
Re: reach567 post# 138415

Thursday, 03/01/2007 9:29:51 PM

Reach567-Nice Find-General Dynamics touts TCG!

The article is by one Mel Crocker of General Dynamics

Some excerpts below

The Defense Information Assurance Certification and Accreditation Process (DIACAP), still in draft format³, introduces changes that provide a framework for certifying system solutions … to support the paradigm shift from need to know to need to share [5]. The DIACAP is applicable to tactical information sharing and introduces a process that could be used to certify and accredit the high-level security solution proposed in this article.

Technology Advances

Several technologies are creating opportunities for better cross-domain security solutions.

The Trusted Computing Exemplar (TCX) project is creating a framework for rapid high assurance system development, addressing how high assurance software components can be built [6]. With the system solution envisaged in this article, several high assurance components will be required at various places in the system and the TCX project identifies a process prescribing how these types of components can be built. Moreover, there are a number of companies who have significantly matured their software development processes, achieving the Software Engineering Institute’s Capability Maturity Model and Capability Maturity Model Integration Level 5. Beyond mature software development processes, the improvements in verification of software have also been significant and are becoming the focus of intense research [7]. Creating software that predictably and verifiably does what it purports to do and nothing more is becoming achievable within reasonable expense. All these elements are critical to building a system solution.
The Advanced Encryption Standard (AES) was approved in Federal Information Processing Standards Publication 197 dated 26 Nov. 2001 to encrypt unclassified U.S. government traffic. In June 2003, the National Security Agency (NSA) approved AES to protect classified U.S. traffic, an unprecedented action in the world of high-assurance encryption [8]. Because the algorithm is publicly available, coalition partners can independently implement the algorithm and with a common key, they can securely exchange information.
The Trusted Computing Group (TCG)⁴, an alliance of manufacturers, is in the process of establishing a number of relevant security hardware and system standards, effectively creating a framework for secure system solutions. The TCG recognizes the critical link with hardware, and several manufacturers are beginning to market compliant equipment. Regarding the solution suggested in this article, TCG compliant equipment would create an affordable, stable hardware base for the high assurance software components.

snippage

There have been a number of significant advances recently toward certified components leading toward a certified Multiple Independent Levels of Security (MILS) architecture [10]. A MILS architecture leads toward a degree of confidence in the separation of information within the system, avoiding so much technical complexity that the system cannot practically be built. This creates well-enforced system sandboxes where software can be forced to execute only within approved parameters. The High Assurance Platform (HAP) is a computer that provides MILS capabilities using industry standard commercial hardware, software and applications, and should be available to a narrow community in 2007. It is intended to provide NSA certified separation to multiple operating systems running simultaneously in different security domains⁵.

snippage

The following functionality must exist at information source points, often personal computers:

Trusted identification and access control measures must be resident in the source data terminals. These measures link user triggered actions to individuals and confirm privileges before allowing actions. Systems and protocols provide the means to manage identities across disparate networks with a high degree of confidence and minimum inconvenience to the user community. Regarding authorization, the use of X.509 based attribute certificates and a Privilege Management Infrastructure offers considerable flexibility to handle role based authority [12] and progress has been made extending Public Key Infrastructures into tactical environments.
Trusted audit measures must be resident on the data terminals to capture all security relevant events. With the establishment of the TCG standards and resulting hardware, the audit logs can be securely protected and with the availability of inexpensive storage, the logs can hold a tremendous amount of information before needing to be rolled over.
Trusted domain separation must exist on the data terminals. There is considerable research into making trusted operating systems more accessible and commercial operating systems more secure, providing sufficient flexibility to strike the right risk exposure and functionality. Moreover, with the establishment of TCG standards and hardware, the increased confidence in the operating systems and software will be strongly based on trusted hardware. This should make domain separation on desktops achievable and affordable in the near term.
Trusted encryption measures with an appropriate algorithm must provide adequate confidentiality and integrity protection for information flows between data terminals. Trusted Network Connect from the TCG offers an assured encryption solution and the digital signature, random number generation and protected storage of the Trusted Platform Module, again from the TCG, offers the other necessary primitives for a secure solution.

snippage

A boundary protection system should contain the following functionalities at the network boundaries:

Identity and access control to ensure the users passing information or drawing information across the domain boundary are authorized to do so.

Conclusion

To support the unity of effort necessary in today’s combat environment, warfighters have a duty to share information widely and quickly in rich exchanges, some of which must cross security domains. This article suggests a holistic high-level solution to securing cross-domain exchanges that will not excessively constrain the exchanges, taking advantage of advances in technology and policy. The solution effectively takes some of the trust and functionality originally resident in traditional CDS and moves it into information sources, system services, and boundary protection devices.

Although the solution suggested here has been applied to the tactical environment, elements of the system solution may lend itself to other environments with similar problem spaces. Instead of tactical domains, one could consider the domains relevant in medical information systems. Patients must securely share private information with family general practitioners, and occasionally general practitioners must share elements of this information with specialists. The exchange between patient, general practitioner, and specialist creates a small community of interest. At the same time, some of this information may be useful to those needing statistics, but the posting agency may not really be aware of the information needs of the authorized consumers and may not be best able to manage the makeup of the authorized consumers. Managing access might be better placed with others whose primary expertise is privacy, access control, and information presentation. Throughout these exchanges, actions must be logged to ensure violations can be handled quickly.
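The quoted article calls for trusted audit measures on the data terminals, with the logs protected by TCG hardware. As an added example, not part of the article or of this post, the following Python models what "securely protected" audit logs look like in practice: a hash-chained, HMAC-authenticated log in which every record's tag covers its sequence number, the previous record's digest and the event itself. The MAC key and the current head digest live in a `ProtectedStorage` object that stands in for TPM protected storage (an assumption; the real hardware interface is not shown). The constructed sample events and key are illustrative only. The demo runs four scenarios: an intact log, an edited event, a deleted middle record, and a truncated tail. The last one is the edge case a plain hash chain misses, which is why the head digest is anchored outside the log.

```python
"""Hash-chained, HMAC-authenticated audit log (added example, not from the article).

Each record's MAC covers its sequence number, the previous record's digest and the
canonical event. The key and the current head digest are kept in a stand-in for TPM
protected storage (assumption), so truncation is detected as well as edits.
"""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = b"\x00" * 32  # chain anchor used as prev_digest for the first record


def canonical(event: dict) -> bytes:
    """Deterministic encoding so the same event always yields the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class AuditRecord:
    seq: int
    event: dict
    prev_digest: bytes
    tag: bytes

    def body(self) -> bytes:
        # Exactly the bytes the MAC was computed over.
        return self.seq.to_bytes(8, "big") + self.prev_digest + canonical(self.event)

    def digest(self) -> bytes:
        # Digest of body plus tag: the value the next record chains to.
        return hashlib.sha256(self.body() + self.tag).digest()


class ProtectedStorage:
    """Stand-in for TPM protected storage (assumption): holds the MAC key and the
    current head digest out of reach of whoever can edit the log itself."""

    def __init__(self, key: bytes):
        self.key = key
        self.head = GENESIS


class AuditLog:
    def __init__(self, storage: ProtectedStorage):
        self.storage = storage
        self.records: list[AuditRecord] = []

    def append(self, event: dict) -> AuditRecord:
        seq = len(self.records)
        body = seq.to_bytes(8, "big") + self.storage.head + canonical(event)
        tag = hmac.new(self.storage.key, body, hashlib.sha256).digest()
        rec = AuditRecord(seq, event, self.storage.head, tag)
        self.records.append(rec)
        self.storage.head = rec.digest()  # advance the trusted anchor
        return rec


def verify(records: list[AuditRecord], storage: ProtectedStorage) -> tuple[bool, str]:
    """Walk the chain and return (ok, reason). Detects edits, reordering,
    deletion in the middle, and truncation of the tail."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.seq != i or rec.prev_digest != prev:
            return False, f"chain break at record {i}"
        expected = hmac.new(storage.key, rec.body(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, rec.tag):
            return False, f"bad MAC at record {i}"
        prev = rec.digest()
    if prev != storage.head:
        return False, "log head does not match protected storage (truncated?)"
    return True, "ok"


def demo() -> dict:
    """Build a small constructed log and run four tampering scenarios."""
    storage = ProtectedStorage(key=b"constructed-demo-key-not-for-real-use")
    log = AuditLog(storage)
    # Constructed sample events in the spirit of source-terminal auditing.
    log.append({"user": "alice", "action": "login", "result": "ok"})
    log.append({"user": "alice", "action": "read", "object": "plan-7", "domain": "S"})
    log.append({"user": "alice", "action": "release", "object": "plan-7", "to": "coalition"})
    log.append({"user": "alice", "action": "logout"})

    results = {"intact": verify(log.records, storage)[0]}

    edited = copy.deepcopy(log.records)
    edited[2].event["to"] = "internal"  # rewrite the history of the release
    results["edited"] = verify(edited, storage)[0]

    deleted = copy.deepcopy(log.records)
    del deleted[1]  # drop the read that preceded the release
    results["deleted"] = verify(deleted, storage)[0]

    truncated = log.records[:-1]  # tail removed: chain is internally consistent
    results["truncated"] = verify(truncated, storage)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The truncation case is the one to notice: the first three records still chain correctly, so only the head digest held outside the log catches the missing logout. On real hardware that anchor would be a TPM NV index or monotonic counter updated on each append; the rest of the scheme is ordinary SHA-256 and HMAC from the standard library.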
