Information Sharing and Security in Dynamic Coalitions
SACMAT02-1
Information Sharing and Security in Dynamic Coalitions
Profs. T.C. Ting and Steven A. Demurjian
Computer Science & Engineering Department
191 Auditorium Road, Box U-155
The University of Connecticut
Storrs, Connecticut 06269-3155
http://www.engr.uconn.edu/~steve
Charles E. Phillips, Jr.
Computer Science & Engineering Department
191 Auditorium Road, Box U-155
The University of Connecticut
Storrs, Connecticut [email protected]
SACMAT02-2
Overview of Presentation
- Introduction
- The Dynamic Coalition Problem
  - Civilian Organizations
  - Military Involvement/GCCS
- Information Sharing and Security
  - Federating Resources
  - Data Integrity
  - Access Control (DAC and MAC)
  - Other Critical Security Issues
- Candidate Security Approach
- Conclusions and Future Work
SACMAT02-3
Introduction: Crisis and Coalitions
- A Crisis is Any Situation Requiring National or International Attention as Determined by the President of the United States or UN
- A Coalition is an Alliance of Organizations: Military, Civilian, International or any Combination
- A Dynamic Coalition is Formed in a Crisis and Changes as Crisis Develops, with the Key Concern Being the Most Effective way to Solve the Crisis
- Dynamic Coalition Problem (DCP) is the Inherent Security, Resource, and/or Information Sharing Risks that Occur as a Result of the Coalition Being Formed Quickly
SACMAT02-4
Introduction: Near Simultaneous Crises
[Figure: map of near-simultaneous crises. Labels: Ship Wreck (UK, SP); Olympic Games; BOSNIA (NATO); KOSOVO (US, UK); Earthquake (United Nations); Crisis Point; NATO Hq]
SACMAT02-5
Evaluation vs. DCP: Emergent Need for Coalitions
“Coalitions must be flexible and no one coalition is or has the answer to all situations.”
  » Secretary of Defense, Donald Rumsfeld
“Whenever possible we must seek to operate alongside alliance or coalition forces, integrating their capabilities and capitalizing on their strengths.”
  » U.S. National Security Strategy
“Currently, there is no automated capability for passing command and control information and situational awareness information between nations except by liaison officer, fax, telephone, or loaning equipment.”
  » Undersecretary of Defense for Advanced Technology
SACMAT02-6
The Dynamic Coalition Problem
- Dynamic Coalition Problem (DCP) is the Inherent Security, Resource, and/or Information Sharing Risks that Occur as a Result of the Coalition Being Formed Quickly
- Private Organizations (PVO)
  - Doctors Without Borders
  - Red Cross
- Non-Government Organizations (NGO)
  - NYPD
- Government Agencies
  - FBI
  - CIA
  - Military
SACMAT02-7
Supporting Advanced Applications: DCP Objectives for Crisis
- Federate Users Quickly and Dynamically
- Bring Together Resources (Legacy, COTS, GOTS, DBs, etc.) Without Modification
- Dynamically Realize/Manage Simultaneous Crises
- Identify Users by Roles to Finely Tune Access
- Authorize, Authenticate, and Enforce a Scalable Security Policy that is Flexible in Response to Coalition Needs
- Provide a Security Solution that is Portable, Extensible, and Redundant for Survivability
- Include Management/Introspection Capabilities to Track and Monitor System Behavior
SACMAT02-8
The Dynamic Coalition Problem: Coalition Architecture
[Figure: coalition architecture, "Clients Using Services" and "Resources Provide Services". Labels: French Air Force Client; U.S. Navy Client; U.S. Army Client; German COTS Client; NATO Database Client; U.S. Legacy System; COTS; GCCS (US); NGO/PVO Resource; LFCS (Canada); SICF (France); HEROS (Germany); SIACCON (Italy); Federal Agencies (FEMA, FBI, CIA, etc.) Client; NGO/PVO (Red Cross, NYPD, etc.) Client; NATO SYS]
SACMAT02-9
The Dynamic Coalition Problem: Joint and Combined Information Flow
[Figure: joint and combined information flow across echelons (CORPS, DIV, BDE, BN, CO). Labels: GCCS, GCCS-N, GCCS-AF, GCCS-A, GCCS-M, JMCIS, TBMCS, TCO, MCS, ABCS, ASAS, CSSCS, FAADC2I, AFATDS, FBCB2, BSA TOC, Common Operating Environment, Adjacent Joint Task Force, NATO Systems, Coalition Systems, Coalition Partners, ARMY, Marines, Navy, Air Force]
Joint - Marines, Navy, Air Force, Army
Combined: Many Countries
SACMAT02-10
The Dynamic Coalition Problem: Combined Information Flow
[Figure: combined information flow around a Combined Database. Labels: Logistics; Air Defense/Air Operations; Fire Support; Network and Resource Management; Intelligence; GCCS - Joint/Coalition - Maneuver]
SACMAT02-11
The Dynamic Coalition Problem: Coalition Artifacts and Information Flow
[Figure: coalition artifacts and information flow. Labels: Dynamic Coalition (U.N., U.S.A, NGO/PVO, NATO); U.S. Global C2 Systems (Marine Corps, Navy, Air Force, Army); GCCS; Battle Management System; Joint Command System; Army Battle Command System; Combat Operations System; Army C2 (ABCS, GCCS-A, MCS, ASAS, CSSCS, FADD, AFATDS, Other)]
GOAL: Leverage information in a fluid, dynamic environment
SACMAT02-12
The Dynamic Coalition Problem: Global Command and Control System
[Figure: GLOBAL C2 SYSTEMS and BATTLEFIELD C2 SYSTEM / EMBEDDED BATTLE COMMAND. Labels: Client/Server; INTEL; SUPPORT; MISSION PLANNING; TOPO; ARTY; AIR DEFENCE; MET; MANEUVER CONTROL; MOBILE SUBSCRIBER EQUIPMENT; DATA RADIO; SATCOM; SATELLITE; Situational Awareness; Tactical Internet; FBCB2/EBC; Company; Platoon; Squad]
GCCS Provides:
- Horizontal and Vertical Integration of Information to Produce a Common Picture of the Battlefield
- 20 separate automated systems
- 625 locations worldwide
- private network
SACMAT02-13
The Dynamic Coalition Problem: Global Command and Control System
Joint Services (a.k.a.):
- Weather: METOC
- Video Teleconference: TLCF
- Joint Operations Planning and Execution System: JOPES
- Common Operational Picture: COP
- Transportation Flow Analysis: JFAST
- Logistics Planning Tool: LOGSAFE
- Defense Message System: DMS
- NATO Message System: CRONOS
Component Services:
- Army Battle Command System: ABCS
- Air Force Battle Management System: TBMCS
- Marine Combat Operations System: TCO
- Navy Command System: JMCIS
SACMAT02-14
The Dynamic Coalition Problem: Global Command and Control System
[Figures: Common Picture; Common Operational Picture]
SACMAT02-15
The Dynamic Coalition Problem: GCCS Shortfalls: User Roles
- Currently, GCCS Users have Static Profile Based on Position/Supervisor/Clearance Level
- Granularity Gives “Too Much Access”
- Profile Changes are Difficult to Make - Changes Done by System Admin. Not Security Officer
- What Can User Roles Offer to GCCS?
  - User Roles are Valuable Since They Allow Privileges to be Based on Responsibilities
  - Security Officer Controls Requirements
  - Support for Dynamic Changes in Privileges
  - Towards Least Privilege
SACMAT02-16
The Dynamic Coalition Problem: GCCS Shortfalls: Time Controlled Access
- Currently, in GCCS, User Profiles are Indefinite with Respect to Time
  - Longer than a Single Crisis
  - Difficult to Distinguish in Multiple Crises
  - No Time Controllable Access on Users or GCCS Resources
- What can Time Constrained Access offer GCCS?
  - Junior Planners - Air Movements of Equipment Weeks before Deployment
  - Senior Planners - Adjustment in Air Movements Near and During Deployment
  - Similar Actions are Constrained by Time Based on Role
SACMAT02-17
The Dynamic Coalition Problem: GCCS Shortfalls: Value Based Access
- Currently, in GCCS, Controlled Access Based on Information Values Difficult to Achieve
  - Unlimited Viewing of Common Operational Picture (COP)
  - Unlimited Access to Movement Information
  - Attempts to Constrain would have to be Programmatic - which is Problematic!
- What can Value-Based Access Offer to GCCS?
  - In COP
    - Constrain Display of Friendly and Enemy Positions
    - Limit Map Coordinates Displayed
    - Limit Tier of Display (Deployment, Weather, etc.)
SACMAT02-18
The Dynamic Coalition Problem: GCCS Shortfalls: Federation Needs
- Currently, GCCS is Difficult to Use for DCP
  - Difficult to Federate Users and Resources
  - U.S. Only system
  - Incompatibility in Joint and Common Contexts
  - Private Network (Not Multi-Level Secure)
- What are Security/Federation Needs for GCCS?
  - Quick Admin. While Still Constraining US and Non-US Access
  - Employ Middleware for Flexibility/Robustness
  - Security Definition/Enforcement Framework
  - Extend GCCS for Coalition Compatibility that Respects Coalition and US Security Policies
SACMAT02-19
Information Sharing and Security: Federated Resources
[Figure: federated resources feeding a Common Picture. Labels: JSTARS; Unmanned Aerial Vehicle; Satellites; Bradley / EBC; ABCS; Fwd Support Element (Ammo/Fuel, Refit); Embedded Battle Command for AIR DEFENCE, INTEL FUSION, MANEUVER CONTROL, PERSONNEL AND LOGISTICS, FIELD ARTILLERY; RESOURCES: Command & Control Vehicles, Army Airborne Command & Control System, Army Battle Command System, Embedded Command System]
SACMAT02-20
Information Sharing and Security: Syntactic Considerations
- Syntax is Structure and Format of the Information That is Needed to Support a Coalition
- Incorrect Structure or Format Could Result in Simple Error Message to Catastrophic Event
- For Sharing, Strict Formats Need to be Maintained
- In US Military, Message Formats Include
  - Heading and Ending Section
  - United States Message Text Formats (USMTF)
  - 128 Different Message Formats
  - Text Body of Actual Message
- Problem: Formats Non-Standard Across Different Branches of Military and Countries
SACMAT02-21
Information Sharing and Security: Semantics Concerns
- Semantics (Meaning and Interpretation)
  - USMTF - Different Format, Different Meaning
  - Each of 128 Messages has Semantic Interpretation
  - Communicate Logistical, Intelligence, and Operational Information
- Semantic Problems
  - NATO and US - Different Message Formats
  - Different Interpretation of Values
    - Distances (Miles vs. Kilometers)
    - Grid Coordinates (Mils, Degrees)
    - Maps (Grid, True, and Magnetic North)
SACMAT02-22
Information Sharing and Security: Pragmatics Issues
- Pragmatics - The Way that Information is Utilized and Understood in its Specific Context
- For Example, in GCCS
[Figure: TOC-1, TOC 2/A-Cell and TOC 2/B-Cell (M-1068 vehicles, mixture of clients and servers) connected over a Tactical WAN, with Intra-TOC and Inter-TOC information flows]
Intra-TOC
• ACDB DB Synchronization (RPC-based SR)
• Messaging • VMF • USMTF • Situation Awareness • BFA unique
• Files and DB Snapshots • Unicast FTP • Multicast FTP • E-mail • Global Broadcast Satellite (GBS)
• Database Replication
Inter-TOC
Operational Challenges
• Autonomy • Jump TOCs • Split TOCs • Survivability • Bandwidth Contention • Scalability
SACMAT02-23
Information Sharing and Security: Pragmatics Issues
Pragmatics in GCCS
[Figure: Division Slice communications laydown. Command posts and TOCs shown include DMAIN, DTAC 1, DIV REAR, DISCOM, DIVARTY, 124th SIG BN, 1/10 CAV Sqdn, and the 1st, 2nd, 3rd and 4th BDE with their MVR BN, ENG, FSB, FA and AVN BN elements, linked by DR, GBS, SEN, LEN, Relay, BVTC, VTel, SINCGARS (FS), EPLRS (AD), HCLOS and DSCS, with a Theater Injection Point (TIP). Traffic labels: Info/Intel/Plans; Sustainment; Mobility; TGT/Fires]
Note: 3rd BDE not part of 1DD in Sep 2000.
Node Estimate
- Current FDD laydown has 53 autonomous Command Post/TOCs (i.e., nodes)
- For a full Corps >200 nodes
Basic Distribution Requirement
• Distribution Policies
• Automation & Notification
• User Controls
• Transport Mechanisms
• System and Process Monitors
• Security, Logs, and Archives
Distribution Policy
• What
• When
• Where
• How
  - Prioritized
  - Encrypted
  - Network
SACMAT02-24
Information Sharing and Security: Data Integrity
- Concerns: Consistency, Accuracy, Reliability
- Accidental Errors
  - Crashes, Concurrent Access, Logical Errors
  - Actions:
    - Integrity Constraints
    - GUIs
    - Redundancy
- Malicious Errors
  - Not Totally Preventable
  - Actions:
    - Authorization, Authentication, Enforcement Policy
    - Concurrent Updates to Backup DBs
    - Dual Homing
SACMAT02-25
Information Sharing and Security: Discretionary Access Control
- What is Discretionary Access Control (DAC)?
  - Restricts Access to Objects Based on the Identity of Group and/or Subject
  - Discretion with Access Permissions Supports the Ability to “Pass-on” Permissions
- DAC and DCP
  - Pass on from Subject to Subject is a Problem
  - Information Could be Passed from Subject (Owner) to Subject to Party Who Should be Restricted
  - For Example,
    - Local Commanders Can’t Release Information
    - Rely on Discretion by Foreign Disclosure Officer
  - Pass on of DAC Must be Carefully Controlled!
SACMAT02-26
Information Sharing and Security: Role Based Access Control
- What is Role Based Access Control (RBAC)?
  - Roles Provide Means for Permissions to Objects, Resources, Based on Responsibilities
  - Users May have Multiple Roles Each with Different Set of Permissions
  - Role-Based Security Policy Flexible in both Management and Usage
- Issues for RBAC and DCP
  - Who Creates the Roles?
  - Who Determines Permissions (Access)?
  - Who Assigns Users to Roles?
  - Are there Constraints Placed on Users Within Those Roles?
SACMAT02-27
Information Sharing and Security: Mandatory Access Control
- What is Mandatory Access Control (MAC)?
  - Restrict Access to Information, Resources, Based on Sensitivity Level (Classification)
  - Classified Information - MAC Required
  - If Clearance (of User) Dominates Classification, Access is Allowed
- MAC and DCP
  - MAC will be Present in Coalition Assets
  - Need to Support MAC of US and Partners
  - Partners have Different Levels/Labels
  - Need to Reconcile Levels/Labels of Coalition Partners (which Include Past Adversaries!)
SACMAT02-28
Information Sharing and Security: Other Issues
- Intrusion Detection
  - Not Prevention
  - Intrusion Types: Trojan Horse, Data Manipulation, Snooping
  - Defense: Tracking and Accountability
- Survivability
  - Reliability and Accessibility
  - Defense: Redundancy
- Cryptography
  - Fundamental to Security
  - Implementation Details (key distribution)
SACMAT02-29
Candidate Security Approach: Software Architecture
[Figure: software architecture. Clients: Java Client, Legacy Client, Database Client, Software Agent, COTS Client. Resources: Wrapped Resource for Legacy Application, Wrapped Resource for Database Application, Wrapped Resource for COTS Application, General Resource, Lookup Service. Security components: Security Authorization Client (SAC); Security Policy Client (SPC); Global Clock Resource (GCR); Unified Security Resource (USR) with Security Policy Services, Security Authorization Services and Security Registration Services; Security Analysis and Tracking (SAT)]
SACMAT02-30
Candidate Security Approach: Enforcement Framework
[Figure: message sequence among GCCS Client, Lookup Service, GCCS Resource, Tracking Tool, Global Clock and the USR (Security Authorization Services, Security Registration Services, Security Policy Services)]
1 Register_Client(DoRight,100.150.200.250, ArmyLogCR1)
2 Verify_UR(DoRight,ArmyLogCR1)
3 Client OK?
4 Return Result,Create_Token(DoRight,ArmyLogCR1,Token)
5 Discover/Lookup(GCCS,Joint,CrisisPicture) Returns Proxy to Course Client
6 CrisisPicture(Token,CR1, NA20, NC40)
7 IsClient_Registered(Token)
8 Return Result of IsClient_Registered(…)
9 Check_Privileges(Token, GCCS, Joint, CrisisPicture, [NA20,NC40])
10 Return Result of Check_Privileges(…)
11 Return Result,CrisisPicture(…)
SACMAT02-31
Candidate Security Approach: Security Assurance Checks
[Flowchart: Start Constraint-Based Assurance Checks. Decision boxes with Yes/No branches: Required User-Authentication Check; Mandatory Access Control Check; Value Constraint Check; Time Constraint Check. Outcomes: Authentication Unsuccessful (to error handler); Authentication Successful; Authorization Unsuccessful (to error handler); Authorization Successful (continue process)]
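Added example (not part of the original slides or the authors' system): the four assurance checks named in the flowchart, written in Python and applied to the CrisisPicture call from the enforcement-framework slide, including the label reconciliation the MAC slide calls for. The check order, the policy tables, the token values, the role PartnerObsCR1, the partner-label mapping and the reading of NA20/NC40 as grid-square references are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed common ordering of sensitivity levels (assumption).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
# Constructed partner-label mapping for illustration, not an official equivalence.
PARTNER_LABELS = {"NATO CONFIDENTIAL": "CONFIDENTIAL", "NATO SECRET": "SECRET"}

@dataclass(frozen=True)
class Grant:
    classification: str   # sensitivity label of the data the method returns
    squares: frozenset    # value constraint: grid squares the role may request
    start: datetime       # time constraint: grant is valid in [start, end]
    end: datetime

# Constructed policy. DoRight, ArmyLogCR1 and CrisisPicture come from the slide;
# the tokens, PartnerObsCR1, labels, squares and dates are hypothetical.
SESSIONS = {"tok-1": ("DoRight", "ArmyLogCR1"), "tok-2": ("Liaison", "PartnerObsCR1")}
CLEARANCE = {"ArmyLogCR1": "SECRET", "PartnerObsCR1": "NATO CONFIDENTIAL"}
_CR1 = Grant("SECRET", frozenset({"NA", "NB", "NC"}),
             datetime(2002, 6, 1), datetime(2002, 6, 30))
GRANTS = {("ArmyLogCR1", "CrisisPicture"): _CR1,
          ("PartnerObsCR1", "CrisisPicture"): _CR1}

def level(label):
    """Rank a national or partner label on the common ordering (KeyError if unknown)."""
    return LEVELS[PARTNER_LABELS.get(label, label)]

def check_privileges(token, method, coords, now):
    """Return (allowed, stage); checks run in order and stop at the first failure."""
    session = SESSIONS.get(token)
    if session is None:                                  # 1. user authentication
        return False, "authentication"
    role = session[1]
    grant = GRANTS.get((role, method))
    if grant is None:                                    # nothing granted: fail closed
        return False, "no-grant"
    try:                                                 # 2. MAC: clearance must dominate
        dominates = level(CLEARANCE[role]) >= level(grant.classification)
    except KeyError:                                     # unreconciled label: deny
        dominates = False
    if not dominates:
        return False, "mac"
    # 3. value constraint; assumes the first two characters of "NA20" name a grid square
    if not coords or any(c[:2] not in grant.squares for c in coords):
        return False, "value"
    if not (grant.start <= now <= grant.end):            # 4. time constraint
        return False, "time"
    return True, "authorized"
```

Every failure path returns the stage that denied the request, which is the information a tracking or audit component needs to record.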
SACMAT02-32
Conclusions and Ongoing Work
- Explored Information Sharing Issues
- Defined the Dynamic Coalition Problem
- Discussed Coalition Participants
- Examined GCCS and Needed Improvements
- Offered Candidate Security Approach
- Related/Ongoing Research Includes
  - Support for Mandatory Access Controls
  - Role Deconfliction and Mutual Exclusion
  - User Constraints
  - User Role Delegation Authority
  - www.engr.uconn.edu/~steve/DSEC/dsec.html