Content Based Information Security

1
(No Transcript)
2
Multinational C4ISR ConferenceInformation
Sharing Challenges in Multinational
Environments29 September 2009
Content Based Information Security
Advanced Concept Technology Demonstration
3
Information Sharing Challenge

• Current Situation
• US/NATO and Coalition forces cannot exchange
  information over networks
• Separate networks are built for each new member
• Very resource intensive
• Requires Sneaker Net
• Coalition operations require a new secure
  networking paradigm
• Must secure information not networks

Network Centric Security Solutions Prevent the
Seamless Sharing of Information among
Multinational Partners.
4
CBIS The Solution

• Integrate
• Marking/Labeling
• Information marked and labeled based on contents
• Labels bound to the information
• Information encrypted based on bound label using
  NSA approved key management
• IA A
• Strong identification, authentication, and
  authorization
• Identifies Users and their security attributes
• Requires something they have (Token), know (Pin)
  and are (Fingerprint)
• Access
• Share information based on a match between the
  content label and the users security attributes

Information encrypted based on its content not
the network.
5
So What?
Information sharing not restricted by separate
physical networks

• Operationally
• Single Network Infrastructure solution reducing
  manpower and complexity
• Provides commander flexibility to exchange
  information between US/NATO and other
  multinational members
• Information protected at the point of origination
  reducing inadvertent disclosures and compromises
• Controlled information access
• Read (decrypt) information at multiple
  sensitivity levels
• Write (encrypt) at a single sensitivity level
  from a single workstation using assured periods
  separation techniques, (partitioning, multiple
  CPUs, virtual drives, etc.)
• Technically
• NSA approved hardware (Type 1) encryption at the
  workstation
• Symmetric encryption providing a one-to-many
  capability with asymmetric header encryption for
  access control
• Provides NSA approved dynamic key management
  system
• Strong Identification, Authentication
  Authorization (IAA) based on a Token, PIN, and
  Biometrics

6
Warfighter Support
Allied Partners
UNCLASSIFIED
7
Unique CBIS Features

• Ability to share data with coalition partners
  using a rule-based access controlled system as a
  high assurance network overlay
• Ability to mark, label and encrypt
  files/documents at different security levels and
  partitions
• Ability to control publishing of data to
  coalition server
• Ability to use common (commercial) operating
  systems and applications (MS office, email, any
  standard network application)
• Ability to control access to workstations using
  an assured process that incorporates three
  factors
• Token something they have
• PIN something they know
• Biometrics something they are

8
CBIS Overview
A Network Encryption
US Author
Partner A Reader
CBIS Virtual Networks
US-only Network Encryption
B Network Encryption
US Publisher
Partner B Author
IPSec

• Files metadata are encrypted on the
  workstation, then unencrypted metadata is
  attached
• Data in transit between workstations and server
  is encrypted
• Foreign disclosure rules enforced via two-step
  author publisher process

CBIS Security Manager (CSM)
Network only encryption (data in transit)
9
Impact on Existing Networks

• CBIS requires an existing network infrastructure
  to provide OSI layer 1, 2 and 3
• There is no logical interface with existing
  network infrastructure
• CBIS virtual networks provide IP layer encryption
  using High Assurance IP Encryption (HAIPE)
  standards established with the NSA
• CBIS unique network components remain isolated
  using high assurance IP encryption
• Network traffic may increase during login phase
  to support cryptographic key exchanges
• Exact network traffic increases are TBD
• The following CBIS unique components will be
  physically attached to existing networks
• Security Manager
• Encrypted Object Server
• Encrypted Mail Server
• Security Component (in-line with existing NIC)

10
Impact on Existing Workstations

• CBIS unique hardware components
• CBIS Security Component (CSC)
• CBIS Authorization Terminal
• CSC and CAT will be certified to operate up to
  and including TS/SCI under the NSA Unified
  INFOSEC Criteria (UIC)
• Uses network interface between legacy workstation
  and CSC
• CBIS unique software components include
• File system interface to enforce encryption
  process
• Marking of MS Office products
• Labeling and metadata creation for all file
  objects
• Boot loader interface to control periods
  processing
• Graphic I A (GINA) interface for login control.
  (Login controlled through CSC and CAT)

11
Content Based Information Security
Advanced Concept Technology Demonstration

• Points of Contact

Operational Manager MAJ Scott Mitchell,
USJFCOM 757-836-0461 logsdon_at_jfcom.mil Technica
l Manager Ms. Gloria Mobery, V24 NSA Program
Manager 410-854-7262 gdmober_at_missi.ncsc.mil NS
A Technical Director Ronald A. Jeter,
V21 410-854-7991, rajeter_at_missi.ncsc.mil Prime
Contractor Richard Wade, ACS - Synetics,
858-560-6200 wade_at_sd.synetics.com Crypto
Component Bill Menter, ViaSat,
Inc. 760-476-2523 bmenter_at_viasat.com
http//cbis.sd.synetics.com
12
Discussions