Assured Session II
From AFCEAWiki
Session II: Assured Collaboration
Abstract
How do we protect data across the enterprise to include Multi Domain Dissemination System (MDDS), encryption, identity assurance/network access control (NAC), and metadata tagging?
Moderator
- Dr. Dan Wiener, Vice President and Chief Technology Officer, BAE Systems
Panel
- Mr. Bruce Brody, Vice President for Cyber Security and Chief Security Officer, The Analysis Group, LLC
- Mr. Bill Ross, Director, IA Systems and Programs, General Dynamics C4 Systems
- Dr. Ed Siomacco, Deputy Commander for Enterprise Services, Network Enterprise Technology Command (NETCOM)/9th Signal Command (Army)
- Dr. Ed Siomacco, Director OIAC, USA
Panel:
Mr. Bruce Brody, V.P., Cyber Security and Chief Security Officer, The Analysis Group:
1. There is an atmosphere of compliance instead of assurance; many of the environments aren't secure security environments.
Mr. Bill Ross, Business Director, IA Systems and Programs, General Dynamics C4 Systems:
1. Responsible for information assurance aspects; programs: TSAT, high assurance platforms.
2. Assured Collaboration: asked to address how we protect data.
3. Identity assurance: PKI is going; authentication, integration and the application domain. This is on the critical path or a critical dependency.
4. Metadata, i.e. how do we deal with label compartments, old into diverse labeling of metadata.
5. Software integrity checking.
6. Ability to measure the software environment and attribute it to a white list of approved capability.
7. Need to draft off of large-scale commercial technology advisors.
8. Define APIs and technology patterns that they are bringing to the mainstream.
9. We need a flagship to go after. We have a lot of pilots, which is good, but how does it scale? Prove scalability.
Dr. Ed Siomacco, DISA:
1. Responsible for policy implementation of information assurance for the Army.
2. Service oriented architectures.
3.
Moderator: Dr. Dan Wiener, Vice President and CTO, BAE Systems. Question: If you think it's a money issue, how can we ballpark that, and is it politically feasible?
Mr. Bill Ross, General Dynamics: Their investment in derivative markets and capabilities is enormous. If we can get 99 cents on the dollar, and if we can get with the EMCs, the Intels, the Dells, the large companies who provide the devices to the mass market, and build what we need; yes, it's hard to do, but I think economics will prove successful in the end.
Mr. Siomacco: The horizon is constrained budgets, portfolio management of tools, products, services; vulnerabilities will continue to pop up.
Mr. Brody: Not necessarily the amount of money but how it's spent. Requirements and mandates force your hand on how you spend the money; if there were some refereeing on that at a higher level, that would be helpful.
Audience, Mike Jones, information assurance, Army: What are the key ingredients of success for metadata tagging, for government and commercial as well?
Mr. Siomacco: Security fields. When you tag data, security fields need to be part of the tagging process; that will be a prerequisite. It can only be effective if the data has attached the appropriate level of data accessibility to an individual. We need to start tagging information so information will be exposed to the right individuals. How can we provide the correct automated tools to tag the data?
Mr. Brody: The key is tagging data, so you can have one database and everyone accessing information from that one database.
Mr. Ross: The ability to tag data exists; the challenge is at the enterprise level. Cryptographically attach your metadata; managing data through its lifecycle is one of the problems at the enterprise level.
Audience Question: How will we tag, and assure tagging is maintained for its validity throughout?
Mr. Siomacco: Content management. We need to know and manage the value of data and information through metadata; he sees it as a blossoming area.
Mr. Ross: Metadata is associated with content management; there is a need for transitory labeling. Application and network labeling is needed.
Audience Question: Metadata changes over time, geographic area as one unit. Metadata tagging is useful; look at what industry has done with it.
Mr. Siomacco: Vulnerabilities and tracking of data, sensor grids, and having another level of data control. Perishable vs. non-perishable information that has metadata attached to it.
Mr. Ross: Lifecycle of metadata. How do we deal with staleness of data? Access control with identity management.
Audience Question: If we pick the wrong entities we will only be locked into those entities; we can't predispose what those environments are. If in a messaging environment, you can do it in layers, but if in an unstructured environment, what should we be investing in?
Mr. Ross: There are a lot of people looking at those spaces. He agrees that we need to set the bar higher rather than reinforce it.
Mr. Siomacco, DISA: We are seeking a single identity store, whether that's a federated store; they have someone working on it. Everyone wants DoD to solve the identity management problem. The Army has AKO to reach out to loved ones.
Mark Jones:
Mr. Ross: He has not seen an assessment of the cost of certification; their products deal in the Type 1 world.
Mr. Siomacco: Looking at hardware with firmware, we must look at it from an end-to-end capability. There's a risk to the warfighter in raising the bar on that product; vulnerabilities should be looked at from the designation authority, FIPS 140 Level I, Level II.
Christopher McKey, System Plus: Sounds like you're moving to a construction key management system.
Panel: To be determined.
McKey: How do you culturally change people?
Moderator: Tell them if they want access, this is how they will do it. The cultural issue is easier solved than imagined; the only problem was people being locked out from cards. I don't think it will be as much of a cultural change now as a decade ago.
Moderator: We talked a lot about content, and content awareness, rights and privileges. How does this factor in from a policy standpoint?
Mr. Siomacco: Releasing it to another service or coalition member is decided at a local level. Several products are being looked at, and it can change depending on the operational scenario. The architecture is a federated approach; that's where folks are going. The Army will federate with the Navy, and so on.
Mr. Ross: Content awareness and policy, done at the local level, screams for federated trust models, to release to a known entity. It is critical to make content-based risk decisions, to make the data truly automatic.
Mr. Brody: Talked about the next session, cyber warfare.
Moderator: As we look toward assured collaboration, what role will frameworks and models in architecture play in assuring we maintain content awareness?
Mr. Siomacco: Configuration management of assets, visibility of the entire enterprise, will help isolate vulnerabilities that will continue to pop up. Network operations and management constructs follow, either at the Department of the Army level, where they look at policy to put structure and standardization at the enterprise level, so we can be more efficient, manage the enterprise, and respond rapidly to unexpected vulnerabilities.
Mr. Brody: There are constant conflicts between international standards, national standards, department standards and policies, and then oversight.
Mr. Ross: What gaps exist?
Mr. Siomacco: Identity store; we don't have one single one, and that's a capability gap. Semper net side, authoritative attribute sources; we need to find the owners for the .govs and the .orgs. We have to provide a way of identifying authorized individuals.
Mr. Brody: Five things I should know with 100% certainty: a. boundaries, b. what are the devices, c. configuration, d. who is accessing, e. what are they doing to access.
Mr. Siomacco: There are boundaries of control. Reciprocity is connected to the boundary issue. A device everyone sees as OK to be used in their network is something that has to be acknowledged by the governing bodies.
Audience Question: Are you aware of a testing initiative to do these types of things, to go from JWICS to the Internet?
Audience member, Deb, CACI: People do ask for things like that. Types of vulnerabilities; they don't want to risk the family "jewels" getting out. There are 7 to 9 different standards that need to be developed; we need folks working on the definition of rules to operate and automate it. Someone needs to emphasize this.
Mr. Ross: NSA R2 have real users that are wrestling with issues on how to use virtual machine architecture; right now they are sticking with adjacent domains.
Carey: What are your thoughts on collaborative efforts, not on counter attack, but collaboration on network defense, and how to collaborate?
Mr. Siomacco: CND and the exporation; they are collaborating within the same room and the forensics are there. The capability gap is strategic.
Al Mink: Status of dealing with NETCOM and dealing with the network?
Mr. Siomacco: Button 2 is Adobe Connect and Jabber, which DISA offers as an enterprise solution, a bandwidth-efficient collaboration tool, but we need more of a federated architecture. Web-based video IP tools do not scale out over a federated architecture. We must plan over a federated architecture. We don't have solid standards for web conferencing; we need to strive to come up with industry standards for federating web conferencing.
Al Mink: Should we downscale to 1 or 2 collaboration tools?
Mr. Ross: Theory of competition, multiple solutions; know how industry is motivated. In the end, let the users choose and let the best product prevail.
Mr. Brody: Depends on what side of the fence you're on.
Mr. Siomacco: Hoping for standards specifications no matter what the tool is. Yes, it's easier to pick one, but they're constantly getting feedback about one tool or another. We need to look at a common level; others have achieved it, for example routers and switches.
Moderator: There is a tradeoff between protection and allowing openness for collaboration. How do we develop a construct across the three boundaries: civilian, defense and private sector? Will there be a convergence?
Mr. Brody: I hope so. Some frameworks are fractured; he would like to see the federal government hone in on one security framework.
Mr. Ross: More of a skeptic; more of a federal model over time, a while before we get there.
Moderator: What will some of those models look like?
Mr. Siomacco: A trust model for the first responders of disaster relief. The policies have to be set and have the agility to respond to the situation at the end; much more difficult at a different security level.
Question: What are the measures of effectiveness?
Mr. Brody: Not measuring effectiveness, measuring performance.
Audience: Are there some breakthrough technologies that can help IA?
Ross: Personal partnership with the large companies, for example Intel: chip sets to support IO memory management units to keep malicious IO devices from memory space, virtualize the hardware. Large companies like virtualization. Software integrity checks, to make policy-based decisions. The new wave is the concept of a white list; Intel is banking on the ability to do software integrity checks and validate against a white list. This is a new unique tool in the toolkit. This will make a dent in assurance issues.
Moderator: Discussion of Gate 2.0, joint infrastructure, common policies and standards. Comments on the government side and industry side on how it surrounds the collaborative side?
Mr. Siomacco: There is a DoD standard for metadata. Industry does not have standards for this. We need joint service level agreements in metrics: assurance that when software is brought into a Navy or Army DoD network it will meet the intended service level. He sees synergy between Army, Navy, Marine Corps CIOs on how to decide how to become joint; that's what we need to make 2.0 a reality.
Audience Question, Mike Jones: Within industry, what do you use to enforce policies?
Mr. Ross: Dabbling in the use of metadata to restrict and automate enforcement of policy. A long way to go, but starting. We can live in a more enterprise-isolated environment. We don't have as much need to share.
Mr. Brody: When you say industry, there are so many different industries.
Mike Jones: What have you seen in businesses you've worked at?
Moderator: The parent is a foreign company; compliance is something people go through mandatory training on quarterly. Ultimately it comes down to the individual.
Audience Question, Navy IA technical authority: What else is there? What can we do to protect the data?
Mr. Siomacco: How can workflow be achieved across the entire network with different services? Do you go with a certificate approach along with a messaging approach? It may not work in the Navy from ship to ship. How do you impose a security level implementation as overhead against the ad hoc networks? How do you look at different alternatives other than identity management?
Audience Question: Information-centric security? It needs to be mapped into what we're doing; not sure where to start.
Mr. Ross: Take identity management and set it aside; solve information-centric security; deal with coalition partners with different capabilities.
Mr. Siomacco: Integration of other related items, for example search: interweave security as part of the search, knowing who's on the chat session, the idea of portals and single sign-ons. There are a lot of complementary services where data can be effectively managed but also has to be secured.
Audience Question: Now we've protected the data, what does that do for forensics, law enforcement, etc.?
Mr. Ross: Not mutually exclusive; the use of metadata for search is still valid.
Audience Question, Sparta: Someone will put data in the wrong place. What tools do you need to detect this and then clean it up once it happens?
Mr. Siomacco: There are tools. If we have a robust metadata solution they can do an assessment of where it is supposed to be; he cannot rattle off the tools from his head.
Audience Question: What tools find anomalies? Some they use for IDS may be applicable.
Carey: Example of a tool?
Moderator: Idle framework, data anomalies.
