Architecture for Information Security
Starting from proximity restricted trust model
Before 2004, the FINDEF had followed very typical information security architecture based on trusted physical sites and encrypted communications between them. The trust model was extended containing more logical levels as forces were deployed over to several bases and shared information assets. The approach was outstretching the physical perimeter control as logical domains extended over several physical sites and risks were increasing. Encryption between sites was approached as the only means to build “fortification” in logical dimension. No major attempt was taken to control what was happening within the physically controlled and logically encrypted cyber fortress even though the environment was flat from a security viewpoint.
The domain based trust model was divided into the following security levels:
- Open or public level was considered typically featuring The Internet, poster, publication and postcard.
- The unrestricted level was filtered from open level but did not possess any additional hardening or encryption. Military Internet access and service domain was a typical example of this level domain. It was connected to The Internet via Firewalls that were to filter the traffic and protect from malevolent logical outsiders.
- Basic level was capable of handling restricted and confidential content since the connections were encrypted at Layer 2 level between physically controlled sites. The basic level domains remained physically separated from The Internet and unrestricted level domains. Air Gap featured this separation. Those Services or Branches in Military that wanted their information being separated from others at a basic level applied additional Virtual Private Network encryption in their communications.
- The extended level was physically isolated from all other levels except one way “diodes” that provided one-way transactional gateways to transfer lower level information to higher level domains. The extended level was providing information management domain for secret digital content. Major features in differentiating this domain from lower levels were additional layer three encryption and constrained amount of people having access to the sites that provided workstations for this domain. Of course, some Services and Branches took their systems to be more secret than the rest in extended level and isolated them at least with a firewall if not physically.
The physically featured trusted domain structure killed all flexibility and mobility intentions and ended up building several parallel systems and domains. One operations centre did have five parallel workstations for each operator with separate access to Internet, Admin, Land, Navy, Air and Intelligence services. The concept of information security architecture of the FINDEF 2004 situation is illustrated in Figure 22.
Figure 22: The concept of information security architecture of the Finnish Defence Forces 2004
The As-Is Information Security Architecture led Defence Forces into situations where:
- Information flow was unofficially “sneaked” between levels and domains by using transferable mediums like CD-ROM’s and USB-sticks.
- Headquarters typically downgraded their staff work to manual as official information systems were slow in following them to field exercises and operations.
- Much secret information was travelling in possession of personnel unauthorised and led to occasions that it was stolen along with suitcases, laptops or memory sticks.
- Audio communications were not following the information security architecture. It resulted in many cases that confidential information was shared via less secure communications by voice since digital sharing was constrained.
- One staff officer told after an intensive exercise when chief information security officer did a hot wash up of detected security issues: “It seems that when I am trying to support the troops on the ground, I end up always violating some security controls!”
Security was not aligned with military affairs but become an art itself , and that was not raised by many since confidentiality also was supporting their independence. It was although clear that following existing security architecture would keep the FINDEF from reaching mobility, situational awareness, information sharing, survivability, process integration and other network enabled capabilities. The list of constraints was long enough to the commanders of FINDEF to call the change.
Vision of content-based security
As early as 2002 the US Joint Forces Command (US JFCOM) had a Content Based Information Security (CBIS) demonstrated as part of their Advanced Concept Technology Demonstration programmes. The CBIS was based on entire different trust base than the previous physical site and network partitioning oriented. There was three new bases of trust introduced:
- Information being labelled based on content and then encrypted accordingly
- Strong identification, authentication and authorization mechanism based on something that user has, knows and is.
- Sharing information based on a match between the content label and user’s security attributes.
The approach was called information-centric partitioning and trust base was shifted entirely from physical level to logical level. The logical level would be able to provide a road map leading from separate terminals and connections gradually to one terminal with multiple connections and finally to one terminal with one connection as pictured in Figure 23.
Figure 23: Content Based Information Security Roadmap from End User View
There were the following roles and responsibilities defined in process to suppress the opposition from “need to know” representatives:
- Author provides the content to be reviewed
- Publisher reviews and approves content to be published and defines this with labelling and encryption
- The reader can access content only defined for his role by the publisher.
There was a strong hope that if US JFCOM can proceed with this approach, they could be the support for FINDEF in the struggle against legacy security policies in NATO.
Unfortunately, the reality overrode the good initiative. U.S. and NATO did not proceed with these ideas until 2009 when it was called after from ISAF operation and then implemented partially in Afghanistan Mission Network. The other threshold on this road was immature content management in FINDEF at a time. The unstructured documents were labelled as files rather than per content. The structured content was labelled only as systems or domains. Analysis of the situation provided a recommendation that content based labelling culture would take too much time to build.
Reality pulls down blue sky intentions
The real solution needed to be found mitigating the maturity of existing content management. It was also constrained by NATO’s legacy trust base. Some system owners, trying to sustain their independence behind “confidentiality” screens, were also to provide a win-win solution.
The security architecture for realistic TO-BE was defined with following principles:
- Simplifying security level by cutting them into two: 1. Basic level providing confidentiality from unrestricted to confidential. 2. Extended level providing confidentiality from unrestricted to secret.
- Getting rid of isolated domains and systems by providing all services through similar Identity and Access Management process based on strong two-factor authentication
- Mitigating the risk of extended areas of vulnerability by isolating all workstations from server domains
- Providing lower security level services by virtual desktop constructions
- Having each domain supervised by security monitoring and controlling function.
The concept view for Information Security architecture of the FINDEF end state was defined as pictured in Figure 24.
Figure 24: A View to the security architecture of FINDEF end state
The workstations at a basic level were isolated from servers and databases by a firewall and access control. The only session-based virtual private connections were allowed to enter access point. All information was consolidated to databases and hard disks in data centres. Internet services were provided to basic level workstations via remote access to virtual desktops running on the Internet side.
The laptops at the extended level provided mobility of terminals and together with a connection access up to secret level applications and information. The terminal was stripped to as lean as possible and disabled from all unnecessary features. The browser and Virtual Private Network client were the only fat applications in the terminal, all other were provided from Portal or systems beyond it. Authentication provided access to role manager and role defined the screens and services available. All legacy systems were isolated and accessed only via remote sessions to virtual desktops. Several parallel access networks provided assured mobility to extended level terminals together with IP roaming feature. A more technical view of extended level information security architecture is presented in Figure 25.
Figure 25: A technical view of Information Security Architecture from access viewpoint
Above mentioned architecture provided the mobility, flexibility and multilevel security required by new strategy but it also sustained legacy services in isolation sufficient for the purpose, kept apart full Internet connections and enabled digital transfer of content between domains in a controlled manner. The “sneaker network” vanished itself since digital sharing and storing was made so much easier within computing “cloud”. The solution did not require labeling maturity of full content based security but got rid of all but two workstation on the same desk.
Next part will explain the ICT Service management and operations transformation
