Bringing it all together
SOA design plays a key role in paring down secret data-sharing links
- By David Essex
- May 27, 2007
"The technology is probably here today, but putting it all through C&A is probably a long pole in the tent." - Bill Vass, Sun Microsystems Federal
For decades, the Defense Department and intelligence agencies cultivated a garden of specialized technologies that shifted classified data (typically files, text chat and e-mail) across security classifications and network domains.
As a result, there are now more than 800 of these cross-domain interfaces, most of them customized. They range from simple sneakernet arrangements, where data is carried by hand from one machine to another, to network interface cards with dedicated 'high side' and 'low side' connections that bridge highly sensitive and less sensitive networks.
To simplify matters, the intelligence community, the Pentagon and their information technology vendors are whittling this unruly rabble of cross-domain interfaces (many based on proprietary hardware) down to a cadre of some two dozen software-based, platform-independent entities.
"We see it as a very, very good step," said Michael Ryan, senior vice president of sales and marketing at Crossflo Systems, maker of DataExchange cross-domain middleware. "It's more effective for us to be able to standardize on a smaller set of technologies."
Getting to a simpler set of technologies, however, may require some work, given the wide range of what is offered now.
Get in line
Simplification of the cross-domain offerings has been in the works for at least a year.
The chief intelligence officers of the Pentagon and the Office of the Director of National Intelligence (ODNI) created the Cross Domain Management Office (CDMO) in March 2006 to choose a baseline group of the cross-domain entities and mandate their exclusive use. The tentative result is a baseline set of about 15 cross-domain interfaces and 10 exceptions covering special cases.
More than 750 cross-domain interface projects won't make the cut. The Pentagon and the intelligence community plan to eliminate funding for the interfaces that don't graduate to the baseline list and send that money to the remaining projects, officials said.
Several interface vendors interviewed recently sounded unsure of the role of the CDMO in setting standards, yet most agreed that the sharp reduction in approved interfaces will simplify agencies' choices.
Still, consolidation is not standardization. The vendors noted that several of the interfaces on the baseline list are still government off-the-shelf systems developed in-house, some others are the commercial variety, and some are hybrids.
That's not to say there is no cross-vendor interoperability, or at least 'seamless co-existence,' said Ed Hammersla, chief operating officer at Trusted Computer Solutions, a maker of fat- and thin-client desktop systems and other products used in several systems that have already been approved for inclusion in the baseline list.
"A government buyer could purchase three or four solutions from the approved list, and they would interoperate to solve his problem," Hammersla said.
Special needs
Hammersla said three technologies dominate the cross-domain arena.
Data transfer devices move data between domains with different security levels, such as various levels and flavors of the top-secret collection of information, which are grouped as the top-secret fabric. Comparable fabrics of classified domains operate at the secret and sensitive-but-unclassified levels.
Some domains include foreign agencies and military units, and some cross-domain interfaces exchange data among several such communities of interest.
But the CDMO does not include direct representation from any foreign government, officials said. CDMO leaders decided that if they allowed even one foreign intelligence service to participate in its deliberations, excluding others would become too difficult.
The data transfer devices include high-assurance guards, which shift data only in one direction, for example from sensitive-but-unclassified or controlled-unclassified information to the secret or top-secret levels and higher.
Data transfer devices often specialize in a particular data type, such as text messages and chat, or graphics files containing, say, digital photos of sensitive sites. The specialized guards often cannot handle other types of intelligence data, such as radar tracks, officials said.
Data diodes are another type of data transfer device. They are fiber-optic network entities that sit between two servers.
"The idea is that you have enforcement of the one-way policy at both endpoints, rather than a firewall box in the middle," said Ron Mraz, president and chief technology officer at OWL Computing Technology, who said the company's Dual-Diode technology is the only point-to-point system on the baseline list.
The second category of cross-domain interfaces, access devices, consolidates data from different secure networks onto a single screen. Access devices can take the form of a fat client, such as a desktop PC with several network interface cards, or a thin client displaying data from a central server.
The third and final category of the interfaces covers multilevel security systems. MLS entities attempt to segregate security levels primarily through specialized software running on servers and desktops.
Cross domain for the masses
In recent years, federal computer users increasingly have replaced proprietary, hardware-intensive systems with software that runs on a wider variety of dedicated platforms, and subsequently on generic desktop PCs and servers.
Not surprisingly, trusted versions of three enterprise operating systems form the core of today's CDMO-approved cross-domain interfaces. The three operating systems also underpin emerging, more broadly distributed entities for sharing classified information.
The three operating systems already approved for such use, Hammersla said, are Sun Microsystems' Trusted Solaris; Security-Enhanced Linux (SELinux) supported by vendors such as Red Hat; and BAE Systems' Secure Trusted Operating Program (STOP).
Two types of trusted
Bill Vass, president and chief operating officer at Sun Federal, said trusted OSes take two main approaches to security: trusted extensions and labeling, and type enforcement. He said Sun has placed its initial bet on the former, labeling, and Solaris 10 with Trusted Extensions is undergoing testing for Common Criteria certification, a required security approval.
Trusted Extensions allow as many as 8,000 security "zones" or containers, each with its own IP address and security level, in a single instance of Solaris. "You can have on the same server an unclassified domain, a classified domain and a top-secret domain," Vass said.
Sun executives are considering adding type enforcement, a more granular approach used in SELinux, to their OS, but Vass added that his company is also considering adding it to its Java language because it sees merit in both. "The issue is implementing them in a cross-domain system," Vass said.
Widely available commercial software, such as virtual private networks, is increasingly part of the cross-domain equation. Mraz said he has seen DOD and intelligence prototypes of encrypted "tunnels" that talk with top-secret networks.
The VPN approach also figures in systems built by Verizon Business Federal. The Ma Bell descendant, which claims security-conscious three-letter agencies among its customers, now uses federated user-rights directories, firewalls at each endpoint and an assortment of standard encryption technologies including public-key encryption to manage access to domains that share closed private networks.
Bill Edwards, Verizon's chief scientist, said one military customer uses his company's service to process digital photos of military installations through third-generation cellular and satellite-radio networks. "That picture would have an authentication, its own digital signature," Edwards said.
Software-only and commercial solutions, however, might never completely meet the needs of top-secret agencies, some specialists in the field say.
"The problem is, when you get into [Common Criteria Evaluation Assurance Level] 4 and higher, then often the hardware has to get pulled into the evaluation," said Andrew Earle, manager of solutions development at BAE Systems, which makes several cross-domain interfaces, including a guard on the baseline list.
There are a total of seven EALs, but foreign governments recognize only the lowest four, specialists in the field say.
But a new federal commercial offering from three prominent players seeks to upend that notion. The Secure Information Sharing Architecture is a joint venture of Cisco Systems, Microsoft, EMC and two smaller vendors. SISA combines Cisco network infrastructure, EMC storage and Microsoft OS and collaboration software to manage not only secure physical access but also Extensible Markup Language data and applications on familiar desktop and mobile devices.
"Any technology that does authentication will work with this architecture," said Chris Shenefiel, Cisco's federal government industry solutions manager. With SISA, communities of interest could communicate over their own dedicated virtual local-area networks, Shenefiel said.
SISA's proponents have high hopes, claiming it could eventually replace the specialized cross-domain interfaces. "In the near term, there will be a niche market for the high-assurance guards, especially at the high-security level," said Eric Rosenkranz, Microsoft's public-sector industry manager.
Microsoft's Active Directory lies at the heart of SISA. For example, Cisco uses it to centralize authentication.
But the initial version of SISA, which customers are beta-testing now, works only in a single environment. "This is not multilevel security," Rosenkranz said. "I would call it a significant improvement to role-based collaboration security, at a single classification level." A federated version should be announced this summer, he said.
Although CDMO's consolidation project is gradually steering agencies to interoperable commercial systems, "there has been no policy-setting body that has said, 'Here's all the attributes we're looking for,'" said Dave Graham, OWL's vice president. He added that his company's Dual-Diode interface can carry any kind of data because it operates at the asynchronous transfer mode level. In addition, hardware-based enforcement lets it work with several operating systems, Graham said.
"There really has been no vendor who has stepped [in] to put together the true, commercial cross-domain solution that covers all the attributes necessary," Graham added.
The CDMO's role aside, the industry is using standards that could aid cross-vendor interoperability. For high-assurance guards, which can do their job of passing data from one domain to another unassisted, interoperability is a nonissue. "Usually there's one guard, and you don't want to mess around with putting another one in," Earle said.
Vass named a specialized form of service-oriented architectures, trusted SOAs, as the holy grail that most agencies seek. The building blocks of such systems are available today, with Sun claiming numerous technology demonstrations, Vass said.
He cited an example of a visual Web service for imagery that requires high security clearances. "These visual Web services are available to you based on how strongly you authenticate," Vass said, adding that the trust goes both ways.
"You have to be able to trust the service, too," Vass continued. "Let's say I created a service called GetTarget. Would that be available to all levels [of security] and they only see information based on that, or would it only be available to top-secret people? All of these concepts are in the SOA definitions that we've put together."
Sun technologists hold that SOAs could handle current security needs. "You would publish the services based on the risk of the services and the role of who should get it," Vass said. Users "would use their identities to log on to all the domains they have access to, and people would publish services at the different
But the migration to SOA creates additional security concerns. "It's no longer just that single box," said Mark Morrison, chief information assurance officer at the Defense Intelligence Agency.
"As we move to an SOA type of arrangement, we don't have a standard set of processes," he continued. "The certification and accreditation and risk assessment process to effectively address that is [still] evolving."
The ODNI technology leadership recently announced the results of a months-long process to reform C&A requirements and related intelligence security criteria, officials said.
Certification involves confirming that a cross-domain interface, or any system handling classified data, meets Common Criteria requirements under testing authorized by the National Information Assurance Partnership. Accreditation is a primarily legal and policy evaluation of whether a system meets the standards in a specific environment.
Vass agreed with Morrison's viewpoint. "The technology to do all that is probably here today, but putting it all through C&A is probably a long pole in the tent. The low-hanging fruit while we're doing all that is to have a trusted desktop that gives you access to all these domains."
DNI's chief information officer organization recently orchestrated a wide-ranging reform of the C&A process that began with an open call for advice on the topic from the general public worldwide and concluded with the release of several changes to federal IT security rules. The policy reform generated a consolidated definition of the protection levels (PLs) that regulate the handling of various forms of classified data across federal agencies, as well as the C&A changes.
The PL reform was greeted enthusiastically by vendors who previously had struggled with incompatible rules used by the Pentagon, the intelligence community and civilian agencies that are required to follow procedures mandated by the National Institute of Standards and Technology.
But the recently adopted C&A reforms are just now gaining traction across the dozens of agencies that will have to put them into effect, officials said.
In XML we trust
Industry-specific variants of XML are becoming the common language that allows cross-domain information sharing across agencies, specialists in the field say.
Earle said XML, through its tagging capabilities, can also handle the security requirements. He added that BAE sells an XML-compliant guard. In addition, the Security Assertion Markup Language is emerging as a cross-domain authentication standard for Web services.
"In the intelligence community, we've gone forward with XML, and we set up XML standards," Morrison said. "We've never had XML cross-domain solutions before [that can handle XML tagging and filter based on that standard]," Morrison said. "We're seeing the shift into the marketplace."
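As an added illustration of the tag-based filtering an XML guard performs before releasing data toward a lower domain (example code written for this edit, not BAE's or any other vendor's guard software): every element carrying a classification label that the destination domain does not dominate is pruned, and an unlabelled document is refused outright. The attribute name, the level names and the "TS//SI/TK" label syntax are assumptions, and the sample report is constructed.

```python
"""Label-based XML release filter for a cross-domain guard (added example)."""
import xml.etree.ElementTree as ET

# Hierarchical levels, lowest to highest (assumed naming, not from the article).
LEVELS = {"U": 0, "CUI": 1, "S": 2, "TS": 3}

# Constructed sample: a secret-level report with mixed-label children.
# <note> carries no label and therefore inherits its parent's.
REPORT = """<report classification="S">
  <summary classification="U">Bridge inspected, no damage.</summary>
  <sensor classification="S">Radar track 42</sensor>
  <source classification="TS//SI">HUMINT detail</source>
  <note>Analyst comment</note>
</report>"""


def parse_label(text):
    """'TS//SI/TK' -> (3, {'SI', 'TK'}); bare 'S' -> (2, set()).
    An unknown level raises KeyError, so the guard fails closed."""
    parts = text.strip().split("//", 1)
    level = LEVELS[parts[0]]
    comps = {p for p in parts[1].split("/") if p} if len(parts) > 1 else set()
    return level, comps


def dominates(dest, label):
    """Destination may receive the element iff its level is at least the
    element's level and it holds every compartment the element is marked with."""
    return dest[0] >= label[0] and dest[1] >= label[1]


def filter_for_domain(xml_text, dest_label, attr="classification"):
    """Return the XML with every non-dominated element removed, or None if
    the whole document must be withheld. Unlabelled roots are rejected."""
    root = ET.fromstring(xml_text)
    if root.get(attr) is None:
        raise ValueError("unlabelled root: refusing to release")
    dest = parse_label(dest_label)

    def prune(elem, inherited):
        effective = elem.get(attr, inherited)      # child inherits parent label
        if not dominates(dest, parse_label(effective)):
            return False
        for child in list(elem):
            if not prune(child, effective):
                elem.remove(child)                  # strip what dest may not see
        return True

    if not prune(root, root.get(attr)):
        return None
    return ET.tostring(root, encoding="unicode")


def released_tags(xml_text, dest_label):
    """Tag names that survive the filter, in document order (None if withheld)."""
    out = filter_for_domain(xml_text, dest_label)
    return None if out is None else [e.tag for e in ET.fromstring(out).iter()]
```

Note that a destination at TS without the SI compartment still loses the <source> element: dominance is checked on compartments as well as level.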
For example, intelligence data exchange in the law enforcement and counterterrorism arena has benefited from the increasing adoption of the Global Justice XML Data Model (GJXDM), a framework developed in recent years under Justice Department auspices.
Justice's data exchange standard plays a critical role in systems such as the FBI-sponsored Law Enforcement Online network that is deployed nationwide to link interagency Joint Terrorism Task Forces and state and local police forces. The GJXDM also governs the Regional Information Sharing System Network, a law enforcement system funded largely by Justice and controlled by six regional coalitions of police agencies.
In one implementation of the Justice-sponsored data model, the New Jersey State Police are using it with Crossflo CDX to standardize law enforcement terms in a master name index shared among counties, municipalities and the state (more than 600 agencies in all).
Without GJXDM, "we would still be arguing about fields and whose definition are we going to use," said Chris Rein, a state police special investigator and IT program manager. "Now we have a standard that we can all look at."
Rein said the state is building a Java-based SOA that handles role-based access control and user credentialing over a private network. He added that GJXDM has allowed the state to share gang-related data with another state, and several counties to pilot links to the National Information Exchange Model and the FBI's NIEM-based National Data Exchange.
The SOA and XML models embedded in those law enforcement systems figure prominently in the technological work of the Information Sharing Environment, an agency that reports to the ODNI. ISE systems architects have defined architecture requirements that apply to new systems in about 20 agencies with primary responsibilities for counterterrorism work.
OMB enforces the ISE technology requirements, including their SOA features, via the Form 300 submissions that federal agencies must provide before receiving funding for new systems.
Despite such progress, cross-domain interfaces remain an esoteric technology struggling to go mainstream. "We're, at best, at the 20-yard line," Hammersla said.
David Essex is a freelance technology writer based in Antrim, N.H. GCN deputy news editor Wilson P. Dizard III contributed to this article.