
DCP-1 CSE333

Information Sharing and Security in Dynamic Coalitions

Steven A. Demurjian
Computer Science & Engineering Department
371 Fairfield Road, Box U-2155
The University of Connecticut
Storrs, Connecticut 06269-2155
http://www.engr.uconn.edu/~steve
[email protected]

DCP-2 CSE333

Overview of Presentation

• The Dynamic Coalition Problem
  • Civilian Organizations
  • Military Involvement/GCCS
• Information Sharing and Security
  • Federating Resources
  • Data Integrity
  • Access Control (DAC and MAC)
  • Other Critical Security Issues
• Stepping Back
  • Security Issues for Distributed and Component-Based Applications
• Conclusions and Future Work

DCP-3 CSE333

Crisis and Coalitions

• A Crisis is Any Situation Requiring National or International Attention as Determined by the President of the United States or UN
• A Coalition is an Alliance of Organizations: Military, Civilian, International or any Combination
• A Dynamic Coalition is Formed in a Crisis and Changes as the Crisis Develops, with the Key Concern Being the Most Effective way to Solve the Crisis
• Dynamic Coalition Problem (DCP) is the Inherent Security, Resource, and/or Information Sharing Risks that Occur as a Result of the Coalition Being Formed Quickly

DCP-4 CSE333

Near Simultaneous Crises

[Figure: crisis points reporting to NATO HQ: Ship Wreck (UK, SP), Olympic Games, Bosnia (NATO), Kosovo (US, UK), Earthquake (United Nations)]

DCP-5 CSE333

Crises in 2005

• Tidal Wave in Southeast Asia
• Hurricanes in US
  • Katrina – Louisiana and Mississippi
  • Rita – Texas and Louisiana
• Mudslides in Guatemala
• Earthquake in Pakistan/India

Key Questions
• How do we React to Such Crises?
• What is the Potential Role for Computer Scientists and Engineers in the Process?
• Can we Automate the Interactions Required for the Critical Computing Infrastructure?

DCP-6 CSE333

Emergent Need for Coalitions

“Coalitions must be flexible and no one coalition is or has the answer to all situations.”
» Secretary of Defense, Donald Rumsfeld

“Whenever possible we must seek to operate alongside alliance or coalition forces, integrating their capabilities and capitalizing on their strengths.”
» U.S. National Security Strategy

“Currently, there is no automated capability for passing command and control information and situational awareness information between nations except by liaison officer, fax, telephone, or loaning equipment.”
» Undersecretary of Defense for Advanced Technology

DCP-7 CSE333

The Dynamic Coalition Problem (DCP)

Dynamic Coalition Problem (DCP) is the Inherent Security, Resource, and/or Information Sharing Risks that Occur as a Result of the Coalition Being Formed Quickly

• Private Organizations (PVO)
  • Doctors Without Borders
  • Red Cross
• Non-Government Organizations (NGO)
  • State and Local Government
  • Press Corps
• Government Agencies
  • FBI, CIA, FEMA, CDC, etc.
  • Military

DCP-8 CSE333

Supporting Advanced Applications: DCP Objectives for Crisis

• Federate Users Quickly and Dynamically
• Bring Together Resources (Legacy, COTS, GOTS, DBs, etc.) Without Modification
• Dynamically Realize/Manage Simultaneous Crises
• Identify Users by Roles to Finely Tune Access
• Authorize, Authenticate, and Enforce a Scalable Security Policy that is Flexible in Response to Coalition Needs
• Provide a Security Solution that is Portable, Extensible, and Redundant for Survivability
• Include Management/Introspection Capabilities to Track and Monitor System Behavior

DCP-9 CSE333

DCP: Coalition Architecture

[Figure: resources provide services, clients use services]
• Resources: GCCS (US), NGO/PVO Resource, LFCS (Canada), SICF (France), HEROS (Germany), SIACCON (Italy), NATO Database, U.S. Legacy System, COTS
• Clients: French Air Force, U.S. Navy, U.S. Army, German COTS, NATO SYS, Federal Agencies (FEMA, FBI, CIA, etc.), NGO/PVO (Red Cross, NYPD, etc.)

DCP-10 CSE333

DCP: Joint and Combined Information Flow

[Figure: service and coalition C2 systems connected through the GCCS Common Operating Environment]
• Navy: GCCS-N, JMCIS; Marines: GCCS-M, TCO; Air Force: GCCS-AF, TBMCS
• Army: GCCS-A and ABCS (MCS, ASAS, CSSCS, FAADC2I, AFATDS, FBCB2) from Corps through Division, Brigade and Battalion (BSA TOC), with an adjacent Joint Task Force
• NATO Systems and Coalition Systems of Coalition Partners
• Joint: Marines, Navy, Air Force, Army
• Combined: Many Countries

DCP-11 CSE333

DCP: Combined Information Flow

[Figure: GCCS (Joint/Coalition) functional areas around a Combined Database: Maneuver, Logistics, Air Defense/Air Operations, Fire Support, Network and Resource Management, Intelligence]

DCP-12 CSE333

DCP: Coalition Artifacts and Information Flow – Military Engagement

[Figure: U.S. Global C2 Systems: GCCS (Joint Command System); Marine Corps (Combat Operations System); Navy; Air Force (Battle Management System); Army C2: GCCS-A and ABCS (Army Battle Command System: MCS, ASAS, CSSCS, FAAD, AFATDS, Other); Dynamic Coalition: U.N., U.S.A., NGO/PVO, NATO]

GOAL: Leverage information in a fluid, dynamic environment

DCP-13 CSE333

DCP: Coalition Artifacts and Information Flow – Civilian Engagement

[Figure: participants in a civilian medical crisis: Govt., Transportation, Military Medics, Local Health Care, CDC, Pharma. Companies, MDs without Borders, Red Cross, RNs, EMTs, MDs, State Health, Other]

ISSUES: Privacy vs. Availability in Medical Records; Support Life-Threatening Situations via Availability of Patient Data on Demand

DCP-14 CSE333

DCP: Global Command and Control System

[Figure: Global C2 Systems (client/server) over SATCOM and Mobile Subscriber Equipment/Data Radio linking Maneuver Control, Intel, Air Defence, Artillery, Topo, Met, Mission Planning and Support nodes, down the Tactical Internet to Company, Platoon and Squad (FBCB2/EBC, Battlefield C2 System / Embedded Battle Command), producing Situational Awareness]

GCCS Provides:
• Horizontal and Vertical Integration of Information to Produce a Common Picture of the Battlefield
• 20 separate automated systems
• 625 locations worldwide
• private network

DCP-15 CSE333

DCP: Global Command and Control System

Joint Services (a.k.a.):
• Weather (METOC)
• Video Teleconference (TLCF)
• Joint Operations Planning and Execution System (JOPES)
• Common Operational Picture (COP)
• Transportation Flow Analysis (JFAST)
• Logistics Planning Tool (LOGSAFE)
• Defense Message System (DMS)
• NATO Message System (CRONOS)

Component Services:
• Army Battle Command System (ABCS)
• Air Force Battle Management System (TBMCS)
• Marine Combat Operations System (TCO)
• Navy Command System (JMCIS)

DCP-16 CSE333

DCP: Global Command and Control System

[Figure: Common Picture / Common Operational Picture]

DCP-17 CSE333

DCP: Critical Requirements

• Difficult to Establish Roles
  • Requires Host Administrator
  • Not Separate Roles
• No Time Controllable Access
  • Time Limits on Users
  • Time Limits on Resource Availability
  • Time Limits on Roles
• No Value Constraints
  • Unlimited Common Operational Picture
  • Unlimited Access to Movement Information
• Difficult to Federate Users and Resources
  • U.S. Only System
  • Private Network (Not Multi-Level Secure)

DCP-18 CSE333

GCCS Shortfalls: User Roles

• Currently, GCCS Users have a Static Profile Based on Position/Supervisor/Clearance Level
  • Granularity Gives “Too Much Access”
  • Profile Changes are Difficult to Make; Changes Done by System Admin., Not Security Officer
• What Can User Roles Offer to GCCS?
  • User Roles are Valuable Since They Allow Privileges to be Based on Responsibilities
  • Security Officer Controls Requirements
  • Support for Dynamic Changes in Privileges
  • Towards Least Privilege

DCP-19 CSE333

Non-Military Crisis: User Roles

• Emergent Crisis (Katrina) Requires a Response
• Some Critical Issues
  • Who’s in Charge?
  • Who is Allowed to do What?
  • Who can Mobilize Governmental Resources?
• Roles can Help:
  • Role for Crisis Commander
  • Roles for Crisis Participants
  • Roles Dictate Control over Resources
• For Katrina: Lack of Leadership & Defined Roles
  • Army Corps of Engineers Only Allowed to Repair Levees, Not Upgrade and Change Them

DCP-20 CSE333

GCCS Shortfalls: Time Controlled Access

• Currently, in GCCS, User Profiles are Indefinite with Respect to Time
  • Longer than a Single Crisis
  • Difficult to Distinguish in Multiple Crises
  • No Time Controllable Access on Users or GCCS Resources
• What can Time Constrained Access Offer GCCS?
  • Junior Planners: Air Movements of Equipment Weeks before Deployment
  • Senior Planners: Adjustment in Air Movements Near and During Deployment
  • Similar Actions are Constrained by Time Based on Role

DCP-21 CSE333

Non-Military Crisis: Time Controlled Access

• Multiple Crises Require the Ability to Distinguish Between Roles Based on Time and Crisis
• Occurrence of Rita (one Crisis) Impacted the Ongoing Crisis (Katrina)
• Need to Manage Simultaneous Crises w.r.t. Time
  • Different Roles Available at Different Times within Different Crises
  • Role Might be “Finishing” in one Crisis (e.g., First Response Role) and “Starting” in Another
  • Individual May Play Different Roles in Different Crises
  • Individual May Play the Same Role with Different Duration in Time w.r.t. its Activation

DCP-22 CSE333

GCCS Shortfalls: Value Based Access

• Currently, in GCCS, Controlled Access Based on Information Values is Difficult to Achieve
  • Unlimited Viewing of Common Operational Picture (COP)
  • Unlimited Access to Movement Information
  • Attempts to Constrain would have to be Programmatic, which is Problematic!
• What can Value-Based Access Offer to GCCS?
  • In COP, Constrain Display of Friendly and Enemy Positions
  • Limit Map Coordinates Displayed
  • Limit Tier of Display (Deployment, Weather, etc.)

DCP-23 CSE333

Non-Military Crisis: Value Based Access

• In Katrina/Rita, What People can See and Do May be Limited Based on Role
  • Katrina Responders Limited to Katrina Data
  • Rita Responders Limited to Rita Data
  • Some Responders (Army Corps of Engineers) May Need Both to Coordinate Activities
• Within Each Crisis, Information is Also Limited
  • Some Katrina Roles (Commander, Emergency Responders, etc.) see All Data
  • Other Katrina Roles Limited (Security Deployment Plans Not Available to All)
• Again, Customization is Critical
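The three shortfalls of slides DCP-18 through DCP-23 (roles owned by a security officer rather than a host administrator, role activation bounded in time and tied to one crisis, and value constraints on what a role may see in the COP) fit in one small policy engine. The following is an added example written for these notes; it is not GCCS code and not the author's. The crisis names, role names, users, bounding boxes, display tiers and dates are constructed for illustration.

```python
"""Added example (not from the original slides): a policy engine combining
security-officer-defined roles, per-crisis time-limited role activation, and
value constraints on COP access. All names, coordinates and dates are
constructed for illustration and are not taken from GCCS."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ValueConstraint:
    """Value-based limit on a permission: a lat/lon bounding box and the
    COP display tiers (deployment, weather, security_plans, ...) allowed."""
    lat_range: Tuple[float, float]
    lon_range: Tuple[float, float]
    tiers: frozenset

    def allows(self, lat: float, lon: float, tier: str) -> bool:
        return (self.lat_range[0] <= lat <= self.lat_range[1]
                and self.lon_range[0] <= lon <= self.lon_range[1]
                and tier in self.tiers)


@dataclass(frozen=True)
class Permission:
    resource: str                                   # e.g. "COP"
    action: str                                     # e.g. "view"
    constraint: Optional[ValueConstraint] = None    # None = unconstrained


@dataclass(frozen=True)
class Activation:
    """A user holds a role for exactly one crisis during [start, end)."""
    user: str
    role: str
    crisis: str
    start: datetime
    end: datetime


class CrisisPolicy:
    def __init__(self) -> None:
        self.roles: Dict[str, Set[Permission]] = {}
        self.activations: List[Activation] = []

    # The security officer defines roles; no host administrator is involved.
    def define_role(self, role: str, perms: List[Permission]) -> None:
        self.roles[role] = set(perms)

    def assign(self, user: str, role: str, crisis: str,
               start: datetime, end: datetime) -> None:
        if role not in self.roles:
            raise KeyError(f"undefined role {role!r}")
        if end <= start:
            raise ValueError("activation window must be non-empty")
        self.activations.append(Activation(user, role, crisis, start, end))

    def active_roles(self, user: str, crisis: str, at: datetime) -> Set[str]:
        """Roles the user holds in this crisis at this instant. A role held
        for Katrina says nothing about Rita, and it expires with its window."""
        return {a.role for a in self.activations
                if a.user == user and a.crisis == crisis
                and a.start <= at < a.end}

    def check(self, user: str, crisis: str, at: datetime, resource: str,
              action: str, lat: Optional[float] = None,
              lon: Optional[float] = None, tier: Optional[str] = None) -> bool:
        """Default deny: allow only if some active role grants the action
        and its value constraint (if any) admits the requested values."""
        for role in self.active_roles(user, crisis, at):
            for p in self.roles[role]:
                if p.resource != resource or p.action != action:
                    continue
                if p.constraint is None:
                    return True
                if lat is None or lon is None or tier is None:
                    continue  # a constrained permission cannot be judged without values
                if p.constraint.allows(lat, lon, tier):
                    return True
        return False


def build_katrina_rita_policy() -> CrisisPolicy:
    """Constructed sample policy for the two 2005 hurricanes."""
    louisiana = ValueConstraint((28.9, 33.1), (-94.1, -88.8),
                                frozenset({"deployment", "weather"}))
    texas_gulf = ValueConstraint((26.0, 31.0), (-98.0, -93.5),
                                 frozenset({"deployment", "weather"}))
    pol = CrisisPolicy()
    pol.define_role("RESPONDER_KATRINA", [Permission("COP", "view", louisiana)])
    pol.define_role("RESPONDER_RITA", [Permission("COP", "view", texas_gulf)])
    pol.define_role("CRISIS_COMMANDER", [Permission("COP", "view")])  # sees all data
    d = datetime
    pol.assign("alice", "RESPONDER_KATRINA", "Katrina", d(2005, 8, 29), d(2005, 10, 1))
    pol.assign("bob", "CRISIS_COMMANDER", "Katrina", d(2005, 8, 29), d(2005, 12, 1))
    # Army Corps of Engineers staff needs both crises to coordinate.
    pol.assign("carol", "RESPONDER_KATRINA", "Katrina", d(2005, 8, 29), d(2005, 12, 1))
    pol.assign("carol", "RESPONDER_RITA", "Rita", d(2005, 9, 20), d(2005, 11, 1))
    return pol
```

The value constraint is evaluated by the policy, not by the application, which is the point of slide DCP-22: the COP client passes the coordinates and tier it wants to render and receives a yes/no, so constraining the picture does not require programmatic changes to the client.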

DCP-24 CSE333

GCCS Shortfalls: Federation Needs

• Currently, GCCS is Difficult to Use for DCP
  • Difficult to Federate Users and Resources
  • U.S. Only System
  • Incompatibility in Joint and Combined Contexts
  • Private Network (Not Multi-Level Secure)
• What are the Security/Federation Needs for GCCS?
  • Quick Administration While Still Constraining US and Non-US Access
  • Employ Middleware for Flexibility/Robustness
  • Security Definition/Enforcement Framework
  • Extend GCCS for Coalition Compatibility that Respects Coalition and US Security Policies

DCP-25 CSE333

Non-Military Crisis: Federation Needs

• Crisis May Dictate Federation Capabilities
• Katrina
  • Devastated Basic Communication at All Levels
  • There was No Need to Federate Computing Systems at the Crisis Location, with No Power, etc.
• Rita
  • Crisis Known Well in Advance
  • However, This Didn’t Prevent a Disorganized Evacuation, 10+ Hour Highway Waits, Running out of Fuel
• Federation Must Coordinate Critical Resources

DCP-26 CSE333

Information Sharing and Security: Federated Resources

[Figure: resources feeding a Common Picture: JSTARS, Unmanned Aerial Vehicle, Satellites, Bradley/EBC (Embedded Battle Command), ABCS, Forward Support Element (Ammo/Fuel/Refit), Command & Control Vehicles, Army Airborne Command & Control System; Embedded Battle Command for Air Defence, Intel Fusion, Maneuver Control, Personnel and Logistics, Field Artillery; Army Battle Command System, Embedded Command System]

DCP-27 CSE333

Information Sharing and Security: Syntactic Considerations

• Syntax is the Structure and Format of the Information That is Needed to Support a Coalition
• Incorrect Structure or Format Could Result in Anything from a Simple Error Message to a Catastrophic Event
• For Sharing, Strict Formats Need to be Maintained
• In the US Military, Message Formats Include
  • Heading and Ending Section
  • Text Body of Actual Message
  • United States Message Text Formats (USMTF): 128 Different Message Formats
• Problem: Formats Non-Standard Across Different Branches of Military and Countries

DCP-28 CSE333

Information Sharing and Security: Semantics Concerns

• Semantics (Meaning and Interpretation)
  • USMTF: Different Format, Different Meaning
  • Each of the 128 Messages has a Semantic Interpretation
  • Communicate Logistical, Intelligence, and Operational Information
• Semantic Problems
  • NATO and US: Different Message Formats
  • Different Interpretation of Values
    • Distances (Miles vs. Kilometers)
    • Grid Coordinates (Mils, Degrees)
    • Maps (Grid, True, and Magnetic North)
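Slides DCP-27 and DCP-28 separate two failures: a message that is syntactically wrong should be refused, and a message that is syntactically fine but carries a number in a different unit should be reinterpreted, not taken at face value. The following added example (written for these notes, not from the slides or from any fielded system) does both for a constructed slash-delimited set/field format. The layout is only loosely modelled on the USMTF style the slides mention; the set names, field order, regexes and units are assumptions for this example and are not the USMTF specification.

```python
"""Added example (not from the original slides): strict syntax check plus
unit normalisation for a constructed set/field message format. The format,
set names and field rules are assumptions made for this example, not USMTF."""
import re
from typing import Dict, List, Tuple

# Schema: set name -> ordered (field name, regex) pairs. Every set is
# mandatory and must appear in this order; anything else is a syntax error.
SCHEMA: List[Tuple[str, List[Tuple[str, str]]]] = [
    ("MSGID", [("msg_type", r"[A-Z]+"), ("originator", r"[A-Z0-9]+"),
               ("serial", r"\d{3}")]),
    ("POSN",  [("lat", r"-?\d{1,2}\.\d+"), ("lon", r"-?\d{1,3}\.\d+")]),
    ("RANGE", [("value", r"\d+(\.\d+)?"), ("unit", r"KM|MI|NM")]),
    ("BRG",   [("value", r"\d+(\.\d+)?"), ("unit", r"DEG|MILS")]),
]

KM_PER_UNIT = {"KM": 1.0, "MI": 1.609344, "NM": 1.852}
DEG_PER_MIL = 360.0 / 6400.0        # NATO mil: 6400 mils per full circle


class MessageError(ValueError):
    pass


def parse(text: str) -> Dict[str, Dict[str, str]]:
    """Syntactic check: reject missing, extra, misordered or malformed sets
    rather than guessing. A malformed message is refused, never repaired."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) != len(SCHEMA):
        raise MessageError(f"expected {len(SCHEMA)} sets, got {len(lines)}")
    out: Dict[str, Dict[str, str]] = {}
    for line, (set_name, fields) in zip(lines, SCHEMA):
        if not line.endswith("//"):
            raise MessageError(f"set not terminated with '//': {line}")
        parts = line[:-2].split("/")
        if parts[0] != set_name:
            raise MessageError(f"expected set {set_name}, got {parts[0]}")
        if len(parts) - 1 != len(fields):
            raise MessageError(f"{set_name}: expected {len(fields)} fields")
        rec: Dict[str, str] = {}
        for (fname, pattern), value in zip(fields, parts[1:]):
            if not re.fullmatch(pattern, value):
                raise MessageError(f"{set_name}/{fname}: bad value {value!r}")
            rec[fname] = value
        out[set_name] = rec
    return out


def normalise(msg: Dict[str, Dict[str, str]]) -> Dict[str, float]:
    """Semantic step: same syntax, different meaning of the numbers.
    Convert to one agreed unit system so 10 MI and 16.093 KM coincide."""
    rng = msg["RANGE"]
    brg = msg["BRG"]
    range_km = float(rng["value"]) * KM_PER_UNIT[rng["unit"]]
    bearing_deg = float(brg["value"]) * (DEG_PER_MIL if brg["unit"] == "MILS" else 1.0)
    return {
        "lat": float(msg["POSN"]["lat"]),
        "lon": float(msg["POSN"]["lon"]),
        "range_km": round(range_km, 3),
        "bearing_deg": round(bearing_deg % 360.0, 3),
    }


def validate(text: str) -> Tuple[bool, str]:
    """(ok, error) wrapper for callers that must not crash on a bad message."""
    try:
        parse(text)
        return True, ""
    except MessageError as e:
        return False, str(e)


# Constructed sample messages: a partner reporting in miles and mils, and
# one with an unknown bearing unit that must be refused.
PARTNER_MSG = """
MSGID/SITREP/FRAF01/007//
POSN/44.500/-0.600//
RANGE/10/MI//
BRG/1600/MILS//
"""

BAD_MSG = """
MSGID/SITREP/FRAF01/008//
POSN/44.500/-0.600//
RANGE/10/MI//
BRG/1600/GRADS//
"""
```

Refusing rather than repairing is deliberate: a bearing of 1600 silently read as degrees (wrapping to 160°) instead of mils (90°) is exactly the "catastrophic event" case on slide DCP-27.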

DCP-29 CSE333

Information Sharing and Security: Syntactic & Semantic Considerations

• What’s Available to Support Information Sharing?
• How do we Ensure that Information can be Accurately and Precisely Exchanged?
• How do we Associate Semantics with the Information to be Exchanged?
• What Can we Do to Verify the Syntactic Exchange and that Semantics are Maintained?
• Can Information Exchange Facilitate Federation?
• How do we Deal with Exchange to/from Legacy Applications?
• Can this be Handled Dynamically? Or, Must we Statically Solve Information Sharing in Advance?

DCP-30 CSE333

Information Sharing and Security: Pragmatics Issues

• Pragmatics Require that we Totally Understand Information Usage and Information Meaning
• Key Questions Include:
  • What are the Critical Information Sources?
  • How will Information Flow Among Them?
  • What Systems Need Access to these Sources?
  • How will that Access be Delivered?
  • Who (People/Roles) will Need to See What, When?
  • How will What a Person Sees Impact Other Sources?

DCP-31 CSE333

Information Sharing and Security: Pragmatics Issues

• Pragmatics: the Way that Information is Utilized and Understood in its Specific Context
• For Example, in GCCS:

[Figure: TOC-1 and TOC 2 (A-Cell, B-Cell) of M-1068 vehicles, a mixture of clients and servers, linked over a Tactical WAN]
• Intra-TOC: ACDB DB Synchronization (RPC-based SR)
• Inter-TOC: Messaging (VMF, USMTF, Situation Awareness, BFA unique); Files and DB Snapshots (Unicast FTP, Multicast FTP, E-mail, Global Broadcast Satellite (GBS)); Database Replication
• Operational Challenges: Autonomy, Jump TOCs, Split TOCs, Survivability, Bandwidth Contention, Scalability

DCP-32 CSE333

Information Sharing and Security: Pragmatics Issues

Pragmatics in GCCS

[Figure: division communications laydown (Division Slice): DIV CDR (A2C2S, C2V), DMAIN, DTAC, DIV REAR, DIVARTY, DISCOM, 1st through 4th BDE with maneuver battalions, cavalry squadron, aviation battalions, engineer, field artillery and forward support battalions, 124th SIG BN, 404 ASB, 704 MSB, and a Theater Injection Point (TIP); functional cells for Info/Intel/Plans, Sustainment, Mobility and TGT/Fires; links via DSCS, HCLOS, SEN/LEN, GBS, data radio (DR), BVTC/VTel, SINCGARS (FS) and EPLRS (AD). Note: 3rd BDE not part of 1DD in Sep 2000.]

Node Estimate
• Current FDD laydown has 53 autonomous Command Post/TOCs (i.e., nodes)
• For a full Corps >200 nodes

Basic Distribution Requirement
• Distribution Policies
• Automation & Notification
• User Controls
• Transport Mechanisms
• System and Process Monitors
• Security, Logs, and Archives

Distribution Policy
• What
• When
• Where
• How: Prioritized, Encrypted, Network

DCP-33 CSE333

Information Sharing and Security: Data Integrity

• Concerns: Consistency, Accuracy, Reliability
• Accidental Errors
  • Crashes, Concurrent Access, Logical Errors
  • Actions: Integrity Constraints, GUIs, Redundancy
• Malicious Errors
  • Not Totally Preventable
  • Actions: Authorization, Authentication, Enforcement Policy; Concurrent Updates to Backup DBs; Dual Homing

DCP-34 CSE333

Information Sharing and Security: Discretionary Access Control

• What is Discretionary Access Control (DAC)?
  • Restricts Access to Objects Based on the Identity of Group and/or Subject
  • Discretion with Access Permissions Supports the Ability to “Pass-on” Permissions
• DAC and DCP
  • Pass-on from Subject to Subject is a Problem
  • Information Could be Passed from Subject (Owner) to Subject to a Party Who Should be Restricted
  • For Example, Local Commanders Can’t Release Information; They Rely on the Discretion of a Foreign Disclosure Officer
  • Pass-on of DAC Must be Carefully Controlled!
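"Carefully controlled" pass-on can be made concrete: each grant records whether the grantee may delegate further, the chain length is bounded, and any grant that would reach a non-US subject is refused unless a Foreign Disclosure Officer has released that object to that nationality first, so the local commander cannot release on his own discretion. The following is an added example written for these notes, not code from the slides or from GCCS; the subjects, nationalities, object names, depth limit and the FDO approval record are constructed for illustration.

```python
"""Added example (not from the original slides): DAC with controlled pass-on.
Subjects, objects, nationalities and the FDO release model are constructed
for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Subject:
    name: str
    nation: str           # "US", "FR", ...
    is_fdo: bool = False  # holds Foreign Disclosure Officer authority


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    obj: str
    right: str
    delegable: bool       # may the grantee pass this right on?
    depth: int            # 0 for the owner's own grant, +1 per pass-on


class DacStore:
    MAX_DEPTH = 2         # owner -> A -> B, and no further

    def __init__(self) -> None:
        self.subjects: Dict[str, Subject] = {}
        self.owners: Dict[str, str] = {}
        self.grants: List[Grant] = []
        self.releases: Set[Tuple[str, str]] = set()   # (obj, nation) released by an FDO
        self.audit: List[str] = []                    # accountability trail

    def add_subject(self, s: Subject) -> None:
        self.subjects[s.name] = s

    def create(self, owner: str, obj: str) -> None:
        self.owners[obj] = owner

    def fdo_release(self, fdo: str, obj: str, nation: str) -> None:
        """Only a Foreign Disclosure Officer can release an object to a nation."""
        if not self.subjects[fdo].is_fdo:
            raise PermissionError(f"{fdo} is not a Foreign Disclosure Officer")
        self.releases.add((obj, nation))
        self.audit.append(f"FDO {fdo} released {obj} to {nation}")

    def _held(self, subj: str, obj: str, right: str) -> Optional[Grant]:
        for g in self.grants:
            if g.grantee == subj and g.obj == obj and g.right == right:
                return g
        return None

    def grant(self, grantor: str, grantee: str, obj: str, right: str,
              delegable: bool = False) -> bool:
        """The owner grants at depth 0. Anyone else needs a delegable grant of
        the same right, the chain must stay within MAX_DEPTH, and a foreign
        grantee needs a prior FDO release. Every decision is logged."""
        target = self.subjects[grantee]
        if self.owners.get(obj) == grantor:
            depth = 0
        else:
            held = self._held(grantor, obj, right)
            if held is None or not held.delegable:
                self.audit.append(f"DENY {grantor}->{grantee} {right} {obj}: no delegable right")
                return False
            depth = held.depth + 1
            if depth > self.MAX_DEPTH:
                self.audit.append(f"DENY {grantor}->{grantee} {right} {obj}: chain too long")
                return False
        if target.nation != "US" and (obj, target.nation) not in self.releases:
            self.audit.append(f"DENY {grantor}->{grantee} {right} {obj}: no FDO release to {target.nation}")
            return False
        self.grants.append(Grant(grantor, grantee, obj, right, delegable, depth))
        self.audit.append(f"ALLOW {grantor}->{grantee} {right} {obj} depth={depth}")
        return True

    def can(self, subj: str, obj: str, right: str) -> bool:
        return self.owners.get(obj) == subj or self._held(subj, obj, right) is not None
```

The FDO check applies to the owner too: under this model the commander who owns a movement plan still cannot hand it to a French liaison until the object has been released to "FR", which is the separation of duties the slide describes.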

DCP-35 CSE333

Information Sharing and Security: Role Based Access Control

• What is Role Based Access Control (RBAC)?
  • Roles Provide a Means for Permissions to Objects and Resources, Based on Responsibilities
  • Users May have Multiple Roles, Each with a Different Set of Permissions
  • Role-Based Security Policy is Flexible in both Management and Usage
• Issues for RBAC and DCP
  • Who Creates the Roles?
  • Who Determines Permissions (Access)?
  • Who Assigns Users to Roles?
  • Are there Constraints Placed on Users Within Those Roles?

DCP-36 CSE333

Information Sharing and Security: Mandatory Access Control

• What is Mandatory Access Control (MAC)?
  • Restricts Access to Information and Resources Based on Sensitivity Level (Classification)
  • Classified Information: MAC Required
  • If the Clearance (of the User) Dominates the Classification, Access is Allowed
• MAC and DCP
  • MAC will be Present in Coalition Assets
  • Need to Support MAC of US and Partners
  • Partners have Different Levels/Labels
  • Need to Reconcile Levels/Labels of Coalition Partners (which Include Past Adversaries!)
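The dominance rule on this slide is a lattice comparison, and reconciling partner labels means translating each partner's native markings onto one shared lattice before comparing. The following added example (written for these notes, not from the slides) does that with levels plus compartments, applies read-down and write-up, and fails closed on any marking it cannot translate. The common lattice, the mapping of the US and NATO markings onto it, the compartment names and the sample requests are assumptions for this example, not an official equivalence table.

```python
"""Added example (not from the original slides): MAC dominance over a
(level, compartments) lattice with reconciliation of partner markings.
The lattice and the marking tables are assumptions for this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

# Common lattice: ordinal rank of each level on the shared scale.
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "RESTRICTED": 1,
                          "CONFIDENTIAL": 2, "SECRET": 3, "TOP SECRET": 4}

# Hypothetical per-partner mapping of native markings onto the common lattice.
PARTNER_MARKINGS: Dict[str, Dict[str, str]] = {
    "US":   {"U": "UNCLASSIFIED", "C": "CONFIDENTIAL", "S": "SECRET", "TS": "TOP SECRET"},
    "NATO": {"NATO UNCLASSIFIED": "UNCLASSIFIED", "NATO RESTRICTED": "RESTRICTED",
             "NATO CONFIDENTIAL": "CONFIDENTIAL", "NATO SECRET": "SECRET",
             "COSMIC TOP SECRET": "TOP SECRET"},
}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def reconcile(partner: str, marking: str, compartments: Iterable[str] = ()) -> Optional[Label]:
    """Translate a partner's native marking to the common lattice.
    Returns None for an unknown partner or marking; callers must then deny."""
    table = PARTNER_MARKINGS.get(partner)
    if table is None or marking not in table:
        return None
    return Label(table[marking], frozenset(compartments))


def mac_read_allowed(clearance: Optional[Label], classification: Optional[Label]) -> bool:
    """Simple security (read down): clearance must dominate classification.
    An unknown label on either side denies."""
    if clearance is None or classification is None:
        return False
    return clearance.dominates(classification)


def mac_write_allowed(clearance: Optional[Label], classification: Optional[Label]) -> bool:
    """*-property (write up): the target's classification must dominate the
    subject's clearance, so SECRET data cannot be copied into a CONFIDENTIAL
    coalition feed."""
    if clearance is None or classification is None:
        return False
    return classification.dominates(clearance)


def coalition_access(subject_partner: str, subject_marking: str, subject_comps: Iterable[str],
                     object_partner: str, object_marking: str, object_comps: Iterable[str],
                     action: str) -> bool:
    """Decide one cross-partner request after reconciling both labels."""
    subj = reconcile(subject_partner, subject_marking, subject_comps)
    obj = reconcile(object_partner, object_marking, object_comps)
    if action == "read":
        return mac_read_allowed(subj, obj)
    if action == "write":
        return mac_write_allowed(subj, obj)
    return False
```

Compartments are what make the "past adversaries" caveat enforceable: a partner cleared NATO SECRET still cannot read a US SECRET object carrying a compartment that partner was never read into, even though the levels match.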

DCP-37 CSE333

Information Sharing and Security: Other Issues

• Intrusion Detection
  • Not Prevention
  • Intrusion Types: Trojan Horse, Data Manipulation, Snooping
  • Defense: Tracking and Accountability
• Survivability
  • Reliability and Accessibility
  • Defense: Redundancy
• Cryptography
  • Fundamental to Security
  • Implementation Details (Key Distribution)

DCP-38 CSE333

A Service-Based Security Architecture

[Figure]

DCP-39 CSE333

Required Security Checks

[Figure]

DCP-40 CSE333

Stepping Back: Security for Distributed Environments

• Background and Motivation
  • What are Key Distributed Security Issues?
  • What are Major/Underlying Security Concepts?
  • What are Available Security Approaches?
• Identifying Key Distributed Security Requirements
• Frame the Solution Approach
• Outline UConn Research Emphasis:
  • Secure Software Design (UML and AOSD)
  • Middleware-Based Realization (CORBA/JINI)
  • Information Exchange via XML


Security for Distributed Applications
[Figure: Legacy, COTS and Database servers and Java Clients connected over a NETWORK]
- How is Security Handled for Individual Systems?
- What about Distributed Security?
- Security Issues for New Clients? New Servers? Across Network?
- What if Security Never Available for Legacy/COTS/Database?
- Security Policy, Model, and Enforcement?


DC for Military Deployment/Engagement
[Figure: coalition participants (U.N., U.S.A., NGO/PVO, NATO) around U.S. Global C2 Systems: GCCS, the Battle Management System, the Joint Command System, the Army Battle Command System (ABCS: MCS, ASAS, CSSCS, FADD, AFATDS, GCCS-A, Other) and the Combat Operations System of the Army, Navy, Air Force and Marine Corps; partner systems LFCS (Canada), SICF (France), HEROS (Germany), SIACCON (Italy)]
OBJECTIVES:
- Securely Leverage Information in a Fluid Environment
- Protect Information While Simultaneously Promoting the Coalition
- Security Infrastructure in Support of DCP


DC for Medical Emergency
[Figure: participants in a medical-emergency coalition: Govt., Transportation, Military Medics, Local Health Care, CDC, Pharma. Companies, MDs w/o Borders, Red Cross, RNs, EMTs, MDs, State Health, Other]
ISSUES:
- Privacy vs. Availability in Medical Records
- Support Life-Threatening Situations via Availability of Patient Data on Demand


Security Issues: Confidence in Security
Assurance
- Do Security Privileges for Each User Support their Needs?
- What Guarantees are Given by the Security Infrastructure in Order to Attain:
  - Safety: Nothing Bad Happens During Execution
  - Liveness: All Good Things can Happen During Execution
Consistency
- Are the Defined Security Privileges for Each User Internally Consistent? Least-Privilege Principle
- Are the Defined Security Privileges for Related Users Globally Consistent? Mutual-Exclusion


Security for Coalitions
- Dynamic Coalitions will play a Critical Role in Homeland Security during Crisis Situations
- Critical to Understand the Security Issues for Users and Systems of Dynamic Coalitions
- Multi-Faceted Approach to Security
  - Attaining Consistency and Assurance at Policy Definition and Enforcement
  - Capturing Security Requirements at Early Stages via UML Enhancements/Extensions
  - Providing a Security Infrastructure that Unifies RBAC and MAC for Distributed Setting


Four Categories of Questions
- Questions on Software Development Process
  - Security Integration with Software Design
  - Transition from Design to Development
- Questions on Information Access and Flow
  - User Privileges key to Security Policy
  - Information for Users and Between Users
- Questions on Security Handlers and Processors
  - Manage/Enforce Runtime Security Policy
  - Coordination Across EC Nodes
- Questions on Needs of Legacy/COTS Appls.
  - Integrated, Interoperative Distributed Application will have New Apps., Legacy/COTS, Future COTS


Software Development Process Questions
- What is the Challenge of Security for Software Design?
  - How do we Integrate Security with the Software Design Process?
  - What Types of Security Must be Available?
- How do we Integrate Security into OO/Component Based Design?
  - Integration into OO Design?
  - Integration into UML Design?
- What Guarantees Must be Available in Process?
  - Assurance Guarantees re. Consistent Security Privileges?
  - Can we Support Security for Round-Trip and Reverse Engineering?


Software Development Process Questions
- What Techniques are Available for Security Assurance and Analysis?
  - Can we Automatically Generate Formal Security Requirements?
  - Can we Analyze Requirements for Inconsistency and Transition Corrections Back to Design?
- How do we Handle Transition from Design to Development?
- Can we Leverage Programming Languages in Support of Security for Development?
  - Subject-Oriented Programming?
  - Aspect-Oriented Programming?
  - Other Techniques?


Information Access and Flow Questions
- Who Can See What Information at What Time?
  - What Are the Security Requirements for Each User Against Individual Legacy/COTS Systems and for the Distributed Application?
- What Information Needs to Be Sent to Which Users at What Time?
  - What Information Should Be “Pushed” in an Automated Fashion to Different Users at Regular Intervals?


Information Access and Flow Questions
- What Information Needs to Be Available to Which Users at What Time?
  - What Information Needs to Be “Pulled” On-demand to Satisfy Different User Needs in Time-critical Situations?
- How Are Changing User Requirements Addressed Within the Distributed Computing Application?
  - Are User Privileges Static for the Distributed Computing Application?
  - Can User Privileges Change Based on the “Context” and “State” of the Application?


Security Handlers/Processing Questions
- What Security Techniques Are
  - Needed to Ensure That the Correct Information Is Sent to the Appropriate Users at the Right Time?
  - Necessary to Ensure That Exactly Enough Information and No More Is Available to Appropriate Users at Optimal Times?
  - Required to Allow As Much Information As Possible to Be Available on Demand to Authorized Users?


Security Handlers/Processing Questions
- How Does the Design by Composition of a Distributed Computing Application Impact Both the Security and Delivery of Information?
  - Is the Composition of Its “Secure” Components Also Secure, Thereby Allowing the Delivery of Information?
- Can We Design Reusable Security Components That Can Be Composed on Demand to Support Dynamic Security Needs in a Distributed Setting?
- What Is the Impact of Legacy/COTS Applications on Delivering the Information?


Security Handlers/Processing Questions
- How Does Distribution Affect Security Policy Definition and Enforcement?
- Are Security Handlers/Enforcement Mechanisms Centralized And/or Distributed to Support Multiple, Diverse Security Policies?
- Are There Customized Security Handlers/Enforcement Mechanisms at Different Levels of the Organizational Hierarchy?
  - Does the Organizational Hierarchy Dictate the Interactions of the Security Handlers for a Unified Enforcement Mechanism for the Entire Distributed System?


Legacy/COTS Applications Questions
- When Legacy/COTS Applications are Placed into a Distributed, Interoperable Environment:
  - At What Level, If Any, is Secure Access Available?
  - Does the Application Require That Secure Access Be Addressed?
  - How is Security Added if it is Not Present?
- What Techniques Are Needed to Control Access to Legacy/COTS?
- What is the Impact of New Programming Languages (Procedural, Object-oriented, Etc.) and Paradigms?


Focusing on MAC, DAC and RBAC
- For OO Systems/Applications, Focus on Potential Public Methods on All Classes
- Role-Based Approach:
  - Role Determines which Potential Public Methods are Available
  - Automatically Generate Mechanism to Enforce the Security Policy at Runtime
  - Allow Software Tools to Look-and-Feel Different Dynamically Based on Role
- Extend in Support of MAC (Method and Data Levels) and DAC (Delegation of Authority)


Legacy/COTS Applications
- Interoperability of Legacy/COTS in a Distributed Environment
- Security Issues in Interoperative, Distributed Environment
  - Can MAC/DAC/RBAC be Exploited?
  - How are OO Legacy/COTS Handled?
  - How are Non-OO Legacy/COTS Handled?
  - How are New Java/C++ Appls. Incorporated?
  - Can Java Security Capabilities be Utilized?
  - What Does CORBA/ORBs have to Offer?
  - What about other Middleware (e.g. JINI)?
- Explore Some Preliminary Ideas on Select Issues


A Distributed Security Framework
- What is Needed for the Definition and Realization of Security for a Distributed Application?
- How can we Dynamically Construct and Maintain Security for a Distributed Application?
  - Application Requirements Change Over Time
  - Seamless Transition for Changes
  - Transparency from both User and Distributed Application Perspectives
- Support MAC, RBAC and DAC (Delegation)
- Cradle to Grave Approach
  - From Design (UML) to Programming (Aspects)
  - Information Exchange (XML)
  - Middleware: Interoperating Artifacts & Clients


A Distributed Security Framework
- Distributed Security Policy Definition, Planning, and Management
  - Integrated with Software Development: Design (UML) and Programming (Aspects)
  - Include Documents of Exchange (XML)
- Formal Security Model with Components
  - Formal Realization of Security Policy
  - Identifiable “Security” Components
- Security Handlers & Enforcement Mechanism
  - Run-time Techniques and Processes
  - Allows Dynamic Changes to Policy to be Seamlessly and Transparently Made


Interactions and Dependencies
[Figure: a Distributed Security Policy realized by a Formal Security Model and Security Components and enforced by an Enforcement Mechanism that is a Collection of SHs; each artifact and server (L + SH, CO + SH, DB + SH, Server + SH) carries its own SH and serves Java Clients, Legacy Clients, DB Clients and COTS Clients]
L: Legacy, CO: COTS, DB: Database, SH: Security Handler


Policy Definition, Planning, Management
- Interplay of Security Requirements, Security Officers, Users, Components and Overall System
- Minimal Effort in Distributed Setting - CORBA Has Services for
  - Confidentiality, Integrity, Accountability, and Availability
  - But, No Cohesive CORBA Service Ties Them with Authorization, Authentication, and Privacy
- Difficult to Accomplish in Distributed Setting
  - Must Understand All Constituent Systems
  - Interplay of Stakeholders, Users, Sec. Officers


Three-Pronged Security Emphasis
[Figure: three prongs around a core of Assurance (RBAC, Delegation; MAC Properties: Simple Integrity, Simple Security, etc.; Safety; Liveness)]
- Secure Software Design via UML with MAC/RBAC
- Secure Information Exchange via XML with MAC/RBAC
- Secure MAC/RBAC Interactions via Middleware in Distributed Setting


Secure Software Design - T. Doan
[Figure: workflow from UML model to formal policy to generated security model]
- Extending UML for the Design and Definition of Security Requirements
  - Address Security in Use-Case Diagrams, Class Diagrams, Sequence Diagrams, etc.
  - UML Model with Security: Capture all Security Requirements!
- Formal Security Policy Definition using Existing Approach (Logic Based Policy Language)
  - Bi-Directional Translation - Prove that all UML Security Definitions are in the Logic-Based Policy Language and vice-versa
  - Iterate, Revise
  - Other Possibilities: Reverse Engineer Existing Policy to Logic Based Definition
- Security Model Generation: RBAC99 (GMU), RBAC/MAC (UConn), Oracle Security
  - Must Prove Generation Captures all Security Requirements


RBAC/MAC at Design Level
[Figure: use-case diagram for the Poll Topic Archived System. Actors marked with security levels: Junior Operator - C, Senior Staff - S, Poll Topic Admin - TS, Supervisor - TS. Use cases marked with security levels: Enter Poll Topic - S, Activate Poll Topic - TS, Deactivate Poll Topic - TS, Enter Question - C, Verify Topic - S, Enter Ordinary Question - C, Enter Special Question - S, Categorize Question - C, Enter Category - S; connected by <<include>> and <<extend>> relationships]
- Security as First Class Citizen in the Design Process
- Use Cases and Actors (Roles) Marked with Security Levels
- Dynamic Assurance Checks to Ensure that Connections Do Not Violate MAC Rules
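An added example, not from the slides or T. Doan's work: a small use-case model in which every association, <<include>> and <<extend>> is checked against MAC as it is drawn and re-audited after a level changes. A linear C < S < TS lattice and the three connection rules in the comments are assumptions; the actor and use-case names follow the diagram, but the connections are constructed.

```python
# Linear lattice of the diagram's levels (assumed ordering).
RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}


def dominates(a: str, b: str) -> bool:
    return RANK[a] >= RANK[b]


class MacUseCaseModel:
    """Use-case model whose actors carry clearances and use cases carry
    classifications; every connection is checked when it is drawn."""

    def __init__(self):
        self.actors = {}        # actor -> clearance
        self.use_cases = {}     # use case -> classification
        self.connections = []   # (kind, src, dst) that passed the check

    def add_actor(self, name, clearance):
        self.actors[name] = clearance

    def add_use_case(self, name, classification):
        self.use_cases[name] = classification

    def violation(self, kind, src, dst):
        """Return a reason if the connection breaks a MAC rule, else None.
        Assumed rules: association: actor clearance dominates the use case;
        include: base dominates the included use case (the base always runs
        it); extend: the extension dominates its base (an extension may add
        sensitivity to what it extends, never weaken it)."""
        if kind == "association":
            ok = dominates(self.actors[src], self.use_cases[dst])
        elif kind in ("include", "extend"):
            ok = dominates(self.use_cases[src], self.use_cases[dst])
        else:
            raise ValueError(f"unknown connection kind {kind}")
        return None if ok else f"{kind} {src} -> {dst} violates MAC"

    def connect(self, kind, src, dst) -> bool:
        """Dynamic assurance check: refuse a connection that violates MAC."""
        if self.violation(kind, src, dst) is None:
            self.connections.append((kind, src, dst))
            return True
        return False

    def audit(self):
        """Re-check stored connections, e.g. after a level was edited."""
        return [r for r in (self.violation(*c) for c in self.connections) if r]


def build_poll_topic_model() -> MacUseCaseModel:
    """Constructed model after the slide's Poll Topic Archived System."""
    m = MacUseCaseModel()
    for actor, lvl in [("Junior Operator", "C"), ("Senior Staff", "S"),
                       ("Poll Topic Admin", "TS"), ("Supervisor", "TS")]:
        m.add_actor(actor, lvl)
    for uc, lvl in [("Enter Poll Topic", "S"), ("Activate Poll Topic", "TS"),
                    ("Deactivate Poll Topic", "TS"), ("Enter Question", "C"),
                    ("Verify Topic", "S"), ("Enter Ordinary Question", "C"),
                    ("Enter Special Question", "S"), ("Categorize Question", "C"),
                    ("Enter Category", "S")]:
        m.add_use_case(uc, lvl)
    for c in [("association", "Junior Operator", "Enter Question"),
              ("association", "Senior Staff", "Enter Poll Topic"),
              ("association", "Poll Topic Admin", "Activate Poll Topic"),
              ("association", "Supervisor", "Enter Category"),
              ("include", "Enter Poll Topic", "Verify Topic"),
              ("include", "Enter Question", "Categorize Question"),
              ("extend", "Enter Ordinary Question", "Enter Question"),
              ("extend", "Enter Special Question", "Enter Question")]:
        m.connect(*c)
    return m
```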


Secure Software Design - J. Pavlich
- What are Aspects?
  - System Properties that Apply Across an Entire Application
  - Samples: Security, Performance, etc.
- What is Aspect Oriented Programming?
  - Separation of Components and Aspects from One Another with Mechanisms to Support Abstraction and Composition for System Design
- What is Aspect Oriented Software Design?
  - Focus on Identifying Components, Aspects, Compositions, etc.
  - Emphasis on Design Process and Decisions


Aspects for Security in UML
- Consider the Class Diagram below that Captures Courses, Documents, and Grade Records
  - What are Possible Roles?
  - How can we Define Limitations of Role Against Classes?


A Role-Slice for Professors


A Role-Slice for Students


Middleware-Based Security - C. Phillips
[Figure: Legacy, COTS, GOTS and Database artifacts, each with its own client, connected over a NETWORK to a Java Client]
- Artifacts: DB, Legacy, COTS, GOTS, with APIs
- New/Existing Clients use APIs
- Can we Control Access to APIs (Methods) by ...
  - Role (who)
  - Classification (MAC)
  - Time (when)
  - Data (what)
  - Delegation
[Figure: Unified Security Resource (USR) offering Security Policy Services, Security Authorization Services and Security Registration Services, used by the Security Policy Client (SPC), Security Authorization Client (SAC), Security Delegation Client (SDC) and Security Analysis and Tracking (SAT)]
Working Prototype Available using CORBA, JINI, Java, Oracle
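An added example, not the prototype's code: a hypothetical stand-in for the USR that decides an API-method call on all five factors above (role, classification, time window, argument data, delegation) and returns a reason for every decision so that a SAT-style component can track denials. The artifact, method, role and user names and the MAC lattice are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, Optional

RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}   # assumed MAC lattice


@dataclass
class MethodGrant:
    """A role's permission on one artifact method: the time-of-day window in
    which it may be called (when) and a predicate on the arguments (what)."""
    start: time
    end: time
    data_ok: Optional[Callable[[dict], bool]] = None


@dataclass
class Role:
    clearance: str
    grants: dict = field(default_factory=dict)   # "artifact.method" -> MethodGrant


class UnifiedSecurityResource:
    """Hypothetical USR: registered methods with classifications, roles,
    user-role assignments and time-limited delegations. authorize() is the
    SAC-style check; its reason string is what a SAT-style tracker logs."""

    def __init__(self):
        self.method_levels = {}   # "artifact.method" -> classification
        self.roles = {}           # role name -> Role
        self.user_roles = {}      # user -> set of role names
        self.delegations = []     # (delegatee, role name, expiry datetime)

    def register_method(self, artifact, method, classification):
        self.method_levels[f"{artifact}.{method}"] = classification

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def delegate(self, delegator, delegatee, role, expires):
        """Delegation of authority: only a direct holder may pass a role on."""
        if role not in self.user_roles.get(delegator, set()):
            raise PermissionError(f"{delegator} does not hold {role}")
        self.delegations.append((delegatee, role, expires))

    def roles_of(self, user, now):
        held = set(self.user_roles.get(user, set()))
        held |= {r for (u, r, exp) in self.delegations if u == user and now < exp}
        return held

    def authorize(self, user, artifact, method, args, now):
        key = f"{artifact}.{method}"
        if key not in self.method_levels:
            return False, "method not registered"
        reasons = []
        for name in sorted(self.roles_of(user, now)):
            role, grant = self.roles[name], self.roles[name].grants.get(key)
            if grant is None:
                continue
            if not grant.start <= now.time() <= grant.end:
                reasons.append(f"{name}: outside time window")
            elif RANK[role.clearance] < RANK[self.method_levels[key]]:
                reasons.append(f"{name}: clearance below classification")
            elif grant.data_ok is not None and not grant.data_ok(args):
                reasons.append(f"{name}: argument values not permitted")
            else:
                return True, f"{name}: allowed"
        return False, "; ".join(reasons) or "no role grants this method"


def build_demo():
    """Constructed policy: a Planner may query unit data for the north region
    by day; a Liaison is granted the same method but is cleared only to C,
    so the S-level query is refused on classification."""
    usr = UnifiedSecurityResource()
    usr.register_method("C2Server", "queryUnits", "S")
    usr.register_method("C2Server", "status", "U")
    day = (time(6, 0), time(22, 0))
    usr.roles["Planner"] = Role("S", {"C2Server.queryUnits":
                                      MethodGrant(*day, lambda a: a.get("region") == "north")})
    usr.roles["Liaison"] = Role("C", {"C2Server.status": MethodGrant(time(0, 0), time(23, 59, 59)),
                                      "C2Server.queryUnits": MethodGrant(*day)})
    usr.assign("alice", "Planner")
    usr.assign("bob", "Liaison")
    usr.delegate("alice", "bob", "Planner", datetime(2024, 5, 2, 0, 0))
    return usr
```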


Process-Oriented View
[Figure: a Unified RBAC/MAC Security Model feeding the RBAC/MAC Enforcement Framework, Security Middleware, Security Administrative and Management Tools, Security Policy Definition, Design Time Security Assurance and Run Time Security Assurance; Analyses of RBAC/MAC Model/Framework Against SSE-CMM; Evaluation of RBAC/MAC Model Using DCP]


Security for XML Documents
- Emergence of XML for Document/Information Exchange
- Extend RBAC/MAC to XML
  - Collection of Security DTDs
  - DTDs for Roles, Users, and Constraints Capture RBAC and MAC
  - Apply Security DTDs to XML Documents
  - An XML Document Appears Differently Based on Role, MAC, Time, Value
  - Security DTD Filters Document
[Figure: Security DTDs (Role DTD, User DTD, Constraint DTD) and Application DTDs yield the Application XML Files Appl_Role.xml, Appl_User.xml and Appl_Constraint.xml; the Security Officer Generates Security XML files for the Application; the User’s Role Determines the Scope of Access to Each XML Document (Application DTDs and XML)]
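An added example, not the slides' code: one document filtered into a different view per role by combining the element's MAC level (inherited from its parent when absent), the roles allowed on the element, and a value constraint on an attribute. The casualty-report document, the role clearances and the constraint table are constructed stand-ins for the Appl_Role.xml and Appl_Constraint.xml files the slide names.

```python
import xml.etree.ElementTree as ET

RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}   # assumed MAC lattice

# Constructed application document: elements carry a MAC "level" and the
# "roles" allowed to see them; an element without "level" inherits its parent's.
CASUALTY_XML = """<casualty_report level="C">
  <patient id="p1" region="north" roles="Medic,Coordinator">
    <name level="S" roles="Coordinator">J. Doe</name>
    <injury>fracture</injury>
  </patient>
  <patient id="p2" region="south" roles="Medic,Coordinator">
    <name level="S" roles="Coordinator">A. Roe</name>
    <injury>burn</injury>
  </patient>
  <logistics level="TS" roles="Coordinator"><route>convoy 7</route></logistics>
</casualty_report>"""

# Stand-ins for Appl_Role.xml and Appl_Constraint.xml (constructed).
ROLE_CLEARANCE = {"Medic": "C", "Coordinator": "S"}
# role -> {(tag, attribute): allowed values}: the "value" dimension
VALUE_CONSTRAINTS = {"Medic": {("patient", "region"): {"north"}}}


def visible(elem, role, inherited_level):
    """Role, MAC and value checks for one element."""
    level = elem.get("level", inherited_level)
    if RANK[ROLE_CLEARANCE[role]] < RANK[level]:
        return False                        # clearance does not dominate
    allowed_roles = elem.get("roles")
    if allowed_roles and role not in allowed_roles.split(","):
        return False                        # RBAC restriction on the element
    for (tag, attr), values in VALUE_CONSTRAINTS.get(role, {}).items():
        if elem.tag == tag and elem.get(attr) is not None and elem.get(attr) not in values:
            return False                    # value constraint not met
    return True


def filter_document(xml_text, role):
    """Return the root of a pruned copy of the document as seen by role,
    or None if the role may not see the document at all."""
    root = ET.fromstring(xml_text)
    if not visible(root, role, "U"):
        return None

    def prune(elem, inherited):
        level = elem.get("level", inherited)
        for child in list(elem):
            if visible(child, role, level):
                prune(child, level)
            else:
                elem.remove(child)

    prune(root, root.get("level", "U"))
    return root


def visible_paths(xml_text, role):
    """Flat list of element paths in the filtered view, for inspection."""
    root = filter_document(xml_text, role)
    if root is None:
        return []
    out = []

    def walk(elem, path):
        label = elem.tag + (f"[{elem.get('id')}]" if elem.get("id") else "")
        path = f"{path}/{label}"
        out.append(path)
        for child in elem:
            walk(child, path)

    walk(root, "")
    return out
```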


Concluding Remarks
- Objective is for Everyone to Think about the Range, Scope, and Impact of Security
- Question-Based Approach Intended to Frame the Discussion
- Proposed Solution for Distributed Environment
- Current UConn Foci
  - Secure Software Design
  - Middleware Realization
  - XML Document Customization
- Consider these and Other Issues for DCP