Moving to Information Assurance

NATO Consultation, Command & Control Board
Information Assurance Sub-committee
NATO HQ
C3 Staff
Security and Protection of Information
“Moving to Information Assurance”
Brno (CZE) 2 - 4 May 07
Colonel Enrico Bologna
NHQC3S – Infosec Branch Chief
UNCLASSIFIED

Introduction

Aim:
To present the consolidated NATO processes for protecting information, but also the ongoing initiatives and the challenges in implementing a coherent and interoperable multinational and NATO Networking and Information Infrastructure (NII)…

Outline:
• Where INFOSEC / IA occurs in NATO … and some preliminary info
• Transformational Summit at Riga (Latvia) Nov 06
• Information Assurance … Complex mission
  - IA Subcommittee (SC/4)
  - NATO Public Key Infrastructure
  - Cyber Defence Programme
  - Other Areas of Interest
• Summary

NATO INFOSEC / IA Authorities
Where INFOSEC / Information Assurance occurs in NATO … and some preliminary information about NATO organizational structures

NATO INFOSEC / IA Authorities
[Organisation chart. Boxes: NAC; NATO Security Committee; WG/1 CIS Security; NATO C3 (1) Board; Military Committee; SC/4 - IA Subcommittee]
(1) Consultation Command and Control

Preliminary info

Preliminary info (Cont’d)
NATO Headquarters C3 Staff

Preliminary info (Cont’d)
INFOSEC Branch
Support to:
• NATO C3 Board
  - Information Assurance Sub-committee (IA SC)
  - NATO PKI Management Authority (NPMA)
  - NATO PKI Advisory Cell (PAC)
  - NATO Computer Incident Response Capability (NCIRC)
• Military Committee
  - Cryptographic products security approval process
  - Capability Packages development
  - Advice on cryptographic aspects/solutions

Senior Level Attention
NATO Transformation Summit at Riga, Latvia Nov 06

Transformational Summit Riga (Latvia) Nov 06
• CIS will make a major contribution in meeting the new challenges;
• Nations were invited to commit themselves to NNEC based capabilities implementation;
• Security or Information Assurance (IA) will serve as an enabler for NNEC (pacing technology);
• Avoid diverging national developments when dealing with EU capability implementations and to keep in close contact with the NHQC3S;
• NC3B role in Governance on NNEC and in the Defence Against Terrorism (DAT) which includes Cyber Defence (CD) aspects.

And Now
Information Assurance
Complex Mission
Agreed Description
IA Sub-committee

Complexity of …
Protecting Information = IA

IA Description
WHAT IS IA?
• Is it a kind of Insurance like a full “casco/helmet”?
• INFOSEC: Transmitted and/or Stored information?
• Risk Management
• Information Management Aspects: Labelling & Marking … but also Handling of Information

IA description
Information shall be protected by applying the principle of Information Assurance (IA), which is described as the set of measures to achieve a given level of confidence in the protection of communication, information and other electronic systems, non-electronic systems, and the information that is stored, processed or transmitted in these systems with respect to confidentiality, integrity, availability, non-repudiation and authentication.

NATO INFOSEC / IA Authorities
[Organisation chart. Boxes: NAC; NATO Security Committee; WG/1 CIS Security; NATO C3 (1) Board; Military Committee; SC/4 - IA Subcommittee]
(1) Consultation Command and Control

NC3B Sub-Structure
[Organisation chart. Boxes: NAC; NATO MILITARY COMMITTEE; NATO SECURITY COMMITTEE; WG/1; NC3B; NC3 REPS; NATO HQ C3 Staff; NCSA; NATO PKI Management Authority; PKI Advisory Cell; CICG; Sub-Committees SC/1 C3 CC SC, SC/3 FMSC Civ/Mil, SC/4 IA SC, SC/5 IS SC, SC/6 CNS SC, SC/7 IDENT SC, SC/8 NAV SC]
Chart legend: Open to Partners ¹; Meets with Partners ¹; No meetings currently planned with Partners
Chart callout: Provides INFOSEC Technical and Implementation Directives and Guidance
SC/1 = C3 Capabilities Coherence
SC/3 = Frequency Management
SC/4 = Information Assurance
SC/5 = Information Services
SC/6 = Communication and Network Services
SC/7 = Identification
SC/8 = Navigation

Mission of IA SC (SC/4)
Support NC3B in achieving protection of NATO information stored, processed or transmitted in communication, information and other electronic systems against loss of Confidentiality, Integrity and Availability and to prevent loss of integrity or availability of the systems themselves. The INFORMATION ASSURANCE SC also supports the MC and the NATO Security Committee (NSC) by responding to urgent matters of, respectively, an operational or a security policy nature.

SC/4 Composition
1. National representatives
   BEL, BGR, CAN, CZE, DNK, EST, FRA, DEU, GRC, HUN, ISL, ITA, LVA, LTU, LUX, NLD, NOR, POL, PRT, ROU, SVK, SVN, ESP, TUR, GBR, USA;
2. Other representatives:
   a. Strategic Commands (SCs);
   b. NATO Office of Security (NOS);
   c. Defence Investment (Infrastructure Committee);
   d. NATO Agencies (e.g. NC3A, NCSA, NACMA, SECAN, DACAN, EUSEC, EUDAC);

Relationships
[Diagram. Labels: Military Committee; NATO C3 BOARD; SC/4 IA; NC3A; SHAPE / ACO; Requirements; NCSA; ACT; SECAN; DACAN; EUSEC; NACMA; EUDAC]
Diagram caption: Provides technical support, as needed

Role of SC/4
• Develop Technical and Implementation Directives and Guidance in support of NATO Security Policy: C-M(2002)49
• Assist in Identification and Formulation of INFOSEC/IA Requirements
• Promote Interoperability Between NATO and NATO Nations, Non-NATO Nations and International Organizations
• Advise the NATO Security Committee on Implications for NATO Security Policy
• Contribute to the Identification of Vulnerabilities
• Provide a Forum for Exchange of Information and Ideas
• Maintain Technological Awareness of Developments That May Affect Security
• Monitor and Assess the INFOSEC Projects Within the NC3A

IA Sub-Committee Sub-Structure
IA SC AC/322 (SC/4)
Staff co-Chairman: Col. Enrico BOLOGNA
National Co-chairman: Mr. Stew Graf
• SCIP AHWG (AHWG/6)
• NATO/NON-NATO CO-OPERATION AHWG (AHWG/11)
• CRYPTOGRAPHIC DOCUMENTATION AHWG (AHWG/14)
• TECHNICAL INFOSEC DOCUMENTATION AHWG (AHWG/15)
[Further chart boxes: CSPTF TF; IPSec TF; TC Syndicates; IPSec TF]

New IA Sub-Committee Sub-Structure
IA SC AC/322 (SC/4)
• AHWG/1 Cross domain Issues AHWG
• AHWG/2 Technical IA Services AHWG
• AHWG/3 Security Management Infrastructure AHWG
• AHWG/4 Cryptographic Services AHWG
• AHWG/5 Reserved

And Then
Information Assurance
NATO Public Key Infrastructure
NPMA & PAC
MILESTONES
One example of ongoing initiatives and challenging implementation

NATO Public Key Infrastructure (NPKI)
NPMA & PAC
• The NATO PKI Management Authority (NPMA) serves as the executive agent for the development and operation of the NATO PKI.
• The NPMA's primary focus is to establish and maintain the desired level of trust when providing PKI services to NATO users and when defining the rules for interoperation with other PKIs.
• The NATO PKI Advisory Cell (PAC) provides assistance to the NPMA on legal issues, technical issues, and current NATO standard operating procedures.

NPKI Relationships
[Diagram. Boxes: NC3B; SC/4; SC/5; NPMA; PAC; CES; SMI. Link types: Tasking Authority; Co-ordination; Deliverables]
NOTES
CES: Common Enterprise Services
SMI: Security Management Infrastructure

NPKI Governance & Operational
[Diagram. Boxes: NC3B; NPMA; PAC]
Tier 1: Root CA (DACAN)
Tier 2: Certification Authorities (NITC, NCSA and other appropriate authorities)
Tier 3: SUBORDINATE CAs or RAs

NPKI Milestones
• NPMA and PAC establishment;
• Certificate Policy approval;
• Interoperability Directive production;
• Root Certificate Authority (CA) deployment;
• First Sub-CA activation;
• Provision of certificate services to projects.

Ongoing initiatives & implementation - NRoI

NRoI PKI Architecture
[Diagram. Labels: Disk Encryption; VPN; Secure Mail; Secure Web]

And More
Information Assurance
Cyber Defence Programme
NATO Computer Incident Response Capability
NCIRC + Intrusion Detection Systems
NCIRC Management
NCIRC Services

Cyber Defence Programme
Phase 1: NCIRC IOC + IDS
• NCIRC IOC: 16 DEC 2004
• NCIRC + IDS IOC: 28 NOV 2006
• IDS Sensors at Critical NATO Network Interfaces; 74 IDS Sensors are operational (37 on NS & 37 on NU Networks)
Phase 2: IMPLEMENT CAPABILITIES TO OVERCOME THE VULNERABILITIES
• Continuation of Implementing CD Projects:
  - Transition from NCIRC IOC to FOC (2008-2012)
  - Security Training and Awareness Programme
  - Implementation of Public Key Infrastructure
  - Modernise NATO Key Management Systems
Phase 3: IDENTIFY MINIMUM REQUIREMENTS AND RESOURCES IN ELIMINATING OR MITIGATING OTHER VULNERABILITIES
• Broaden CD view
  - Legal Aspects
  - New Technology
  - CIS NATO-wide Enterprise Continuity Plan

NCIRC
• NCIRC authority delegated by Nations in decisions of NAC
Cyber Defence Capability
• To respond to COMPUSEC threats and vulnerabilities;
• To Handle and Report incidents and disseminate incident-related information
• To Concentrate Incident Handling into one centralized and co-ordinated effort;
• To Mitigate effects of COMPUSEC related problems.
Co-operation of all NATO civil and military bodies, as well as final users
• NCIRC is a tool to reduce the Computer Security Risks supporting NATO by performing the services defined in NCIRC CONOPS.

NCIRC Organisation
TIER 1: NCIRC CO-ORDINATION CENTRE (CC): NATO Office of Security (NOS) & NHQC3 Staff INFOSEC Branch
TIER 2: NCIRC TECHNICAL CENTRE (TC): NCSA/NITC (With Scientific Support from NC3A)
TIER 3: NATO Civil & Military Bodies for assigned CIS; Local CIS Operating Authorities
[Other chart labels: NATO Security Committee; NATO C3 Board; NATO CIS Security Accreditation Board (NSAB); Other SABs (e.g. BICES, ACCS, BRASS); NOS; ACO Intel; ACT OS; CI and Law Enforcement; CERTs; Forum of Incident Response & Security Teams (FIRST); Other CERTs; NCSA; SECAN; National Govt.; Non-Govt.; Commercial]

NCIRC Services
• Development of OS Security settings (Vista, Solaris)
• NCIRC Security Bulletins & Reports
• On site VA in conjunction with SECAN
• Anti-Malware Management
  - Releasing of AV updates
  - Handling of AV support calls/requests
  - Field support visiting
• INFOSEC T & A Programme
• Mail content monitoring
• Web Sites protection
• Forensics along with NC3A

To be Effectively Involved
Other Areas of Interest
Capability Package development & implementation
INFOSEC Capability Package (Crypto Mod / Transformation)
NATO Network Enabled Capability
SCIP & IP Sec
examples of ongoing initiatives and challenging implementation

Capability Life-Cycle Process
[Process diagram. Stages: Concept & Requirements Development; Capability Definition; Capability Realisation; Capability Usage]
• Nations / organisations have many variants of this, but the overall pattern is the same
• The development and provision of interoperability is an integral part of this process
• This is not a linear process - reiteration and evolution are needed

CP Approval Process
[Flow diagram. Labels: Submit; SCs; SUPPORTS DEVELOPMENT; NC3A; REVIEWS (C3 Policy/technical, operational, resources); NHQC3S; NC3B; IMS; MC; IS; SRB; NAC/DPC; Endorse; Approve]

Bi-SC AIS Development Lines
[Timeline chart, 2006 to 2010. Labels:]
CP5A0050/9B0020: CORE Services
CP5A0004: MMHS Project
CP5A0005: ACE ACCIS
Step 5
CP5A0007: OPS Functional Services (Joint, Air, Land)
CP9B3013: MAR OPS CCIS
CP9C0150: Core AIS for Static Commands
CP9C0107: OPS Functional Services (Joint, Air, Land and Maritime)
CP0A0110: INTEL Functional Services
CP9C0103: LOG Functional Services
…
CP5A0053/9B0010: PERS Functional Services

• Assess the suitability of projects to support EBAO and TOAs
• Make Development Lines for individual projects
• Identify service specification requirements
• Determine maturity levels
• Adjust the projects

INFOSEC CP Projects
Project Number   PROJECT TITLE
0CM03039         Provide On-Line Cryptographic Equipment
0IS 03067        Provide NATO Electronic Key Management System (NEKMS)
0CM 03040        Provide Off-Line Cryptographic Equipment
0CM 03004        Provide NATO Computer Incident Response Capability (NCIRC)
0CM 03072        Provide NATO Public Key Infrastructure (NPKI)
0CM 03069        Provide NATO Secure Information-Exchange Interfaces (NSII)
0CM 03070        Provide NATO INFOSEC Management (NIM)
0CM 03071        Provide INFOSEC Support

Ongoing initiatives & implementation - SCIP
• Secure Communications Interoperability Protocol
  - Derived from the US FNBDT programme
  - Protocols offered to NATO
• Allows end-to-end secure communications:
  - over a range of network technology
  - and supports a range of security algorithms
• Collaboration between multiple nations, industry, an IICWG, NATO
  - i.e. many moving parts
• Interoperability testing conducted with prototypes Oct 06

Ongoing initiatives & implementation - SCIP
[Network diagram. Labels: NGCS/NDN Voice Gateway; NGCS; NDN; NSP2K; SCIP terminal; GSM, PMR, PSTN...; National Tactical (4578); NATO DCM; SCIP terminal]

Ongoing initiatives & implementation - IP Sec
• The establishment of a Protected Core Network (PCN) requires interoperable secure IP services
• Specifications for secure IP are being developed / identified through an IP Security Task Force under the NATO C3 Board - SC/4 & SC/6
NINE - NII IP Network Encryption
• NINE is not a device
• The NINE Interface Specification should state how a NINE device interoperates with other devices/networks
[Network diagram. Labels: Network and Security Management Centre; PCORE; numbered NINE nodes]

Protected Core
PROTECTED CORE (PCore)
[Diagram: several PROTECTED CORE SEGMENT blocks with points marked E and Z. Callouts:]
• Enforcement points ensure that policy is enforced throughout the PCore
• Consumer Modules under different ownership can access the PCore at any PCS in accordance with SLAs
• Service Level Agreements (SLAs) between PCS owners
• Protected Core Segments (PCSs) under different ownership, all built upon the principles of Protected Core Networking (PCN)

Summary
• Protecting Information is Complex
• Policy, Directives, Guidance and Oversight Provide Common Agreed Methods for Protection
• Collaborative Process Between NATO Bodies and NATO Nations
  - Focus on key lines of development
  - The parallel lines of development (national and NATO) need to be closely co-ordinated (NC3B - NNEC governance role ?)
  - Test Service and Interface Specifications in the development process and when integrated in capability
• Requires Constant Vigilance

Questions?
Colonel Enrico Bologna ITAAR
NHQC3S – INFOSEC Branch Chief