Title: Transatlantic Secure Collaboration Program TSCP Briefing for the Federal PKI WG
1 Transatlantic Secure Collaboration Program (TSCP)
Briefing for the Federal PKI WG
Washington 13 May 2004
www.tscp.org
2 The Defense Business Environment
- DOD
- Warfighter defeats the enemy and keeps the peace
- Intelligence knows about the enemy
- Business converts to defence capability under political governance
- Coalition Allies/Partners
- Industry Primes/Partners
- Products
- Services and support
- Supply chain
- Most verticals
- Increasingly international
3 The collaboration model is changing to adapt to the new industry trends . . . the security solution must be equally adaptable and flexible
Security Model
4 Data in the collaborative environment
- A typical corporation aligns and optimises its processes. The internal environment is process-centric.
- Collaborating organisations depend on shared information. This environment is data-centric.
- Successful collaboration depends ultimately on measurable data quality.
- Standard contractual clauses are needed for data quality, metrics and audit.
- Sharing sensitive data requires data segregation management
- So, what building blocks do we need to get there, and how are we doing?
5 Collaboration maturity is driven by the depth of information available between partners
Levels of Collaboration (HIGH to LOW)
Attributes of Collaboration: Objective, Capabilities Being Used, Business Benefit, Risks

Level Four: Extended Collaborative Enterprise (HIGH)
Objective: Product Lifecycle Management
Capabilities Being Used:
- Collaborative Product Design and Development
- Enterprise Bus. Intelligence
Business Benefit:
- Improved knowledge sharing, reducing product cycle time
- Single access to data sources, reducing search and acquisition time
Risks:
- Greater exposure to intellectual property loss
- Data corruption/theft

Level Three: Contextual Collaboration
Objective: Program Management
Collaborative Capabilities
Capabilities Being Used:
- Enterprise Program Management
- Portals/Search Tools, Document Management
- Peer-to-Peer Collaboration
Business Benefit:
- Improve transparency of schedules and resource allocation
- Increased access and reuse of internal knowledge to enhance innovation
Risks:
- Exposure and/or theft of intellectual property
- Transparency into potentially damaging program management issues

Level Two: Collaborative Commerce
Objective: System-to-System Messaging
Capabilities Being Used:
- Inter-Enterprise Process Management/Web Services (ERP/SCM/CRM Integration)
- B2B Exchanges
Business Benefit:
- Automate collaborative process management across the enterprise between organizations
- Improve supply chain transparency and open channels for new partners
Risks:
- Process automation creates greater interdependencies and management complexity
- Insights into financial aspects of the business model

Level One: Productivity-Centric Collaboration (LOW)
Objective: Simple Messaging
Capabilities Being Used:
- Office productivity tools and simple information exchange, calendaring and scheduling
- E-mail, attachments, secure instant messaging
Business Benefit:
- Improving individual team productivity through greater reach (e.g., e-mail) and standardization (e.g., PDF, .doc)
Risks:
- Inadvertent transfer of sensitive documents
- Viruses
6 What are Data and Information?
Security
Commercial legal
Competition
Collaboration
Need for Trust and a Common Language of
Business
7 In a collaborative environment based on Trust, how important is it ...
- To Trust someone else? (Corporate view)
- To be Trustworthy? (Collaboration view)
8 Protecting Sensitive Data: The Gap
Few people, little data, low dynamics
Rules
No Rules
Lots of people data, rapid dynamics
Cross-organisation cross-nation
9 Phase I delivered a guidance framework to enable secure collaboration
Background
Framework for Secure Collaboration
Motivation
Defense Collaboration
- The drive by UK MOD, US DoD, industry and exchanges to meet collaborative business goals requires information to be shared more widely, securely, effectively and affordably between US, UK and other European nations
- To collaborate successfully, corporations must
- Connect securely to collaborative partners (secure transport)
- Know and control who is accessing its data externally (authentication)
- Segregate data by projects and programs (authorization)
- The ability to segregate data at all layers (network, host, application, data base) is not currently being addressed
10 The purpose of the Framework was to provide a common baseline to setup Secure Collaborative Environments (SCE)
Background
Personal Information
Government Information
Corporate Information
REGULATIONS
11 The Framework also outlined a conceptual architecture designed with trust zones where the SCE would be contained in the Yellow Zone
SCE Conceptual Architecture
12 Phase 2 Requirements
The Governance Board provided statements of requirement to develop guidance framework documents
Summary of Key Requirements
13 Phase II Players
- Airbus/EADS
- BAE SYSTEMS
- The Boeing Company
- CAE
- Lockheed Martin Corporation
- Northrop Grumman
- Raytheon Company
- Rolls-Royce
- Smiths Aerospace
- Westland Helicopters
14 Purpose, Background Status: Overview
Booz Allen, sponsored by ten companies and supported by the UKCeB TF, was tasked with developing guidance to protect export controlled data in a collaborative environment
- Background
- European, UK, US, and some Canadian defense companies involved in international collaboration are increasingly concerned at the extent to which the penalties associated with violations of diverse multi-jurisdictional export control regulatory environments are hampering or threatening their ability to collaborate and compete in a broadly similar manner across national boundaries
- Requirements
- Provide guidance on the protection of export-controlled data in a way that gives greater confidence of compliance to the regulators of different nations and collaborative partners, particularly with regard to the sharing of measurable audit data. The guidance should build upon the Phase 1 Framework for Secure Collaboration.
- Provide guidance for companies involved in collaboration to implement common and interoperable identity management capabilities to control access to data
- Approach
- (1) Capture the requirements, define the As-Is and To-Be, assess the gaps, and identify a design to bridge the gaps
- (2) Coordinate with other relevant initiatives and best practices and engage with major stakeholders outside the TSCP participants
- (3) Design a framework of principles and guidelines including management, procedural, and technical characteristics
- Program Goals
- Participating companies will endorse and accept the requirements, design and framework
- The US, UK, and Canadian regulatory authorities will find the framework to be sound guidance for improved collaboration
15 Collaborative Identity management is a critical capability required to mitigate the risks associated with compliance to export control regulations
Approach: Phase II
Integration of Export Control Guidance
Collaborative Identity Management Frameworks
Export Controls
Collaborative Identity Management
Collaboration Program Requirements
Identity Management Capabilities Required to
Support Export Control Compliance
Federated Collaborative Identity Management
Framework
Export Controls Guidance
16 The As Is CTA relies upon replication of data and many 1:1 trust relationships to facilitate collaboration
Validated Draft Design Review Conceptual Architecture (As-Is)
Nation 2
Nation 1
- Distributed replicated data environment results in higher costs and difficult data management
- Duplicative security management results in overall lower security environment
- Multiple identity repositories cause duplication and difficulty in management
- Trust is formed on one-to-one basis and is not scalable
- Third Parties are used to host collaborative applications and infrastructures, driving increased cost and point solutions
Company B
Company A
Trusted Corporate LAN
Collaboration Trust - DMZ
17 The To Be CTA (Gold) uses common interoperability mechanisms and integrated data environments to drive trusted collaboration
Validated Draft Design Review Conceptual Architecture (To-Be)
Nation 2
Nation 1
- Integrated data environment results in less replication, lower costs, and better control
- Interoperable security management mechanisms and infrastructure increases security while reducing cost
- Directory gateway brokers leverage, do not replace, existing repositories while providing interoperability mechanism
- Trust is formed across federated environment using bridging mechanisms
- Third Parties and consortia assist in hosting trust and interoperability infrastructure through Commercial Bridge and Trusted Directory Gateway Broker
Company B
Company A
Trusted Corporate LAN
Collaboration Trust - DMZ
18 A comparison of the two states shows a move towards integrated, streamlined, and standardized architectures
Validated Draft Design Review Conceptual Architecture (Differences)
As-Is
- DATA: Physically segregated data with no standard tagging schemes
- SECURITY MGMT: Duplicative and stove piped security management
- IDENTITY: No single authoritative or interoperable identity solution
- THIRD PARTIES: Reliance on third party services for specific collaborative applications and directories for niche applications
- APPLICATIONS: Complex application data flows with hard-wired security
- ACCESS: Proprietary access management processes and data flows
- TRUST: Trust largely based on human processes or 1:1 point solutions
To-Be (Gold)
- DATA: Integrated data uses tagging schema to assist in managing security
- SECURITY MGMT: Distributed yet consistent security management with directory integration
- IDENTITY: Standardized identity schema ensures interoperability with many repositories
- THIRD PARTIES: Third parties assist in interoperability/bridging environment, not just apps
- APPLICATIONS: Data flows largely unaffected but use consolidated security infrastructure
- ACCESS: Streamlined access management through common policies, procedures, mechanisms
- TRUST: Trust based on standard processes, schemas, and minimal additional technology investment
19 How-To Guide Migration Plan
The final How-To Guide will outline a generic migration plan that can be leveraged to build a company-specific migration plan
Activities/Work steps (Illustrative), plotted against Quarters Q1 to Q14
- Identify Collaboration Requirements
- Compliance
- Complexities (G/S/B)
- Baseline Current Capabilities
- Compliance
- Complexity
- Perform Gap Analysis
- I/M, IAM, GO, TA
- Develop Migration Plan
- Migrate to Bronze level capabilities
- Information Management
- Identity Management
- Governance Oversight
- TA
- Technical Architecture
- Migrate to Silver level capabilities
- Information Management
- Identity Management
- Governance Oversight
- TA
- Technical Architecture
- Migrate to Gold level capabilities
- Information Management
- Identity Management
- Governance Oversight
- TA
- Technical Architecture
Phase 0 K - K
Phase I K - K
Phase II K - K
Phase II K - K
20 TSCP Way Ahead
- Implementation of the Phase 1 and Phase 2 documents
- Support for the implementation of the Commercial Bridge
- Support for the implementation of UID
- possibly, Controlled Information Release
21 UID Network Centric Collaboration
Industry
Unique Identification
People
Item
Location
Enterprise
Data
Network Centric Collaboration
U.S. Agencies External Governments (e.g., UK,
Australian, Canadian, Dutch)
22 Collaboration depends on Data Interoperability
Company A
Company B
Global Interface Standards
Asset tracking
Asset tracking
23 Unique IDentification (UID) is . . .
. . . the set of data for tangible assets that is globally unique and unambiguous, ensures data integrity and data quality throughout life, and supports multi-faceted business applications and users.
UID is . . .
26 Enterprise Integrated Data Environment (EIDE)
Provide an enhanced environment that enables the DoD Logistics Enterprise to execute practices, processes, applications and decision support tools to achieve logistics interoperability and allow for information exchange within and between internal and external DoD business partners.
- Non-system dependent transactions
- Consolidation and reuse of Interfaces
- Data integration/sharing
- Leverage Modernization Efforts
- Data Standards not Standard Data
27 Logistics Enterprise Architecture Blueprint
[Figure: three linked architecture views. Other labels on the figure: SCOR, Process Architecture, Performance Based Metrics, Data Views]
Operational View: Identifies Warfighter Relationships and Information Needs
Systems View: Relates Capabilities and Characteristics to Operational Requirements
Technical View: Prescribes Standards and Conventions
Labels on the links between the views:
- Processing and Inter-Nodal Levels of Information Exchange Requirements
- Processing and Levels of Information Exchange Requirements
- Systems Associations to Nodes, Activities, Needlines and Requirements
- Basic Technology Supportability and New Capabilities
- Specific Capabilities Identified to Satisfy Information-Exchange Levels and Other Operational Requirements
- Technical Criteria Governing Interoperable Implementation/Procurement of the Selected System Capabilities
28 Defence contracting environment today requires greater co-operation across national borders inside a global company and across companies. Industry has made assumptions and is acting on them
Strategic Imperatives
- US DOD is the dominant customer
- US DOD is contracting for digital signatures on important electronic documents and its payment portal
- US DOD is contracting for ISO Unique Identification of Tangible Items.
- US DOD is putting into existing collaborative programs JSF, CH47
- US DOD is specifying GIG architectural components in contracts
- US DOD is demanding shorter technology refresh cycles
- International regulators demand compliance or impose penalties
Requires
- US DOD to secure agreement with allies and trade associations.
- Companies to collaborate with US DOD to develop approaches that maximise interoperability and reuse
- Secure data exchange between partners operating in different countries.
- System of systems approach based on uniqueness standards
- Collaboration in real-time to reduce the product development timeframe
- Compliance with increasingly complex regulations
But,
- Organisations need help to use TSCP 1 2 to best effect.
- Companies need to see benefits of TSCP investment and best practice ? V2
- Companies need approach to implement DOD/ATA UID.
- Companies need a way to link trust communities to satisfy DOD.
- Companies need guidance to share/release documents under control.
- Companies need guidelines to improve and measure data quality.
- Need KPI evidence of risk management benefits
29 US DOD clean audit
Get ISO approval as part of ISO 10303
Company Repositories
30 Controlled Information Release involves the use of automation and rules.
31 Importance: Why Should You Care?
- The Giants of Defense Industry are Putting Their Money on Solving Net Centric for Themselves
- Same Solution Space that DoD is Pursuing / Funding
- Names/Motivations may be different, but Results Same
- All Concerned Accept Need to Interoperate
- Internationally
- Between Competitors and Sub-Contractors
- With their Defense Customers,
- DOD, MOD, Other Primes, Other Defense-Related Organizations
- These Companies Deploy With Us
- For the Finish Line, We now have opportunity to Help
- Build to Interoperability (on the first try)
- Use Their Synergy and
- Pool Results of Our Combined Investments
32 Identity Management
- Separate Identity from Attributes
- Strong Identity Management
- Up Front Identity Proofing is Critical
- Everyone needs strong credentials
- Only one world-wide infrastructure for DoD
- Authentication is Centralized in the Enterprise
- Authorization is Decentralized
33 What are the data implications?
- In the DMZ
- Meta² data registry language of the company.
- Meta data registry discovery data pointer
- Audit quality metrics
- Segregated, tagged data in the collaboration environment
- In the collaboration zone
- Commercial Bridge
- Attribute Broker
- Audit record keeper
34 Summary
- Collaboration requires Trust and a Common Language of Business to meet a range of challenges, including regulatory.
- Governments and industry are investing in strong identity management and strong data segregation management, with guidance for their implementation
- Interoperability demands data standardisation and data quality metrics to underpin audit.
- Expect to see collaborative Trust and Common Language of Business mechanisms appear in DOD and other nations contracts
- How will the Federal community engage with partners and industry to tackle the common challenges?
35 Back Up Slides
36 Possible view of the Commercial Bridge
37 [Diagram labels: DOS, Treasury, Higher Ed, DOD, NASA, FBCA, Illinois, ECA, LM, Commercial Bridge, Boeing, Auto ??, NG, Rail ??]
38 Commercial Bridge
- Relevant Milestones
- Dec 04 - DOD x-cert with FBCA
- Apr 05 - Commercial Bridge operational x-cert with FBCA
- 3Q05 - MOD x-cert with FBCA
- Events
- 28 April - Initial Planning Meeting for the Governance Board
- 4 governments and 4 companies for 12-18 months only
- 11 May - International CIDM Forum AFEI/AIA/SBAC/DMA possibly supported by AFCEA, AIAC NIID
- Challenges
- DOD ECA policy under review cost, risk and liability issues. Industry view??
- Industry take-up sufficient to start up