Information Assurance for Map Services
Source: proceedings.ndia.org/jsem2007/4054_Tudan.pdf
JSEM 2007, May 23rd, 2007
Contact: Costi Tudan
ODUSD(I&E) BEI DISDI
2
Agenda
• Policy and Background
• Review Geospatial IA requirements
• Available IA Enterprise Services
3
Policy Drivers
• DoDD 8320.2 – “DoD will be net-centric”
• DoDI 8510.bb - DIACAP - “DoD Information Assurance Certification and Accreditation Process”
• DoDI 8500.2 – Information Assurance (IA) Implementation (DoDD 8500.1, DoDD 5025.1-M)
4
DODI 5210.52: Security Classification of Airborne Sensor Imagery and Imaging Systems
Imagery and Imagery-Derived Product Functional Classes
• Class 1: Intelligence
• Class 2: Mapping, Charting & Geodesy
• Class 3: Official Government Use
• Class 4: Unclassified Use
Imagery and Imagery-Derived Product Geographic Categories
• A: US, territories & possessions
• B: US legal interests overseas
• C: Sovereign foreign lands
• D: Non-sovereign foreign lands
[Figure: functional classes (Intelligence; Mapping, Charting & Geodesy; Official Government Use; Any Unclassified Use) shown against the geographic categories, with NGA and DISDI labels]
5
What is IA?
• Information Assurance – “information assurance solutions that will keep our information systems safe from harm” – NSA Information Assurance Directorate (IAD)
A definition: IA is the set of measures intended to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.
6
IA vs. OPSEC?
• BOTH!
• Must have both sound IA and OPSEC strategies
• OPSEC supplements IA
• OPSEC – analytic process
Operations Security (OPSEC) is an analytic process used to deny an adversary information - generally unclassified - concerning our intentions and capabilities by identifying, controlling, and protecting indicators associated with our planning processes or operations. OPSEC does not replace other security disciplines - it supplements them.
- Interagency OPSEC Support Staff
7
Organizational Strategies
• ASD/HD Homeland Defense
  – Critical Infrastructure Program
• NGA National Geospatial-Intelligence Agency
  – Project Homeland
• ADUSD/ESOH
  – Range Sustainment
  – Natural Resources
  – Environmental Restoration
All use geospatial data in a net-centric environment.
8
Geospatial Data IA/OPSEC Requirements
• Technically not different than other web services
• Complex OPSEC
• Data exchanges
  – GML data elements require rendering to be understood in context
  – Tabular data associates with feature geometry
• Important to control access and use
  – Digital Rights Management and Identity Management – emerging technologies
9
DISDI IA Coordination
ASD (NII) CIO
USD/Intelligence
National Security Agency, Information Assurance Division
• Portal Content
• Strategic Installation Picture
• Architecture strategy
10
Web Map Services
• Securing standards-based (WMS, WFS, WCS) map web services – similar to securing any web service
• Net-Centric Enterprise: Services Oriented Architecture (SOA)
  – A framework for Integrating GIS and Enterprise Systems . . . Open, Flexible and Standards Based Web Services & Messaging
• Net-Centric Enterprise Services
11
Web Map Services - Issues
• Appropriate use
  – Intended use of the data (consider OPSEC issues)
  – Emerging: GeoDRM
• Access Rights
  – Control who can access the data (establish “need to know”)
  – Identity Management, Role Based Access Control, GeoDRM
• Metadata
  – Information on all of the above to accompany each data set
  – Discover and understand
• Data maintenance
  – Keeping the data up-to-date and accurate
• Service levels
  – Level of availability that a user/subscriber can expect
  – Minimal guaranteed content
Very important for future of SOA
12
Security Layers and Mechanisms
Security Layers
• Application
• Data
• Host/Device
• Network/Device
• Physical security
Security Mechanisms
• Content Filters; Validation Checks; Secure Stored Procedures
• Authentication; Security Policy; Encryption; Audit; Access Control
• OS Security; Web Server Hardening; Host Intrusion Detection
• Device Access Control Lists; IP Sec Encryption; Firewalls; Network Intrusion Detection
• Physically control access; Secure facilities; Site location
13
DoD Global Enterprise Services Portal Framework
14
IA Enterprise Capabilities
• Policy Decision Service (PDS)
• Policy Retrieval Service (PRS)
• Policy Administration Service (PoAS)
• Certificate Validation Service (CVS)
• Principal Attribute Service (PrAS)
• Role Based Access Control (RBAC)
• Attribute Based Access Control (ABAC)
15
Enterprise Security
• DITSCAP now DIACAP
• CAC/PKI
• Identity Management
• Machine-to-machine messaging
• Service Security
16
What else can we use?
• COTS middleware (for securing map services at the application level)
• “home-grown” layer level security – role based access
• Access Control Lists
• Authentication using LDAP, Active Directory
• HTTPS 128-bit SSL
• Anti-Virus and Firewalls
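The “home-grown” layer-level, role-based access control listed above, sketched as an added example (not from the original slides): a gateway check that compares the layers named in a WMS request with the layers the caller's roles permit. The role names, layer names and the function `authorize_wms` are hypothetical, and authentication (for example CAC/PKI) is assumed to have happened upstream.

```python
from urllib.parse import parse_qsl

# Constructed policy: role -> layers that role may request (hypothetical names).
ROLE_LAYERS = {
    "public": {"basemap"},
    "installation_planner": {"basemap", "utilities", "range_boundaries"},
}
# Parameters that carry layer names, per WMS request type.
LAYER_PARAMS = {"GETMAP": ("LAYERS",), "GETFEATUREINFO": ("LAYERS", "QUERY_LAYERS")}


def authorize_wms(query_string, roles):
    """Return (allowed, reason) for a WMS query string and the caller's roles."""
    params = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        key = key.upper()  # WMS parameter names are case-insensitive
        if key in params:
            # Gateway and map server may disagree on which copy wins: fail closed.
            return False, f"duplicate parameter {key}"
        params[key] = value
    request = params.get("REQUEST", "").upper()
    if request not in LAYER_PARAMS:
        # Only request types this policy understands are forwarded.
        return False, f"unsupported request {request or '(missing)'}"
    permitted = set().union(*(ROLE_LAYERS.get(role, set()) for role in roles))
    for name in LAYER_PARAMS[request]:
        if not params.get(name):
            return False, f"missing {name}"
        denied = [layer for layer in params[name].split(",") if layer not in permitted]
        if denied:
            return False, f"layers not permitted: {','.join(sorted(denied))}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("SERVICE=WMS&REQUEST=GetMap&LAYERS=basemap", ["public"]),
        ("service=WMS&request=GetMap&layers=basemap,utilities", ["public"]),
        ("REQUEST=GetMap&LAYERS=basemap&layers=utilities", ["public"]),
        ("REQUEST=GetFeatureInfo&LAYERS=basemap&QUERY_LAYERS=utilities", ["public"]),
    ]
    for query, roles in samples:
        print(roles, query, "->", authorize_wms(query, roles))
```

Normalising parameter names and rejecting duplicates matters because a filter that inspects only an upper-case `LAYERS` key would pass a request the map server still honours.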
17
What can we do now?
• Transition DITSCAP to DIACAP accreditation
• Implement all commonly used IA measures
• Implement PKI access control
  – Machine-to-machine and User CAC
  – Very important IA measure
• Review additional access control options
  – Establish need-to-know – register CAC with application
18
DISDI Implementation
[Figure: DISDI implementation architecture. Labels recoverable from the diagram:]
• Producing Geospatial Services: USA Portal (GIS-R); USN Portal (GeoReadiness Repository); USMC Portal (GeoFidelis); USAF Portal (GeoBase)
• Consuming Geospatial Services: DoD Applications and Systems (OGC WMS, WFS, KML, File Download)
• NSDI (GOS): Metadata Harvesting
• Metadata Harvesting: Z39.50, WAF, OAI
• TEC IO Imagery
• Data Services: OGC WMS, WFS, Data Caching
• Internet Web Services
• DISDI Portal; DISDI Portal Viewer; Metadata Portal; Web Service Interface, SOA
• SOAP, WSDL
• DoD Metadata Registry; DoD Discovery Catalogs; DoD Service (UDDI) Registry
• Global Information Grid (GIG) Connectivity
• User CAC/PKI; Machine-to-machine PKI
19
DIACAP Workflow
• Step-by-step guidance
• Simpler Implementation
• Single Certification Authority
• Life-cycle driven not schedule driven
Interim DIACAP Instruction, KS, and the DITSCAP to DIACAP transition questions:
The DIACAP Program Technical Inquiries
Phone: (703) 377-0001
email: [email protected]
20
DITSCAP vs. DIACAP
• Requirements and standards
  – DITSCAP: Security requirements and standards uniquely determined by each system
  – DIACAP: All systems inherit enterprise standards and requirements
• Certification authority
  – DITSCAP: DAA and Certifier selected by/for each system
  – DIACAP: Certification Authority is a qualified, resourced, and permanent member of CIO staff
• Phases
  – DITSCAP: Policy advocated tailoring, but process was hard-coded to phases
  – DIACAP: No pre-defined phases. Each system works to a plan that aligns to the system life cycle
• Accreditation status
  – DITSCAP: Accreditation status communicated via letter and status code (ATO, IATO) in SSAA
  – DIACAP: Accreditation status communicated by assigned IA Controls’ compliance ratings and letter and status code (ATO, IATO, IATT, DATO) in DIACAP Scorecard
• Meaning of ATO
  – DITSCAP: Inaccurate association of ATO with perfect and unchanging security
  – DIACAP: ATO means security risk is at an acceptable level to support mission and live data
• Process improvement
  – DITSCAP: No process improvement
  – DIACAP: Automated tools, enterprise managed KS, requirements tied to architecture
• Monitoring
  – DITSCAP: “Fire and forget” accreditation; 3 year “white glove inspection” reaccreditation
  – DIACAP: Continuous, asynchronous monitoring; reviewed not less than annually; FISMA reporting
21
Information Assurance Strategy
DoD has developed a new DoD C&A instruction and two DoD-owned Web-based services based on COTS applications to transform the DoD C&A process in support of the Net-Centric, GIG-based environment
• DIACAP (“DoD Information Assurance Certification and Accreditation Process” - DoDI 8510.bb)
  – Supersedes DoDI 5200.40, “DoD Information Technology Security Certification and Accreditation Process (DITSCAP)”
  – Adjudication of Formal SD 106 comments is near-completion
• eMASS - Enterprise Mission Assurance Support Service
  – Implementation and management web services toolset
• DIACAP Knowledge Service (KS)
  – Web-based resource for DIACAP implementation; https://diacap.iaportal.navy.mil/ (CAC/PKI required)
22
Questions
Costi Tudan – DISDI Architect
ODUSD(I&E) BEI DISDI
Phone: 703-604-4616
Email: [email protected]