ASD Convention
Workshop 6
e-standards: a Strategic Asset across the Value Chain
Security
Secure Information Sharing
Steve SHEPHERD, Executive Director, UK CeB
Istanbul, 6 October 2011

Information security

Aerospace and defence information is often constrained by:
- National security
- Export controls
- Proprietary rights

Aggregations of data potentially convey more significant information and often carry a higher classification
Integrated data contains significant IP, e.g. 3D visualisation tools rather than CAD models for quotations
Advanced Persistent Threats
+ we have the information explosion across the Extended Enterprise

So: E-Business requires standards for Secure Information Sharing

Secure Information Sharing

- E-Mail (with attachments)
- Voice & Teleconferencing
- Person to Person
- Web Conferencing
- Browser access to Applications
- Person to Application
- CWEs / SWEs
- Fax
- Video
- Instant Messaging
- Web Discussion forums
- Access to Intranets
- Application to Application
- Data Exchange

+ Data Transport Systems
+ Enablers and Trust Mechanisms

Secure Information Sharing: TSCP Secure E-mail v1

The Transglobal Secure Collaboration Program (TSCP) is a government-industry partnership focused on mitigating the risks related to compliance, complexity and cost related to secure information sharing that are inherent in large-scale, collaborative aerospace and defence programs that span national jurisdictions.

The TSCP Secure E-mail v1 specification allows organizations to send digitally signed and/or encrypted email over the internet securely.

The specifications and key supporting documentation are made publicly available and their usage is encouraged by adoption as industry specifications in Europe (ASD SSG) and the US (AIA).

Government-industry partnership specifically focused on mitigating the risks related to compliance, complexity, cost and IT that are inherent in large-scale, collaborative programs that span national jurisdictions.

To do business in the world today, A&D companies must balance the need to protect intellectual property (IP) while demonstrating willingness and ability to meet contractual requirements from government customers for auditable, identity-based, secure flows of information.

TSCP Common Framework for Federated Collaboration

Identity Management & Information Assurance:
- Provide assurance that collaborative partners can be trusted
- Meet government agencies' emerging requirements for identity assurance across domains
- Establish common credentialing standards that accommodate and span national jurisdictions
- Protect personal privacy data of employees

Data Protection:
- Define fine-grain access right attributes for data labeling and data rights management
- Establish Application Awareness
- Demonstrate compliance with export control regulations
- Protect corporate IP in collaborative and other information sharing programs

Facilitate Secure Collaboration:
- Provide collaborative toolsets that will interoperate with customers and suppliers
- Facilitate re-use of collaborative capabilities among multiple programs

Secure E-mail V1 Business Drivers

Multiple organisations needing to exchange sensitive information

Provide:
- Confidentiality of the message in transit from sender to recipient
- Assurance of the identity of the sender
- Confidence in the integrity of the message

Using a solution that:
- Requires minimal user training
- Scalable across the Aerospace and Defence sector
- Supportable
- Enables continuing use of COTS products
- Exploits digital certificates trusted via bridges
- Uses the internet as the transport mechanism

TSCP Expo - September 2010

Signature

- High confidence in the e-mail message
  - Who: identity of sender linked to the certificate
  - What: content verified by system
- Out of the box Outlook and Notes client capability
- Indicated by the rosette symbol

Encryption

- Restricts access to the message recipients
- E-mail encryption is an out-of-the-box capability in Outlook, Notes and RIM clients
- Encryption for TSCP Secure E-mail V1:
  - S/MIME standard and 3DES 168 bit algorithm
  - Government approved
  - Implementations accreditable for UK RESTRICTED information
- Encryption indicated by Lock symbol

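
Added example (not part of the original slides or any TSCP material): a Python check that classifies the outer S/MIME layer of a message as signed or encrypted, the two properties the Signature and Encryption slides describe, using the media types defined in RFC 8551. The names classify_smime and sample_mail, the addresses and the message bodies are constructed for illustration; the check reads MIME structure only and does not validate signatures or certificates.

```python
from email import message_from_string

# S/MIME media types (RFC 8551) plus the legacy "x-" spellings still seen in mail.
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def classify_smime(raw: str) -> str:
    """Classify the OUTER S/MIME layer of a raw message.

    Looks only at MIME structure; it does not validate the signature or the
    certificate chain, and cannot see a signature wrapped inside encryption.
    """
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        proto = str(msg.get_param("protocol") or "").lower()
        parts = msg.get_payload() if msg.is_multipart() else []
        # A clear-signed message has exactly two parts: content, then signature.
        has_sig = len(parts) == 2 and parts[1].get_content_type() in PKCS7_SIG
        return "signed-clear" if proto in PKCS7_SIG and has_sig else "none"
    if ctype in PKCS7_MIME:
        smime_type = str(msg.get_param("smime-type") or "").lower()
        return {"enveloped-data": "encrypted",
                "signed-data": "signed-opaque"}.get(smime_type, "pkcs7-unknown")
    return "none"

def sample_mail(content_type: str, body: str) -> str:
    # Constructed sample message; addresses and payloads are placeholders.
    return ("From: sender@example.org\nTo: partner@example.net\n"
            "MIME-Version: 1.0\nContent-Type: " + content_type + "\n\n" + body)

SIGNED = sample_mail('multipart/signed; protocol="application/pkcs7-signature"; '
                     'micalg=sha-256; boundary="b1"',
                     "--b1\nContent-Type: text/plain\n\nQuotation attached.\n"
                     "--b1\nContent-Type: application/pkcs7-signature\n"
                     "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n")
# Header claims a signature, but no signature part is present.
UNSIGNED_CLAIM = sample_mail('multipart/signed; boundary="b1"; '
                             'protocol="application/pkcs7-signature"',
                             "--b1\nContent-Type: text/plain\n\nNo signature.\n--b1--\n")
ENCRYPTED = sample_mail("application/pkcs7-mime; smime-type=enveloped-data", "AAAA\n")
PLAIN = sample_mail("text/plain", "Sent in the clear.\n")

if __name__ == "__main__":
    for name in ("SIGNED", "UNSIGNED_CLAIM", "ENCRYPTED", "PLAIN"):
        print(name, "->", classify_smime(globals()[name]))
```

A message that is signed and then encrypted appears only as "encrypted" from the outside, so a gateway using a check like this can enforce encryption on the wire but must leave signature verification to the recipient's client.
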
- Trust path established between organisations
- Consistent policies across organisations
- Link provided by bridge rather than directly from organisation to organisation
- Assured by independent third party

[Diagram labels: Other Bridge; CertiPath; Other Organisation (three); Northrop Grumman; Raytheon; BAE Systems]

Secure E-mail V1 Summary

The TSCP implementation pattern exploits existing standards for:

Simplicity
- Builds on and works alongside existing infrastructure and practices
- Supported by COTS products
- Straightforward user interface

Security
- Government approved encryption standard
- Implementations accreditable for UK Restricted
- Trust managed by the enterprise

Speed
- Enterprise deployment in months
- User deployment and training in hours
- Message sending in minutes

Implementation and growth in usage continues
Production systems are in use and delivering benefit today

Secure Information Sharing

- TSCP Secure E-mail v1 is the first TSCP deliverable to be adopted by ASD SSG and by AIA
- ASD SSG will examine future TSCP deliverables for adoption to provide a suite of Secure Information Sharing capabilities
- Secure Capabilities use the internet as a transport mechanism
- Secure Capabilities can be used down the supply chain by small enterprises