Air Force Developing New Access Control Model for JIE
Securing its networks from external attack has been the Defense Department’s top priority as it rolls out the Joint Information Environment (JIE) to the services and defense agencies. That’s the role of its Joint Regional Security Stacks.
The next piece is securing the network internally. JIE aims to make defense systems, applications and databases accessible and sharable across the vast defense enterprise, whether back in the U.S. or overseas. The key to that will be access control.
An Air Force pilot program at Hanscom Air Force Base, Mass., aims to settle how access control will work across the JIE. The system is in development now and this summer will be tested with about 10 applications selected by the military services. If successful, it will be rolled out to other applications and across the enterprise beginning next year.
The Department of Defense Strategy for Implementing the Joint Information Environment, published in 2013, declared that “Identity and Access Management (IdAM) is fundamental to the security of data and secure information sharing with mission partners.” From the start, the aim was to eliminate cumbersome local controls and replace those with a centrally controlled, consistent and largely automated system that would:
- Ensure timely and secure access to mission-essential data and services, regardless of users’ locations.
- Identify and monitor the users on defense networks at all times – as well as what they are doing.
- Block adversaries from freely moving from network to network within the joint enterprise; if an intruder gains access to one part of the network, the system would block access to other parts.
Access issues are complicated. Data can be controlled for many reasons. It may be classified for national security purposes, or protected because it contains personal or personally identifiable information or because it represents proprietary intellectual property.
Policy dictates what a given individual can access – files, directories and applications – and must take into account the reason for access, such as where the person works, and the level of access, which may involve the individual’s rank, grade or job characteristics. But translating that policy into something automated is a challenge. Access can be based on roles (called role-based access control, or RBAC) or attributes (attribute-based access control, or ABAC).
The National Institute for Standards defines ABAC as “a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes.”
ABAC allows for more granular control, said Frank Konieczny, chief technology officer for the Air Force. His service is leading the Enterprise Level Security pilot for JIE, which will be installed on MilCloud this summer. Once the tests are complete, he said, the goal is to open up the full-scale program for a full competition in 2017.
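To make the RBAC-versus-ABAC distinction concrete, here is an added example (not code from the article or from the Air Force pilot) of a minimal policy decision point: the RBAC path consults only the subject's role, while the ABAC path evaluates subject, object, action and environment attributes against default-deny rules, as in the NIST definition above. The attribute names, clearance ordering, rule set and sample records are all constructed for illustration.

```python
# Added example, not from the article: RBAC vs. ABAC decision logic.
# Attribute names, clearance levels and sample records are constructed.

CLEARANCE_ORDER = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

# RBAC: a role grants a fixed permission set; the object being requested
# and the environment of the request are never consulted.
RBAC_ROLES = {
    "analyst": {"read"},
    "program_manager": {"read", "write"},
}

def rbac_decide(subject, action):
    return action in RBAC_ROLES.get(subject["role"], set())

# ABAC: each rule sees (subject, object, action, environment). Every rule
# must hold for access to be granted; anything not covered is denied.
def clearance_dominates(s, o, a, e):
    return CLEARANCE_ORDER[s["clearance"]] >= CLEARANCE_ORDER[o["classification"]]

def releasable_to_org(s, o, a, e):
    # "Where the person works" as a reason for access.
    return s["org"] in o["releasable_to"]

def pii_needs_managed_device(s, o, a, e):
    # Environment condition: PII only from a managed device.
    return not o["contains_pii"] or e["device"] == "managed"

def write_needs_owner_org(s, o, a, e):
    return a != "write" or s["org"] == o["owner_org"]

ABAC_RULES = [
    ("clearance", clearance_dominates),
    ("releasability", releasable_to_org),
    ("pii-device", pii_needs_managed_device),
    ("write-owner", write_needs_owner_org),
]

def abac_decide(subject, obj, action, env):
    """Return (allowed, failed_rule); the first failing rule explains a denial."""
    for name, rule in ABAC_RULES:
        if not rule(subject, obj, action, env):
            return False, name
    return True, None

# Constructed sample data: one analyst, one report, two request environments.
ANALYST = {"role": "analyst", "org": "USAF", "clearance": "SECRET"}
REPORT = {"classification": "SECRET", "releasable_to": {"USAF", "OSD"},
          "contains_pii": True, "owner_org": "OSD"}
GARRISON = {"device": "managed"}
DEPLOYED = {"device": "unmanaged"}
```

Under RBAC the analyst's read is granted in every situation; under ABAC the same read is denied from the unmanaged device, and the denial names the rule that failed, which is what makes the decision auditable.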
Access control issues go beyond technical concerns. They can also create bureaucratic hurdles and roadblocks.
Mark Krzysko, deputy director for enterprise information in the Office of the Undersecretary of Defense for Acquisition, Technology and Logistics/Acquisition, Resources and Analysis (OUSD AT&L/ARA), flagged access management as a critical business concern for DoD during a panel discussion in February.
“I think access is what really beleaguers us in the future,” Krzysko said. “I think we’re relatively immature in terms of doing that.” The technology is not the problem. Rather, it’s a matter of effectively setting rules that make sense across the organization.
Krzysko commissioned a RAND study, Issues with Acquisition Data and Information, that details the challenges acquisition staffers have in accessing a variety of types of information. Among researchers’ findings:
- Highly decentralized data access policies were vague and “subject to a wide range of interpretation.”
- Data “owners” had wide latitude in determining the level of protection data needed, yet “marking criteria are not always clear or consistently applied.”
- Structural and cultural barriers combine with policy guidance to limit “visibility and sharing of data and information.” A lack of trust among disparate offices and agencies, the report said, “results in a strong conservative bias in labeling and a reluctance to share.”
As the services share more information, as well as tools, across the defense enterprise, the issues will expand. The Air Force pilot “is not a technical issue,” Konieczny said. It’s the details that make this kind of thing hard, especially as policies and programs reach across traditional service boundaries where they have to overcome differences in mission as well as approach.
“The Army has a lot of use cases which are going to be more tactical [than those in the Air Force],” Konieczny said. Army users are more mobile and, in combat, operate in smaller groups further from direct network assets. Remote access for an airman might mean working at a terminal on a remote base or out on a flightline; for a soldier or Marine, meanwhile, it could mean operating as a squad or platoon on patrol, using radios or satellite links to communicate.
For JIE to work, all those use cases must be taken into account, and systems need to be able to adapt rapidly as individuals and units move from garrison to deployed situations and back again. Being able to do that dynamically – and with a minimum of human intervention – is the goal.