The Best Partners
A Perspective on Commercial Cybersecurity Technology

William Shakespeare once wrote, “Better three hours too soon than a minute too late.” [2] Timing is everything with respect to securing the enterprise. Far too many organizations have suffered by taking a reactive approach toward security threats and risks instead of proactively establishing a solid security infrastructure from the ground up. The evidence speaks for itself: consider the breaches at the Office of Personnel Management, the Federal Communications Commission, and Target Corporation, to name a few. We live in a complex technological ecosystem characterized by phones, tablets, and of course the Internet of Things. It is impossible to manage the growing number of devices in the world through older access control models like Role Based Access Control (RBAC), which is why many large enterprise environments are suffering from role explosion. [3] This is the time to transform conventional security paradigms. In the world we live in, being one minute too late may cost your brand, your reputation, and your job. The military’s Global Information Grid (GIG) is no different, except that the stakes are higher with respect to national security.

Access Control in the Federal Government

Access control mechanisms have evolved over the years. Older security models like Access Control Lists (ACLs) and RBAC have proven insufficient for securely handling information sharing, especially in federated environments and across organizational network domain boundaries and enclaves. These legacy models do not scale to today’s requirements in our interconnected world, and they cannot respond to changes in attribute-based environments that should dynamically produce a timely and accurate access control decision.

Jericho Systems has been a pioneer in developing and deploying the next generation of access control, commonly known as Attribute Based Access Control, or “ABAC.” Jericho introduced its product suite EnterSpace® in 2004 and completed the first commercial ABAC deployment in history with Lockheed Martin. Although widespread adoption was slow, there were major success stories. For example, starting in 2010, the Department of the Army deployed Jericho’s EnterSpace® across the Distributed Common Ground System-Army (DCGS-A) program to enhance its Identity and Access Management (IdAM) portfolio. As a result, the Army has become a forerunner in cyberspace compared to the other branches, which are now expressing interest in next generation access control. Recently, ABAC was pronounced the access control model of choice for the federal space: its terms and definitions were published in National Institute of Science and Technology Special Publication 800-162 in 2014. [4]

Why ABAC? Identity vs. Entities

ABAC enables large enterprises to reduce costs, increase efficiencies,
and reduce risk exposure by acting as a “smart” digital gatekeeper. Each request for access is compared against organizational policies and relevant data. Access decisions are based on relevant contextual data, or “attributes,” that describe the requestor, environment, resource, and system. Auditing and policy workflow functions add further capabilities, allowing for easy policy creation and customized logging using industry standard protocols. [5] The IT research firm Gartner predicts that by 2020, 70 percent of large businesses will implement ABAC.

ABAC incorporates centrally managed digital policies, which shifts the burden of access control from the software code to business leadership. Unlike previous access control models, this allows business logic to define security requirements. ABAC’s architecture was designed for cloud, federated, and virtualized IT environments. This structure allows the rules-based decision engine to dynamically draw information (attributes) from multiple databases, including identity data from legacy sources, environmental sources (time of day), and request metadata. With Jericho’s EnterSpace for ABAC, separate access control mechanisms for each application are no longer needed. Moreover, EnterSpace integrates well with any authentication mechanism, covering both person and non-person entities (NPE), and supports PKI, which meets the requirements for augmenting existing authentication controls provided by an identity or single sign-on (SSO) system.

ABAC to Data Labeling and Data Segmentation

In 2013, Jericho worked with the Department of Health and Human Services' Office of the
National Coordinator and spearheaded a pilot called Data Segmentation for Privacy (DS4P). This pilot was aimed at keeping protected health information (PHI) secure across multiple health information domains. DS4P’s success was due to a key enhancement: Data Labeling and Data Segmentation, or “DLDS®.” It adds a layer of security and privacy protection to traditional ABAC. For example, a user may have access to certain sensitive documents or files but may not need to see certain classified or protected portions of the document. DLDS technology gives an organization the ability to improve and enforce compliance with legal and corporate regulations. Jericho incorporated the DLDS component into the core EnterSpace product, recognizing that the technology could extend past healthcare and support protected critical infrastructure information (PCII) and personally identifiable information (PII). In 2014, the Department of Homeland Security Science and Technology Directorate invested in the commercialization and deployment of EnterSpace across their sensitive networks. This has facilitated the creation of solutions to critical information sharing problems in multiple areas, including Law Enforcement, Healthcare, Emergency Response, and Geospatial Tracking.

Thinking Faster than the Enemy

Napoleon used the “double time” to outmaneuver the enemy with great
success. [6] That same thinking applies today to information and intelligence. Commanders at all levels have certain information requirements that are used to trigger appropriate responses, normally called “Commander’s Critical Information Requirements,” or CCIRs. CCIRs concern scenarios that can be described as: “If X occurs, notify the commander immediately.” Similarly, ABAC policies are expressed in Boolean logic: “if ..., then ...” So ABAC policies and rules could digitize alerts and responses for a Global Operational Command at the strategic level as well as for a Battalion Tactical Operations Center. This is clearly a game changer for the commander’s situational awareness.
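The ABAC decision flow described above (attributes of the requester, resource and environment evaluated against Boolean policy rules), the DLDS idea of releasing a document while withholding labeled portions, and the CCIR-style “if X occurs, notify” trigger can be put together in one small worked example. The Python below is added here for illustration; it is not EnterSpace or any Jericho Systems code, and every attribute name, label value, policy rule, and sample document in it is invented for the example.

```python
"""Toy attribute-based access control (ABAC) decision point with segment-level
data labeling and an "if X, then notify" obligation hook.

Added illustration, NOT EnterSpace or any Jericho Systems code. All attribute
names, labels and rules are invented; a real deployment would fetch attributes
from identity stores, the request context and the environment, not literals."""
from dataclasses import dataclass
from datetime import time
from typing import Callable


@dataclass
class Request:
    subject: dict      # who is asking: a person or non-person entity (NPE)
    resource: dict     # what is being asked for
    environment: dict  # context such as time of day or network enclave
    action: str


Rule = Callable[[Request], bool]

# Each action maps to the Boolean conditions that must ALL hold for PERMIT.
# Anything not explicitly permitted is denied (deny-by-default).
POLICY: dict[str, list[Rule]] = {
    "read": [
        lambda r: r.subject.get("authenticated") is True,
        lambda r: r.subject.get("clearance", 0) >= r.resource.get("classification", 0),
        lambda r: r.resource.get("coi") in r.subject.get("coi_memberships", ()),
        lambda r: time(6, 0) <= r.environment.get("time_of_day", time(0, 0)) < time(22, 0),
    ],
}

# Obligations are "if X, then notify" rules evaluated alongside a PERMIT.
OBLIGATIONS: list[tuple[Rule, str]] = [
    (lambda r: r.resource.get("classification", 0) >= 3, "notify_data_owner"),
    (lambda r: r.subject.get("entity_type") == "npe", "log_npe_access"),
]


def decide(req: Request) -> dict:
    """Evaluate the request; return the decision plus any triggered obligations."""
    rules = POLICY.get(req.action, [])
    permitted = bool(rules) and all(rule(req) for rule in rules)
    obligations = [name for rule, name in OBLIGATIONS if rule(req)] if permitted else []
    return {"decision": "PERMIT" if permitted else "DENY", "obligations": obligations}


def release_document(req: Request, segments: list[tuple[frozenset, str]]) -> list[str]:
    """Segment-level release: each segment carries the set of labels a reader
    must hold to see it. A permitted reader still gets a redacted view of the
    portions they are not labeled for; a denied reader gets nothing."""
    if decide(req)["decision"] != "PERMIT":
        return []
    held = frozenset(req.subject.get("labels", ()))
    return [text if labels <= held else "[REDACTED]" for labels, text in segments]


# Constructed sample data: (labels required, text) per document segment.
SAMPLE_DOC = [
    (frozenset(), "Unit relocated to the forward operating base."),
    (frozenset({"PII"}), "Contact: J. Doe, DOB 1984-02-11."),
    (frozenset({"PCII", "PII"}), "Substation access code rotates weekly."),
]
ANALYST = {"authenticated": True, "entity_type": "person", "clearance": 3,
           "coi_memberships": ("emergency-response",), "labels": ("PII",)}
SENSOR = {"authenticated": True, "entity_type": "npe", "clearance": 1,
          "coi_memberships": ("emergency-response",), "labels": ()}
SITREP = {"classification": 3, "coi": "emergency-response"}
TELEMETRY = {"classification": 1, "coi": "emergency-response"}
DAY = {"time_of_day": time(14, 30)}
NIGHT = {"time_of_day": time(2, 15)}


def demo() -> tuple:
    """Run the four illustrative requests and return their results."""
    return (
        release_document(Request(ANALYST, SITREP, DAY, "read"), SAMPLE_DOC),
        decide(Request(ANALYST, SITREP, NIGHT, "read")),
        decide(Request(SENSOR, SITREP, DAY, "read")),
        decide(Request(SENSOR, TELEMETRY, DAY, "read")),
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two design points carry over to any real policy engine: the decision is deny-by-default, so an action with no rules, or any rule that is not satisfied, yields DENY; and obligations are only emitted on PERMIT, so a denied request never leaks through a side channel such as a notification. Segment labels are sets, which makes the DLDS check a plain subset test: the analyst, who holds only PII, sees the unlabelled and PII segments and a redaction marker in place of the PCII segment, while the non-person sensor entity is denied the sitrep outright because its clearance is below the resource classification.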
This same commercial challenge was recognized and addressed nearly ten years ago by Michael Krieger, the Director of Information Policy in the Defense Department's Office of the Chief Information Officer. Krieger introduced a new way of thinking among the Combatant Commanders throughout his tenure with the DOD: “The U.S. Defense Department is wrestling with a multitude of issues to provide the right people with the means to access different forms of data. Complicating potential solutions is the fact that the types of potential users are as varied as the types of data, which makes access and verification exponentially difficult.” [7] Accordingly, Mr. Krieger has been a longtime advocate of EnterSpace technology.

Audaces Fortuna Iuvat: COTS vs. GOTS

Boldness is hard to come by in today’s IT world; this
may be one reason that ABAC+DLDS hasn’t been implemented across the entire
federal space. Some organizations can’t seem to move beyond legacy
authorization models like Access Control Lists (ACLs) and Role Based Access
Control (RBAC). They are comfortable with what has “worked” in the past, even
though the modern security landscape clearly calls for a newer form of access
control. Some, like the Defense Information Systems Agency (DISA), have turned
toward GOTS products. GOTS stands for "Government off-the-Shelf" and often
competes with Commercial off-the-Shelf (COTS) alternatives. On the surface, GOTS seems
appealing: The internally developed nature of the capability leads to cheaper maintenance, and easier oversight.
However, the allure of “cheaper” and “easier” proves to be mere illusion. DISA
adopted Open Source ABAC years ago in an effort to avoid vendor lock-in, but
they aren’t currently providing support to their “homegrown” Identity and
Access Management (IdAM) portfolio. As
of September 2016, the program is dead, which only further fuels the
growing debate between GOTS and COTS. As history proves, COTS wins from an innovation and relevancy standpoint, even if it requires the organization to take a bold step forward. If that leap isn’t made, there are severe consequences, such as lagging behind current technology trends, and massive costs incurred by U.S. taxpayers to “re-invent” authorization tools every fiscal year.
It's only fair to note that not all organizations have stuck to this counterproductive approach. The Army chose the COTS route with respect to DCGS-A in 2010, years before many of its peers followed suit. It selected EnterSpace, which is still deployed and operational today. It was a bold choice to lead the industry in a new IdAM strategy, but the results are undeniable. The Army has maintained EnterSpace, one of several COTS products in its portfolio, for a mere fraction of DISA’s total ABAC IdAM budget.
Former DISA Commander General Charlie Croom once said, “The ABCs of solutions: Adopt best of breed, Buy best of breed, or try to Create best of breed. But when the government tries to create a product, they normally get it WRONG!”

Metrics for Success

From Jericho’s perspective, the following risks and shortcomings must be mitigated in order to meet tomorrow’s information sharing challenges:

• The binding of privilege with identity (user access is privilege) through
  – Reliance on security clearance
  – Static Access Control Lists (ACLs)
• Unresponsive ability to adapt to changing cyber environments
• Manpower-intensive integration of policies that can result in
  – Vulnerabilities of human error
• Application-specific approaches that stifle innovation
• A burden on mission tempo
Today’s Warfighter metrics of success for Identity and Access Management technology are:
DoD's "dictionary," Joint Publication 1-02, explicitly includes information in its definition of cybersecurity: “Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.”

Today, silos have been created for information and intelligence resources in “Communities of Interest,” or COIs. This can create security challenges, especially when dealing with cross-domain sharing or protecting resources in separate silos. Cyberspace has become a galactic environment with tentacles reaching out to all ones and zeros, making access control an enormous task for any one enterprise. In order to alleviate that burden, the Department of Defense must continue to take proactive steps in implementing next generation solutions like ABAC. When the environment around you can change in milliseconds, your security solution should be able to adapt just as quickly. Otherwise, you might compromise the success of the mission and increase the risk of insider threats or denial of data. There must be multiple layers of protection in place to ensure defense in depth. We see EnterSpace ABAC with DLDS as the solution that solves information sharing problems without sacrificing operational speed of execution.

Jericho Systems is supporting the Military Cyber Professionals Association at the 2016 AUSA annual meeting and exposition, 3-5 October 2016, at the Walter E. Walker Convention Center in Washington, D.C. Attendees can see first-hand how Attribute Based Access Control and Data Labeling and Data Segmentation can support enterprise and tactical network applications.
About Jericho Systems

Headquartered in Texas, Jericho Systems Corporation provides enterprise data security solutions for IT security and business process automation within a Service Oriented Architecture (SOA). In the commercial and government sectors, Jericho's EnterSpace and professional services facilitate information security, regulatory compliance, quality and efficiency. EnterSpace improves collaboration and leverages the value of business data and SOA services by enabling them to be easily shared in a controlled manner, not only among internal groups but also with external partners or government agencies. Unlike competing identity and access management (IdAM) solutions or dedicated hardware appliances, EnterSpace is vendor- and hardware-neutral for interoperability across multiple vendor IdAM stacks. As threats continue and business expands, it may be time to invest in a solution that can handle modern security demands. EnterSpace relieves those unnecessary burdens. Based on Jericho’s patented technology, EnterSpace delivers next-generation Attribute-Based Access Control (ABAC) and Data Labeling and Data Segmentation with distributed policy administration.

End Notes

[1] Pellerin, C. http://www.defense.gov/News/Article/Article/604513/carter-seeks-tech-sector-partnerships-for-innovation
[3] Evolveum Confluence. https://wiki.evolveum.com/display/midPoint/Role+Explosion
[4] NIST Special Publication 800-162. http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
[5] National Cybersecurity Center of Excellence. https://nccoe.nist.gov/projects/building_blocks/attribute_based_access_control
[6] Wikipedia. https://en.wikipedia.org/wiki/Napoleon
[7] Ackerman, R.K. Signal. http://www.afcea.org/content/?q=defense-builds-teams-mine-data
[8] Defense Information Systems Agency. http://www.disa.mil/enterprise-services/identity-and-access-management/os-abac