Evaluation and Testbed Development
Bhavani Thuraisingham, The University of Texas at Dallas
Jim Massaro and Ravi Sandhu, The University of Texas at San Antonio
Tim Finin, University of Maryland, Baltimore County
2
Outline
Project Tasks
Accomplishments
NCES/GIG Security
AIS Questionnaire
Next Steps
3
Project Tasks
Year 1: Determine Base-line, Gather requirements from AIS Community, Develop scenarios
Year 2: Testbed architecture design and preliminary prototype addressing subset of the requirements
Year 3: Enhanced prototype for evaluation by interested organizations
Optional years: Continue with the development
4
Accomplishments
Base-Line: NCES and GIG Security/Information Assurance
Questionnaire to be distributed to the Services to gather requirements
Will work with Dr. Herklotz to identify people to send the questionnaire to
Two courses taught at AFCEA (Armed Forces Communications and Electronics Association) May 2008 with units on Assured Information Sharing
5
NCES Security: WS-* Security Standards framework
Transport level security: SSL/TLS
Network level security: IPSec
XML security: XML Encryption, XML Signature
SOAP foundation
Message security: WS-Security, WS-SecureConversation
Reliable Messaging: WS-ReliableMessaging
Security mgmt.: XKMS, WS-Trust
Policy & Access Control: XACML, SAML, WS-Policy
Identity Mgmt.: WS-Federation, Liberty, SAML
6
What is NCES?
NCES enables information sharing by connecting people/systems who have information* with people/systems who need information
For people who have information, NCES provides global information advertising and delivery services
For people who need information, NCES provides global services to find and receive information
http://www.disa.mil/nces/about_nces/NCES_Overview_06-15-2007.ppt
* Information – data and services (web services)
7
What is the Global Information Grid (GIG)?*
The GIG represents a globally interconnected, end-to-end set of information capabilities and processes for collecting, processing, and managing information on demand to warfighters, policymakers, and support personnel.
The GIG provides a critical foundation for the DoD’s Network-Centric vision by: (1) supporting the posting of data to shared spaces as early as possible; (2) providing users with an enhanced capability to pull required data from wherever they are, whenever they need it; and (3) ensuring information assurance measures are applied effectively and across the enterprise.
The enterprise services component of the GIG consists of a suite of reusable core enterprise services such as (1) discovery of potential new users or data sources, (2) mediation between various data formats, (3) discovery of data and applications to solve problems, and (4) provisioning of the appropriate security services and keys to allow access to the data required.
*Source: http://www.globalsecurity.org/intell/systems/gig.htm
8
Security Services: Detail View
[Figure: User; Portal Application; Service Consumer; Service Provider; Policy Enforcement Point (shown twice); Request / Response flows; NCES Security Services: Attribute Service, Policy Decision Service, Policy Admin Service, Policy Retrieval Service, Certificate Validation Service]
Name | Protocol | Format | Standards Body
Service Request / Response | HTTP / SOAP | SOAP, WS-Security, XML-DSIG, SAML, WS-Addressing | OASIS / W3C
Attribute Service | SAML-P | SAML | OASIS
Policy Decision Service | SAML-P | SAML | OASIS
Certificate Validation Service | XKMS | XKMS | / W3C
Policy Retrieval Service | NCES-defined* | XACML | OASIS
Policy Administration Service | NCES-defined* | XACML | OASIS
9
Logical Component Overview
[Figure: User; Application; Service Consumer; Service Provider; Policy Enforcement Point; Authentication; NCES Service Security: Attribute Service, Policy Decision Service, Policy Admin Service, Policy Retrieval Service, Certificate Validation Service; DOD PKI & LDAP; Policy Store; Identity Store; Attribute Store]
10
Questionnaire
The purpose of the (Web-based) Questionnaire is to gather requirements from DoD and its partners for Assured Information Sharing to guide our research
For each question, if you answer “yes”, please elaborate on your answer. For each question you answer “no”, please state your future plans with respect to that question
11
Questionnaire: Basic questions
Is your organization adopting DoD’s Information Sharing Strategy?
If no, what information sharing strategy is your organization following?
If there is no strategy, then are you planning to have one in the future?
If yes, are you planning to implement all five implementation strategies proposed by the DoD?
12
Questionnaire: Policies
What policies are important to your organization for AIS?
Confidentiality, Privacy, Trust, Integrity, Other
Explain each type of policy
Is multilevel security important to your organization for AIS? If so, how do you handle information flow from High to Low?
Are you utilizing a trusted guard/filter for information sharing across security levels?
13
Questionnaire: Partners and Trust
Do you have to share information with partners at different trust levels?
How do you handle partners of different trust levels?
How are trust levels assigned in your environment?
Are the trust levels changing with time for a partner?
14
Questionnaire: Standards
Is your organization adopting NCES and GIG strategies?
What standards is your organization adopting? E.g., Web 2.0, SOA?
Are you using XACML, SAML for policies?
Are you preparing for Web 3.0?
Is your organization adopting DODAF?
15
Questionnaire: Technologies
Do you belong to a federated environment?
What knowledge management practices do you enforce?
Will you adopt the DoD KM strategy (e.g., AKM)?
Are there incentives for you to share data?
Describe how social networking is gaining importance in your organization and what are the tools you are using?
What information management strategies do you follow?
Describe any other activities/scenarios related to AIS
16
Next Steps
Send questionnaire to government agencies; work with AFRL and other DoD Labs
Present our research results to DoD agencies and get feedback
Work with our partners (e.g., Raytheon) and discuss opportunities for technology transfer
Scenario development