Evaluation and Testbed Development Bhavani Thuraisingham The University of Texas at Dallas Jim Massaro and Ravi Sandhu The University of Texas at San Antonio Tim Finin University of Maryland, Baltimore County

2 Outline Project Tasks Accomplishments NCES/GIG Security AIS Questionaire Next Steps

3 Project Tasks Year 1: Determine Base-line, Gather requirements from AIS Community, Develop scenarios Year 2: Testbed architecture design and preliminary prototype addressing subset of the requirements Year 3: Enhanced prototype for evaluation by interested organizations Optional years: Continue with the development

4 Accomplishments Base-Line: NCES and GIG Security/Information Assurance Questionaire to be distributed to the Services to gather requirements Will work with Dr. Herklotz to identify people to send the questionaire to Two courses taught at AFCEA (Armed Forces Communications and Electronics Association) May 2008 with units on Assured Information Sharing

5 NCES Security: WS-* Security Standards framework

6 What is NCES? NCES enables information sharing by connecting people/systems who have information* with people/ systems who need information For people who have information, NCES provides global information advertising and delivery services For people who need information, NCES provides global services to find and receive information rview_ ppt * Information – data and services (web services)

7 What is the Global Information Grid (GIG)?* The GIG represents a globally interconnected, end-to-end set of information capabilities and processes for collecting, processing, and managing information on demand to warfighters, policymakers, and support personnel. The GIG provides a critical foundation for the DoD’s Network-Centric vision by: (1) supporting the posting of data to shared spaces as early as possible; (2) providing users with an enhanced capability to pull required data from wherever they are, whenever they need it; and (3) ensuring information assurance measures are applied effectively and across the enterprise. The enterprise services component of the GIG consists of a suite of reusable core enterprise services such as (1) discovery of potential new users or data sources, (2) mediation between various data formats, (3) discovery of data and applications to solve problems, and (4) provisioning of the appropriate security services and keys to allow access to the data required. *Source:

8 Portal Application Service Consumer Service Consumer Attribute ServicePolicy Decision Service Policy Admin Service Policy Retrieval Service Provider Certificate Validation Service Policy Enforcement Point Policy Enforcement Point Request / Response NCES Security Services NameProtocolFormatStandards Body Service Request / ResponseHTTP / SOAPSOAP, WS-Security, XML- DSIG, SAML, WS- Addressing OASIS / W3C Attribute ServiceSAML-PSAMLOASIS Policy Decision ServiceSAML-PSAMLOASIS Certificate Validation ServiceXKMSXKMS /W3C Policy Retrieval ServiceNCES-defined*XACMLOASIS Policy Administration ServiceNCES-defined*XACMLOASIS Security Services: Detail View User

9 Logical Component Overview Application Service Consumer Authentication NCES Service Security Attribute Service Policy Decision Service Policy Admin Service Policy Retrieval Service DOD PKI & LDAP Service Provider Certificate Validation Service Policy Store Identity Store Policy Enforcement Point Attribute Store User

10 Questionaire The purpose of the (Web-based) Questionaire is to gather requirementds from DoD and its partners for Assured Information Sharing to guide our research For each question, if you answer “yes”, please elaborate on your answer. For each question you answer “no”, please state your future plans with respect to that question

11 Questionaire: Basic questions Is your organization adopting DoD’s Information Sharing Strategy? If no, what information sharing strategy is your organization following? If there is no strategy, then are you planning to have one in the future? Is yes, are you planing to implement all five implementation strategies proposed by the DoD?

12 Questionaire: Policies What policies are important to your organization for AIS Confidentiality, Privacy, Trust, Integrity, Other Explain each type of policy Is multilevel security important to your organization for AIS? If so, how do you handle information flow from High to Low? Are you utilizing a trusted guard/filter for information sharing across security levels?

13 Questionaire: Partners and Trust Do you have to share information with partners at different trust levels? How do you handle partners of different trust levels? How are trust levels assigned in your environment? Are the trust levels changing with time for a partner?

14 Questionaire: Standards Is you organization adopting NCES and GIG strategies? What standards is your organization adopting? E.g., Web 2.0, SOA? Are you using XACML, SAML for policies? Are you preparing for Web 3.0? Is your organization adopting DODAF?

15 Questionaire: Technologies Do you belong to a federated environment? What knowledge management practices do you enforce? Will you adopot the DoD KM strategy (e.g., AKM)? Are their incentives for you to share data? Describe how social networking is gaining importance in your organization and what are the tools you are using? What information management strategies do you follow? Describe any other activities/scenarios related to AIS

16 Next Steps Send questionaire to government agencies; work with AFRL and other DoD Labs Present our research results to DoD agencies and get feedback Work with our partners (e.g., Raytheon) and discuss opportunities for technology transfer Scenario development