Bringing it all together

SOA design plays a key role in paring down secret data-sharing links

At the 2007 JavaOne conference, John Weeks, senior software engineer at Sun Microsystems Federal, showed how to set up a multilevel security system that could share information across networks of different classification security levels using an application server, standard Web services and a set of experimental label-aware Java classes.

The goal in setting up information exchange that accommodates multiple security levels is to allow individuals in the higher security settings to look at information tagged with lower ratings, and yet not allow individuals operating in these lower security networks to use that connection to access more sensitive material.

In this case, Weeks showed a single computer running four Trusted Java Desktop System workspaces, each at a different security level: public, internal, need-to-know and restricted.

Each workspace ran a copy of the Firefox browser. For demonstration purposes, Weeks ran all four copies of the browser within a single workspace, though the actions of each remained restricted to its own security level thanks to the labeling capability of the Solaris operating system.

In this scenario, the public information would be available to anyone with access to the network. Information encoded as internal would be restricted to a smaller set of individuals, need-to-know information would be even more restrictive, and restricted would provide the highest sensitivity level of all. Each browser window represented what the user of its security level would see.

For this demonstration, Weeks created a sample document with each paragraph tagged with one of these four security levels. In the intelligence world, this approach is often called creating tearlines.

In this system, the document would appear differently depending on what level of access the requester of that document had. The document from a public access level would only show a few permitted sentences. Someone with internal privileges would see more material than was presented to the public user, though not as much as the person with need-to-know access would see. Those with restricted access would see the entire document.

How did this setup work? Who sees what is decided by the combination of an application server and a credential checker that sits between the user and the document. An authentication agent using the Extensible Access Control Markup Language checks the credentials of the requester of the document and passes the approval on to the application server. The application server then parses the requested document and passes along only information the requester is allowed to see.

'I was using the label from the browser connection to determine the level of access,' Weeks said later. 'This was done to simplify the demo environment. In a real deployment, user credentials would be included with the level of the network connection to determine access.'
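The read-down rule described above, shown as an added example rather than code from Weeks' demo or Sun's label-aware classes: a document whose paragraphs each carry one of the four labels is filtered so that a requester sees only the paragraphs at or below the requester's level, and, as Weeks notes for a real deployment, the effective level is the lower of the user's credential and the label of the network connection the request arrived on. The XML element and attribute names, the spelling of the labels, the sample document and the fail-closed handling of untagged paragraphs are assumptions made for this example, which is written in Python rather than the demo's Java.

```python
"""Tearline filtering by sensitivity label (added illustration).

Constructed example: labels, XML layout and sample text are assumptions,
not the data or classes from the JavaOne demonstration.
"""
import xml.etree.ElementTree as ET

# Linear label lattice, lowest first; a higher index dominates every lower one.
LEVELS = ("public", "internal", "need-to-know", "restricted")
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(subject_label, object_label):
    """True if a subject at subject_label may read data tagged object_label."""
    if subject_label not in RANK or object_label not in RANK:
        raise ValueError(f"unknown label: {subject_label!r} / {object_label!r}")
    return RANK[subject_label] >= RANK[object_label]


def effective_label(user_clearance, connection_label):
    """Level used for the access decision in a real deployment: the lower of
    the user's credential and the label of the network connection, so a
    session can never read above the network it came in on."""
    if user_clearance not in RANK or connection_label not in RANK:
        raise ValueError("unknown label")
    return min(user_clearance, connection_label, key=RANK.__getitem__)


# Constructed sample: one label per paragraph (the tearline layout), plus
# one paragraph with a label outside the lattice and one with no label.
SAMPLE_DOC = """<document title="Harbor survey">
  <para label="public">A vessel was observed entering the harbor.</para>
  <para label="internal">The sighting was logged at 06:40 local time.</para>
  <para label="need-to-know">Hull markings match a vessel tracked last month.</para>
  <para label="restricted">The report is based on a sensor on pier 4.</para>
  <para label="secret">Mislabelled paragraph using a label not in the lattice.</para>
  <para>Paragraph with no label at all.</para>
</document>"""


def filter_document(xml_text, requester_label):
    """Return (label, text) for each paragraph the requester may read.

    Paragraphs whose label is missing or not in the lattice are withheld
    (fail closed) rather than being treated as public.
    """
    if requester_label not in RANK:
        raise ValueError(f"unknown requester label: {requester_label!r}")
    root = ET.fromstring(xml_text)
    released = []
    for para in root.iter("para"):
        label = para.get("label")
        if label not in RANK:
            continue  # untagged or mislabelled content is never released
        if dominates(requester_label, label):
            released.append((label, (para.text or "").strip()))
    return released


def tearline_view(xml_text, requester_label):
    """Render the released paragraphs as a new XML document that keeps each
    paragraph's label and records the highest label it contains, so the
    consumer can mark the cut-down copy correctly."""
    released = filter_document(xml_text, requester_label)
    highest = max((lbl for lbl, _ in released), key=RANK.__getitem__, default=LEVELS[0])
    view = ET.Element("document", {"label": highest, "released_to": requester_label})
    for label, text in released:
        ET.SubElement(view, "para", {"label": label}).text = text
    return ET.tostring(view, encoding="unicode")


if __name__ == "__main__":
    for level in LEVELS:
        print(f"--- requester at {level}: {len(filter_document(SAMPLE_DOC, level))} paragraph(s)")
        print(tearline_view(SAMPLE_DOC, level))
    # A need-to-know user connecting over the internal network is served at internal.
    print("effective level:", effective_label("need-to-know", "internal"))
```

The decision point is `dominates`, which is the only place the ordering of labels is consulted; everything else (the parser, the renderer, the credential/connection combination) feeds it a pair of labels. Keeping the check in one function is what makes the server's "pass along only what the requester may see" behaviour auditable.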

This approach isn't limited to text documents, either. Weeks offered a second example using a photograph. The public viewer saw a very small photograph of what appeared to be an almost completely submerged submarine. The Internal tab offered a slightly larger rendition with some annotation, need-to-know access provided some additional resolution and annotation, and restricted access provided the largest version with the highest resolution and most complete annotation.

The source was a single photograph which was scaled and annotated according to the requester's security level.

Of course, in a working system, all the information would need to be tagged, either by hand or through an automated method of some sort. Multilevel-security systems such as Solaris 10 with Trusted Extensions can recognize sensitivity labels such as the hypothetical ones Weeks developed and apply the appropriate mandatory access control rules. Weeks also developed a set of experimental Java classes that would allow external Java programs to recognize such labeling.

For more information on Weeks' setup, along with links to the Java interfaces and (eventually) some sample servlet code, see GCN.com/778.

Joab Jackson

'The technology is probably here today, but putting it all through C&A is probably a long pole in the tent.' (Bill Vass, Sun Microsystems Federal)

Rick Steele

For decades, the Defense Department and intelligence agencies cultivated a garden of specialized technologies that shifted classified data (typically files, text chat and e-mail) across security classifications and network domains.

As a result, there are now more than 800 of these cross-domain interfaces, most of them customized. They range from simple sneakernet arrangements, where data is carried by hand from one machine to another, to network interface cards with dedicated 'high side' and 'low side' connections that bridge highly sensitive and less sensitive networks.

To simplify matters, the intelligence community, the Pentagon and their information technology vendors are whittling this unruly rabble of cross-domain interfaces (many based on proprietary hardware) down to a cadre of some two dozen software-based, platform-independent entities.

'We see it as a very, very good step,' said Michael Ryan, senior vice president of sales and marketing at Crossflo Systems, maker of DataExchange cross-domain middleware. 'It's more effective for us to be able to standardize on a smaller set of technologies.'

Getting to a simpler set of technologies, however, may require some work, given the wide range of what is offered now.

Get in line

Simplification of the cross-domain offerings has been in the works for at least a year.

The chief intelligence officers of the Pentagon and the Office of the Director of National Intelligence (ODNI) created the Cross Domain Management Office (CDMO) in March 2006 to choose a baseline group of the cross-domain entities and mandate their exclusive use. The tentative result is a baseline set of about 15 cross-domain interfaces and 10 exceptions covering special cases.

More than 750 cross-domain interface projects won't make the cut. The Pentagon and the intelligence community plan to eliminate funding for the interfaces that don't graduate to the baseline list and send that money to the remaining projects, officials said.

Several interface vendors interviewed recently sounded unsure of the role of the CDMO in setting standards, yet most agreed that the sharp reduction in approved interfaces will simplify agencies' choices.

Still, consolidation is not standardization. The vendors noted that several of the interfaces on the baseline list are still government off-the-shelf systems developed in-house, some others are the commercial variety, and some are hybrids.

That's not to say there is no cross-vendor interoperability, or at least 'seamless co-existence,' said Ed Hammersla, chief operating officer at Trusted Computer Solutions, a maker of fat- and thin-client desktop systems and other products used in several systems that have already been approved for inclusion in the baseline list.

'A government buyer could purchase three or four solutions from the approved list, and they would interoperate to solve his problem,' Hammersla said.

Special needs

Hammersla said three technologies dominate the cross-domain arena.

Data transfer devices move data between domains at different security levels. The various levels and flavors of top-secret information, for example, are grouped as the top-secret fabric; comparable fabrics of classified domains operate at the secret and sensitive-but-unclassified levels.

Some domains include foreign agencies and military units, and some cross-domain interfaces exchange data among several such communities of interest.

But the CDMO does not include direct representation from any foreign government, officials said. CDMO leaders decided that if they allowed even one foreign intelligence service to participate in its deliberations, excluding others would become too difficult.

The data transfer devices include high-assurance guards, which shift data only in one direction ' for example, from sensitive-but-unclassified or controlled-unclassified information to the secret or top-secret levels and higher.

Data transfer devices often specialize in a particular data type, such as text messages and chat, or graphics files containing, say, digital photos of sensitive sites. The specialized guards often cannot handle other types of intelligence data, such as radar tracks, officials said.

Data diodes are another type of data transfer device. They are fiber-optic network entities that sit between two servers.

'The idea is that you have enforcement of the one-way policy at both endpoints, rather than a firewall box in the middle,' said Ron Mraz, president and chief technology officer at OWL Computing Technology, who said the company's Dual-Diode technology is the only point-to-point system on the baseline list.

The second category of cross-domain interfaces, access devices, consolidates data from different secure networks onto a single screen. Access devices can take the form of a fat client, such as a desktop PC with several network interface cards, or a thin client displaying data from a central server.

The third and final category of the interfaces covers multilevel security systems. MLS entities attempt to segregate security levels primarily through specialized software running on servers and desktops.

Cross domain for the masses

In recent years, federal computer users increasingly have replaced proprietary, hardware-intensive systems with software that runs on a wider variety of dedicated platforms, and subsequently on generic desktop PCs and servers.

Not surprisingly, trusted versions of three enterprise operating systems form the core of today's CDMO-approved cross-domain interfaces. The three operating systems also underpin emerging, more broadly distributed entities for sharing classified information.

The three operating systems already approved for such use, Hammersla said, are Sun Microsystems' Trusted Solaris; Security-Enhanced Linux (SELinux) supported by vendors such as Red Hat; and BAE Systems' Secure Trusted Operating Program (STOP).

Two types of trusted

Bill Vass, president and chief operating officer at Sun Federal, said trusted OSes take two main approaches to security: trusted extensions and labeling, and type enforcement. He said Sun has placed its initial bet on the latter, and Solaris 10 with Trusted Extensions is undergoing testing for Common Criteria certification, a required security approval.

Trusted Extensions allow as many as 8,000 security 'zones' or containers, each with its own IP address and security level, in a single instance of Solaris. 'You can have on the same server an unclassified domain, a classified domain and a top-secret domain,' Vass said.

Sun executives are considering adding type enforcement, a more granular approach used in SELinux, to their OS, but Vass added that his company is also considering adding it to its Java language because it sees merit in both. 'The issue is implementing them in a cross-domain system,' Vass said.

Widely available commercial software, such as virtual private networks, is increasingly part of the cross-domain equation. Mraz said he has seen DOD and intelligence prototypes of encrypted 'tunnels' that talk with top-secret networks.

The VPN approach also figures in systems built by Verizon Business Federal. The Ma Bell descendant, which claims security-conscious three-letter agencies among its customers, now uses federated user-rights directories, firewalls at each endpoint and an assortment of standard encryption technologies, including public-key encryption, to manage access to domains that share closed private networks.

Bill Edwards, Verizon's chief scientist, said one military customer uses his company's service to process digital photos of military installations through third-generation cellular and satellite-radio networks. 'That picture would have an authentication, its own digital signature,' Edwards said.

Software-only and commercial solutions, however, might never completely meet the needs of top-secret agencies, some specialists in the field say.

'The problem is, when you get into [Common Criteria Evaluation Assurance Level] 4 and higher, then often the hardware has to get pulled into the evaluation,' said Andrew Earle, manager of solutions development at BAE Systems, which makes several cross-domain interfaces, including a guard on the baseline list.

There are a total of seven EALs, but foreign governments recognize only the lowest four, specialists in the field say.

But a new federal commercial offering from three prominent players seeks to upend that notion. The Secure Information Sharing Architecture is a joint venture of Cisco Systems, Microsoft, EMC and two smaller vendors. SISA combines Cisco network infrastructure, EMC storage and Microsoft OS and collaboration software to manage not only secure physical access but also Extensible Markup Language data and applications on familiar desktop and mobile devices.

'Any technology that does authentication will work with this architecture,' said Chris Shenefiel, Cisco's federal government industry solutions manager. With SISA, communities of interest could communicate over their own dedicated virtual local-area networks, Shenefiel said.

SISA's proponents have high hopes, claiming it could eventually replace the specialized cross-domain interfaces. 'In the near term, there will be a niche market for the high-assurance guards, especially at the high-security level,' said Eric Rosenkranz, Microsoft's public-sector industry manager.

Microsoft's Active Directory lies at the heart of SISA. For example, Cisco uses it to centralize authentication.

But the initial version of SISA, which customers are beta-testing now, works only in a single environment. 'This is not multilevel security,' Rosenkranz said. 'I would call it a significant improvement to role-based collaboration security, at a single classification level.' A federated version should be announced this summer, he said.

Although CDMO's consolidation project is gradually steering agencies to interoperable commercial systems, 'there has been no policy-setting body that has said, "Here's all the attributes we're looking for,"' said Dave Graham, OWL's vice president. He added that his company's Dual-Diode interface can carry any kind of data because it operates at the asynchronous transfer mode level. In addition, hardware-based enforcement lets it work with several operating systems, Graham said.

'There really has been no vendor who has stepped [in] to put together the true, commercial cross-domain solution that covers all the attributes necessary,' Graham added.

The CDMO's role aside, the industry is using standards that could aid cross-vendor interoperability. For high-assurance guards, which can do their job of passing data from one domain to another unassisted, interoperability is a nonissue. 'Usually there's one guard, and you don't want to mess around with putting another one in,' Earle said.

Vass named a specialized form of service-oriented architectures, trusted SOAs, as the holy grail that most agencies seek. The building blocks of such systems are available today, with Sun claiming numerous technology demonstrations, Vass said.

He cited an example of a visual Web service for imagery that requires high security clearances. 'These visual Web services are available to you based on how strongly you authenticate,' Vass said, adding that the trust goes both ways.
'You have to be able to trust the service, too,' Vass continued. 'Let's say I created a service called GetTarget. Would that be available to all levels [of security] and they only see information based on that, or would it only be available to top-secret people? All of these concepts are in the SOA definitions that we've put together.'

Sun technologists hold that SOAs could handle current security needs. 'You would publish the services based on the risk of the services and the role of who should get it,' Vass said. Users 'would use their identities to log on to all the domains they have access to, and people would publish services at the different levels.'

But the migration to SOA creates additional security concerns. 'It's no longer just that single box,' said Mark Morrison, chief information assurance officer at the Defense Intelligence Agency.

'As we move to an SOA type of arrangement, we don't have a standard set of processes,' he continued. 'The certification and accreditation and risk assessment process to effectively address that is [still] evolving.'

The ODNI technology leadership recently announced the results of a months-long process to reform C&A requirements and related intelligence security criteria, officials said.

Certification involves confirming that a cross-domain interface, or any system handling classified data, meets Common Criteria requirements under testing authorized by the National Information Assurance Partnership. Accreditation is a primarily legal and policy evaluation of whether a system meets the standards in a specific environment.

Vass agreed with Morrison's viewpoint. 'The technology to do all that is probably here today, but putting it all through C&A is probably a long pole in the tent. The low-hanging fruit while we're doing all that is to have a trusted desktop that gives you access to all these domains.'

DNI's chief information officer organization recently orchestrated a wide-ranging reform of the C&A process that began with an open call for advice on the topic from the general public worldwide and concluded with the release of several changes to federal IT security rules. The policy reform generated a consolidated definition of the protection levels (PLs) that regulate the handling of various forms of classified data across federal agencies, as well as the C&A changes.
The PL reform was greeted enthusiastically by vendors who previously had struggled with incompatible rules used by the Pentagon, the intelligence community and civilian agencies that are required to follow procedures mandated by the National Institute of Standards and Technology.

But the recently adopted C&A reforms are just now gaining traction across the dozens of agencies that will have to put them into effect, officials said.

In XML we trust

Industry-specific variants of XML are becoming the common language that allows cross-domain information sharing across agencies, specialists in the field say.
Earle said XML, through its tagging capabilities, can also handle the security requirements. He added that BAE sells an XML-compliant guard. In addition, the Security Assertion Markup Language is emerging as a cross-domain authentication standard for Web services.

'In the intelligence community, we've gone forward with XML, and we set up XML standards,' Morrison said. 'We've never had XML cross-domain solutions before [that can handle XML tagging and filter based on that standard],' Morrison said. 'We're seeing the shift into the marketplace.'

For example, intelligence data exchange in the law enforcement and counterterrorism arena has benefited from the increasing adoption of the Global Justice XML Data Model (GJXDM), a framework developed in recent years under Justice Department auspices.

Justice's data exchange standard plays a critical role in systems such as the FBI-sponsored Law Enforcement Online network that is deployed nationwide to link interagency Joint Terrorism Task Forces and state and local police forces. The GJXDM also governs the Regional Information Sharing System Network, a law enforcement system funded largely by Justice and controlled by six regional coalitions of police agencies.

In one implementation of the Justice-sponsored data model, the New Jersey State Police are using it with Crossflo CDX to standardize law enforcement terms in a master name index shared among counties, municipalities and the state, more than 600 agencies in all.

Without GJXDM, 'we would still be arguing about fields and whose definition are we going to use,' said Chris Rein, a state police special investigator and IT program manager. 'Now we have a standard that we can all look at.'

Rein said the state is building a Java-based SOA that handles role-based access control and user credentialing over a private network. He added that GJXDM has allowed the state to share gang-related data with another state, and several counties to pilot links to the National Information Exchange Model and the FBI's NIEM-based National Data Exchange.

The SOA and XML models embedded in those law enforcement systems figure prominently in the technological work of the Information Sharing Environment, an agency that reports to the ODNI. ISE systems architects have defined architecture requirements that apply to new systems in about 20 agencies with primary responsibilities for counterterrorism work.

OMB enforces the ISE technology requirements, including their SOA features, via the Form 300 submissions that federal agencies must provide before receiving funding for new systems.

Despite such progress, cross-domain interfaces remain an esoteric technology struggling to go mainstream. 'We're, at best, at the 20-yard line,' Hammersla said.

David Essex is a freelance technology writer based in Antrim, N.H. GCN deputy news editor Wilson P. Dizard III contributed to this article.
