 The Aerospace Corporation. All rights reserved. This page was last modified on 04/26/07.