Military Communications and Information Technology: A Trusted ...
Chapter 4: Information Assurance & Cyber Defence

… it is recommended that NATO address the following categories of federation standardization aspects:

• Federated authentication standards, to provide input on which standards should be used for authentication among federated domains;
• Attribute exchange standards, to provide input on which standards should be used to conduct and control attribute exchange among federated domains;
• Security standards, to provide input on the coherent protection mechanisms to be applied in order to achieve the same protection level across the whole federation;
• Federation-specific profiles, to provide input on what a federation profile should specify.

Depending on which NATO scenario is considered (NATO Enterprise vs. Alliance), the specific decisions in all four identified areas may vary. Under the ACT Program of Work, several service interface profiles (SIPs) have been proposed that should be utilized in the NATO federated identity and access service architecture specification.

IV. Conclusions

Achieving a successful implementation of the federation capability depends strongly on IdM governance, which is currently missing in NATO, so that centralized administration of I&AM can replace the many ad hoc solutions in place at present. IdM governance must include rigidly defined processes, supported by appropriate regulations in NATO policy. The approach to a cross-organizational authentication and authorization solution proposed in this paper provides the foundations for a technical implementation of federation capabilities in the NATO NII. It is not meant to replace the main authentication mechanism, based on Kerberos, currently in use in NATO systems. Federation solutions are only meant to enhance the local authentication mechanism in the user’s governance realm, in support of an information sharing capability across network and organizational boundaries.

This enhancement aspect (as opposed to replacement) is very important for a proper understanding of how the federation capability should be utilized in NATO. In this context, it should also be noted that the authentication method used in a user’s “local” environment has no impact on the overall approach presented in this paper. Therefore, there is no contradiction between having the federation capability built into the core functionality package of NATO systems and, for example, the strong authentication capability required by the IA community through the Cyber Defence Action Plan [9]. It should be noted that the strong authentication capability in the NATO Enterprise is desired but insufficient to meet collaboration requirements in a complex user and information assets environment. The federation capability adds user authentication provisioning functionality, utilizing component-to-component authentication based on asymmetric cryptography techniques (X.509 certificates), and therefore it should be considered an integral part of the future NATO I&AM framework.

Finally, there are two sides to the “information asset protection coin”, i.e. information asset “Access” and “Release”. Both are equally important in more challenging scenarios, such as operations across security domains. This paper addresses providing the full capability for “Access” to an information asset, which is what is expected from Identity Management as colloquially understood. Once the “Access” capability is in place, however, it becomes apparent that it is insufficient to support the conduct of operations in a complex collaboration environment, as the “Release” aspect of information assets also has to be covered. Therefore, research should also be directed at the challenges of information object tagging, normally provided through labelling mechanisms.

References

[1] NC3B, “The NATO Identity Management Framework”, EAPC(AC/322-SC/4)N(2009)0002, March 2009.
[2] NC3B, “NATO Identity Management Strategic Plan”, AC/322-D(2010)0054, December 2010.
[3] NC3B, “Information Assurance Technical and Implementation Directive on Security Management Infrastructure (SMI)”, AC/322-D(2010)0055-AS1, January 2011.
[4] ACO, “Alliance Operations and Missions (AOM) Federated Identity and Access Management (AIDAM) Capability Strategy”, 3800/SPTCIS/CFOISM/2011/94 – TT280649, June 2011.
[5] R. Malewicz, M. Lehmann, “A Coherent Approach Towards NATO-Wide Identity and Access Management Concept”, NC3A RD 3266, July 2011.
[6] R.B. Arkis, M.J. Diepstraten, “Operational View and System View for an Alliance Information Infrastructure at NATO Restricted Classification Level”, NC3A RD 2659, July 2008.
[7] M. Lehmann, R. Malewicz, “Concept and Architecture for Identity Management Test Campaign”, NC3A RD 2909, December 2009.
[8] Burton Group, “Federated Identity – Reference Architecture Decision Point”, G00206782, December 2010.
[9] NATO Security Committee, “NATO Cyber Defence Action Plan”, AC/35-N(2011)0003, August 2011.
[10] OASIS, “eXtensible Access Control Markup Language (XACML) Version 2.0”, February 2005.
[11] TSCP, “Identity Federation Assertion Profile v.1.2”, 27 March 2012.
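The “Access” versus “Release” distinction drawn in the conclusions above, together with the component-to-component trust check on partner-issued assertions, as an added Go example that is not part of the paper: a relying party verifies a signed attribute assertion against its federation trust store, then evaluates Access (role) and Release (classification and releasability label) as separate decisions. The partner domain name, the attribute set, the clearance scale and the use of an ed25519 key in place of the partner’s X.509 certificate are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Assertion carries the attributes a user's home domain asserts after authenticating the user
// locally; it is what the attribute exchange between federated domains transports (constructed).
type Assertion struct {
	Issuer      string `json:"issuer"`      // federation partner domain that issued the assertion
	Clearance   int    `json:"clearance"`   // constructed ordinal scale: 0=UNCLASSIFIED .. 3=SECRET
	Nationality string `json:"nationality"`
	Role        string `json:"role"`
}
// Label is the information object's tagging: classification plus a releasability marking.
type Label struct {
	Classification int
	ReleasableTo   map[string]bool // nationalities the object may be released to
	RequiredRole   string
}
// TrustStore maps each federation partner to its signing key; the ed25519 public key stands
// in for the partner's X.509 certificate as the component-to-component trust anchor.
type TrustStore map[string]ed25519.PublicKey

// VerifyAssertion accepts only assertions a known partner signed over the exact payload received.
func VerifyAssertion(ts TrustStore, payload, sig []byte) (a Assertion, err error) {
	if err = json.Unmarshal(payload, &a); err != nil {
		return Assertion{}, err
	}
	if pub, ok := ts[a.Issuer]; !ok || !ed25519.Verify(pub, payload, sig) {
		return Assertion{}, errors.New("untrusted issuer or bad signature")
	}
	return a, nil
}

// Decide chains trust, "Access" and "Release"; passing the Access check alone is not enough.
func Decide(ts TrustStore, payload, sig []byte, l Label) string {
	a, err := VerifyAssertion(ts, payload, sig)
	switch {
	case err != nil:
		return "DENY: " + err.Error()
	case a.Role != l.RequiredRole: // Access side: may this subject reach the object at all?
		return "DENY: access"
	case a.Clearance < l.Classification || !l.ReleasableTo[a.Nationality]: // Release side
		return "DENY: release"
	}
	return "PERMIT"
}
```

A subject who passes the role check but whose nationality is absent from the releasability marking is denied at the Release step, which is the gap the paper says labelling mechanisms must close.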