Security Shift in Future Network Architectures

In current practice military communication infrastructures are deployed as stand-alone networked information systems. Network-Enabled Capabilities (NEC) and combined military operations lead to new requirements which current communication architectures cannot deliver. This paper informs IT architects, information architects and security specialists about the separation of network and information security, the consequences of this shift and our view on future communication infrastructures in deployed environments. The result of this paper is a proposal for a new architecture which addresses both security and flexibility requirements in deployed infrastructures as well as system management while retaining the “system high” mode of operation. 1.0 INTRODUCTION AND BACKGROUND The availability of all relevant and supporting information to get a complete Common Operational Picture (COP) on which decisions are based is crucial for the successful execution of a military operation. However, these Common Operational Pictures and decisions made during military operations are not solely based on the information that is provided by each nation’s own systems but increasingly depends on the information that is shared by others. The possibility to exchange information becomes increasingly important for the success of an operation. In this paper, we focus on the architecture for deployed military communication infrastructures. The aim of these infrastructures is to enable future interconnections of different communication infrastructures that belong to different nations and organisations. These interconnections support the exchange of information. However, the concept of controlled information exchange lies outside the scope of this paper. For more information about mechanisms to enable controlled information exchange see [1]. Nowadays military organisations, for example members in the NATO Response Force (NRF), have to react quickly to incidents worldwide. The ability to quickly deploy networked information systems suitable for the particular situation is therefore crucial to effectively fulfil their tasks. An important driver for future communication architectures is Network-Enabled Capabilities (NEC) which is based on an integrated and coordinated deployment of all capabilities, heavily leaning on controlled information sharing [2]. Controlled information sharing implies that the responsibility for sharing information lies by the owner of the information, who has to determine whether information is suitable to be shared with other members. Current practice is that each nation or organisation deploys its own stand-alone networked information systems. To participate in different operations, an organisation has to deploy multiple stand-alone networked information systems. This has a severe negative impact on: Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE NOV 2010 2. REPORT TYPE N/A 3. DATES COVERED 4. TITLE AND SUBTITLE Security Shift in Future Network Architectures 5a. CONTRACT NUMBER 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Information Security Dept. TNO Information and Communication Technology Brassersplein 2, 2600 GB, Delft, The Netherland 8. PERFORMING ORGANIZATION REPORT NUMBER 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release, distribution unlimited 13. SUPPLEMENTARY NOTES See also ADA564697. Information Assurance and Cyber Defence (Assurance de l’information et cyberdefense). RTO-MP-IST-091 14. ABSTRACT In current practice military communication infrastructures are deployed as stand-alone networked information systems. Network-Enabled Capabilities (NEC) and combined military operations lead to new requirements which current communication architectures cannot deliver. This paper informs IT architects, information architects and security specialists about the separation of network and information security, the consequences of this shift and our view on future communication infrastructures in deployed environments. The result of this paper is a proposal for a new architecture which addresses both security and flexibility requirements in deployed infrastructures as well as system management while retaining the system high mode of operation. 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT SAR 18. NUMBER OF PAGES 10 19a. NAME OF RESPONSIBLE PERSON a. REPORT unclassified b. ABSTRACT unclassified c. THIS PAGE unclassified Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 Security Shift in Future Network Architectures 2 2 RTO-MP-IST-091 1. the ability to deploy them quickly, 2. the ability to exchange information using the communication infrastructure, 3. system management, 4. flexibility and adaptability, 5. costs. To overcome these challenges a shift to a different architecture of networked information systems is necessary. The capability to share infrastructural components with participating nations and organisations without a negative impact on the information security and network robustness may reduce the need to deploy stand-alone networked information systems. Sharing infrastructural network components does not imply that the information is also shared with the participating nations and organisations. This will lead to the principle of separation of a (shared) communication infrastructure and the information (systems) itself. The information system may still use the communication infrastructure but each having its own set of protection requirements. Developments such as Protected Core Networking (PCN) and Trusted Operating Systems may enable this shift toward a new architecture. These developments will not be without consequences, especially in the areas of protection of the shared infrastructure, protection of the information and cryptographic technology a lot of challenges have to be solved. This article highlights the most important of these technical challenges. 2.0 CURRENT INFRASTRUCTURES Current deployed infrastructures are mainly developed following national requirements, based on a generic deployment scenario. In case the deployed infrastructure participates in a coalition environment, coalition specific requirements are defined and must be implemented in the deployed infrastructure. Compared to the NATO Response Force, each member nation will have a six-month period for training and testing of their capabilities, including capabilities with respect to communication and information exchange. The whole infrastructure a nation or organisation brings to a coalition may comprise more than one domain. We distinguish four different types of domains: 1. The information domain This entails the means by which the C2 functions are performed for a predefined information classification. 2. The technical infrastructure This entails all hardware needed to enable communication. 3. The security domain This entails the security requirements which apply to an information domain. 4. The responsibility for these domains. This entails the collection of information domains and technical infrastructures for which an organisation is responsible. Traditionally a domain is bounded by its own type (classification) of information which is processed and the security requirements which apply, and consists of its own infrastructure. Hence the boundary of the infrastructure is effectively the same as the information and security boundary. This is a direct result of the system high mode of operation. These traditional domains are strictly separated. It is not uncommon to bring a Mission Secret, a National Secret, a National Restricted, and an Unclassified domain to the coalition. During a mission, each of the participating nations and organisations is the administrative owner (responsible) of one or more technical infrastructures. Security Shift in Future Network Architectures RTO-MP-IST-091 2 3 In the current system-high approach, with different infrastructures for each security domain, we see that different domains are delineated by the technical network boundaries. This means that the security requirements for a certain information classification level apply to the whole technical network which processes that classified (unencrypted) information. And because these domains (the information and security domain and the technical infrastructure) are combined, the security measures which protect the infrastructure and the security measures which protect the information are integrated and mutually dependent, and therefore hard to distinguish and separate. An improved situation would be where information can be exchanged over a shared, common infrastructure. Both the information domain and the communication infrastructure will have their own protection mechanisms to fulfil their own specific security requirements. For a communication infrastructure this may be the availability of communication between end-points, for information this may be to safeguard its confidentiality. This is a very important distinction. 2.1 Examples of current communication infrastructures Two examples of currently used communication infrastructures, TITAAN and a Navy Ship, are described below to clarify these disadvantages.