Transient Partnerships Stretch Security Policy Management
All-or-nothing information sharing technologies fail multinational reality test.
The U.S. Defense Department is coordinating a multidimensional effort to seek out technologies that would bring order to the oftentimes chaotic environment of a coalition operation. Among the top priorities is identifying information security approaches that ensure continued communications when the composition of the coalition changes or the coalition's ad hoc network is attacked.
Both industry and academia are contributing their expertise to address the challenges that large, transitory collaborative organizations pose. One goal is to determine how to dynamically manage and validate operational configurations across multiple theaters of operation. A second yet no less important objective is to provide data security within large groups. Finally, researchers are taking advantage of public key infrastructure technologies and exploring ways to accommodate the policy management issues of rapid revocation and cross-certification of key information.
The Defense Advanced Research Projects Agency (DARPA), Arlington, Virginia, is funding the research under its Dynamic Coalitions program, an effort that primarily focuses on small- to medium-scale coalitions. Participants include NAI Labs, a division of PGP Security, Network Associates Incorporated, Los Angeles, and the Microelectronics Center of North Carolina, Research Triangle Park, North Carolina, as well as Johns Hopkins University, Baltimore; Northeastern University, Boston; and Veridian-PSR, Arlington, Virginia. In all, more than 15 organizations are researching the various components that make up the program.
The Dynamic Coalitions program is part of DARPA’s information assurance and survivability effort. Other projects include research into strategic intrusion assessment, intrusion tolerant systems, fault tolerant networks, information assurance science and engineering tools, autonomic information assurance and cyber command and control. Coordination of the effort will occur through joint experimentation, shared laboratory facilities and joint principal investigator meetings. The projects aim at developing technologies that support the next generation of information systems described in Joint Vision 2010, which calls for information dominance in a high-tempo, tightly integrated multinational environment. Technologies must be cost effective and scalable in the near future.
One key component of the effort is the exploration of systems that would provide continuous network operations even after a cyberattack. This is a significant concern for the Defense Department because attempts to break into its systems continue. Although improvements in security products have mitigated penetration-attempt success, the need still exists for techniques that will allow communications to continue should these attacks succeed.
Military leaders recognize that technology is only one part of the solution to information assurance. Some Dynamic Coalitions program participants are examining policy management, group communications and supporting infrastructure services.
According to DARPA officials, three key challenges must be addressed. First, traditional architectures have a central point of control, a kind of central nervous system; if it is attacked, the entire network could be disabled. Second, corrupted or malicious member entities can lead to incorrect functions of the system as a whole. Third, existing group membership protocols do not support the security needs of multidimensional organizations. The overarching challenge is creating secure groups rapidly. This is a significant issue when countries are faced with an operation that requires immediate multinational attention.
The current plan is to examine a variety of technologies then integrate them to provide the required capabilities for a specific environment. The technologies will be demonstrated individually as well as together within several scenarios.
One goal of the Dynamic Coalitions program is to create technologies that support distributed rather than hierarchical coalition security policies for essential operations. This includes securing the underlying group communication technologies and providing the necessary coalition infrastructure services for secure collaboration in a coalition environment.
To accomplish this task, the program will use existing DARPA information survivability research and invest in multidimensional security policy management, secure group management and coalition infrastructure services. Work in these three areas may overlap, so DARPA hosts regular meetings with program participants to prevent duplication of efforts.
Although secure communications technology is a critical part of allied operations, DARPA officials say policy management also is a crucial element in establishing and maintaining network-centric coalitions. Issues that must be considered in this arena include local systems and operating system interactions, networking capabilities, middleware services and application support. The multinational nature of coalition operations also involves network topology, group size and disparate capabilities challenges that must be addressed. Dynamic Coalitions program participants are examining policy as it relates to representation and translation, negotiation and agreement, and distribution and enforcement to deal with these concerns.
NAI Labs recently received a contract under the Dynamic Coalitions program to conduct research into technology that would support the policy management aspect of the project. Terry Benzel, director, NAI Labs, explains that her organization focuses on understanding trust relationships. Benzel, who is also the vice president of advanced security research at Network Associates, contends that while today’s technology enables sharing data among individuals of similar organizations, the U.S. armed services, for example, it does not support an environment of dissimilar members. “The technology for sharing information today is either all or nothing,” she says.
To address this issue, NAI Labs is taking a two-pronged approach. First, the organization is examining the policy for setting up attribute-based access control, a technique that grants or denies each operation based on attributes of the requester and the resource rather than on the requester's identity; such a policy could, for example, allow an entity to view information but not change or add to it. Models are being developed to explore this approach.
Once NAI Labs has a workable model, it will develop new technology that can enforce access control based on a rich set of attributes, Benzel says. “Right now, we’re tied to a user ID. But in most military environments what we’re interested in is the role the user is playing. Is he a NATO coordinator, commander or a ground soldier? Today, when setting up sharing relationships a lot goes on outside the computer and is based on knowing each other,” she explains.
Benzel offers a common business activity as an example of the state of today’s processes. To set up a three-way conference call, at least one person has to set up the telephone number and access code and then communicate this information to the other two. So, the call’s participants have to know something about each other to ensure that they have a reason to communicate.
“We’d like communications to be based on more general information. I don’t know who you are, but I know you have the authority to participate in this communication. In coalitions, we want to be able to dynamically change the access control. We may want to bring in other players or take out certain players. We’re developing ways to quickly pull back certain credentials for access to information,” she relates.
The logistics community as well as commercial purchasing departments also could benefit from NAI Labs’ research. Attribute-based access control would authorize entry into a system based on credit limit, job title, spending authority, employer, military rank or other criteria. For instance, a system could permit a purchase request from a user who is unknown to the authorizing system but who works for a business partner and has appropriate spending authority.
Allowing access and action based on attributes is only one part of the equation, Benzel points out. In a coalition environment, the real benefit would be the ability to do this quickly and in an ever-changing environment.
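The attribute-based access control that Benzel describes can be shown in a few lines of policy-evaluation code. The following is an added illustration, not NAI Labs’ model or software: it assumes a credential that carries attributes (role, employer, spending authority, coalition) and a policy that decides on those attributes alone, with no user ID anywhere in the decision. A revocation set lets the coalition pull a credential back immediately, which is the “quickly pull back certain credentials” point from the text; the rules, attribute names and sample credentials are all constructed for the example.

```python
"""Attribute-based access control (ABAC) with immediate credential revocation.

Added example, not NAI Labs' code. Decisions depend only on attributes and
on whether the credential is still live; the holder's identity never appears.
"""
import time


class Credential:
    """Attribute assertion issued to some party (issuer verification is
    assumed to have happened already; this is the authorization step)."""

    def __init__(self, cred_id, attrs, expires_at):
        self.cred_id = cred_id          # opaque handle used only for revocation
        self.attrs = dict(attrs)        # e.g. role, employer, spending_authority
        self.expires_at = expires_at    # unix time; short lifetimes bound the damage


class PolicyEngine:
    """Default-deny evaluator: each rule is (action, predicate(attrs, resource))."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.revoked = set()            # credential IDs pulled back by the coalition

    def revoke(self, cred_id):
        self.revoked.add(cred_id)

    def decide(self, cred, action, resource, now=None):
        """Return (permitted, reason). Revocation and expiry are checked before
        any rule so a stale credential can never satisfy a rule by accident."""
        now = time.time() if now is None else now
        if cred.cred_id in self.revoked:
            return False, "credential revoked"
        if now >= cred.expires_at:
            return False, "credential expired"
        for rule_action, predicate in self.rules:
            if rule_action == action and predicate(cred.attrs, resource):
                return True, "permit"
        return False, "no matching rule"


# Constructed coalition policy. A NATO coordinator or commander of the same
# coalition may change the plan; any coalition member may read it; a purchase
# is approved on spending authority and employer, never on who the buyer is.
COALITION_RULES = [
    ("read_plan", lambda a, r: a.get("coalition") == r["coalition"]),
    ("change_plan", lambda a, r: a.get("coalition") == r["coalition"]
                                 and a.get("role") in ("commander", "nato_coordinator")),
    ("approve_purchase", lambda a, r: a.get("employer") in r["partners"]
                                      and a.get("spending_authority", 0) >= r["amount"]),
]

# Constructed resources and credentials (no real organizations or people).
PLAN = {"coalition": "op-alpha"}
PURCHASE = {"partners": {"acme-logistics", "globex"}, "amount": 30_000}
NOW = 1_000_000.0
COMMANDER = Credential("c-1", {"coalition": "op-alpha", "role": "commander"}, NOW + 3600)
SOLDIER = Credential("c-2", {"coalition": "op-alpha", "role": "ground_soldier"}, NOW + 3600)
BUYER = Credential("c-3", {"employer": "acme-logistics", "spending_authority": 50_000}, NOW + 3600)
STALE = Credential("c-4", {"coalition": "op-alpha", "role": "commander"}, NOW - 1)


def demo():
    """Run the scenario and return the decisions as a dict for inspection."""
    engine = PolicyEngine(COALITION_RULES)
    out = {
        "commander_changes_plan": engine.decide(COMMANDER, "change_plan", PLAN, NOW),
        "soldier_reads_plan": engine.decide(SOLDIER, "read_plan", PLAN, NOW),
        "soldier_changes_plan": engine.decide(SOLDIER, "change_plan", PLAN, NOW),
        "unknown_buyer_within_authority": engine.decide(BUYER, "approve_purchase", PURCHASE, NOW),
        "buyer_over_authority": engine.decide(
            BUYER, "approve_purchase", dict(PURCHASE, amount=80_000), NOW),
        "expired_commander": engine.decide(STALE, "change_plan", PLAN, NOW),
    }
    # A partner's status changes: pull the commander's credential back at once.
    engine.revoke(COMMANDER.cred_id)
    out["commander_after_revocation"] = engine.decide(COMMANDER, "change_plan", PLAN, NOW)
    return out


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:32s} {'PERMIT' if ok else 'DENY  '} ({why})")
```

The order of checks matters: revocation and expiry are tested before any rule, so adding a new rule later cannot reopen access for a credential the coalition has already withdrawn. Note also that the buyer is “unknown” to the system in the sense the text describes; the engine has no account for it, only attributes.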
While NAI Labs’ research focuses on understanding relationships, work at the Microelectronics Center of North Carolina (MCNC) concentrates on designing the technology tools that support the other two pieces of the Dynamic Coalitions program: secure group management and coalition infrastructure services.
MCNC’s research, called the Yalta project, focuses on three primary concerns. The first goal is to determine how to build a distributed computing platform that fosters the ubiquitous development and deployment of coalition applications. Second, project researchers are examining how to provide some of the critical infrastructure services for information assurance within coalitions including basic confidentiality and authentication as well as public key infrastructure. Finally, the team must determine how to make this platform scalable, survivable and extensible.
To accomplish these tasks, MCNC researchers are working with representatives at North Carolina State University in Raleigh to create a secure collaborative space from shared-space technologies that were developed in the distributed computing research community. The objective is to build a certification authority service based on threshold cryptography that is integrated into the collaborative space. Intrusion tolerance and scalability will be achieved through multiple groups of shared certification authority services. Certificate revocation notifications would be implemented by an event notification mechanism within the shared space. The researchers also aim to support the collaborative space as a coordination channel for setting up special communications that can accommodate specific needs such as very high bandwidth data exchange or encrypted communications using nonstandard algorithms.
T.J. Smith, principal investigator for the Yalta project, MCNC, points out that one of the key characteristics of a coalition activity is the limited or transient trust among partners. MCNC researchers seek to create a public key infrastructure for issuing digital certificates where the technology can be shared among the parties. “This is threshold cryptography where all parties have control over the issuance of security. It is not a pyramid. It is distributed,” he explains.
“There is a need to be able to revoke credentials quickly. There has been a long lag-time for this in the past, so short-term relationships weren’t possible,” he adds.
Dan Stevenson, director of network research, MCNC, points out that this capability is particularly critical in a multinational operation environment. “In the context of a coalition, if you have an operation where a trust relationship has a set of parameters for communication, and then something occurs—information leaks or a relationship changes—the trust level changes. If a nation’s status changes, the credential system will alter it in the coalition environment. It will allow very quick responses to policy changes,” Stevenson relates. Because control is shared, anyone in the coalition could initiate the action, Smith adds.
One issue that must be addressed if this approach is adopted, Stevenson observes, is whether all allied partners would have equal influence about the decision to switch the status of coalition members. “This issue is fairly clear in the hierarchical mode. But what we’re proposing is allowing the decision to be made in a distributed mode. One of the restrictions that we don’t quite have answers about is if you would want one partner to have a stronger vote,” Stevenson remarks. Smith points out that this issue could be addressed by employing the United Nations Security Council model.
The Yalta project also addresses another requirement of the Dynamic Coalitions program. “The issuance capability is survivable. So you could lose members of the group yet continue operations,” Smith explains.
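The distributed issuance that Smith describes (“all parties have control ... it is not a pyramid”) and the survivability of losing group members rest on a threshold scheme. The block below is an added illustration, not Yalta project code: it uses Shamir secret sharing over a prime field to split a certification authority’s signing key among coalition partners so that any `threshold` shares suffice and fewer reveal nothing. A production threshold CA signs without ever reassembling the key; here reconstruction stands in for the signing step so the access structure can be seen. Giving one partner several shares, as a crude way to give it “a stronger vote,” is the author’s own assumption for the example, not a design choice attributed to MCNC. The field prime, party names and weights are constructed.

```python
"""Shamir (t, n) secret sharing as the access structure of a threshold CA.

Added example, not the Yalta project's code. The signing key is split so that
any `threshold` shares reconstruct it; any fewer give no information. Losing
partners below the threshold therefore does not stop issuance.
"""
import secrets

P = 2**127 - 1  # prime field for the polynomial arithmetic (constructed choice)


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(signing_key, threshold, shares_per_party):
    """Split `signing_key` into shares. `shares_per_party` maps a party to how
    many shares it holds (weight); every share is a distinct point on a random
    polynomial of degree threshold-1 whose constant term is the key."""
    if threshold < 1 or sum(shares_per_party.values()) < threshold:
        raise ValueError("threshold must be reachable by the parties together")
    coeffs = [signing_key % P] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares, x = {}, 1
    for party, count in shares_per_party.items():
        shares[party] = []
        for _ in range(count):
            shares[party].append((x, _eval_poly(coeffs, x)))
            x += 1                      # x = 0 is never used; it is the secret itself
    return shares


def reconstruct(points):
    """Lagrange interpolation at x = 0 over the field."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def coalition_issue(shares, participating, threshold):
    """Stand-in for a threshold signing round: collect the shares of the
    partners that answered and refuse unless the threshold is met. In a real
    threshold CA the partners would each contribute a partial signature and the
    key would never exist in one place."""
    points = [pt for party in participating for pt in shares.get(party, [])]
    if len(points) < threshold:
        raise PermissionError(f"{len(points)} shares offered, {threshold} required")
    return reconstruct(points[:threshold])


# Constructed coalition: five partners, one of them weighted double.
KEY = 0x2A2A_1234_5678_9ABC_DEF0_1122_3344_5566
THRESHOLD = 3
WEIGHTS = {"alpha": 2, "bravo": 1, "charlie": 1, "delta": 1, "echo": 1}


def demo():
    """Return which subsets of partners can issue and which cannot."""
    shares = split_key(KEY, THRESHOLD, WEIGHTS)
    results = {}
    for label, parties in {
        "alpha+bravo (3 shares, weighted vote)": ["alpha", "bravo"],
        "bravo+charlie (2 shares)": ["bravo", "charlie"],
        "charlie+delta+echo (alpha and bravo lost)": ["charlie", "delta", "echo"],
    }.items():
        try:
            results[label] = coalition_issue(shares, parties, THRESHOLD) == KEY
        except PermissionError:
            results[label] = False
    return results


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:45s} {'issues' if ok else 'refused'}")
```

Two properties carry the security argument: any three shares reconstruct exactly the key (so the coalition keeps issuing after two partners drop out), and the check in `coalition_issue` is the only place the threshold is enforced, so it is the line a reviewer should read. Revocation still needs a separate channel, which the text says Yalta handles through event notification in the shared space.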
Because members of a coalition may have different technical capabilities, MCNC is implementing its system on top of Java. “We are assuming a very low common denominator among the partners,” Smith states. The center aims to design the technology so that it can be used from a laptop computer, he adds.
MCNC is currently building a prototype, and a proof-of-concept demonstration is planned for the summer of 2002. The goal is to complete the project in 2003, Stevenson relates.