Slide 1 (6/13/2014): The Rise and Fall of DMS/FORTEZZA: Lessons Learned in U.S. Defense Messaging. The small but smart supplier of superior messaging software. Kathy Nuckles, CEO/President, firstname.lastname@example.org, www.commpower.com
Slide 2 (Agenda): Introduction/Background; Context of Presentation; Security Adversaries; DMS Timeline: 14+ years in the making; DMS Future (per Mandate); Next Generation Security Focused Building Blocks: Common Data Medium: XML; Common Security Labeling & Access Control: SPIF; Common Access Card (CAC); Commerciality; Security Summary
Slide 3 (About CommPower): Established in 1984; California Corporation [Small Business]. Specialize in Military/Weather Product Development and System Integration. Products: 6 Military Gateway Products; 1 Text-to-Speech Product; 2 Security Label Toolsets. Systems: Turn-Key COMMCENs for the U.S. Air Force and Defense Logistics Agency, U.S. Federal Aviation Administration, U.S. National Weather Service. Key Team Member of the U.S. Defense Message System (DMS) Program Since Inception (1995). Visit www.commpower.com
Slide 4 (Context of Presentation): [Figure: Typical organization of a theater of operations as envisaged by War Department Doctrine, 1940; http://en.wikipedia.org/wiki/File:Theater_of_operations.gif] As a key product supplier and team member to the U.S. Defense Message System (DMS) program for 14+ years, CommPower has amassed a wealth of communications and security experience. This presentation is based on that experience. Please note that the views and opinions presented are CommPower's and don't necessarily reflect the views of the U.S. Government.
Slide 5 (Security Adversaries): The goods are available. Why don't they want them?
Slide 6: Cost: Considered an overhead burden; must not be a big-ticket item. Ease of Use: If it is not intuitive, users will mount an attack. Availability of Alternatives: If there is a workaround, users will find it. Enforcement: Without enforcement, security will be bypassed.
Slide 7 (DMS Timeline, reconstructed from the slide's timeline graphic; the year ticks 1995, 2000, 2008 and 2010 mark the four phases):
Phases along the arc: FORTEZZA at the Desktop; Introduction of Web-based clients w/ CAC Access; Expansion of Web Systems to include Stovepipe Interfaces (DMS/FORTEZZA bypass); Begin to Retire DMS and Introduce Command Email (or other).
1995: Teletype format; human readable; COMMCEN operations; closed backbone infrastructure; organic security model. Sample message header: "RAAUTJAZ RUWQAAAA0001 0151500UUUU-... ZNR UUUUU... UNCLAS SUBJ: OPERATIONS IN..."
2000: Outlook & Domino clients (thick); FORTEZZA at the desktop; message is encrypted upon client submission; SPIF-based security labels; overly complicated client interface for security label generation.
2008: Continued Outlook (thick) client with usability improvements. Introduction of proxy model with CAC-enabled web clients and server-resident FORTEZZA services (AMHS). FORTEZZA access control is limited to transport; AMHS informational access controls are local and proprietary.
2010: Discontinued Outlook (thick) client; AMHS proxy model is prolific; reduced (or shared) organizational certificates become attractive; AMHS backside stovepipes start appearing with proprietary security labeling methods; mandate to retire DMS and adopt commercial capabilities; Command E-mail concept begins to form, no solid definition to date; panic retreat back to legacy stovepipes.
Trend annotations on the graphic: Security model fragments; Security begins to retreat; Front line security unknown.
Slide 8 (DMS Future per Mandate): Basic security requirements: Authentication; Confidentiality; Allied Interoperability; DMS Transitional Interoperability; Cross Domain; Common Security Labeling. DMS retires in 2012. Adopt Commercial Technology NOW. DMS Replacement will NOT be provided... but, let's not lose sight of basic security requirements. MROC (??) **Multi-command Required Operational Capability
Slide 9: From the confusion there IS opportunity...
Slide 10 (Common Data Medium: XML): Don't expect Industry to deliver a single, consolidated capability on its own; give them critical building blocks to take and run with...
Basic Payload Construct:
<!ELEMENT cpe-Payload (cpe-CONTENT-TYPE, cpe-IDENTIFIER, cpe-ORIGINATOR, cpe-RECIPIENT+, cpe-SIGNERS-DN*, cpe-CONTENT-SIZE?, cpe-CONTAINS-BINARY-ATTACHMENTS?, cpe-ALT-DELIVERY-ALLOWED?, cpe-LATEST-DELIVERY-TIME?, cpe-SECURITY-LABEL, cpe-EXTENSIONS?, cpe-CONTENT)>
CommPower proposes XML: commercially prolific; easily processed; carries all data types; easily extended and customized; backward compatibility is supported.
Slide 11 (Common Security Labeling & Access Control: SPIF): Security Labels: Valid and consistent security labeling is an integral part of military communications, yet not an integral part of commercial communications. This, therefore, cannot be left to chance. Security Label Toolset: CommPower proposes an XML-based SPIF definition and a freely distributed toolset. The same XML merits as for the message format apply. Vendors could integrate the toolset without having to understand the intricacies. Security Label: a simple button to invoke Security Label Creation. The vendor would use the provided toolkit to create a custom user-interface look and feel.
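The two building blocks above (the cpe-Payload content model on slide 10 and the SPIF-driven security label on slide 11) come together in the kind of check a receiving gateway or client toolset would run before releasing a message: is the payload structurally valid, is the mandatory cpe-SECURITY-LABEL present, and does its classification fall within the recipient's clearance? The following Python is an added illustration written for this page, not CommPower's toolset and not a real SPIF implementation. The content-model string is copied from the slide's <!ELEMENT> declaration; the SPIF stand-in (an ordered list of classification names), the <classification> child inside cpe-SECURITY-LABEL, and the sample messages are all constructed assumptions.

```python
"""Validate a cpe-Payload message against the DTD content model and check its label."""
import re
import xml.etree.ElementTree as ET

# Child sequence of cpe-Payload, copied from the <!ELEMENT> declaration on slide 10.
# DTD suffixes: '+' one or more, '*' zero or more, '?' optional, none = exactly one.
CPE_PAYLOAD_MODEL = (
    "cpe-CONTENT-TYPE, cpe-IDENTIFIER, cpe-ORIGINATOR, cpe-RECIPIENT+, "
    "cpe-SIGNERS-DN*, cpe-CONTENT-SIZE?, cpe-CONTAINS-BINARY-ATTACHMENTS?, "
    "cpe-ALT-DELIVERY-ALLOWED?, cpe-LATEST-DELIVERY-TIME?, cpe-SECURITY-LABEL, "
    "cpe-EXTENSIONS?, cpe-CONTENT"
)

# Constructed stand-in for an XML SPIF: classifications in increasing order of sensitivity.
# A real SPIF also carries categories, markings and equivalences; this is illustration only.
SPIF_CLASSIFICATIONS = ["UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET"]


def parse_model(model):
    """Turn 'a, b+, c?' into a list of (name, min, max); max=None means unbounded."""
    bounds = {"": (1, 1), "+": (1, None), "*": (0, None), "?": (0, 1)}
    parts = []
    for token in model.split(","):
        m = re.fullmatch(r"\s*([\w-]+)([+*?]?)\s*", token)
        if not m:
            raise ValueError(f"bad content-model token: {token!r}")
        lo, hi = bounds[m.group(2)]
        parts.append((m.group(1), lo, hi))
    return parts


def validate_children(root, model):
    """Match the root's child elements, in order, against the sequence model.
    Greedy counting is exact here because every element name in the model is distinct."""
    problems = []
    children = [child.tag for child in root]
    pos = 0
    for name, lo, hi in parse_model(model):
        count = 0
        while pos < len(children) and children[pos] == name and (hi is None or count < hi):
            count += 1
            pos += 1
        if count < lo:
            problems.append(f"missing required element {name} (found {count}, need >= {lo})")
    if pos < len(children):
        problems.append(f"unexpected element {children[pos]} at position {pos}")
    return problems


def label_allowed(payload_xml, clearance, spif=SPIF_CLASSIFICATIONS):
    """Return (ok, reasons): structure valid and classification <= recipient clearance."""
    if clearance not in spif:
        raise ValueError(f"clearance {clearance!r} not defined in SPIF")
    root = ET.fromstring(payload_xml)
    if root.tag != "cpe-Payload":
        return False, [f"root element is {root.tag}, expected cpe-Payload"]
    problems = validate_children(root, CPE_PAYLOAD_MODEL)
    if problems:
        return False, problems
    label = root.find("cpe-SECURITY-LABEL")  # guaranteed present after validation
    classification = (label.findtext("classification") or "").strip().upper()
    if classification not in spif:
        return False, [f"classification {classification!r} not defined in SPIF"]
    if spif.index(classification) > spif.index(clearance):
        return False, [f"{classification} exceeds recipient clearance {clearance}"]
    return True, []


# Constructed sample message that satisfies the content model.
GOOD_MESSAGE = """<cpe-Payload>
  <cpe-CONTENT-TYPE>text/plain</cpe-CONTENT-TYPE>
  <cpe-IDENTIFIER>constructed-0001</cpe-IDENTIFIER>
  <cpe-ORIGINATOR>cn=example originator</cpe-ORIGINATOR>
  <cpe-RECIPIENT>cn=example recipient</cpe-RECIPIENT>
  <cpe-SECURITY-LABEL><classification>RESTRICTED</classification></cpe-SECURITY-LABEL>
  <cpe-CONTENT>OPERATIONS IN ... (constructed sample)</cpe-CONTENT>
</cpe-Payload>"""

# Same message with the mandatory label dropped: a structural fault the toolset must reject.
UNLABELLED_MESSAGE = GOOD_MESSAGE.replace(
    "<cpe-SECURITY-LABEL><classification>RESTRICTED</classification></cpe-SECURITY-LABEL>\n", "")

# Same message with a recipient appended after the content, violating the sequence order.
OUT_OF_ORDER_MESSAGE = GOOD_MESSAGE.replace(
    "</cpe-Payload>", "<cpe-RECIPIENT>late</cpe-RECIPIENT></cpe-Payload>")

if __name__ == "__main__":
    for name, msg, clearance in [("good", GOOD_MESSAGE, "RESTRICTED"),
                                 ("too-high", GOOD_MESSAGE, "UNCLASSIFIED"),
                                 ("unlabelled", UNLABELLED_MESSAGE, "SECRET"),
                                 ("out-of-order", OUT_OF_ORDER_MESSAGE, "SECRET")]:
        print(name, label_allowed(msg, clearance))
```

The structural check runs before the label check on purpose: a message that omits cpe-SECURITY-LABEL, or smuggles elements outside the declared sequence, is rejected on shape alone, so the access decision is only ever made on a label the schema guarantees to exist.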
Slide 12 (Common Access Card): Security Token: The Common Access Card is based on commercial technology and is widely deployed and accepted. Keep running with it!!! Common Access Card: infrastructure in place and operational; based on accepted and practiced commercial technologies; multi-platform support.
Slide 13 (Next Generation Military Information Exchange): New and innovative products based on the three commercially aligned building blocks. [Architecture diagram: the DMS Community (DMS MTA, AMHS, AMHS Clients) connects through CP-EXP mail relays to SMTP and X.400 clients carrying SPIF security labels, to other systems including CP-XJP, to Allies, and to a future DMS replacement; the CP-EXP client also carries a SPIF security label.]
Slide 14: [Diagram: a RESTRICTED label shown consistently across Office, Chat, Collaboration and Outlook.] Consistent information throughout.
Slide 15 (Government Responsibilities): It's not enough to simply demand COTS; action is required. Maintain the building blocks. Evolve the building blocks. ENFORCE USE OF THE BUILDING BLOCKS. "Setting an example is not the main means of influencing another, it is the only means." ~Albert Einstein
Slide 16 (Summary): Sound Security Building Blocks: woven into the fabric of operations; can be carried toward the front line as required... yet still remain embraced by Industry. Commerciality / Military/Defense.
Slide 17 (Participating companies):
Boldon James: Boldon James, a wholly-owned QinetiQ subsidiary since October 2007, has over 20 years' experience specialising in secure messaging solutions tailored to meet the formal information exchange requirements of the worldwide defence and secure government sectors. Its Version 3 Secure Information Exchange architecture now provides a suite of Microsoft commercial off-the-shelf (COTS) functional extensions across the Unified Communications collaboration and conferencing suite, resulting in solutions with a low total cost of ownership (TCO) and significantly reduced deployment risk. Boldon James is a Microsoft Gold Partner and the Microsoft Global Go To Market Partner for Messaging in the Defence and Public Safety sectors.
Cadmidium: Cadmidium Services Ltd is a technical consultancy specialising in communications system procurement, support services and product development. Cadmidium's services draw on a diverse range of expertise backed up by decades of experience. Cadmidium currently has staff engaged with clients on a number of projects across land, sea and air environments.
Clearswift: Since 1982, Clearswift has provided internet content filtering solutions to more than 17,000 organizations around the world. We design our technologies and services around how people interact, developing adaptable solutions that define business communication. Clearswift solutions, available through an extensive partner network of qualified security specialists, safeguard information and communications, leaving employees free to communicate and collaborate, creating an environment that nurtures growth. Clearswift solutions allow you to strike the right balance between growth, cost and risk.
CommPower: CommPower, since its inception in 1984, has been seeking excellence in the product development and integration market, with emphasis on secure, real-time message processing/switching and data communications applications for military and meteorological markets. For these sectors, CommPower offers a host of gateway/dissemination products as well as Microsoft Exchange-based offerings, all of which adhere to popular and open industry standards.
eB2Bcom: eB2Bcom builds and markets the high-performance View500 Discovery & Directory server that combines LDAP, X.500 and XMLeD protocols in a single system. Renowned for its searching and matching capabilities and integrated WebDUA, View500 is deployed in Australia, Asia, the USA and Europe.
Isode Ltd: Isode builds high-performance messaging and directory server products, using Open Standard protocols. Isode has customers in over 30 countries, with exports accounting for over 60% of sales. Isode's products are used in sectors where security, scalability, reliability and excellent support are core requirements.
JSC: JSC Ltd provides design, integration, support, specialist training and technical consultancy services to the defence and defence-related sectors. We specialise in the delivery and support of high-end secure messaging, directories and PKI-based solutions.
Nexor: Nexor is a leading provider of information assurance solutions to defence and government agencies. We ensure that sensitive information is accessed, controlled and shared in accordance with prevailing security policies by handling the connection, transformation and protection of that information. Our specialist capability and technology have been developed over two decades, and our comprehensive portfolio is readily tailored to provide a value-for-money contribution to information assurance programmes.
SMHS Ltd: SMHS is a small, UK-based company providing scientific, technical and integration consultancy services for a range of core enterprise services. These services include messaging (both formal and informal), directory services, security services and web services.