William R. Simpson

A Model for Delegation Based on Authentication and Authorization

Sharing information and maintaining privacy and security is a requirement in distributed environments. Mitigating threats in a distributed environment requires constant vigilance and defense-in-depth. Most systems lack a secure model that guarantees an end-to-end security. We devise a model that mitigates a number of threats to the distributed computing pervasive in enterprises. This authentication process is part of a larger information assurance systemic approach that requires that all active entities (users, machines and services) be named, and credentialed. Authentication is bi-lateral using PKI credentialing, and authorization is based upon Security Assertion Markup Language (SAML) attribution statements. Communication across domains is handled as a federation activity using WS-* protocols. We present the architectural model, elements of which are currently being tested in an operational environment. Elements of this architecture include real time computing, edge based distributed mashups, and dependable, reliable computing. The architecture is also applicable to a private cloud.

A Multi-tiered Approach to Enterprise Support Services

The Enterprise Support Desk (ESD) is the combination of people, hardware, deployed software agents, and software displays, which maintain the health of the enterprise service based operations. It is both pro-active and re-active. It is required to be integrated with hardware and software health monitoring systems deployed by the enterprise services provider. The objective of this paper is to provide the basic architecture being employed by the USAF enterprise system.

Enterprise Level Security with Homomorphic Encryption.

Enterprise Level Security (ELS) is an approach to enterprise information exchange that provides strong security guarantees. It incorporates measures for authentication, encryption, access controls, credential management, monitoring, and logging. ELS has been adapted for cloud hosting using the Virtual Application Data Center (VADC) approach. However, a key vulnerability in placing unprotected data in the cloud is the database that stores each web application’s data. ELS puts controls on the end-to-end connection from requester to application, but an exploit of the back-end database can allow direct access to data and bypass ELS controls at the application. In a public cloud environment the data and web application may be vulnerable to insider attacks using direct hardware access, misconfiguration, and redirection to extract data. Traditional encryption can be used to protect data in the cloud, but it must be transferred out of the cloud and decrypted to perform processing, and then re-encrypted and sent back to the cloud. Homomorphic encryption offers a way to not only store encrypted data, but also perform processing directly on the encrypted values. This paper examines the current state of homomorphic encryption and its applicability to ELS.

An authentication model for delegation, attribution and least privilege

The need to share information while maintaining privacy and security is a growing problem in health, finance, defense, and other distributed environments. Mitigating threats in a distributed computing environment is a difficult task and requires constant vigilance and defense-in-depth. Most systems lack a secure model that guarantees an end-to-end security. In this paper, we devise a model that mitigates a number of threats to the distributed computing pervasive in corporate and institutional information technology enterprises. This authentication process is part of a larger information assurance systemic approach that requires that all active entities (users, machines and services) are named, and credentialed. Authentication is bilateral using PKI credentialing, and authorization is based upon Security Assertion Markup Language (SAML) attribution statements. Communication across domains is handled as a federation activity using WS-* protocols. We present the architectural model, elements of which are currently being demonstrated and tested in a functional prototype in a boundary protected area processing center. The architecture is also applicable to a private cloud.

Insider Threat Veracity Issues

Enterprise Level security (ELS) has no accounts or passwords, and consequently identity is an important issue. All person and non-person entities in ELS are registered and known. PKI credentials are issued, and when necessary, multi-factor authentication is used to improve the assurance of the identity. Because the next step in ELS is claims-based access and privilege, many data owners are worried about the trustworthiness (sometimes called reputation) of the identified requesters (this applies to person and non-person entities within the enterprise). Individuals are vetted periodically, and a baseline is established by those instances; however, activities that occur between those vetting events may provide clues about the trustworthiness of the individuals. Similarly, pedigrees in software and hardware entities are established periodically. Because the terms trust and integrity are overloaded, we refer to these data as veracity. Further, when requested, the veracity that applies to certain categories will be provided as counter-claims along with the claims. These counter-claims may be used by the applications and services for increased levels of surveillance and logging and perhaps even limitation of privilege. The computation of veracity brings about security concerns and requires special handling. This paper reviews the data categories, data requirements, security issues, and data resources that apply to entity veracity, as well as the counter-claim structures and issues associated with their tracking and usage. The paper then presents findings and recommendations, along with the future work necessary to complete this evolution.

Extending CryptDB to Operate an ERP System on Encrypted Data.

Prior work demonstrated the feasibility of using partial homomorphic encryption as part of a database encryption scheme in which standard SQL queries are performed on encrypted data. However, this work involved only translating raw SQL queries to the database through the CryptDB proxy. Our work extends the prior work to an Oracle application. The goal for this work was to determine feasibility for a full-scale implementation on a real Oracle Enterprise Resource Planning (ERP) system. This requires accommodating extra features such as stored procedures, views, and multi-user access controls. Our work shows that these additional functionalities can be practically implemented using encrypted data, and they can be implemented in a way that requires no code changes to the ERP application code. The overall request latency and computational resource requirements for operating on encrypted data are under one order of magnitude and within a small factor of those for unencrypted data. These results demonstrate the feasibility of operating an Oracle ERP on encrypted data.

Identity and Enterprise Level Security

Intrusions to enterprise computing systems have led to a formulation that put in place steel gates to prevent hostile entities from entering the enterprise domain. The current complexity level has made the fortress approach to security implemented throughout the defense, banking, and other high-trust industries unworkable. The alternative security approach, called Enterprise Level Security (ELS), is the result of a concentrated 15-year program of pilots and research. The primary identity credential for ELS is the PKI certificate, issued to the individual who is provided with a Personal Identity Verification (PIV) card with a hardware chip for storing the private key. This process provides a high enough identity assurance to proceed. However, in some instances the PIV card is not available or in a compromised position and a compatible approach at a higher level of assurance is needed. This chapter discusses a multi-level authentication approach designed to satisfy the level of identity assurance specified by the data owner, add assurance to derived credentials, and to be compatible with the ELS approach for security.

Security Issues in Content Modification Processes

Entities that change the content at some point in the transmission process present assurance problems. These entities include optimizers, accelerators, and target display adapters, among others. Maintaining security when using these entities depends in detail on what the content-changing entity does, and the general problem has not been solved. By way of illustration, we have chosen to examine the assurance issues for a wide area network (WAN) Accelerator. Bandwidth continues to be a problem for the active enterprise, and one solution is the WAN Accelerator. The accelerator works by tokenizing blocks of information that are sent multiple times in network traffic. Because many such communications include previously transmitted material, the accelerator traffic quickly damps out to transmissions that include tokens instead of the original content. The tokens are reconstituted before delivery, and the receiver has a seamless connection and is unaware of the process. The acceleration is not without its drawbacks. The process does not work on encrypted traffic due to the random nature of encryption. For high assurance systems using an end-to-end paradigm, there are two main areas of concern. The first is how to handle confidentiality during the decryption and re-encryption process. The second is how to maintain end-to-end integrity with tokenization and de-tokenization. This chapter discusses the current approach to WAN acceleration and the changes that are required by a high assurance end-to-end approach.

Vulnerability and Remediation for a High-assurance Web-based Enterprise

A process for fielding vulnerability free software in the enterprise is discussed. This process involves testing for known vulnerabilities, generic penetration testing and threat specific testing coupled with a strong flaw remediation process. The testing may be done by the software developer or certified testing laboratories. The goal is to mitigate all known vulnerabilities and exploits, and to be responsive in mitigating new vulnerabilities and/or exploits as they are discovered. The analyses are reviewed when new or additional threats are reviewed and prioritized with mitigation through the flaw remediation process, changes to the operational environment or the addition of additional controls or products). This process is derived from The Common Criteria for Information Technology Security Evaluation, Common Evaluation Methodology which covers both discovery and remediation. The process has been modified for the USAF enterprise.

High Assurance Enterprise Scaling Issues

Many Organizations are moving to web-based approaches to computing. As the threat evolves to higher levels of sophistication, many governmental and commercial organizations are also moving toward high assurance. This chapter describes an approach that uses strong bi-lateral end-to-end authentication with end-point encryption and with SAML-based authorization using OASIS Security Standards. This service-based approach offers many of the advantages of the cloud-based approaches. Cloud-based approaches allow for more agile scale-up, while maintaining a low marginal cost of accommodating increased users. However, many of the applications require high assurance, attribution, formal access control processes, and a wide range of threat mitigation procedures for many of the industries (banking, credit, content distribution, etc.) that are considering conversion to cloud computing environments. Current implementations of cloud services do not meet these high assurance requirements. This high assurance requirement presents many challenges to normal computing and some rather precise requirements that have developed from high assurance issues for web service applications. Gearing up for a large number of users is often difficult without security issues. The most difficult part of scaling up to higher user levels is the maintenance of the security paradigms that provide mitigation of these generic and specific threats. Several issues relating to large scale use that are specific to high assurance and their solutions are discussed at length.