1 / 13

Secure Access Management for Secure Operational Network (SAMSON) TDP

Secure Access Management for Secure Operational Network (SAMSON) TDP. Defence R&D Canada SA: Daniel Charlebois, PhD PM: Darcy Simmelink PS: Bruce Carruthers Bell Glen Henderson Pamela Kline Oct 30 th , 2012. SAMSON Project Objectives. Demonstration in a live network environment

keith-lester
Download Presentation

Secure Access Management for Secure Operational Network (SAMSON) TDP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Access Management for Secure Operational Network (SAMSON) TDP Defence R&D Canada SA: Daniel Charlebois, PhD PM: Darcy Simmelink PS: Bruce Carruthers Bell Glen Henderson Pamela Kline Oct 30th, 2012

  2. SAMSON Project Objectives • Demonstration in a live network environment • Certification and accreditation • Integration with DND applications • System and life-cycle management (evergreen) • Provide exploitation bridge to a capital project • Scaling and performance • Trustable solutions Secure Access Management for Secure Operational Networks (SAMSON) will demonstrate a capability for caveat and need to know separation in a single network environment through the application of content based information security management and mandatory access controls.

  3. CEO Secret NATO Secret SAMSON Secret CEO NATO CAN/US COALITION • Many networks • Reduction of footprint on desktop • Inter-Caveat data exchange through external device • Secure the data by securing the network Current available solutions (MILS) CEO Secret CEO TS CANUS Secret Designated Commercial MILS • Reduced number of networks • Reduction of footprint on desktop • Inter caveat data exchange within SAMSON not required • Security travels with the data • Enables security and coalition cross domain solutions (not just dirty word search)

  4. SAMSON – How it works What is security classification? Canadian Eyes Only STOP! My name is PEP I must check that policy grants you access Hey! PDP, can this person access this CEO information? HMMM! What does the policy say? TAS, Captain Canada has accessed this info He’s Captain Canada Hey! IdM, who is this? PEP, Captain Canada can view this information

  5. What is “net new” to architecture? Labeling Service • Labeling Service • Policy Enforcement Points • In front of services • Communications layer (XMPP) • To services (not data) • Separate data from control • Audit (all access requests) • Policy engine (XACML) • Crypto (Symmetric Key) Domain Mgr IdM Crypto Service IQS Admin Decision Point Admin Server SAMSON Messaging Service Audit Policy

  6. What does SAMSON do? BETTER PROTECTION • Policy based Access Control : • You see only what you are entitled to see • You receive (decrypted) only what you are entitled to receive • Security with the data • All data AES 256 encrypted on server, TLS encrypted in transit • FIPS 140 cryptographic algorithms (Green Hills and RSA) • All data decrypted at PEP(interoperable with end-point security solutions) • All links use dual authenticated TLS • Administrators (or anyone with Admin access privileges) • See only file names / encrypted data • Audit • Every transaction (approved or denied) in trusted audit log

  7. Staff Officer has access to CAN rel US caveat What does it look like? (Encrypted File) Sr. Officer has access to all CEO, NATO, CAN rel US caveats and sees all files • SAMSON PROVIDES BETTER PROTECTION • You see only what you are entitled to see • Each file encrypted with unique symmetric key

  8. What does it look like for an Admin? Admin (PEP mediated) sees CEO and Rel-all files Admin (unmediated) Can see everything But encrypted • BETTER PROTECTION IN A SHARED ENVIRONMENT • Unauthorized users can see normal COTS file server • Data on server is encrypted with symmetric key – administrator sees encrypted files • Data in transit is encrypted with TLS links

  9. “Net New” to user What the user sees: (Encrypted email) • BETTER PROTECTION – Policy Based Access Control / encryption • Each email + attachment encrypted with unique symmetric key • POP/SMTP, Microsoft legacy, and EAS/EWS support • User’s only change is that they have to label the data

  10. What the user sees: (Encrypted chat) • Each message in unmodified chat server room encrypted • All messages can be encrypted (AES256) • All messages are labeled • One key per caveat in each room.

  11. What does SAMSON do for me? BETTER SHARING OF DATA • Users with sharing privileges can re-caveat files: • Redact privileged information, re-caveat and save • One file change to share file • Admin with Identity Management privileges can add / remove domain / need to know • Add domain to users • One IdM change to add user to domain • Admin with policy privileges can change policy • Add / change policy to share community of interest • One policy change to share everything • Works on existing infrastructure • Unmodified email, chat, and file servers • Client must label information, otherwise unmodified client • Transparent to user

  12. PROJECT CURRENT STATUS • What have we done • Final year • Participation in exercises • Coalition Attack Guidance Experiment (CAGE) planned November 2012 • Email, File, Chat • Exploitation • Entering Exploitation phase in 2013 • Contract sufficient to build operational pilot • Interested partners are planning for deployment • Examine business transformation and scalability • SAMSON specifications were used in specifying DND CIS operating concept • Formal Accreditation • Following EAL 3 / CC • FIPS 140 cryptographic algorithms (Green Hills and RSA) • Demonstration on operational exercises (CWID 11, EC10, EC11, CAGE 2012). • Penetration testing planned

More Related