Military Communications and Information Technology: A Trusted ...
362 Military Communications and Information Technology...

• At the NU/NR level, the NATO NII is much more fragmented than NS. A concept of the NATO Enterprise Business Network (EBN) at the NR level is aimed to change this situation. The Public Access Network (PAN), currently operating on the NU level, will be promoted to the NR level, constituting the core of the future EBN. It will not be done overnight, however.

B. Two-dimensional NATO view

Considering the governance realm aspect, which is particularly relevant when considering different federation scenarios, NATO can be seen in a two-dimensional view [7]:

• “NATO as an Enterprise” – consisting of NATO Headquarters (HQs), agencies, and other internal bodies, all together constituting a NATO enterprise;
• “NATO as an Alliance” – understood as a federation of (currently) 28 NATO member nations, NATO partners (nations/international organizations/industry), and the NATO enterprise itself.

Depending on which NATO view is being considered, there are different requirements for the NATO identity and access services, which have an impact on the ultimate solution.

III. Federated I&AM architecture decision points

Taking into account the complex structure of the NATO NII in both the NU/NR and NS environments, it is proposed to use a Web-based federated approach for development of the NATO I&AM architecture. Typically, eight decision filters are followed to decide how to implement federation in a way that meets the organization’s requirements [8]. These decision points are:

• Identity Production and Consumption,
• Federation Topology,
• User Identification,
• Operational Security,
• Trust Relationships,
• Attributes,
• Compliance,
• Standards.

A. Identity production and consumption

As in [8], after validating the applicability of the federation scenario, two key identity roles can be identified in the federated identity environment, and at least one of them must be applied to the domain:
Chapter 4: Information Assurance & Cyber Defence 363

• Identity Producer, known as an Identity Provider (IdP) – if the domain’s user identities must be asserted to other domains for access to “foreign” resources;
• Identity Consumer, known as a Relying Party (RP) – if applications in a domain must identify users from other domains.

The NATO Bi-SC AIS domains in both the NU/NR and NS security zones will act as both an IdP and an RP simultaneously. The decision about the roles of other domains federated with Bi-SC AIS will be taken at the implementation stage, after a thorough analysis of the business model of the domain joining the federation.

B. Federation topology

There are three basic topology models applicable to a Web-based federation [8]:

• Point-to-point,
• Hub,
• Network topology (shared federation services).

The federation topology has a significant impact on the overall governance posture of the identity and access services. Therefore the options have to be analysed very thoroughly. Federation between NS and NU/NR is not achievable nowadays, as long as policy restrictions limit the possible interconnection between those security domains to data-diode based solutions (Figure 1). Therefore, NS federation with NU/NR networks is not considered a valid scenario in this study. However, a tendency can currently be observed to launch integration processes at all levels of the NII. It is an indication of the long-term evolution path, giving solid foundations to anticipate federation scenarios that include enhanced forms of interaction between NS and NU/NR environments as well.

1) Federation Topology for NS Bi-SC AIS: a Two (+One) “trust broker topology” is the recommended approach (Figure 2). Normally, it is applied in scenarios with a more centralized infrastructure, such as the one that can be found in the Secret environment.
For a federation within the “NATO as an Alliance” scenario, it is not recommended to directly federate the NATO Trust Broker with components from domains that operate under a governance realm different from NATO, as it might raise security issues. In such a case a federation should be established through a component located in the NATO Enterprise NS Gateway Zone. From the NATO as an Enterprise point of view, this component would operate as:

• NS Federation Shadow for scenarios including direct interactions of the NATO-external partners (e.g. national, mission domains) with NATO enterprise NS domains;
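The role and topology rules above (each domain is an IdP, an RP or both; NS and NU/NR are joined only by data diodes, not federation; non-NATO realms reach NS only via the NS Gateway Zone component, never the Trust Broker directly) can be checked mechanically against a proposed federation graph. The following is an added example written for this page, not the paper's or NATO's code; the domain names, the `Domain` fields and the sample links are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model (not the paper's code) of the rules stated in the text:
# a domain must be IdP, RP or both; NS and NU/NR are never federated; and a
# non-NATO governance realm federates with NS through the NS Gateway Zone
# component, not directly with the NATO Trust Broker. Names are assumptions.

@dataclass(frozen=True)
class Domain:
    name: str
    classification: str   # "NS" or "NU/NR"
    realm: str            # "NATO", "national", "mission", "industry", ...
    roles: frozenset      # subset of {"IdP", "RP"}
    in_gateway_zone: bool = False  # component in the NATO Enterprise NS Gateway Zone

def validate_federation(domains, links):
    """Return findings for proposed links (pairs of domain names); [] means conformant."""
    by_name = {d.name: d for d in domains}
    findings = []
    for d in domains:
        if not d.roles & {"IdP", "RP"}:
            findings.append(f"{d.name}: must act as IdP, RP or both")
    for a, b in links:
        da, db = by_name[a], by_name[b]
        if da.classification != db.classification:
            findings.append(f"{a}<->{b}: NS and NU/NR interconnect only via data diode, not federation")
        elif da.realm != db.realm:
            # Cross-realm link: the NATO-side endpoint must be the gateway component.
            nato_side = da if da.realm == "NATO" else db
            if nato_side.realm == "NATO" and not nato_side.in_gateway_zone:
                findings.append(f"{a}<->{b}: external realm must federate via the NS Gateway Zone, not {nato_side.name}")
    return findings

def example_findings():
    # Constructed sample: NATO NS trust broker domain, NS gateway component,
    # a national NS domain, the NATO NU/NR domain and a partner with no role.
    domains = [
        Domain("BiSC-AIS-NS", "NS", "NATO", frozenset({"IdP", "RP"})),
        Domain("NS-Gateway", "NS", "NATO", frozenset({"IdP", "RP"}), in_gateway_zone=True),
        Domain("Nation-X-NS", "NS", "national", frozenset({"IdP"})),
        Domain("BiSC-AIS-NU", "NU/NR", "NATO", frozenset({"IdP", "RP"})),
        Domain("Partner-Y", "NU/NR", "industry", frozenset()),
    ]
    links = [("BiSC-AIS-NS", "Nation-X-NS"),   # trust broker exposed directly
             ("NS-Gateway", "Nation-X-NS"),    # conformant: via gateway zone
             ("BiSC-AIS-NS", "BiSC-AIS-NU")]   # cross-classification link
    return validate_federation(domains, links)
```

Running `example_findings()` yields three findings: the role-less partner, the direct Trust Broker link, and the NS to NU/NR link; the gateway-mediated link passes.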