Information Sharing and Security in Dynamic Coalitions Charles E. Phillips, Jr. Computer Science & Engineering Department 191 Auditorium Road, Box U-155 The University of Connecticut Storrs, Connecticut 06269-3155 charlesp@engr.uconn.edu Profs. T.C. Ting and Steven A. Demurjian Computer Science & Engineering Department 191 Auditorium Road, Box U-155 The University of Connecticut Storrs, Connecticut 06269-3155 http://www.engr.uconn.edu/~steve steve@engr.uconn.edu Good Morning! I am Chip Phillips and I will be presenting the following. I am a first year Ph.D. student at the University of Connecticut. I am also a LTC in the United States Army sent to UConn in preparation for future instructor duty at the U.S. Military Academy at West Point, NY. I am relatively new to the security research area, and will be attending a security workshop in Italy for 2 weeks in at the end of September.
Overview of Presentation Introduction The Dynamic Coalition Problem Civilian Organizations Military Involvement/GCCS Information Sharing and Security Federating Resources Data Integrity Access Control (DAC and MAC) Other Critical Security Issues Candidate Security Approach Conclusions and Future Work This is how I will cover the topic this morning. This overview follows the outline of the paper. However, I will be concentrating on our proposed software architecture and prototype work.
Introduction Crisis and Coalitions A Crisis is Any Situation Requiring National or International Attention as Determined by the President of the United States or UN A Coalition is an Alliance of Organizations: Military, Civilian, International or any Combination A Dynamic Coalition is Formed in a Crisis and Changes as Crisis Develops, with the Key Concern Being the Most Effective way to Solve the Crisis Dynamic Coalition Problem (DCP) is the Inherent Security, Resource, and/or Information Sharing Risks that Occur as a Result of the Coalition Being Formed Quickly Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
Introduction Near Simultaneous Crises Crisis Point BOSNIA (NATO) NATO Hq KOSOVO (US,UK) Olympic Games Earthquake (United Nations) This is how I will cover the topic this morning. This overview follows the outline of the paper. However, I will be concentrating on our proposed software architecture and prototype work. Ship Wreck (UK,SP)
Evaluation vs. DCP Emergent Need for Coalitions “Coalitions must be flexible and no one coalition is or has the answer to all situations.” Secretary of Defense, Donald Rumsfeld “Whenever possible we must seek to operate alongside alliance or coalition forces, integrating their capabilities and capitalizing on their strengths.” U.S. National Security Strategy “Currently, there is no automated capability for passing command and control information and situational awareness information between nations except by liaison officer, fax, telephone, or loaning equipment.” Undersecretary of Defense for Advanced Technology
The Dynamic Coalition Problem Dynamic Coalition Problem (DCP) is the Inherent Security, Resource, and/or Information Sharing Risks that Occur as a Result of the Coalition Being Formed Quickly Private Organizations (PVO) Doctors Without Boarders Red Cross Non-Government Organizations (NGO) NYPD Government Agencies FBI CIA Military Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
Supporting Advanced Applications DCP Objectives for Crisis Federate Users Quickly and Dynamically Bring Together Resources (Legacy, COTs, GOTs, DBs, etc.) Without Modification Dynamically Realize/Manage Simultaneous Crises Identify Users by Roles to Finely Tune Access Authorize, Authenticate, and Enforce a Scalable Security Policy that is Flexible in Response to Collation Needs Provide a Security Solution that is Portable, Extensible, and Redundant for Survivability Include Management/Introspection Capabilities to Track and Monitor System Behavior Note: Signature of service is incomplete: name, parameter types, return types The signature of a method is the method name, return type, and parameter names and types. These are the three referenced resources. We will discuss each individually but not with the detail in the paper. This is how they compare. Role-Based Privileges -define role - grant revoke access - registration Services Authorization List - Client Profile (clients are not only people) - Authorize Role Security Registration - Identity Registration
The Dynamic Coalition Problem Coalition Architecture Clients Using Services Resources Provide Services Federal Agencies (FEMA, FBI, CIA, etc.) Client NATO SYS COTS U.S. Army Client LFCS (Canada) U.S. Navy Client SICF (France) French Air Force Client HEROS (Germany) U.S. Legacy Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above System SIACCON (Italy) NATO Database Client NGO/PVO Resource German NGO/PVO (Red Cross, NYPD, etc.) Client COTS GCCS (US) Client
The Dynamic Coalition Problem Joint and Combined Information Flow Common Operating Environment Combined: Many Countries GCCS ARMY GCCS-A MCS BN CO FBCB2 BDE BSA TOC CORPS ABCS ASAS CSSCS FAADC2I AFATDS DIV XX X | | Joint Task Force Adjacent Marines Navy Coalition Partners Air Force GCCS-M GCCS-N GCCS-AF NATO Systems TCO JMCIS TBMCS Coalition Systems X X Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above Joint - Marines, Navy, Air Force, Army
The Dynamic Coalition Problem Combined Information Flow Logistics Air Defense/Air Operations Fire Support Network and Resource Management Intelligence GCCS - Joint/Coalition - Maneuver Combined Database Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
The Dynamic Coalition Problem Coalition Artifacts and Information Flow U.S. Global C2 Systems Air Force Navy Joint Command System Battle Management System NGO/ PVO GCCS U.N. Army Battle Command System Combat Operations System NATO U.S.A Army Marine Corps Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above Dynamic Coalition AFATDS FADD GOAL: Leverage information in a fluid, dynamic environment ASAS ABCS GCCS-A CSSCS MCS Other Army C2
The Dynamic Coalition Problem Global Command and Control System GLOBAL C2 SYSTEMS GCCS Provides: - Horizontal and Vertical Integration of Information to Produce a Common Picture of the Battlefield - 20 separate automated systems - 625 locations worldwide - private network MOBILE SUBSCRIBER EQUIPMENT DATA RADIO SATELLITE MISSION PLANNING MET SUPPORT INTEL SATCOM MANEUVER CONTROL X X AIR DEFENCE TOPO ARTY Client/Server MET MISSION PLANNING AIR DEFENCE SUPPORT X INTEL Client/Server MANEUVER CONTROL SATCOM TOPO ARTY AIR DEFENCE Company SUPPORT FBCB2 /EBC INTEL Client/Server Platoon ARTY MANEUVER CONTROL Tactical Internet BATTLEFIELD C2 SYSTEM EMBEDDED BATTLE COMMAND SATCOM Situational Awareness FBCB2 /EBC Squad MOBILE SUBSCRIBER EQUIPMENT
The Dynamic Coalition Problem Global Command and Control System Joint Services : a.k.a Weather METOC Video Teleconference TLCF Joint Operations Planning and Execution System JOPES Common Operational Picture COP Transportation Flow Analysis JFAST Logistics Planning Tool LOGSAFE Defense Message System DMS NATO Message System CRONOS Component Services Army Battle Command System ABCS Air Force Battle Management System TBMCS Marine Combat Operations System TCO Navy Command System JMCIS Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
The Dynamic Coalition Problem Global Command and Control System Common Operational Picture Common Picture Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
The Dynamic Coalition Problem GCCS Shortfalls Difficult to Establish Roles Requires Host Administrator Not Separate Roles No Time Controllable Access Time Limits on Users Time Limits on Resource Availability Time Limits on Roles No Value Constraints Unlimited Common Operational Picture Unlimited Access to Movement Information Difficult to Federate Users and Resources U.S. Only system Private Network (Not Multi-Level Secure) Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
The Dynamic Coalition Problem GCCS Shortfalls: User Roles Currently, GCCS Users have Static Profile Based on Position/Supervisor/Clearance Level Granularity Gives “Too Much Access” Profile Changes are Difficult to Make - Changes Done by System Admin. Not Security Officer What Can User Roles Offer to GCCS? User Roles are Valuable Since They Allow Privileges to be Based on Responsibilities Security Officer Controls Requirements Support for Dynamic Changes in Privileges Towards Least Privilege Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
The Dynamic Coalition Problem GCCS Shortfalls: Time Controlled Access Currently, in GCCS, User Profiles are Indefinite with Respect to Time Longer than a Single Crisis Difficult to Distinguish in Multiple Crises No Time Controllable Access on Users or GCCS Resources What can Time Constrained Access offer GCCS? Junior Planners - Air Movements of Equipment Weeks before Deployment Senior Planners - Adjustment in Air Movements Near and During Deployment Similar Actions are Constrained by Time Based on Role Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
The Dynamic Coalition Problem GCCS Shortfalls: Value Based Access Currently, in GCCS, Controlled Access Based on Information Values Difficult to Achieve Unlimited Viewing of Common Operational Picture (COP) Unlimited Access to Movement Information Attempts to Constrain would have to be Programmatic - which is Problematic! What can Value-Based Access Offer to GCCS? In COP Constrain Display of Friendly and Enemy Positions Limit Map Coordinates Displayed Limit Tier of Display (Deployment, Weather, etc.) Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
The Dynamic Coalition Problem GCCS Shortfalls: Federation Needs Currently, GCCS is Difficult to Use for DCP Difficult to Federate Users and Resources U.S. Only system Incompatibility in Joint and Common Contexts Private Network (Not Multi-Level Secure) What are Security/Federation Needs for GCCS? Quick Admin. While Still Constraining US and Non-US Access Employ Middleware for Flexibility/Robustness Security Definition/Enforcement Framework Extend GCCS for Coalition Compatibility that Respects Coalition and US Security Policies Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
Information Sharing and Security Federated Resources JSTARS Unmanned Aerial Vehicle Satellites Bradley / EBC Embedded Battle Command ABCS Fwd Support Element Ammo/Fuel Refit AIR DEFENCE INTEL FUSION MANEUVER CONTROL PERSONNEL AND LOGISTICS FIELD ARTILLERY Common Picture RESOURCES Command&Control Vehicles Army Airborne Command & Control System Army Battle Command System Embedded Command System Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
Information Sharing and Security Syntactic Considerations Syntax is Structure and Format of the Information That is Needed to Support a Coalition Incorrect Structure or Format Could Result in Simple Error Message to Catastrophic Event For Sharing, Strict Formats Need to be Maintained In US Military, Message Formats Include Heading and Ending Section United States Message Text Formats (USMTF) 128 Different Message Formats Text Body of Actual Message Problem: Formats Non-Standard Across Different Branches of Military and Countries Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
Information Sharing and Security Semantics Concerns Semantics (Meaning and Interpretation) USMTF - Different Format, Different Meaning Each of 128 Messages has Semantic Interpretation Communicate Logistical, Intelligence, and Operational Information Semantic Problems NATO and US - Different Message Formats Different Interpretation of Values Distances (Miles vs. Kilometers) Grid Coordinates (Mils, Degrees) Maps (Grid, True, and Magnetic North) Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
Information Sharing and Security Pragmatics Issues Pragmatics - The Way that Information is Utilized and Understood in its Specific Context For Example, in GCCS Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
Information Sharing and Security Pragmatics Issues Pragmatics in GCCS X XXX XX DSCS A2C2S DIV CDR C2V SINCGARS (FS) EPLRS (AD) Info/Intel/Plans DIV REAR VTel Sustainment Mobility TGT/Fires BVTC DMAIN Relay DR Division Slice 404 ASB Theater Injection Point (TIP) HCLOS Note: 3rd BDE not part of 1DD in Sep 2000. SEN CMDR BCV GBS TAC MVR BN 4 ENG 3rd BDE 64 FSB 3-29FA 1/10 CAV 1/10 CAV Sqdn 588 ENG 2nd BDE 4 FSB 3-16FA 299 ENG 1st BDE 204FSB 4-42FA DTAC 1 9-1FA 2/4 AVN BN 4th BDE 1/4 AVN BN 124th SIG BN DISCOM 704MSB LEN DIVARTY Node Estimate Current FDD laydown has 53 autonomous Command Post/TOCs (i.e., nodes) For a full Corps >200 nodes Basic Distribution Requirement Distribution Polices Automation & Notification User Controls Transport Mechanisms System and Process Monitors Security, Logs, and Archives How - Prioritized - Encrypted - Network Distribution Policy What When Where Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
Information Sharing and Security Data Integrity Concerns: Consistency, Accuracy, Reliability Accidental Errors Crashes, Concurrent Access, Logical Errors Actions: Integrity Constraints GUIs Redundancy Malicious Errors Not Totally Preventable Authorization, Authentication, Enforcement Policy Concurrent Updates to Backup DBs Dual Homing Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
Information Sharing and Security Discretionary Access Control What is Discretionary Access Control (DAC)? Restricts Access to Objects Based on the Identity of Group and /or Subject Discretion with Access Permissions Supports the Ability to “Pass-on” Permissions DAC and DCP Pass on from Subject to Subject is a Problem Information Could be Passed from Subject (Owner) to Subject to Party Who Should be Restricted For Example, Local Commanders Can’t Release Information Rely on Discretion by Foreign Disclosure Officer Pass on of DAC Must be Carefully Controlled! Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
Information Sharing and Security Role Based Access Control What is Role Based Access Control (RBAC)? Roles Provide Means for Permissions to Objects, Resources, Based on Responsibilities Users May have Multiple Roles Each with Different Set of Permissions Role-Based Security Policy Flexible in both Management and Usage Issues for RBAC and DCP Who Creates the Roles? Who Determines Permissions (Access)? Who Assigns Users to Roles? Are there Constraints Placed on Users Within Those Roles? Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
Information Sharing and Security Mandatory Access Control What is Mandatory Access Control (MAC)? Restrict Access to Information, Resources, Based on Sensitivity Level (Classification) Classified Information - MAC Required If Clearance (of User) Dominates Classification, Access is Allowed MAC and DCP MAC will be Present in Coalition Assets Need to Support MAC of US and Partners Partners have Different Levels/Labels Need to Reconcile Levels/Labels of Coalition Partners (which Include Past Adversaries!) Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
Information Sharing and Security Other Issues Intrusion Detection Not Prevention Intrusion Types: Trojan Horse, Data Manipulation, Snooping Defense: Tracking and Accountability Survivability Reliability and Accessibility Redundancy Cryptography Fundamental to Security Implementation Details (key distribution) Next, we will bring together the concept of this lookup service and security, specifically, role-based security. Current - requires programmer intervention - does not consider role Goal - off slide Approach - use facets and capabilities of a distributed resource environment as conceptual underpinnings to construct a set of resources for role-based security definition, authorization, authentication, and enforcement. - create resources to set up and enforce security policy - The resources are: above
Conclusions and Ongoing Work Explored Information Sharing Issues Defined the Dynamic Coalition Problem Discussed Coalition Participants Examined GCCS and Needed Improvements Offered Candidate Security Approach Related/Ongoing Research Includes Support for Mandatory Access Controls Role Deconfliction and Mutual Exclusion User Constraints User Role Delegation Authority www.engr.uconn.edu/~steve/DSEC/dsec.html