Information Assurance for Information Assurance for Map Services Map Services

JSEM 2007May 23rd, 2007

Contact:Costi Tudan

ODUSD(I&E) BEI DISDI

2

AgendaAgenda

• Policy and Background

• Review Geospatial IA requirements

• Available IA Enterprise Services

3

Policy Drivers

• DoDD 8320.2 – “DoD will be net-centric”

• DoDI 8510.bb - DIACAP - “DoD Information Assurance Certification and Accreditation Process”

• DoDI 8500.2 – Information Assurance (IA) Implementation (DoDD 8500.1, DoDD 5025.1-M)

4

DODI 5210.52Security Classification of Airborne Sensor Imagery and Imaging Systems

Imagery and Imagery-Derived ProductFunctional Classes

Class 1Intelligence

Class 2Mapping, Charting

& Geodesy

Class 3Official

Government Use

Class 4Unclassified Use

Imagery and Imagery-Derived

ProductGeographicCategories

US, territories & possessions

A

US legal interests overseas

B

Sovereign foreign lands

C

Non-sovereignforeign lands

D

I n t

e l l

I g

e n

c e

I n t

e l l

I g

e n

c e

Map

ping

, Cha

rtin

g &

Geo

desy

Map

ping

, Cha

rtin

g &

Geo

desy

Offi

cial

Gov

ernm

ent U

seO

ffici

al G

over

nmen

t Use

Any

Unc

lass

ified

Use

Any

Unc

lass

ified

Use

NGANGA

DISDIDISDI

5

What is IA?

• Information Assurance – “information assurance solutions that will keep our information systems safe from harm” – NSA Information Assurance Directorate (IAD)

A definition: IA is the set of measures intended to protect and defend information and information systems by ensuring their availability, integrity,

authentication, confidentiality, and non-repudiation.

6

IA vs. OPSEC?

•• BOTH!BOTH!

• Must have both sound IA and OPSEC strategies

• OPSEC supplements IA

• OPSEC – analytic process

Operations Security (OPSEC) is an analytic process used to deny an adversary information - generally unclassified -concerning our intentions and capabilities by identifying, controlling, and protecting indicators associated with our planning processes or operations. OPSEC does not replace other security disciplines - it supplements them.

- Interagency OPSEC Support Staff

7

Organizational Strategies

• ASD/HD Homeland Defense– Critical Infrastructure Program

• NGA National Geospatial-Intelligence Agency– Project Homeland

• ADUSD/ESOH– Range Sustainment– Natural Resources– Environmental Restoration

All use geospatial All use geospatial data in a netdata in a net--centric centric

environment.environment.

8

Geospatial Data IA/OPSEC Requirements

• Technically not different than other web services

• Complex OPSEC

• Data exchanges– GML data elements require rendering to be

understood in context– Tabular data associates with feature geometry

• Important to control access and use– Digital Rights Management and Identity Management

– emerging technologies

9

DISDI IA Coordination

ASD (NII) CIOASD (NII) CIO USD/IntelligenceUSD/Intelligence

National Security AgencyNational Security AgencyInformation Assurance DivisionInformation Assurance Division

• Portal Content• Strategic Installation Picture• Architecture strategy

10

Web Map Services

• Securing standards based (WMS, WFS, WCS) map web services – similar to securing any web service

• Net-Centric Enterprise: Services Oriented Architecture (SOA)A framework for Integrating GIS and Enterprise Systems . . . Open, Flexible and Standards Based Web Services & Messaging

• Net-Centric Enterprise Services

11

Web Map Services - Issues

• Appropriate use– Intended use of the data (consider OPSEC issues)– Emerging: GeoDRM

• Access Rights– Control who can access the data (establish “need to know”)– Identity Management, Role Based Access Control, GeoDRM

• Metadata– Information on all of the above to accompany each data set– Discover and understand

• Data maintenance– Keeping the data up-to-date and accurate

• Service levels– Level of availability that a user/subscriber can expect– Minimal guaranteed content

Very Important Very Important for future of SOAfor future of SOA

12

Security Layers and Mechanisms

phys

ical

sec

urity

phys

ical

sec

urityApplicationApplication

DataData

Host/DeviceHost/Device

Network/DeviceNetwork/Device

• Content Filters• Validation Checks• Secure Stored Procedures

• Authentication• Security Policy• Encryption• Audit• Access Control

• OS Security• Web Server Hardening• Host Intrusion Detection

• Device Access Control Lists• IP Sec Encryption• Firewalls• Network Intrusion Detection

• Physically control access• Secure facilities

• Site location

Security Layers

Security Mechanisms

13

DoD Global Enterprise Services Portal Framework

14

IA Enterprise Capabilities

• Policy Decision Service (PDS)

• Policy Retrieval Service (PRS)

• Policy Administration Service (PoAS)

• Certificate Validation Service (CVS)

• Principal Attribute Service (PrAS)

• Role Based Access Control (RBAC)

• Attribute Based Access Control (ABAC)

15

Enterprise Security

• DITSCAP now DIACAP

• CAC/PKI

• Identity Management

• Machine-to-machine messaging

• Service Security

16

What else can we use?

• COTS middleware (for securing map services at the application level)

• “home-grown” layer level security – role based access

• Access Control Lists

• Authentication using LDAP, Active Directory

• HTTPS 128-bit SSL

• Anti-Virus and Firewalls

17

What can we do now?

• Transition DITSCAP to DIACAP accreditation

• Implement all commonly used IA measures

• Implement PKI access control– Machine-to-machine and User CAC– Very important IA measure

• Review additional access control options– Establish need-to-know – register CAC with application

18

NSDI(GOS)

Metadata Harvesting

DoD Applications and Systems

OGC WMS, WFS, KML, File Download

Producing Geospatial Services

USAPortal

GIS-R

USNPortal

GeoReadinessRepository

USMCPortal

GeoFidelis

USAFPortalGeoBase

Consuming Geospatial Services

Metadata Harvesting:Z39.50, WAF, OAI

TEC IOImagery

Data Services: OGC WMS, WFS, Data Caching

Internet Web Services

DISDI Implementation

DISDIPortal

DISDIPortalViewer Metadata

PortalWeb

Se

rvic

e In

terf

ace,

SO

A

SOAP,WSDL

DoD Metadata Registry

DoD Discovery Catalogs

DoD Service (UDDI) Registry

Global Information Grid (GIG) Connectivity

User CAC/PKIMachine-to-machine PKI

19

DIACAP Workflow

• Step-by-step guidance• Simpler Implementation• Single Certification Authority• Life-cycle driven not schedule driven

Interim DIACAP Instruction, KS, and theDITSCAP to DIACAP transition questions:

The DIACAP Program Technical InquiriesPhone: (703)377-0001email: support@diacap-knowledgeservice.org

20

DITSCAP vs. DIACAP

Security requirements and standards uniquely determined by each system

All systems inherit enterprise standardsand requirements

DAA and Certifier selected by/for each system

Certification Authority is a qualified, resourced, and permanent member of CIO

staff

Policy advocated tailoring, but process was hard-coded to phases

No pre-defined phases. Each system works to a plan that aligns to the system life cycle

Accreditation status communicated via letter and status code (ATO, IATO) in SSAA

Accreditation status communicated by assigned IA Controls’ compliance ratings and letter and status code (ATO, IATO, IATT, DATO) in DIACAP Scorecard

Inaccurate association of ATO with perfect and unchanging security

ATO means security risk is at an acceptable level to support mission and live data

No process improvement Automated tools, enterprise managed KS, requirements tied to architecture

“Fire and forget” accreditation; 3 year “white glove inspection” reaccredidation

Continuous, asynchronous monitoring; reviewed not less than annually; FISMA

reporting

DITSCAP DIACAP

21

Information Assurance Strategy

DoD has developed a new DoD C&A instruction and two DoD-owned Web-based services based on COTS applications to transform the DoD C&A process in support of the

Net-Centric, GIG-based environment

• DIACAP (“DoD Information Assurance Certification and Accreditation Process” - DoDI 8510.bb)– Supersedes DoDI 5200.40, “DoD Information Technology Security

Certification and Accreditation Process (DITSCAP)”– Adjudication of Formal SD 106 comments is near-completion

• eMASS - Enterprise Mission Assurance Support Service– Implementation and management web services toolset

• DIACAP Knowledge Service (KS)– Web-based resource for DIACAP implementation;

https://diacap.iaportal.navy.mil/CAC/PKI required

22

Questions

Costi Tudan – DISDI ArchitectODUSD(I&E) BEI DISDI

Phone: 703-604-4616Email: constantin.tudan.ctr@osd.mil