Bassam S. Farroha

Cyber security components for pervasive Enterprise Security Management and the virtualization aspects

This research addresses Enterprise Security Management (ESM) as the enabling component of building reliable, secure and interoperable enterprise components that allows users of various needs and trusts to access required information. The ESM functions are broken down into constituent parts and analyzed in terms of components and architecture. To make this research relevant to a wider audience and to include the latest approaches, we examine virtualization and cloud computing to understand the affects of these enterprise building methodologies on the security of multi-level security information residing within the enterprise either locally or through a Cross Domain system.

Challenges and alternatives in building a Secure Information Sharing Environment through a community-driven Cross Domain infrastructure

The challenges of building a Secure Information Sharing Environment are based on increased need to share data across agencies and security domains. The need has grown to also include sharing secure data with allied and coalition forces while protecting specific key parts of the information due to legal and ethical issues. There is an increasing need to automate the process where data is sanitized and shared in a seamless manner to empower our warfighters and commercial entities to increase the security and enhance services to the community. The obstacle is that information is generally stored flat files in multiple security domains and there are laws that prohibits sharing the whole data, but allows access to the majority of items. The task of architecting systems that enables Cross Domain (CD) capabilities is a significant undertaking that requires an understanding of data systems, technologies, governance, and cultures. The UCDMO is charged with analyzing the DoD/IC community needs, the current technologies and the future technologies that are at various phases of development to facilitate Assured Information Sharing (AIS) goals. The long term goal is to build a SOA based Enterprise that enables the community to use the diverse resources across various domains to deliver the information to the intended destination.

A Framework for Managing Mission Needs, Compliance, and Trust in the DevOps Environment

The expanding pace of business competitiveness and increasing demand velocity for developing and deploying updated Operational and Security capabilities has created an environment where development and operations needed to work even closer together. The need was further enhanced due to the fact that all capabilities are being developed in a shared platform with no formal requirement processes, and no analysis of the overall enterprise capabilities and architecture. On the surface, the process lacks the usual discipline that most engineers are used to, but operationally it has the potential of bringing capabilities to operations at a quicker rate. The goal of providing continuously updated services should make sure that the overall enterprise performance and security posture are not compromised while the quick turnaround capability deployment is achieved. The proposed framework focuses on ensuring the continuity of strategic posturing while allowing maximum flexibility to tactical enhancements to meet emerging demands.

Enabling net-centricity through cross domain information sharing

This paper presents the approach to accommodate the secure information sharing initiative via the development of the community enterprise architectures. The effort was initiated by the DoD CIO and the DNI CIO where they jointly established the Unified Cross Domain Office (UCDMO) to develop a roadmap for the community and facilitate the development of a Cross Domain vision that includes all the stakeholders and their stated mission. The UCDMO took the lead in working with the different commands and agencies to collect the needs and summarize them into 31 main needs. The most important capabilities that have the highest impact to the community were then determined. Ultimately, the overall mission needs led the UCDMO to determine the need to develop a Secure Information Sharing Environment that can accommodate real-time information access and transfer between different agencies. It was concluded that an enterprise architecture that is based on SOA principles is best suited to achieve this mission.

Agile development for system of systems: Cyber security integration into information repositories architecture

In order to meet the mission needs of today and keep up with the pace of technological advances, adapting the Enterprise Systems Engineering (ESE) process in a time constrained mission-centric environment is critical to leverage the efficient delivery of new capabilities in a Net Centric environment. Agility (contemporary) versus rigidity (traditional) are approaches that have their trade-offs but to meet the demands and needs of our war-fighters, we must have an ESE process that allows us to deliver quality capabilities to the tactical edge. Governance plays a significant role and testing services needs to be addressed different from the traditional T&E of stovepiped systems. The traditional approach of building systems to deliver a specific function is being changed to an approach of architecting services. ESE utilizes defined processes that use managerial and technical tools to analyze problems and provide structure to the overall process of planning, procuring, designing, implementing and testing an enterprise system. Adding agility and assurance to the traditional and ESE is the process by which we build quality into complex systems while delivering functionality and security of contents in a manageable timeframe and stay flexible to meet emerging requirements. This study is based on architecting the GIG which is the ultimate complex system. Utilizing the DoDs framework to facilitate information sharing; which starts with data discovery and access, we analyzed several concepts to achieve agility and higher level of security in Information Sharing Systems. The concept of the GIG also ensures that systems are not only robust but also incorporate the flexibility needed to satisfy needs that evolve during the systems life.

SOA as a catalyst to empower the warfighter through improved enterprise data access over the GIG

As private industry and the Department of Defense (DoD) move toward Enterprise Architectures (EA), CIOs have been lauding Service Oriented Architecture (SOA) as the approach to meet enterprise needs. It is clear that SOA addresses many challenges that face the DoD from information sharing to the fiscal issues of maintaining an IT infrastructure (networks, routers, desktops, peripherals, technology refresh, etc). Many large enterprises have investigated SOA, and have or will embrace it as a strategic course, no matter what underlying technology is used. However, SOA cannot be realized without the application of tried and true Systems Engineering principles with a balance between process and agility. The bottom line is that SOA must deliver a solution that crosses organizational, political and cultural boundaries as well as address the issues of information sharing regardless of where that information is actually stored. When the DoD reaches a SOA solution that supports the enterprise, the IT investments decisions should be much easier and affordable. The overall affect to programs should be easier to share, easier to enhance, easier to upgrade, easier to extend and ubiquitous data access across the enterprise. This paper explores SOA as the means to provide an Enterprise Architecture to enable information access through the implementation of data services for our strategic war-planners to our tactical war-fighters.

Implications of Precedence and Preemption Requirements on Packet Based Transport Architectures

Over the last several years there have been various attempts to extend traditional Precedence enabled transport services to support all Command and Control (C2) applications. Traditional experience with Precedence based transport services support either circuit-switched, voice-based transport, e.g., the Defense Switched Network (DSN), or message-switched transport, e.g., the Defense Message System (DMS) and the Automated Message Handling System (AMHS). We believe these attempts to extend and define new Precedence enabled transport services have failed because of a lack of well defined requirements and an understanding of their implications. In this paper, we offer a core set of ten requirements for Precedence and Preemption enabled transport services which aim to support all C2 applications. We make no claim as to the originality of these requirements; others have proposed subsets of these in the past. Based upon these ten requirements, we then discuss and identify their implications on network architectures for packet-based transport services. In the process we hope to better clarify the implications of the requirements and the network mechanisms to be designed and developed for future military Precedence enabled communications networks. We conclude by identifying areas for future research and development in order to bring packet-based Precedence-enabled transport services to all C2 applications.

An investigative analysis of information assurance issues associated with the GIG's P&P architecture

The Global Information Grid (GIG) is a collection of systems, programs and initiatives aimed at building a secure network and set of information capabilities modeled after the Internet. The GIG is expected to facilitate DoDs transformation by allowing warfighters, policy makers and support personnel to engage in rapid decision making. The roadmap is designed to take advantage of converged services of voice, data, video, and imagery over common data links. The vision is to have commanders identify threats more effectively, make informed decisions, and respond with greater precision and lethality. The information advantage gained through the GIG and network-centric warfare (NCW) allows a warfighting force to achieve dramatically improved information positions, in the form of common operational pictures that provide the basis for shared situational awareness and knowledge, and a resulting increase in combat power. The GIG Precedence and Preemption (P&P) requirements stem from the need to utilize scarce resources at critical times in the most effective way in support of national security, the intelligence community and the war-fighter. Information Assurance (IA) enables all information and data to be available end-to-end to support any mission without delay in accordance to the sensitivity of the task. Together, P&P and IA ensure data availability integrity, authentication, confidentiality, and non-repudiation. This study addresses and analyzes the QoS and P & P requirements and architecture for the GIG. Threat scenarios are presented and used to evaluate the reference architectures. The goal of the study is to assess the Information Assurance concerns associated with implementing Precedence and Preemption within the GIG and to guarantee an acceptable minimum level of security and protection for DoD networks.

An investigative analysis into security in the clouds and the impact of virtualization on the security architecture

The new trend to increasing efficiency in Information Systems (IS) investments is to migrate data processing and storage to external service-centers and vendors that provide a commodity computing platforms that are called Cloud Computing. The approach advocates minimizing the local capabilities to utilize thin clients while providing data manipulation and/or storage services by the service provider over time-shared resources. The concept is not new, however the implementation approach presents a strategic shift in the way organizations provision and manage their IT resources. The systems that process and fuse such data would have to be capable of classifying the resulting information and clearing the computing resources prior to allowing new application to be executed. Processing various levels of sensitive information and fusing results might require the development of a multi-level security system that can send the output to a protected network and systems in order not to have data spill or contaminated resources. The paper discusses these security requirements and potential impact on the cloud architecture. Additionally, the paper discusses the unexpected advantages of the cloud framework providing a sophisticated environment for information sharing and data mining. Finally, the paper introduces emerging issues that need to be addressed including providence, data tagging, and governance.

A novel approach to implementing digital policy management as an enabler for a dynamic secure information sharing in a cloud environment

The traditional way of approaching the management and enforcement of information systems Policy in enterprise environments is to manually translate laws and regulations into a form that can be interpreted and enforced by enterprise devices. In other words we create system commands for routers, bridges, and firewalls to force data transfers and system access to comply with the current policies and approved rules in order to control access and protect private, sensitive, and classified information. As operational needs and threat levels change, the rules are modified to accommodate the required response. It then falls on System Administrators to manually change the configuration of the devices they manage to adapt their operations accordingly. As our user communities continue to rely more heavily on mission information, and the enterprise systems and networks that provide it, our enterprise needs to progress to more automated techniques that enable authorized managers to dynamically update and manage policies in digital formats. Automated management of access rules that control privileges for accessing secure information and enterprise resources, enabled by Digital Policy and other Enterprise Security Management (ESM) capabilities provides the means for system administrators to dynamically respond to changing user needs, threat postures and other environmental factors. With the increased popularity of virtual environments and advent of cloud enterprise services, IA management concepts need to be reexamined. Traditional ESM solutions may be subjected to new classes of threats as physical control of the assets that implement those services are relinquished to virtual environments. Additional operational factors such as invoking critical processing, controlling access to information during processing, ensuring adequate protection of transactions within virtual environments and executing ESM provisions are also affected. The paper describes the relationships among relevant ESM enterprise services as they impact the ability to share and protect enterprise information. Central to this is the ability to adopt and manage digital policies within the enterprise environment. It describes the management functions that have to be supported, and the challenges that have to be addressed to ensure an effective implementation. Since the adoption of cloud services is becoming an important consideration for the evolution of enterprise architectures, the paper also explores the implications of shifting from traditional to virtual enterprise environments.