Friday, August 16, 2013

The Need for a Cross Domain Communication Reference Architecture

Secure Cross Domain Communication (CDC) has been a critical concern in the recent past particularly for the US Intelligence Community. Secure protocols for CDC has drawn significant thrust from the intelligence community, industry, and academia alike. Yet, coordination of activities between different (security) domains remains a crucial challenge. Cross-domain data flows often require extensive human reviews that are both time-consuming and error-prone. A partial survey of current cross-domain security solutions revealed, among others, the following issues:
  • From the perspective of mission applications design, current CDC solutions require mission application programs to design and implement their own individual solutions around particular guard designs, resulting in vendor lock-ins. Developers have to learn guard interfaces, design architectures for interacting with them, incorporate CDC concepts into their specific applications, and manage accreditation for the resulting systems
  • From the perspective of enterprise security infrastructure, guard products are typically transport oriented. This would require the guard to have the highest security privilege in order to be able inspect inform passing through it, contrary to best security practices. Furthermore, this implies same security terminology is required for both domains connected by the guard. For example, the same set of security labels have to be used. Such an assumption is not always true, especially when the information exchange across organizational boundaries. Last but not least, associating the guards with the links often fails to scale as the number of security domains increase, such as in the interagency cases, commonly known as the “n squared problem”.
  • CDC guards often have limited configurability and API. The result will be a proliferation of locked-in stacks that will reduce purchasing flexibility and increase program development expense.

In addition, current CDC solutions require excessive amount of human intervention, mainly due to the lack of a standard and flexible framework for describing information. Many guards use dirty word list or some rudimentary rules expressed in XSLT to filter information passing through them. These techniques often fail to take into account the context of messages and meaning of the words, leading to false positives or negatives. Human review is often required to adjudicate ambiguities, leading to critical delays in the workflow.

Most of the CDC solutions today focus on one or more particular aspects of cross-domain communications, for example, filtering information in web (HTTP) traffic.  To understand the multi-faceted nature of cross domain communication, we need to a conceptual framework in which interactions among CDC participants can be abstracted out, forming the basis for protocols.

To highlight the issues that the reference architecture needs to address, let us consider the simple use case shown above. In this example,
  1. A user submits a classified travel request through a Mission Planning System (MPS).
  2.  The MPS then sends a web service request to a Financial Management System (FMS), which is part of an unclassified network/domain.
  3. When the classified travel request passes through the guard, all classified information (itinerary) in the request needs to be redacted, allowing the rest of the message to pass as is.
  4. The FMS sends an email via SMTP to the mail server for the approver’s review. Since the mail server is on the classified network/domain, the guard needs to restore the redacted content for the approver to see the request in its entirety.
  5. The approver accesses the mail server from his/her classified workstation.

In reality, the workflow is likely to be more complex. But, the simplified example above is sufficient and suitable for our discussions. Consider the following questions raised by this use case.
  • How is the guard included in the workflow?

a.     If the guard is transparent to the mission application, then does the application need to be notified in case the guard blocks the message?
b.     If, on the other hand, the guard is an active participant in the workflow, would the guard “proxy” the target system by exposing the same web service interface? In other words, should the mission application address the request to the guard, instead of the financial management system?
c.     In (b), can the guard hide the identity of the source/target systems for security reasons – For instance, can the guard certify to the mission that the message is delivered to the proper target system, without revealing the identity of the system?
d.     Can the guard act as the information brokers across domain as well? For instance, can the guard locate the appropriate recipient in the correct domain for a particular message?
  • How does the guard determine which content to redact and which to allow without redaction?

a.     Is there a standard vocabulary that the guards and mission application share to describe the information, the actors, the security labels, and the security actions?
  •  Is a single guard or multiple guards monitoring both Web Service and SMTP traffic on the network/domain?

a.   Or should the guard just monitor TCP/IP packets without knowledge of application level protocols?
b.     If there are two different guards, how do they coordinate with each other? In the above example, how would a Web Service guard and an email guard coordinate to restore the redacted information for the approver?

A reference architecture will not provide standard answers to these questions. Rather, it will delineate responsibilities among various CDC participants, and describe how they interact with one another. As such, it will allow design choices like these to be made by the designers and/or architects of – infrastructure, mission application(s), guard products, etc., based on their unique business needs.

CDC is a shared responsibility between the CDC infrastructure and the mission application taking advantage of such an infrastructure. For the purpose of protocol design, we are primarily concerned with the infrastructure aspects of CDC. That is, standardized interfaces for products (hardware or software) whose primary responsibility is to facilitate secure cross-domain communications. A security guard is one such product, and perhaps the most important. 
As shown in the diagram, the reference architecture needs to address the following concerns-
  • Architecture Concerns: We believe it is reasonable to assume that mission applications are aware of the fact that they interact with system in other security domains, and therefore, the presence of security guards. It is the application’s responsibility to properly handle the cases where a message is rejected by the guard for security reasons.
  • Policy Concerns: Security attributes for application-specific messages need to be defined so that proper security policies can be enforced by the infrastructure. We consider this an application concern in the sense that the security attributes are associated with individual data elements processed by the application, even though it is likely that a security administrator attaches these security attributes at runtime.
  • Network Concerns: Specifically, the reference architecture needs to address the concerns of how the guard(s) interacts with the network. Any protocol needs to address how CDC-specific communications (messages between the application and the guard as well as messages between the guards) are carried in the network protocols. For example, how such messages are carried in a SOAP message for web services-based communications or in the HTTP header for web traffic. Doing so could require extensions to existing protocols so that security-specific information could be added to the messages. A particular aspect of integrating guard with network protocol is a mechanism to handle end-to-end encryption and authentication. For example, if a mission application encrypts payload using WS-Security, the guard would not be able inspect the message content unless the message is addressed to the guard (instead of the target system) and encrypted using the guard’s keys.
  • Information Concerns: Specifically, how guards interact with information floating through them. We believe there need to be a convention for determining how application-specific messages are interpreted and acted upon by the guards, while the goal of enabling: 1) Automation, so that time-consuming and error-prone human reviews can be reduced and, in some cases, eliminated; 2) Interoperability, so that CDC solutions from multiple vendors can work together seamlessly, and vendor lock-ins is avoided.
  • Workflow Concerns: Specifically, how guards interact with other participants of the workflow, i.e. mission application and other guards. Compared to the others, there has not been extensive research on this aspect of CDC. Much less discussion about how existing standards such as Business Process Modeling Notation (BPMN) languages can be leveraged for CDC. One important workflow consideration is whether or not the guard is an active participant in the workflow, and if so, how does the guard act as a service intermediary.