Bringing Security to NATO's Front Lines Requires Policy, Governance and Legal Action
While the push forward for better collaboration and information-sharing capabilities will require technical advances, the experts at a NATO workshop in
Emphasizing that any system must be interoperable, Lt. Col. Richard Faulkner, USA, program manager and chief executive, Synchronized Pre-deployment and Operational Tracker program, staff of the U.S. Undersecretary of Defense, said that for a federated approach to work, consistent standards that cut across systems are necessary, and industry must be included in the solution. Strong governance also is necessary to make sure companies and groups play by the rules, but governance is “the long pole in the tent,” according to the colonel, who stressed that organizations have to figure out how to manage the life cycle.
The banking industry, historically a broker of trust between transaction parties, had a prominent presence in the workshop. Konstantin Zografov, who gave a presentation for a representative of the Bulgarian National Bank, said the front line always is the money and that financial secrets are no less important than military ones. While security is essential for both segments, Zografov allowed that the difference is that in banking, everyone is a client, not an enemy.
Perhaps the most widely recognized example of federated identity management is the automated teller machines (ATMs) that can be accessed from most bank terminals across the world. The closer an individual gets to money, the higher the identity management level must be. It is about risk management too, not just technology, suggested Hilary L. Ward, who heads the managed identity services for Citigroup’s global transaction services. Ward allowed that industry is looking to banks to credential its processes and to cut costs and expedite operations. Credentialing is not the core competency for business as it is for banking, so banks as an institution can take on that burden for organizations and create a trusted relationship. Government is looking at both banks and the gaming world to help it determine how best to do protection and to access information, she concluded.
Standards and accreditation organizations as well as NATO representatives and other industry members discussed various products and case studies. Clearly, one size does not fit all, but there have to be mechanisms in place so that information can be shared and identities can be verified. The appropriate level of access can change in different scenarios, and the role of individuals can change as well.
Identity management topics within the federated environment have legal, political, governance, social, technical and security elements. Workshop attendees broke into three groups to explore these topics and to make recommendations for the NATO leaders in attendance to take back to their organization.
Legal issues for NATO are complex, and not all nations have legislation that deals with identity management issues. The challenge the group identified for NATO is how to establish the lowest common denominator for legislation and work toward that.
In addressing political issues, the group said the problem is to determine what can be shared or stored between nations and what level of trust can be given to nations outside of NATO. The organization also has to look at the impact of changing requirements, including unfunded infrastructure and, ultimately, the political will of each nation.
The group looked at laterally driven identity rules because bilateral agreements do not scale; it recommended that NATO consider a graded approach. The nations will need to agree on whether it will be a federated or a central management issue.
From a social standpoint, a federated approach to identity management has no downside for NATO; however, this could lead to a citizen’s perception of Big Brother.
The technical panel said the first problem that needs to be addressed is that not all nations have the same definition. No one thought technology was the biggest issue, but they agreed that the problems to be discussed are governance and policies. The security group also recommended that the terminology be harmonized to make sure all are heading to common ground.