THE CHALLENGES OF INFORMATION ASSURANCE


By Miriam Moss, DISA Corporate Communications

Department of Defense experts in information assurance are diligently seeking ways to provide wireless, mobile capabilities, including voice and e-mail, for classified and unclassified networks without compromising the essential elements of information assurance: authentication (ensuring that users and information are genuine), confidentiality (preventing disclosure of information to unauthorized users), integrity (ensuring that data cannot be altered by unauthorized users), availability (ensuring that information, computing systems, and security controls are available when needed), and non-repudiation (a control ensuring that the sender cannot deny having sent a transaction, and the receiver cannot deny having received it).

Security of the Networks
The need for information assurance increases every day for the Department of Defense. To foster faster development of a more secure Global Information Grid, the Defense Information Systems Agency is collaborating with other DoD, federal, and industry partners to improve information security for the DoD.

An important DISA initiative is to strengthen control over which devices are allowed to connect to the SIPRNet [the classified Secret Internet Protocol Router Network]. DISA is working with the military services to deploy a technology called network admission control, or NAC, as a means of authenticating devices, not just people. "We will combine this with an upgrade to the DoD public key infrastructure (PKI) which will issue identification credentials for devices," said Mark Orndorff, DISA's program executive officer for Information Assurance and Network Operations. Admission control is another layer of protection on the SIPRNet and leverages existing relationships and technologies.
A related effort is to strengthen the cyber identity credentials DISA issues to people who use the SIPRNet. DISA has teamed with the National Security Agency to upgrade the SIPRNet PKI from a software-only credential to issue PKI credentials on a hardware token, much like those on a common access card which is currently used to authenticate people on the unclassified network.

"We're working another effort to improve the individual authentication controls on the SIPRNet. Taking the capabilities we have with PKI and mirroring that on SIPRNet," Orndorff said. Basically we are strengthening the way we make sure that our SIPRNet is allowing only connections to things that we want — that we've authorized — to connect to, according to Orndorff.

Configuration Standards
Configuring every device in the information infrastructure is essential. DISA is a part of a large-scale, federal initiative to define configuration standards. Along with NSA and NIST, DISA publishes configuration guides for many technologies used by DoD and other agencies.

"We're focusing a lot of attention on improving the configuration standards throughout DoD. That's basically a fundamental principle; we have to have clearly defined security configurations that we consistently apply across all of DoD," said Orndorff.

"There are about 7 million devices with Internet protocol addresses on the unclassified network. Getting them configured correctly, keeping them configured correctly and measuring them is an enormous challenge given the incredible diversity of DoD's mission and the incredible mobility of DoD. We are far more mobile than any other large organization in the world," said Richard Hale, DISA's chief information assurance executive.

"To help our DoD customers deal with this complexity, we are trying to drive as much automation as possible into the configuration process. As part of this, we're also trying to drive toward standardization of the data involved in the business of configuring correctly, keeping things configured correctly, and measuring that they are configured correctly," said Hale.

"We're participants in a government/industry effort led by the National Institute of Standards and Technology called the Security Content Automation Protocol, which is defining standards for describing a configuration, defining measurements of the configuration, naming and describing vulnerabilities and the like," said Hale. To be successful, this government/industry team must also address the challenge of maintaining a configuration as technology advances.

"This is one of the reasons why we are participating in these major standardization efforts — to try to improve the automation," he said, which in turn increases the overall security.
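The three activities Hale describes (describing a configuration as data, measuring the actual configuration, and reporting whether it matches) can be shown in miniature. The following is an added example, not DISA or NIST tooling: the rule ids, baseline rules and sample sshd_config are all constructed for illustration and are not real STIG or XCCDF identifiers.

```python
"""Minimal configuration-compliance check in the spirit of the SCAP description:
a machine-readable baseline, a measurement of the actual config, a result per rule."""
import re

# Constructed baseline: (rule id, setting, operator, expected value).
# Rule ids are placeholders, not real STIG or XCCDF identifiers.
BASELINE = [
    ("rule-ssh-01", "PermitRootLogin", "equals", "no"),
    ("rule-ssh-02", "MaxAuthTries", "max", 4),
    ("rule-ssh-03", "Banner", "present", None),
]

# Constructed sample of an sshd_config as it might be found on a host.
SAMPLE_CONFIG = """\
PermitRootLogin yes
MaxAuthTries 4
#Banner /etc/issue.net
"""

def measure(config_text):
    """Parse 'Key value' lines, ignoring blanks and comments (the measurement step)."""
    actual = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.+)$", line)
        if m:
            actual[m.group(1)] = m.group(2).strip()
    return actual

def evaluate(rule, actual):
    """Return True (pass) or False (fail) for one rule against the measured settings."""
    rule_id, key, op, expected = rule
    value = actual.get(key)
    if op == "present":
        return value is not None
    if value is None:
        return False  # an unset setting never satisfies equals/max
    if op == "equals":
        return value.lower() == str(expected).lower()
    if op == "max":
        return value.isdigit() and int(value) <= expected
    raise ValueError(f"unknown operator {op!r} in {rule_id}")

def check(config_text, baseline=BASELINE):
    """Run every rule; return {rule_id: 'pass' | 'fail'} as the result report."""
    actual = measure(config_text)
    return {r[0]: ("pass" if evaluate(r, actual) else "fail") for r in baseline}
```

Running `check(SAMPLE_CONFIG)` flags the root login and missing banner rules while the MaxAuthTries rule passes; the same baseline can be run unchanged across every host, which is the consistency Orndorff calls for above.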

Wireless Sensor Grid
The convenience of home wireless technology is an incentive for employees to connect to the enterprise unclassified network from home using a Small Office/Home Office-grade access point attached to a local area network. Whether unintentional or intentional, this act punches a hole in the enterprise security system, exposing critical data to those who would ordinarily not have access to the enterprise and compromising the network.

In an effort to thwart the consequences of rogue access points, DISA has traditionally attacked the issue in two ways: scanning of hardware and software, and remediation. Scanning involves checking everything from the local enclave level to the entire architecture for vulnerabilities. Remediation deals with pushing out patches to servers and workstations.

Recent work conducted by the Computer Network Defense Enterprise Solutions Steering Group has yielded results that will lay the groundwork for a wireless sensor grid, a more holistic approach to detecting these connections. These results, upon scrutiny, will provide insight into whether current technology has matured to a level at which funds can be dedicated to this initiative.

"This is where I think we want to go in the long run," said Orndorff. "We don't have firm specific plans right now. We've gathered the plans from industry; now we're going to take a look at it and decide whether we put money there or not."

Growing Pains
Over the past several years we've worked to put capabilities in the hands of systems administrators. "We provide tools to help to harden the operating systems — to harden the hosts. We have host-based intrusion detection, host-based intrusion prevention, vulnerability scanning, and vulnerability remediation as products we directly acquire and provide for the military services," Orndorff said. Putting these tools in the hands of the systems administrators and security professionals has helped, but we need to make them easier to use and manage.

Hale's focus is on easier ways to work with these capabilities on a daily basis. "Part of that is understanding what's required, but another part is getting industry to help us in that by coming up with ideas that make some of these capabilities easier to implement and easier to operate," Hale said.

"Wireless detection, I think, is one of the ones that falls exactly into that category, where we must make sure that we aren't coming up with a solution that our soldiers, sailors, and airmen aren't going to be able to manage with day in, day out," said Hale.

Protecting the Global Information Grid
DISA's goal is to protect and ensure the security of the GIG through information assurance. With continual collaboration with NSA, NIST, and other partners, DISA has rapidly improved the security of the network. However, protection starts at the entry point to the GIG.
"You can't build anything, you can't protect the data, you can't protect access, you can't protect all of the other things we are trying to accomplish [without] a standard secure configuration," said Orndorff.