Bringing it all together


SOA design plays a key role in paring down secret data-sharing links.

For decades, the Defense Department and intelligence agencies cultivated a garden of specialized technologies that shifted classified data (typically files, text chat and e-mail) across security classifications and network domains.

As a result, there are now more than 800 of these cross-domain interfaces, most of them customized. They range from simple sneakernet arrangements, where data is carried by hand from one machine to another, to network interface cards with dedicated 'high side' and 'low side' connections that bridge highly sensitive and less sensitive networks.

To simplify matters, the intelligence community, the Pentagon and their information technology vendors are whittling this unruly rabble of cross-domain interfaces, many of them based on proprietary hardware, down to a cadre of some two dozen software-based, platform-independent entities.

'We see it as a very, very good step,' said Michael Ryan, senior vice president of sales and marketing at Crossflo Systems, maker of DataExchange cross-domain middleware. 'It's more effective for us to be able to standardize on a smaller set of technologies.'

Getting to a simpler set of technologies, however, may require some work, given the wide range of what is offered now.

Get in line

Simplification of the cross-domain offerings has been in the works for at least a year.

The chief intelligence officers of the Pentagon and the Office of the Director of National Intelligence (ODNI) created the Cross Domain Management Office (CDMO) in March 2006 to choose a baseline group of the cross-domain entities and mandate their exclusive use. The tentative result is a baseline set of about 15 cross-domain interfaces and 10 exceptions covering special cases.

More than 750 cross-domain interface projects won't make the cut.
The Pentagon and the intelligence community plan to eliminate funding for the interfaces that don't graduate to the baseline list and send that money to the remaining projects, officials said.

Several interface vendors interviewed recently sounded unsure of the role of the CDMO in setting standards, yet most agreed that the sharp reduction in approved interfaces will simplify agencies' choices.

Still, consolidation is not standardization. The vendors noted that several of the interfaces on the baseline list are still government off-the-shelf systems developed in-house, some others are the commercial variety, and some are hybrids.

That's not to say there is no cross-vendor interoperability, or at least 'seamless co-existence,' said Ed Hammersla, chief operating officer at Trusted Computer Solutions, a maker of fat- and thin-client desktop systems and other products used in several systems that have already been approved for inclusion in the baseline list.

'A government buyer could purchase three or four solutions from the approved list, and they would interoperate to solve his problem,' Hammersla said.

Special needs

Hammersla said three technologies dominate the cross-domain arena.

Data transfer devices move data between domains with different security levels, such as the various levels and flavors of the top-secret collection of information, which are grouped as the top-secret fabric. Comparable fabrics of classified domains operate at the secret and sensitive-but-unclassified levels.

Some domains include foreign agencies and military units, and some cross-domain interfaces exchange data among several such communities of interest.

But the CDMO does not include direct representation from any foreign government, officials said.
CDMO leaders decided that if they allowed even one foreign intelligence service to participate in its deliberations, excluding others would become too difficult.

The data transfer devices include high-assurance guards, which shift data only in one direction, for example from sensitive-but-unclassified or controlled-unclassified information to the secret or top-secret levels and higher.

Data transfer devices often specialize in a particular data type, such as text messages and chat, or graphics files containing, say, digital photos of sensitive sites. The specialized guards often cannot handle other types of intelligence data, such as radar tracks, officials said.

Data diodes are another type of data transfer device. They are fiber-optic network entities that sit between two servers.

'The idea is that you have enforcement of the one-way policy at both endpoints, rather than a firewall box in the middle,' said Ron Mraz, president and chief technology officer at OWL Computing Technology, who said the company's Dual-Diode technology is the only point-to-point system on the baseline list.

The second category of cross-domain interfaces, access devices, consolidates data from different secure networks onto a single screen. Access devices can take the form of a fat client, such as a desktop PC with several network interface cards, or a thin client displaying data from a central server.

The third and final category of the interfaces covers multilevel security systems. MLS entities attempt to segregate security levels primarily through specialized software running on servers and desktops.

In recent years, federal computer users increasingly have replaced proprietary, hardware-intensive systems with software that runs on a wider variety of dedicated platforms, and subsequently on generic desktop PCs and servers.

Not surprisingly, trusted versions of three enterprise operating systems form the core of today's CDMO-approved cross-domain interfaces.
The three operating systems also underpin emerging, more broadly distributed entities for sharing classified information.

The three operating systems already approved for such use, Hammersla said, are Sun Microsystems' Trusted Solaris; Security-Enhanced Linux (SELinux), supported by vendors such as Red Hat; and BAE Systems' Secure Trusted Operating Program (STOP).

Bill Vass, president and chief operating officer at Sun Federal, said trusted OSes take two main approaches to security: trusted extensions and labeling, and type enforcement. He said Sun has placed its initial bet on the latter, and Solaris 10 with Trusted Extensions is undergoing testing for Common Criteria certification, a required security approval.

Trusted Extensions allow as many as 8,000 security 'zones' or containers, each with its own IP address and security level, in a single instance of Solaris. 'You can have on the same server an unclassified domain, a classified domain and a top-secret domain,' Vass said.

Sun executives are considering adding type enforcement, a more granular approach used in SELinux, to their OS, but Vass added that his company is also considering adding it to its Java language because it sees merit in both. 'The issue is implementing them in a cross-domain system,' Vass said.

Cross domain for the masses

Widely available commercial software, such as virtual private networks, is increasingly part of the cross-domain equation. Mraz said he has seen DOD and intelligence prototypes of encrypted 'tunnels' that talk with top-secret networks.

The VPN approach also figures in systems built by Verizon Business Federal.
The Ma Bell descendant, which claims security-conscious three-letter agencies among its customers, now uses federated user-rights directories, firewalls at each endpoint and an assortment of standard encryption technologies, including public-key encryption, to manage access to domains that share closed private networks.

Bill Edwards, Verizon's chief scientist, said one military customer uses his company's service to process digital photos of military installations through third-generation cellular and satellite-radio networks. 'That picture would have an authentication, its own digital signature,' Edwards said.

Software-only and commercial solutions, however, might never completely meet the needs of top-secret agencies, some specialists in the field say.

'The problem is, when you get into [Common Criteria Evaluation Assurance Level] 4 and higher, then often the hardware has to get pulled into the evaluation,' said Andrew Earle, manager of solutions development at BAE Systems, which makes several cross-domain interfaces, including a guard on the baseline list.

There are a total of seven EALs, but foreign governments recognize only the lowest four, specialists in the field say.

But a new federal commercial offering from three prominent players seeks to upend that notion. The Secure Information Sharing Architecture is a joint venture of Cisco Systems, Microsoft, EMC and two smaller vendors. SISA combines Cisco network infrastructure, EMC storage and Microsoft OS and collaboration software to manage not only secure physical access but also Extensible Markup Language data and applications on familiar desktop and mobile devices.

'Any technology that does authentication will work with this architecture,' said Chris Shenefiel, Cisco's federal government industry solutions manager.
With SISA, communities of interest could communicate over their own dedicated virtual local-area networks, Shenefiel said.

SISA's proponents have high hopes, claiming it could eventually replace the specialized cross-domain interfaces. 'In the near term, there will be a niche market for the high-assurance guards, especially at the high-security level,' said Eric Rosenkranz, Microsoft's public-sector industry manager.

Microsoft's Active Directory lies at the heart of SISA. For example, Cisco uses it to centralize authentication.

But the initial version of SISA, which customers are beta-testing now, works only in a single environment. 'This is not multilevel security,' Rosenkranz said. 'I would call it a significant improvement to role-based collaboration security, at a single classification level.' A federated version should be announced this summer, he said.

Although CDMO's consolidation project is gradually steering agencies to interoperable commercial systems, 'there has been no policy-setting body that has said, "Here's all the attributes we're looking for,"' said Dave Graham, OWL's vice president. He added that his company's Dual-Diode interface can carry any kind of data because it operates at the asynchronous transfer mode level. In addition, hardware-based enforcement lets it work with several operating systems, Graham said.

'There really has been no vendor who has stepped [in] to put together the true, commercial cross-domain solution that covers all the attributes necessary,' Graham added.

The CDMO's role aside, the industry is using standards that could aid cross-vendor interoperability. For high-assurance guards, which can do their job of passing data from one domain to another unassisted, interoperability is a nonissue. 'Usually there's one guard, and you don't want to mess around with putting another one in,' Earle said.

Two types of trusted

Vass named a specialized form of service-oriented architectures, trusted SOAs, as the holy grail that most agencies seek.
The building blocks of such systems are available today, with Sun claiming numerous technology demonstrations, Vass said.

He cited an example of a visual Web service for imagery that requires high security clearances. 'These visual Web services are available to you based on how strongly you authenticate,' Vass said, adding that the trust goes both ways.

'You have to be able to trust the service, too,' Vass continued. 'Let's say I created a service called GetTarget. Would that be available to all levels [of security] and they only see information based on that, or would it only be available to top-secret people? All of these concepts are in the SOA definitions that we've put together.'

Sun technologists hold that SOAs could handle current security needs. 'You would publish the services based on the risk of the services and the role of who should get it,' Vass said. Users 'would use their identities to log on to all the domains they have access to, and people would publish services at the different levels.'

But the migration to SOA creates additional security concerns. 'It's no longer just that single box,' said Mark Morrison, chief information assurance officer at the Defense Intelligence Agency.

'As we move to an SOA type of arrangement, we don't have a standard set of processes,' he continued. 'The certification and accreditation and risk assessment process to effectively address that is [still] evolving.'

The ODNI technology leadership recently announced the results of a months-long process to reform C&A requirements and related intelligence security criteria, officials said.

Certification involves confirming that a cross-domain interface, or any system handling classified data, meets Common Criteria requirements under testing authorized by the National Information Assurance Partnership. Accreditation is a primarily legal and policy evaluation of whether a system meets the standards in a specific environment.

Vass agreed with Morrison's viewpoint.
'The technology to do all that is probably here today, but putting it all through C&A is probably a long pole in the tent. The low-hanging fruit while we're doing all that is to have a trusted desktop that gives you access to all these domains.'

DNI's chief information officer organization recently orchestrated a wide-ranging reform of the C&A process that began with an open call for advice on the topic from the general public worldwide and concluded with the release of several changes to federal IT security rules. The policy reform generated a consolidated definition of the protection levels (PLs) that regulate the handling of various forms of classified data across federal agencies, as well as the C&A changes.

The PL reform was greeted enthusiastically by vendors who previously had struggled with incompatible rules used by the Pentagon, the intelligence community and civilian agencies that are required to follow procedures mandated by the National Institute of Standards and Technology.

But the recently adopted C&A reforms are just now gaining traction across the dozens of agencies that will have to put them into effect, officials said.

In XML we trust

Industry-specific variants of XML are becoming the common language that allows cross-domain information sharing across agencies, specialists in the field say.

Earle said XML, through its tagging capabilities, can also handle the security requirements. He added that BAE sells an XML-compliant guard. In addition, the Security Assertion Markup Language is emerging as a cross-domain authentication standard for Web services.

'In the intelligence community, we've gone forward with XML, and we set up XML standards,' Morrison said. 'We've never had XML cross-domain solutions before [that can handle XML tagging and filter based on that standard],' Morrison said.
'We're seeing the shift into the marketplace.'

For example, intelligence data exchange in the law enforcement and counterterrorism arena has benefited from the increasing adoption of the Global Justice XML Data Model (GJXDM), a framework developed in recent years under Justice Department auspices. Justice's data exchange standard plays a critical role in systems such as the FBI-sponsored Law Enforcement Online network, which is deployed nationwide to link interagency Joint Terrorism Task Forces and state and local police forces. The GJXDM also governs the Regional Information Sharing System Network, a law enforcement system funded largely by Justice and controlled by six regional coalitions of police agencies.

In one implementation of the Justice-sponsored data model, the New Jersey State Police are using it with Crossflo CDX to standardize law enforcement terms in a master name index shared among counties, municipalities and the state, more than 600 agencies in all.

Without GJXDM, 'we would still be arguing about fields and whose definition are we going to use,' said Chris Rein, a state police special investigator and IT program manager. 'Now we have a standard that we can all look at.'

Rein said the state is building a Java-based SOA that handles role-based access control and user credentialing over a private network. He added that GJXDM has allowed the state to share gang-related data with another state, and several counties to pilot links to the National Information Exchange Model and the FBI's NIEM-based National Data Exchange.

The SOA and XML models embedded in those law enforcement systems figure prominently in the technological work of the Information Sharing Environment, an agency that reports to the ODNI.
ISE systems architects have defined architecture requirements that apply to new systems in about 20 agencies with primary responsibilities for counterterrorism work.

OMB enforces the ISE technology requirements, including their SOA features, via the Form 300 submissions that federal agencies must provide before receiving funding for new systems.

Despite such progress, cross-domain interfaces remain an esoteric technology struggling to go mainstream. 'We're, at best, at the 20-yard line,' Hammersla said.

At the 2007 JavaOne conference, John Weeks, senior software engineer at Sun Microsystems Federal, showed how to set up a multilevel security system that could share information across networks of different classification security levels using an application server, standard Web services and a set of experimental label-aware Java classes.

The goal in setting up information exchange that accommodates multiple security levels is to allow individuals in the higher security settings to look at information tagged with lower ratings, and yet not allow individuals operating in these lower security networks to use that connection to access more sensitive material.

In this case, Weeks showed a single computer running four Trusted Java Desktop System workspaces, each at a different security level: public, internal, need-to-know and restricted.

Each workspace ran a copy of the Firefox browser. For demonstration purposes, Weeks ran all four copies of the browser within a single workspace, though the actions of each remained restricted to its own security level thanks to the labeling capability of the Solaris operating system.

In this scenario, the public information would be available to anyone with access to the network. Information encoded as internal would be restricted to a smaller set of individuals, need-to-know information would be even more restrictive, and restricted would provide the highest sensitivity level of all. Each browser window represented what the user of its security level would see.

For this demonstration, Weeks created a sample document with each paragraph tagged with one of these four security levels. In the intelligence world, this approach is often called creating tearlines.

In this system, the document would appear differently depending on what level of access the requester of that document had. The document from a public access level would only show a few permitted sentences. Someone with internal privileges would see more material than was presented to the public user, though not as much as the person with need-to-know access would see. Those with restricted access would see the entire document.

How did this setup work? Who sees what is decided by the combination of an application server and a credential checker that sits between the user and the document. An authentication agent using the Extensible Access Control Markup Language checks the credentials of the requester of the document and passes the approval on to the application server. The application server then parses the requested document and passes along only information the requester is allowed to see.

'I was using the label from the browser connection to determine the level of access,' Weeks said later. 'This was done to simplify the demo environment. In a real deployment, user credentials would be included with the level of the network connection to determine access.'

This approach isn't limited to text documents, either. Weeks offered a second example using a photograph. The public viewer saw a very small photograph of what appeared to be an almost completely submerged submarine. The Internal tab offered a slightly larger rendition with some annotation, need-to-know access provided some additional resolution and annotation, and restricted access provided the largest version with the highest resolution and most complete annotation.

The source was a single photograph which was scaled and annotated according to the requester's security level.

Of course, in a working system, all the information would need to be tagged, either by hand or through an automated method of some sort. Multilevel-security systems such as Solaris 10 with Trusted Extensions can recognize sensitivity labels such as the hypothetical ones Weeks developed and apply the appropriate mandatory access control rules. Weeks also developed a set of experimental Java classes that would allow external Java programs to recognize such labeling.
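The server-side tearline filter described above, written here as an added illustration rather than Weeks' own Java classes or servlet code. It assumes a constructed "[label] text" tag syntax, the four hypothetical levels from the demo, and a hypothetical serve() request handler; it also applies the caveat Weeks raised, combining user clearance with the connection's label, and treats an untagged paragraph as the highest level so a missing tag can never leak downward.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical four-level hierarchy from the demo, lowest to highest.
LEVELS = ("public", "internal", "need-to-know", "restricted")
RANK = {name: i for i, name in enumerate(LEVELS)}
HIGHEST = LEVELS[-1]


@dataclass(frozen=True)
class Paragraph:
    label: Optional[str]  # sensitivity label, or None if the author never tagged it
    text: str


# Constructed tag syntax: each paragraph is one line prefixed with "[label]".
TAG_RE = re.compile(r"^\[([^\]]+)\]\s*(.*)$")


def parse_tagged(text: str) -> List[Paragraph]:
    """Parse a tearline document written in the constructed "[label] text" syntax."""
    doc = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = TAG_RE.match(line)
        if m:
            doc.append(Paragraph(m.group(1).lower(), m.group(2)))
        else:
            doc.append(Paragraph(None, line))  # untagged; the filter decides its fate
    return doc


def dominates(clearance: str, label: str) -> bool:
    """Mandatory-access-control read-down rule: a requester cleared to `clearance`
    may read a paragraph labelled `label` only if the label is at or below the
    clearance. Unknown clearances or labels never dominate (fail closed)."""
    if clearance not in RANK or label not in RANK:
        return False
    return RANK[clearance] >= RANK[label]


def effective_clearance(user_level: str, connection_level: str) -> str:
    """The demo keyed access off the connection's label alone; Weeks noted a real
    deployment would combine user credentials with the network level. Here the
    effective level is the lower of the two, so a restricted user connecting from
    the internal network still sees only internal material."""
    if user_level not in RANK or connection_level not in RANK:
        return LEVELS[0]  # anything unrecognised collapses to public
    return min(user_level, connection_level, key=RANK.get)


def tearline(doc: List[Paragraph], clearance: str) -> List[str]:
    """Server-side filter: return only the paragraphs the requester may see, in
    document order. An untagged paragraph is treated as HIGHEST, so forgetting a
    tag can never push text down to a lower domain."""
    visible = []
    for para in doc:
        label = para.label if para.label is not None else HIGHEST
        if dominates(clearance, label):
            visible.append(para.text)
    return visible


def serve(doc: List[Paragraph], user_level: str, connection_level: str) -> List[str]:
    """What the hypothetical servlet returns for one request."""
    return tearline(doc, effective_clearance(user_level, connection_level))


# Constructed sample document; the final paragraph is deliberately untagged.
SAMPLE_DOC = parse_tagged("""
[public] A vessel was sighted off the coast on 12 March.
[internal] The sighting was reported by coastal station 7.
[need-to-know] Its hull number matched a track logged last week.
[restricted] Source: acoustic sensor array B.
Untagged analyst note that must not reach a lower domain.
""")

if __name__ == "__main__":
    for level in LEVELS:
        print(f"--- view at {level} ---")
        for text in serve(SAMPLE_DOC, level, level):
            print(text)
```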

For more information on Weeks' setup, along with links to the Java interfaces and (eventually) some sample servlet code, see GCN.com/778.

- Joab Jackson

'The technology is probably here today, but putting it all through C&A is probably a long pole in the tent.' - Bill Vass, Sun Microsystems Federal

David Essex is a freelance technology writer based in Antrim, N.H. GCN deputy news editor Wilson P. Dizard III contributed to this article.
