
Date post: 19-Dec-2015
Mike Davis, SD ISSA / SPAWAR 5.1.8, Michael.h.davis@navy.mil, (858) 537-8778. CyberSecurity Collaboration Summit: General Results Overview. AFCEA - C4ISR Symposium. “EASY” button. Michael Jones, The Security Network, mbjones@thesecuritynetwork.org, 619-450-4600 ext. 141. 20 November, 2008, San Diego CA
Transcript
Page 1: Mike Davis SD ISSA / SPAWAR 5.1.8 Michael.h.davis@navy.mil (858) 537-8778 CyberSecurity Collaboration Summit General Results Overview AFCEA - C4ISR Symposium.

Mike Davis, SD ISSA / SPAWAR 5.1.8, Michael.h.davis@navy.mil, (858) 537-8778

CyberSecurity Collaboration Summit

General Results Overview

AFCEA - C4ISR Symposium

“EASY” button

Michael Jones, The Security Network, mbjones@thesecuritynetwork.org, 619-450-4600 ext. 141

20 November, 2008, San Diego CA

Page 2

Agenda / Topics

7:30 am to 8:00 am Continental Breakfast and Check In

8:00 am to 8:10 am Opening Remarks/Introductions/Admin remarks - Mike Davis, SPAWAR 5.1; Jim Pietrocini, TechTeam

8:15-9:15am Critical Issues in IA (Panel Discussion) - Mike Davis, Moderator

9:15-9:30am Break/Collaboration

9:30-10:30am IA/Security Vision (Panel Discussion) - Mike Davis, Moderator

10:30-10:45am Break/Collaboration

10:45-11:45am Security/Information Assurance (Future Requirements, Disruptive Technologies, Innovation/Gap Fillers) - Jim Pietrocini, Moderator

11:45-1:00pm Lunch - Lunch speaker - Lessons from Estonia (lunch in same room)

1:15-2:15pm SOA Security (Panel Discussion) - Mike Davis, Moderator

2:15-2:30pm Break/Collaboration

2:30pm-3:30pm First Responders Panel (Needs and Assessments, including Collaboration) - Mike Davis, Moderator

3:30-3:45 pm Break

3:45-4:30pm Educating Leadership - What’s our collective “bottom line message” - Panel discussion, Mike Davis, Moderator

4:30-5pm Final Remarks, Next Steps, key action items documented

5:15pm Social - Red Marlin

Page 3

TOP TEN IA ISSUES

1. Overall IA Master Plan / vision, and architecture, requirements, goals/objectives therein

2. Improve speed to capability – affordably! (it’s not all about just technology either)

3. IA/security Governance / consistent policies integrated at all levels

4. Workforce training, qualification and certification at all levels, integrated and enforced

5. Provide Enterprise Wide CM Capability down to the major security component level (that is an enforceable process)

6. Maintain and sustain the IA/security posture that you have

7. Follow ONE IA Enterprise Architecture (EA) and selectively prescribed, directed standards (and extensions therein)

8. Better IA/security network awareness (dashboard) AND integrated with enterprise management

9. IA metrics that matter wrt outcomes – impacts to users / data (DLP)

10. Establish a data/information centric security approach – implementing effective IA metadata is harder than you think

Page 4

Issues Summary

Actions to collaborate / facilitate

• What’s our end-state / vision (“start with the end in mind!”) (then define requirements and determine gaps)

• Who’s in charge anyway? Enforcement? (aka - Governance)

• Prescriptive implementation guidance required (EA, stds, trust model, CM, etc)

• What’s “good enough” IA/Security? Outcome metrics that matter, support the business success factors, risk management.

• Complexity is rising versus falling (we can’t begin to do V&V on SoS – how do we do T&E to prove IA is effective?!)

“IA” is all encompassing, we can’t “win” if we don’t know where we are collectively going or narrow the playing field

Page 5

IA VISION (s)

• Dynamic Information Assurance for the Business (or GIG)

• Highly secure, reliable and manageable enterprise network environment

• Assured ubiquitous information dominance empowering the business drivers (or commander’s intent)

• Affordable IA that automatically keeps up with new threats and is invisible to the users, while providing “good enough security” protecting people, assets and data.

Mission: the right access, to the right folks, at the right time, anywhere, anytime, with the appropriate level of assured availability and data quality of protection, while also minimizing data loss - all affordably; that is - a best value in IA measured against effective enterprise risk management.

Is it even possible to have ONE vision, as “IA” is the same, right?

Page 6

IA Strategy / Requirements

• Transactional Information Protection: Granular end-to-end security controls to enable protected information exchange within the variable trust net-centric environment

• Digital-Policy Enabled Enterprise: Dynamic response to changing mission needs, attacks, and systems degradations through highly automated and coordinated distribution and enforcement of digital policies

• Defense Against an Adversary From Within: Persistently monitor, track, search for, and respond to insider activity and misuse within the enterprise

• Integrated Security Management: Dynamic and automated net-centric security management seamlessly integrated with operations management

• Enhanced Integrity and Trust of Net-Centric Systems: Robust information assurance embedded within enterprise components and maintained over their life-cycle

Page 7

IA Vision

Find the right balance between competing priorities

Protection

Overall Effectiveness

Agility

Minimal Cost

Getting the right information to the right place at the right time… and to only the right user

Effectively AND affordably

Page 8

IA Vision Summary

Actions to collaborate / facilitate

• What are the main future requirements? Who says so?

• What is OUR IA business basis / ROI? (metrics therein?)

• How automated can/should we make IA (thus complex?)

• What is the risk environment for the future?

– Continue to bet on technology? Use threats or consequences or both?

– What are the real gaps / barriers WE need to address to get “there?”

• Is there a “unified theory” for IA that is “KISS”?

IA VISION proposal: Ubiquitous, dynamic information assurance dominance empowering commander’s intent, enhancing critical business drivers!


Page 9

Gap Fillers / Disruptive Technologies (major companies / sponsors perspectives)

Issues/Actions Needed

• Info-centric vice Network Centric

• Poor MLS/CDS requirements definition

• Automate DIACAP to reduce cost, decrease time

• Factor the 4th dimension of time in security- Is SSL good-enough

• Virtualization- will be key technology in a downsizing/DOD consolidation market

• SLAs for IA

• Remove as many subjective decisions as possible from the C&A process

• We over-encrypt our networks which will cause social unrest with our users (USB Ports and Facebook)

• Mobility/Portability - When is Navy supporting iPhone and MacBook?

• Just live on SIPRNET?

Page 10

Gap Fillers / Disruptive Technologies (major companies / sponsors perspectives)

Summary / recap

Definitive authorization – (minimize ambient authority issues)

Build in, with a Pgm Mgmt focus, Compliance, versus add on

Training at all levels… user, developers, etc

More granularity in access / auditing

Visibility for security as a SoS approach at all levels (need implementation level guidance)

Clear governance throughout, supported by technology

And Applications security, Applications security, Apps sec…

Page 11

Estonian Lessons Learned (overview)

Coordination ahead of time… folks knew each other

Common, established network security – preplaced ahead of time

Information sharing and media coverage

Best practices:

--- internal cooperation – agency to agency and support companies

--- International cooperation - politics, technical, LEGAL…

Added perspectives…

Understand and design for the “mindset of attacks” as well

NATO focus / support – share training comms/processes/ideas

Page 12

SOA IA CONCERNS

• If systems and communities are going to intersect we need effective Governance from ALL perspectives

• There is no deployable guidance or standards for establishing trust between systems across organizations in the enterprise

• Approaches to IA and EA implementation and certification are not interoperable between programs and systems

• Trusted enforcement devices and implementation standards do not exist for establishing and enforcing policy

• “SOA” is antithetical to existing vetting, certification and accreditation (C&A) processes – no common V&V / T&E methods exist!

• SOA IA concepts require common ontology, semantics and meaning

• Digital policy standardization across the DoD is, at best, immature

• NO accepted CONOPS for federal, coalition, and first-responder collaboration and information sharing

• Top Down Strategy does not extend to implementation details - especially for “last mile” or “DIL” environments

• SOA security requirements not common in the enterprise nor linked to clear operational business requirements, impacts or value

Without an overall C&A framework - “re-useable and shareable” SOA applications cannot be installed in DOD environments!!!

Page 13

SOA IA Summary

Actions to collaborate / facilitate

• DOD CONOPS / governance approach needed

• Requirements, requirements, requirements

• Need a flexible enterprise DOD IA Design “implementation” level strategy / approach, including trust model, access control schema, that can adjust the level of protection to the requirements

• Standard architectures / standards / approaches which all must synchronize, interoperate, including a dynamic digital policy execution schema and ontology to normalize effect

• T&E / V&V approach to measure results / residual risks

SOA makes great business sense, but WE must have a comprehensive trust model, C&A game plan to make it work!

Page 14

First Responder Needs (overview)

DHS - Make intrusions difficult but not impossible; collaboration, sharing, leverage what exists

STTAC (State Terrorism Threat Assessment Center) (CA) - capability development training… SCADA, total mobile security

Medical perspective (CalPSAB member) - Standards based – implementable specifications (& ZBAC); KNOW who the requestor is wrt ID… and what is authorized

Local Police Chief – What protection level is REALLY needed at each level? (content management)… get right info to only right person asap… low SWAP… (weight / power)

Regional 3Cs program – affordable, as they do without it if too costly… minimize sustainment costs, front load $$$; Commonality… foster local / regional relationships

Page 15

Leadership Summary / Recap (first draft - what do we want to tell our bosses WE ALL need to do?)

• Common vision / end state / master plan – where are we going?

• Governance & more governance – coordinate ALL those in charge?

• Specified requirements and then some – top down, detailed needs

• Prescriptive implementation guidance required – fidelity in the “what”

• What’s “good enough” IA/Security? Must have a common threshold

• Pedigree approach – simplify verification and compliance (build in)

• What is the IA business basis / ROI? (AND success metrics therein?)

• What is the future risk environment? Threats, consequences, etc?

• Training at all levels, especially user and SW development

• Standard architectures / standards / profiles (and a Trust Model!!!)

• SOA security is vague - at best (No T&E / C&A Plans at all!), but…

• Application security and web security, or lack thereof, is huge too

WE must collectively quantify & prioritize these for leadership actions

Page 16

IA Vision - THEN SOA:

The IBM Security Framework

Common Policy, Event Handling and Reporting

Security Governance, Risk Management and Compliance

Network, Server, and End-point

Physical Infrastructure

People and Identity

Data and Information

Application and Process

• SECURITY COMPLIANCE

• Demonstrable policy enforcement aligned to regulations, standards, laws, agreements (PCI, FISMA, etc..)

• IDENTITY & ACCESS (USERS)

• Enable secure collaboration with internal and external users with controlled and secure access to information, applications and assets

• INFORMATION SECURITY (DATA)

• Protect and secure your data and information assets

• APPLICATION SECURITY

• Continuously manage, monitor and audit application security

• INFRASTRUCTURE SECURITY

• Comprehensive threat and vulnerability management across networks, servers and end-points

IBM Cyber Security

Page 17

SOA Security - To Get A Better Answer, Ask A Better Question

• No battle plan survives contact with the

– Enemy

– IT Dept.

• The Alluring Illusion of the Wise God

– Engineering: breaking an impossible problem into parts so small, each can be solved by mere mortals

• Real Question: How do we distribute the power to stitch together the network we need?

• Real answer: Need To Know/Do based Sharing

– Dynamic - Cross-Domain

– Attenuated - Chained

– Composable - Accountable

• ZBAC: the only known enabler

Page 18

NuParadigm

What’s an end-state look like?

Need to factor that in with SOA

Page 19

[email protected] www.objectsecurity.com

How to close the SOA IA loop?

Part of the solutions picture: model-driven security

1. How do we say what IA we want? And how make it happen?

• Where does the policy come from?

– Usually focus on mechanisms

– Authorization management hardest

– Difficult in agile systems

• How to align business IA requirements and IT IA enforcement?

– Usually a huge disconnect

2. How do we know the IT does the IA we intend?

• How do we do application & process layer monitoring & reporting?

– Network layer IDS not enough

• How can we achieve “good enough C&A” for SOA?

– Complex: IA is distributed, cross-layer, externalized…

– “System of systems” potentially unknown at C&A time

– Verification of IA properties difficult/infeasible

© 2008 ObjectSecurity – all rights reserved

www.secure-soa.info

www.modeldrivensecurity.org

www.openpmf.com

Page 20

Security and SOA

SO what’s still potentially missing?

• SOA (& web services overall), is generally thought of as service producer-to-consumer, not system-to-user. But security has to be user-focused AND data centric as well, for example:

– What metadata is discoverable? What is the schema for crypto-binding data

– Data aggregation, dynamic “re”classification authority, overall data schema

• The ROI for SOA is based on applications, NOT security

– Unclear measures/metrics/SLAs wrt data-based assessments & decisions

• Security must be institutionalized enterprise-wide - beyond single applications – e.g., enforcing an EA and select “specified” standards

– Which versions and extensions? We must agree or “global” SOA can’t work!

• Fine grained “IA” (C-I-A) access control – supporting the “need to share”

– IA&A beyond the first application; supporting automation and “NPEs”

– Current “JEDS” 13+2 attributes not adequate for specific services / NPE use..

– Will PKI scale to what is needed – IS it even needed? What is plan “B” – IBE?

• An enterprise-wide policy statement, schema and enforcement needed

– No federally proposed schema socialized, let alone implemented digitally

• Residual major design items to consider, accommodate

– Re: “NO” Enterprise Trust model / federation, loosely coupled Identity Management (IdM), Autonomy central to Navy SOA strategy, PKI-centricity, etc…

Page 21

SOA IA Questions to clarify

• E2E access control implementations can create security risks

• Enterprise E2E IA/security strategy still needed – many options

• IA Security SLAs / E2E audit processes - weak / unclear

• “Standard” Standards needed (and versions and extensions, options therein)

• IV&V / operational security T&E processes unclear – new NNWC C&A Process pushes “ST&E” to user environment

• Unclear E2E security CONOPS and IA requirements traceability

• IA / security / IA&A taxonomy, lexicon, definitions differences

• No recognized state, local, allied, and coalition PKI / token

• Numerous “common” implementation resolutions/details needed

There are some plans to address most, but nothing found enterprise wide

Page 22

SOA IA Questions to clarify

• Verbose protocols problematic wrt IA overhead at the tactical edge

• Digital policy standardization, collaboration and implementation is an immature capability DoD wide, which affects the ability of PDPs in mixed domains

• GIG designs are going to require a different approach to difficult last mile bandwidth constraints. This creates asymmetric IA patterns and integration patterns which can create significant emergent behavior issues.

• C&A for Programs should be developed in parallel to the system functions as it will be a complex, coordination and governance task

• IA validation testing is impacted by the maturity of STIGs for web services/SOA where testing is already complex – and now must include inheritance aspects!

• Scalability can also be an issue with disadvantaged low bandwidth environments and the increase in numbers of users / NPE.

There are some plans to address most, but nothing found enterprise wide

Page 23

Authorization / access control deltas (from the OSD / NSA/GIAP / DISA / IC “SIE” Panel – Sep 08)

• Establish / codify digital authorization policy model, schema and adjudication process

• Establish attribute governance process

• Trust Model / details (& Supply chain issues)

• Define / Identify Authoritative attribute sources

• Identity management foundation

• Measure and respond to authentication assurance level; measure confidence

• Authorization schema / guidance needed

Still much to quantify and agree on in the whole E2E IA&A process

Page 24

Auth & AC SIE Panel Conclusions (from the OSD / NSA/GIAP / DISA / IC “SIE” Panel - Sep 08)

• Understand and define trust models that align with the enterprise (e.g., DoD, IC, DHS, coalition, industry)

• Create robust authentication technologies

• Create smarter PDPs and PEPs

• Define/identify/collect better attributes (e.g., location, situation)

• Accommodate the “IA metadata” issues (slides follow)

• Long term goal is to move toward RAdAC

AKA – We still do not know how to fully build SOA IA yet, let alone C&A

Page 25

IA Metadata General Issues 1 of 3 (from the OSD / NSA/GIAP / DISA / IC “SIE” Panel - Sep 08)

• Need to refine the definition of IA metadata

– Need to justify IA metadata by use case (operational, research, theoretical)

– What is the scope of metadata? E.g., consumer organizational affiliation might be used as an attribute in an ABAC solution

– Need a common lexicon for IA metadata terms in general

• Need to separate the technology transition issues from the basic research issues

• Lack of trust model – need policy, procedures, and systems that support the model. Compounded by requirements to operate in a federated environment.

• Statutory and regulatory requirements must drive what must be marked for interoperability. Need to identify current requirements and develop/recommend additional guidance that meets the needs to protect and use IA metadata for information sharing in a net-centric environment.

Page 26

IA Metadata General Issues 2 of 3 (from the OSD / NSA/GIAP / DISA / IC “SIE” Panel - Sep 08)

• Impractical to maintain metadata on all data assets at all times.

• Dependent on key management. E.g., what are key management requirements for the range of security environments?

• Overhead (bandwidth, processing, storage, etc) imposed by IA metadata

– Overhead required by binding (cost, performance, infrastructure requirements)

• Policy for changing historical metadata

Page 27

IA Metadata General Issues 3 of 3 (from the OSD / NSA/GIAP / DISA / IC “SIE” Panel - Sep 08)

• Need to develop and provide implementation guidance on how to use IA metadata

• Maintaining linkage between and among the data asset, binding metadata, multiple metadata records describing the same data asset

– e.g., Navy best practice to maintain data asset and metadata on the same LAN

• Usage patterns are not fully understood, therefore requirements for scope of IA metadata and management are incomplete

• When establishing a COI, institutional or dynamic, there are requirements for developing vocabulary and other metadata artifacts. This vocabulary must be consistent with IA metadata related standards

• Ability to generate and utilize digital policy based on standards compliant IA metadata

• Reliability and currency of embedded metadata

• Need for an implementable IA metadata auditing policy

– As applied to the metadata infrastructure

– Link to provenance

