Information Assurance For Map Services - IIS7

Transcription

Information Assurance forMap ServicesJSEM 2007May 23rd, 2007Contact:Costi TudanODUSD(I&E) BEI DISDI

Agenda Policy and Background Review Geospatial IA requirements Available IA Enterprise Services2

Policy Drivers DoDD 8320.2 – “DoD will be net-centric” DoDI 8510.bb - DIACAP - “DoD InformationAssurance Certification and AccreditationProcess” DoDI 8500.2 – Information Assurance (IA)Implementation (DoDD 8500.1, DoDD 5025.1-M)3

DODI 5210.52Imagery andImagery-DerivedProductBGeographic SovereignCategories foreignClandsNon-sovereignforeign landsDAny Unclassified UseUS legal interestsoverseasClass 1Class 2Class 3Class 4IntelligenceMapping, Charting& GeodesyOfficialGovernment UseUnclassified UseIntellIgenceAOfficial Government UseUS, territories &possessionsMapping, Charting & GeodesySecurity Classification of Airborne Sensor Imagery and Imaging SystemsNGADISDIImagery and Imagery-Derived ProductFunctional Classes4

What is IA? Information Assurance – “information assurancesolutions that will keep our information systems safefrom harm” – NSA Information Assurance Directorate(IAD)A definition: IA is the set of measures intended toprotect and defend information and informationsystems by ensuring their availability, integrity,authentication, confidentiality, and non-repudiation.5

IA vs. OPSEC? BOTH! Must have both sound IA and OPSEC strategies OPSEC supplements IA OPSEC – analytic processOperations Security (OPSEC) is an analytic process used todeny an adversary information - generally unclassified concerning our intentions and capabilities by identifying,controlling, and protecting indicators associated with ourplanning processes or operations. OPSEC does not replaceother security disciplines - it supplements them.- Interagency OPSEC Support Staff6

Organizational Strategies ASD/HD Homeland Defense– Critical Infrastructure Program NGA National Geospatial-Intelligence Agency– Project Homeland ADUSD/ESOH– Range Sustainment– Natural Resources– Environmental RestorationAll use geospatialdata in a net-centricenvironment.7

Geospatial Data IA/OPSEC Requirements Technically not different than other web services Complex OPSEC Data exchanges– GML data elements require rendering to beunderstood in context– Tabular data associates with feature geometry Important to control access and use– Digital Rights Management and Identity Management– emerging technologies8

DISDI IA CoordinationUSD/IntelligenceASD (NII) CIONational Security AgencyInformation Assurance Division Portal Content Strategic Installation Picture Architecture strategy9

Web Map Services Securing standards based (WMS, WFS, WCS)map web services – similar to securing any webservice Net-Centric Enterprise: Services OrientedArchitecture (SOA)A framework for Integrating GIS and Enterprise Systems . . . Open,Flexible and Standards Based Web Services & Messaging Net-Centric Enterprise Services10

Web Map Services - Issues Appropriate use– Intended use of the data (consider OPSEC issues)– Emerging: GeoDRM Access Rights– Control who can access the data (establish “need to know”)– Identity Management, Role Based Access Control, GeoDRM Metadata– Information on all of the above to accompany each data set– Discover and understand Data maintenance– Keeping the data up-to-date and accurate Service levels– Level of availability that a user/subscriber can expect– Minimal guaranteed contentVery Importantfor future of SOA11

Security Layers and MechanismsSecurity MechanismsSecurity Layers Content Filters Validation Checks Secure Stored Procedures Physically control access Secure facilities Site locationphysical securityApplicationDataHost/DeviceNetwork/Device Authentication Security Policy Encryption Audit Access Control OS Security Web Server Hardening Host Intrusion Detection Device Access Control Lists IP Sec Encryption Firewalls Network Intrusion Detection12

DoD Global Enterprise ServicesPortal Framework13

IA Enterprise Capabilities Policy Decision Service (PDS) Policy Retrieval Service (PRS) Policy Administration Service (PoAS) Certificate Validation Service (CVS) Principal Attribute Service (PrAS) Role Based Access Control (RBAC) Attribute Based Access Control (ABAC)14

Enterprise Security DITSCAP now DIACAP CAC/PKI Identity Management Machine-to-machine messaging Service Security15

What else can we use? COTS middleware (for securing map services at theapplication level) “home-grown” layer level security – role based access Access Control Lists Authentication using LDAP, Active Directory HTTPS 128-bit SSL Anti-Virus and Firewalls16

What can we do now? Transition DITSCAP to DIACAP accreditation Implement all commonly used IA measures Implement PKI access control– Machine-to-machine and User CAC– Very important IA measure Review additional access control options– Establish need-to-know – register CAC with application17

DISDI ImplementationUser CAC/PKIMachine-to-machine PKIGlobal Information Grid (GIG) ConnectivityDoD Applicationsand SystemsNSDI(GOS)OGC WMS, WFS, KML, File DownloadDoD Service(UDDI) RegistrySOAP,WSDLProducing Geospatial ServicesWebServiceInterface,SOADoD DiscoveryCatalogsMetadata alConsuming Geospatial ServicesData Services: OGC WMS,WFS, Data CachingDoD MetadataRegistryInternet WebServicesTEC toryMetadata Harvesting:Z39.50, WAF, OAIUSMCPortalUSAFPortalGeoFidelisGeoBase18

DIACAP Workflow Step-by-step guidance Simpler Implementation Single Certification Authority Life-cycle driven not schedule drivenInterim DIACAP Instruction, KS, and theDITSCAP to DIACAP transition questions:The DIACAP Program Technical InquiriesPhone: (703)377-0001email: support@diacap-knowledgeservice.org19

DITSCAP vs. DIACAPDITSCAPSecurity requirements and standardsuniquely determined by each systemDAA and Certifier selectedby/for each systemPolicy advocated tailoring, butprocess was hard-coded to phasesAccreditation status communicatedvia letter and status code(ATO, IATO) in SSAADIACAPAll systems inherit enterprise standardsand requirementsCertification Authority is a qualified,resourced, and permanent member of CIOstaffNo pre-defined phases. Each system worksto a plan that aligns to the system life cycleAccreditation status communicated byassigned IA Controls’ compliance ratingsand letter and status code (ATO, IATO,IATT, DATO) in DIACAP ScorecardNo process improvementAutomated tools, enterprise managed KS,requirements tied to architectureInaccurate association of ATO withperfect and unchanging securityATO means security risk is at an acceptable levelto support mission and live data“Fire and forget” accreditation; 3 year“white glove inspection” reaccredidationContinuous, asynchronous monitoring;reviewed not less than annually; FISMAreporting20

Information Assurance StrategyDoD has developed a new DoD C&A instruction and two DoD-ownedWeb-based services based on COTS applications to transform the DoD C&A process in support of theNet-Centric, GIG-based environment DIACAP (“DoD Information Assurance Certification andAccreditation Process” - DoDI 8510.bb)– Supersedes DoDI 5200.40, “DoD Information Technology SecurityCertification and Accreditation Process (DITSCAP)”– Adjudication of Formal SD 106 comments is near-completion eMASS - Enterprise Mission Assurance Support Service– Implementation and management web services toolset DIACAP Knowledge Service (KS)– Web-based resource for DIACAP C/PKI required21

QuestionsCosti Tudan – DISDI ArchitectODUSD(I&E) BEI DISDIPhone: 703-604-4616Email: constantin.tudan.ctr@osd.mil22

Certification and Accreditation Process (DITSCAP)" - Adjudication of Formal SD 106 comments is near-completion eMASS - Enterprise Mission Assurance Support Service - Implementation and management web services toolset DIACAP Knowledge Service (KS) - Web-based resource for DIACAP implementation; https://diacap.iaportal.navy.mil/