Beyond the Moat
NET-CENTRIC WARFARE REQUIRES A FUNDAMENTAL CHANGE IN THE PERIMETER-BASED APPROACH TO INFORMATION ASSURANCE.
As the Department of Defense continues to move toward an environment promoting Net-Centric Enterprise Services (NCES) and the use of information operations as a force multiplier, the limitations of current methods of protecting critical data and information technology assets are becoming increasingly obvious. DoD needs effective yet flexible information assurance solutions capable of supporting ubiquitous access to critical information. We must position DoD to apply innovative solutions that make information assurance (IA) an enabler rather than an inhibitor.
Using IA as an enabler to securely push trusted information to the edge, providing the right access at the right time to the warfighter, is a critical element of the strategic IT vision for DoD. If the department is going to realize this vision, we must promote the IA practices, policies and technologies that will support the transition to an IA-enabled NCES environment. If we achieve this goal, the right information will be available to the right people anytime, anywhere.
This transition requires a fundamental change in the traditional, perimeter-based approach to implementing IA across the enterprise.
Since the days of the castle and moat, we have patterned our approaches to security around a two-dimensional defense-in-depth (DiD) model relying on a limited number of controlled, easily discernible access points. The more valuable the items to be protected, the greater the number of DiD layers we applied. First we built the outer wall, then the moat and the drawbridge, then the inner walls, then the bank, then the vault inside the bank, and so on. At each successive layer in the DiD model, the restrictions on who could gain access, and the checks applied before granting that access, grew stricter.
Since the days of the earliest fortresses, little has changed in this DiD model. With the advent of the computer age, the castle-and-moat DiD model was simply adapted to the network environment, with network segments and distinct subnets taking the place of moats; firewalls taking the place of mortar and brick walls; and gateways, access control lists and firewall rule sets taking the place of drawbridges.
As technologies advanced and the threats adapted, we continued to follow the castle-and-moat model, creating inner walls inside the outer walls through the use of demilitarized zones to separate Web servers from database servers or creating internal networks connected by intranets transiting the Internet. The castle-and-moat DiD paradigm, while tried and true, has remained virtually unchanged.
NEW PARADIGM
If data is to move freely outside the castle walls while threats persist, a new IA paradigm must emerge. If DoD is to push data to the edge so it is truly accessible to the right users anytime, anywhere, then the data must protect itself. We must evolve beyond the current construct of data packets to a concept of self-protecting “data packages” that roam freely outside the confining walls of the old castle-and-moat model, bringing their own individual entourage of advanced security features with them wherever they go.
In this brave new world, data cannot exist solely within an isolated DoD Global Information Grid (GIG). To deliver the kind of anytime, anywhere data access that DoD requires, every network node everywhere must become a virtual extension of the GIG, from an Internet café in Baghdad to an ISP in Beijing.
The new IA paradigm must rely on trusted, self-sufficient data packages that provide the data consumer high degrees of assurance that the information is genuine, unaltered, and completely trustworthy while ensuring that only the right people get access to the right information at the right time. These data packages must carry with them all the attributes and mechanisms to enable this two-way trust relationship between the data and its consumers, so that the network environment is essentially taken out of the trust model altogether.
In this new IA paradigm, data packages are fully self-contained, relying on the network only for a means of transit from one place to another. Data can safely travel virtually anywhere to support the warfighter in any environment.
In the open IT landscape of the future, data is not hidden behind walls for protection, but transacts business with data consumers on a one-to-one basis. Both data packages and data consumers carry with them a set of trusted attributes that permit both to securely transact business with the other anytime, anywhere. Based on the attributes of the data consumer, the data package either grants or denies access to the data payload. Based on the attributes of the data package, the data consumer either accepts or rejects the data as trusted.
In this Mutually Verified Attribute Model, attribute-based trust mechanisms and role-based access control mechanisms coexist to form a two-way bond of trust between data package and data consumer. The data package and the data consumer must continually travel with a set of attributes that can be irrefutably proven by the other as being genuine, unaltered and verified by a known and trusted third party. The data package and the data consumer must also travel with a set of trusted mechanisms that each can rely on to accurately validate and verify the attributes of the other. Finally, the data package and the data consumer must travel with their own protection mechanisms that can be relied upon to furnish the full set of security services each needs.
DATA BROKERS
To efficiently bring data consumers and data packages together in this new environment, one more element may be required—data brokers. Dispatched by data consumers, data brokers would scour the multitude of network environments, assisting in locating the data packages containing the desired information that are most convenient to the data consumer’s situation.
The data broker paradigm could take many forms. Data brokers could simply wander the networks much like taxicabs drive the streets of New York City, either occupied with a request from a data consumer or free to “pick up” a new request. They could reside at key locations around the globe, much like today’s Web servers do, awaiting the next data consumer’s request.
Regardless of the model chosen, the data broker would use the same Mutually Verified Attribute Model to interact securely with data packages and data consumers.
Since the data brokers will be more implementation-dependent, having to interact effectively with whatever implementation is chosen for the data package and data consumer elements of the model, the data broker function could take a variety of forms and could conceivably be a part of the data consumer rather than a discrete entity.
NETWORK VALIDATION
One final factor in this new paradigm may be the need to verify the nature of the network environment inhabited by data packages. The nature of the network might be characterized as friendly, benign or hostile, or could simply be characterized in terms of trusted or untrusted. Certain data packages, based on their attributes, might be permitted to traverse only friendly or benign networks, while others containing less sensitive data might be permitted on all networks regardless of their nature.
This network validation would require an additional set of mechanisms to either validate a network based on its credentials or treat a network as untrusted when it cannot supply the required, proven credentials. This verification would also require new technologies and would, in essence, serve as the corollary to emerging Network Access Control models embodied in 802.1x technology, with the data deciding whether to permit itself to enter the network based on the degree to which the network can be trusted.
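The two-way check of the Mutually Verified Attribute Model above, together with the network validation just described, as an added Python sketch. This is not code from the article or from any DoD program; it assumes a single attribute authority as the trusted third party, uses HMAC-SHA256 under that authority's key as a stand-in for a digital signature, and uses a SHA-256 keystream XOR as a stand-in for payload encryption (a deployment would use real signatures and authenticated encryption). All names, attribute values and sample payloads are constructed.

```python
"""Toy Mutually Verified Attribute Model: a self-protecting data package
decides whether to release its payload based on the consumer's vouched-for
attributes, the consumer decides whether to trust the package based on the
package's vouched-for attributes, and the package refuses to enter a network
that cannot present verifiable credentials.
Assumptions (not from the article): one attribute authority; HMAC stands in
for a signature; keystream XOR stands in for encryption."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

CLEARANCE_RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def _canonical(obj) -> bytes:
    # Deterministic encoding so the signature covers exactly one byte string.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AttributeAuthority:
    """Trusted third party that vouches for the attributes of packages, consumers and networks."""

    def __init__(self, key: bytes):
        self._key = key  # assumed secret; stands in for the authority's signing key

    def issue(self, attrs: dict) -> dict:
        tag = hmac.new(self._key, _canonical(attrs), hashlib.sha256).hexdigest()
        return {"attrs": attrs, "sig": tag}

    def verify(self, assertion: dict) -> bool:
        expected = hmac.new(self._key, _canonical(assertion["attrs"]), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["sig"])


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy symmetric transform; encrypt and decrypt are the same operation.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class DataPackage:
    assertion: dict            # authority-vouched attributes, including the payload digest and policy
    ciphertext: bytes
    _key: bytes = field(repr=False)  # held in-object only for illustration; a real system wraps it per consumer

    @classmethod
    def seal(cls, authority, payload, classification, origin, allowed_networks, required_roles, key):
        attrs = {
            "classification": classification,
            "origin": origin,
            "digest": hashlib.sha256(payload).hexdigest(),
            "allowed_networks": sorted(allowed_networks),
            "required_roles": sorted(required_roles),
        }
        return cls(authority.issue(attrs), _keystream_xor(key, payload), key)

    def may_enter(self, authority, network_assertion: Optional[dict]) -> bool:
        """Network validation: no verifiable credentials means the network is treated as untrusted."""
        if network_assertion is None or not authority.verify(network_assertion):
            nature = "hostile"
        else:
            nature = network_assertion["attrs"]["nature"]
        return nature in self.assertion["attrs"]["allowed_networks"]

    def grant(self, authority, consumer_assertion: dict) -> Optional[bytes]:
        """Package-side decision: verify the consumer's attributes, then apply the package's own policy."""
        if not authority.verify(consumer_assertion):
            return None
        c = consumer_assertion["attrs"]
        policy = self.assertion["attrs"]
        if CLEARANCE_RANK.get(c.get("clearance"), -1) < CLEARANCE_RANK[policy["classification"]]:
            return None
        if not any(role in c.get("roles", []) for role in policy["required_roles"]):
            return None  # role-based check coexists with the attribute-based check
        return _keystream_xor(self._key, self.ciphertext)


def consumer_accepts(authority, package: DataPackage, payload: bytes, trusted_origins: set) -> bool:
    """Consumer-side decision: attributes vouched for, origin trusted, payload genuine and unaltered."""
    if not authority.verify(package.assertion):
        return False
    a = package.assertion["attrs"]
    if a["origin"] not in trusted_origins:
        return False
    return hashlib.sha256(payload).hexdigest() == a["digest"]


def run_scenarios() -> dict:
    """Constructed scenarios; every entry is True when the model behaves as described."""
    authority = AttributeAuthority(b"constructed-authority-key")
    payload = b"constructed sample: resupply convoy departs 0600"
    pkg = DataPackage.seal(authority, payload, "SECRET", "origin-constructed",
                           ["friendly", "benign"], {"analyst", "warfighter"}, b"constructed-package-key")
    cleared = authority.issue({"id": "user-a", "clearance": "SECRET", "roles": ["warfighter"]})
    low = authority.issue({"id": "user-b", "clearance": "CONFIDENTIAL", "roles": ["warfighter"]})
    forged = {"attrs": {"id": "user-c", "clearance": "TOP SECRET", "roles": ["warfighter"]}, "sig": "00" * 32}
    friendly_net = authority.issue({"name": "net-constructed", "nature": "friendly"})
    released = pkg.grant(authority, cleared)
    # Tampered copy: the classification attribute is lowered but the authority's tag is unchanged.
    tampered = DataPackage({"attrs": {**pkg.assertion["attrs"], "classification": "UNCLASSIFIED"},
                            "sig": pkg.assertion["sig"]}, pkg.ciphertext, b"constructed-package-key")
    return {
        "cleared_gets_payload": released == payload,
        "cleared_accepts_package": consumer_accepts(authority, pkg, released, {"origin-constructed"}),
        "insufficient_clearance_denied": pkg.grant(authority, low) is None,
        "forged_assertion_denied": pkg.grant(authority, forged) is None,
        "enters_friendly_network": pkg.may_enter(authority, friendly_net),
        "refuses_uncredentialed_network": not pkg.may_enter(authority, None),
        "tampered_package_rejected": not consumer_accepts(authority, tampered, payload, {"origin-constructed"}),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point the sketch makes is the one the article makes: the network carries the package but never appears in the trust decision. Both `grant` and `consumer_accepts` rely only on the authority's vouching and on the package's own digest, and `may_enter` treats any network that cannot prove its nature as hostile rather than assuming benign.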
LOOKING TO INDUSTRY
The development of supporting technologies that will ultimately enable a Mutually Verified Attribute Model also requires a new paradigm. Outreach to industry must continue to be an integral part of realizing this IA vision if a more cost-effective COTS approach is to be used. DoD must do far more than just reach out to industry; it must actively drive industry and standards bodies to develop the enabling security technologies.
With these technologies, security must be built in at the most fundamental levels rather than bolted on after the fact. We must be able to make the data package and data consumer objects so airtight that defenses such as antivirus, intrusion detection systems/intrusion prevention systems (IDS/IPS) and firewalls will no longer be a necessity at the data object level. Security-enhanced protocols developed to internationally accepted standards must provide the foundation upon which technologies and products are constructed.
DoD has at one time or another exerted some influence over selected elements of these areas, but creating these enabling technologies and standards will require a coordinated effort that simultaneously drives all these elements toward implementation of the new IA paradigm.
Using the paradigm of self-protecting data packages, data can reside anywhere on almost any network and be completely accessible to any authorized user anywhere at any time. Data will no longer be anchored to specific servers in specific, protected bastions, which are often not easily accessible to remote users in different environments. Data repositories will no longer need such elaborate, centralized protections against remote users.
Authorized data brokers will seek out desired information for data consumers and return the identification/location information for the corresponding data packages. Multiple instantiations of self-protecting data packages will facilitate rapid access to information when it is needed, where it is needed. The end result will be data that truly is accessible to authorized users anytime, anywhere.
BUILDING ON THE PAST
This does not mean that we must abandon the perimeter-based, DiD approach to securing our networks. DiD will continue to have a place in our approach to securing the DoD IT environment for some time to come. Trusted data generated and stored in our most fortified environments will continue to play a vital role in this new IA model.
At a minimum, secure data repositories, interfaced with equally protected yet segregated data packaging facilities, will still rely upon strong perimeter security controls modeled after the proven DiD castle-and-moat model. Firewalls, IPS/IDS and a host of future technologies not yet in existence will likely continue to protect critical infrastructure elements, providing the foundations upon which mutual data package and data consumer attribute verification is based.
Malware screening tools embodying the future versions of today’s anti-virus/anti-spyware products will be an integral part of the data package production and verification process. But data will no longer be constrained by the perimeter-based, DiD approach and can finally go securely wherever it is needed, whenever it is needed, to meet the needs of data consumers worldwide.