© tecsec® incorporated 2003 threat notification model for federal, state and local authorities...
TRANSCRIPT
© TecSec® Incorporated 2003
Threat Notification Model forThreat Notification Model forFederal, State and Local AuthoritiesFederal, State and Local Authorities
Getting Critical Information to the Homeland Security Threat-Fighter
Standards-based Desktop Software provides Secure Information Sharing without Cost of New Infrastructure
© TecSec® Incorporated 2003
OverviewOverview
• President’s National Strategy Defines the Problem• Sharing Threat Information Selectively, Confidentially, and
on a Need-to-Know and Need-to-Share Basis
© TecSec® Incorporated 2003
The ProblemThe Problem
© TecSec® Incorporated 2003
President’s National Strategy Document asserts:President’s National Strategy Document asserts:
Currently, there is noCurrently, there is no central, coordinating mechanism to assess the impact ofcentral, coordinating mechanism to assess the impact of
sensitive information and ensure that it gets to all thesensitive information and ensure that it gets to all theparties with a parties with a need to knowneed to know..
Adding to this problem isAdding to this problem isthe lack of technical communications systems to enablethe lack of technical communications systems to enablethe secure transmittal of classified threat information tothe secure transmittal of classified threat information to
the owners and operators of concern.the owners and operators of concern.
Source: The National Strategy for The Physical Protection of Critical Infrastructures and Key Assets, February 2003, Page 26
© TecSec® Incorporated 2003
One of the first steps we must take is to preciselyOne of the first steps we must take is to precisely
define information sharing requirements as theydefine information sharing requirements as they
pertain to the critical infrastructure and key assetpertain to the critical infrastructure and key asset
protection mission. protection mission.
These requirements should focusThese requirements should focus
on the sharing of real-time threat, vulnerability, andon the sharing of real-time threat, vulnerability, and
incident data; best practices; security guidelines; risk incident data; best practices; security guidelines; risk assessments; and operational procedures.assessments; and operational procedures.
Source: The National Strategy for The Physical Protection of Critical Infrastructures and Key Assets, February 2003, Page 26
Need to Define Information Sharing RequirementsNeed to Define Information Sharing Requirements
© TecSec® Incorporated 2003
Threat Notification and DistributionThreat Notification and Distribution
From Federal to State & LocalFrom Federal to State & Local
Or Vice-VersaOr Vice-Versa
© TecSec® Incorporated 2003
Sample Threat Notification EnterpriseSample Threat Notification EnterpriseSecretary
of theDepartment of
Homeland Security
Governoror State CIO
Governoror State CIO
Governoror State CIO
MAYORDirector,
Water Treatment Facility
StateMedical Director
PoliceForce &
Fire Dept Staff
HospitalStaff
WaterTreatment
Staff
Sta
teLo
cal
Emergency Medical
TechniciansFR
Fed
eral
FR = First Responders
© TecSec® Incorporated 2003
Information Sharing FlowInformation Sharing Flow
And from the top down or the bottom up…..
Information Sharing can occur……vertically or horizontally
Or in a variety of other configurations depending on the Enterprise Architecture and Workflow
© TecSec® Incorporated 2003
Threat AnalysisThreat Analysis
• Threat is received at the Federal Level and analyzed• Differentiated Access Control Credentials are applied
to Threat Notification• Threat is distributed to State and Local and First
Responders and/or to other Agencies.
© TecSec® Incorporated 2003
Threat Notification: Credentialing and DistributionThreat Notification: Credentialing and Distribution
Threat Notification
Threat Notification
Threat NotificationThreat Notification
Federal
State
Local
Different Credentials are Assigned to Different Parts of a Single Threat Notification.
The Notification is dispersed throughout the “Enterprise”.
FR
FR = First Responders
© TecSec® Incorporated 2003
Threat Notification with Credentials AssignedThreat Notification with Credentials Assigned
Secretary of the
Department of Homeland Security
Governoror State CIO
Governoror State CIO
Governoror State CIO
MAYORDirector,
Water Treatment Facility
StateMedical Director
PoliceForce &
Fire Dept Staff
HospitalStaff
WaterTreatment
Staff
Emergency Medical
Technicians
Fed
eral
FR = First Responders
Sta
teLo
cal
FR
© TecSec® Incorporated 2003
Access to the Threat NotificationAccess to the Threat Notification
Access to the Threat Notification is Limited by a Recipient’s Role…and the Credentials Associated with that Role.
FEDERAL ROLE
•Federal Credential
•State Credential
•Local Credential
•FR Credential
STATE ROLE
•State Credential
•Local Credential
•FR Credential
FR ROLE
•FR Credential
• Federal Role: has all Credentials & can access the entire document.
• State Role: can only access the State, Local, and FR portions.
• Local Role: can only access the Local and FR portions.
• FR (First Responders) Role: can only access the FR portion
Threat Notification
Threat NotificationFederal
StateLocal
FR
LOCAL ROLE
•Local Credential
•FR Credential
FR = First Responders
© TecSec® Incorporated 2003
Constructive Key ManagementConstructive Key Management®® (CKM(CKM®®))
© TecSec® Incorporated 2003
CKM Enterprise Architecture ConceptsCKM Enterprise Architecture Concepts
• Enterprise– A collection of Members, Organizational Units, Roles,
Domains, Categories and Credentials that are administered as a whole.
• Domain– A grouping of Roles, Categories and Credentials with
common security needs that defines who can communicate securely with whom within the Enterprise.
• Organizational Unit (OU)– A grouping of Members with common attributes
© TecSec® Incorporated 2003
CKM Enterprise ArchitectureCKM Enterprise Architecture
President
Director Director Director
Manager Manager Manager
A typical CKM Enterprise can be modeled after a standard organizational chart
It consists of Organizational Units (OUs), which can be thought of as Departments.
HR OU Finance OU Sales OU
And Domains, which can be thought of as Working Groups or Communities of Interest
President
Director Director Director
Manager Manager Manager
Domain 1 Domain 2
© TecSec® Incorporated 2003
CKM Enterprise AdministrationCKM Enterprise Administration
• CKM Enterprise Builder provides a Division of Labor and a Balance of Power by distributing the administration among three types of administrators for each CKM Enterprise.
• No one person has all the keys to the kingdom
© TecSec® Incorporated 2003
CKM Enterprise AdministrationCKM Enterprise Administration
• Enterprise Authority (EA)• Domain Authority (DA)• Organizational Unit Authority (OUA)
All Administrators are Members of the Enterprise.
There are three types of Administrators in a typical CKM Enterprise
© TecSec® Incorporated 2003
Distribution of Labor – Balance of PowerDistribution of Labor – Balance of Power
• Enterprise Authority (EA)– Maintains the Enterprise Structure– Creates Domains and Organizational
Units– Creates Custom Fields– Creates Top Organizational Unit
Authority (who is assigned to all OUs)– Creates other EAs (optional)– A DA placeholder is automatically
created when the Domain is created – this is assigned to a specific Domain.
• Organizational Unit Authority (OUA)– Administers one or more Organizational Units– Creates Members– Assigns Roles to Members– Creates and Distributes Tokens to Members– Creates other OUAs (optional)
• Domain Authority (DA)– Defines Domain Policy– Administers a Domain– Creates Categories, Credentials and Roles– Assigns Roles to Organizational Units– Creates other DAs (optional)
© TecSec® Incorporated 2003
Credentials and RolesCredentials and Roles
© TecSec® Incorporated 2003
Credentials and RolesCredentials and Roles
• Credential – a control method– Access to information is controlled by distributing appropriate
Credentials to a person’s functional Role.– When distributing objects (files, emails, all or just part of
documents, etc.), Members apply Credentials to define Recipients
– A cryptographic value used in the key generation and regeneration process as an enforcing mechanism.
• Role - a person’s assigned duties – Credentials (and other Domain and Enterprise Information) are
assigned to Roles based on duties and need to know.– A Project Mgr. may have several Credentials that give
differential access (read and/or write) to types of information.
© TecSec® Incorporated 2003
Credentials are Assigned to RolesCredentials are Assigned to Roles
Federal Credential
State Credential
Local Credential
Staff Credential
State Credential
Local Credential
Staff Credential
Local Credential
Staff Credential
Federal Role
State RoleLocal Role
Staff Credential
1st Reponders Role
© TecSec® Incorporated 2003
Need to KnowNeed to Know Roles are Assigned to Members Roles are Assigned to Members ……
Federal Role State Role Local Role
Under Secretary Management
Under Secretary Science &
Technology
Under Secretary Information Analysis
& Infrastructure Protection
Under Secretary Border &
Transportation Security
Under Secretary Emergency
Preparedness & Response
Governor
State CIO
State Police Chief
State Medical Director
State Fire Chief Sheriff
Mayor
County Executive
EMT Director
Hospital Director
Local Police Chief
Local Fire Chief
FR Role
Law Officer
Fire Fighter
Emergency Medical Technician
Hospital Worker
© TecSec® Incorporated 2003
Credentials Assigned by Sender to Objects when Credentials Assigned by Sender to Objects when Distributing MessageDistributing Message
Threat Notification DocumentThreat Notification Document
Federal
State
Local
This portion was encrypted with the Federal Credential
This portion was encrypted with the
State Credential
This portion was encrypted with the Local Credential
FR
This portion was encrypted with the
First Responders (FR) Credential
© TecSec® Incorporated 2003
CKM provides Instant Network for Homeland CKM provides Instant Network for Homeland
Security with Need to Know Information AccessSecurity with Need to Know Information Access
• Transport independent, reliable, messaging• Secures the data in transit and at rest• Sender and Recipient Authenticated• Information Confidentiality• Sender Alert uses pre-assigned Credentials to
need-to-know, known parties.• Quick deployment and installation• Low Cost, standards-based, proven products• Microsoft® Windows® and PKI compatible + others• Wireless application will be available
© TecSec® Incorporated 2003
IdentificationIdentification
AuthenticationAuthentication
AuthorizationAuthorization
© TecSec® Incorporated 2003
Identity, Authentication, and AuthorizationIdentity, Authentication, and Authorization
• CKM Token with CKM Credentials for Authorization• PKI Certificate on the CKM Token for Identity
Authentication• Token can be software or hardware• The Member must authenticate to the Token before
participating in the CKM System
© TecSec® Incorporated 2003
Backup SlidesBackup Slides
© TecSec® Incorporated 2003
Facts About First Responders
• There are over 1 million firefighters in the United States, of which approximately 750,000 are volunteers.
• Local police departments have an estimated 556,000 full-time employees including about 436,000 sworn enforcement personnel.
• Sheriffs' offices reported about 291,000 full-time employees, including about 186,000 sworn personnel.
• There are over 155,000 nationally registered emergency medical technicians (EMT).
Source: http://www.whitehouse.gov/news/releases/2002/01/print/20020124-2.html