real time enterprise - national defense industrial...


EAB 8/6/03 1

Real Time Enterprise: Collaborative Identity Management

Saundra Throneberry, CISO Strategy, Technology & Standards
Association for Enterprise Integration, Enterprise Integration Expo 2003
September 24, 2003

Slide 2: Topics

• Business Drivers and Information Security Standards Applied
• Information Security Strategy and the Real Time Enterprise

Slide 3: Information Security Business Drivers

LM Intranet
• Internal Focus – Access to Employees and Sponsored Users Only
• Centralized – Applications and Data in Fortified IT Bunkers
• Prevent Losses – Minimal Confidentiality Breaches
• IT Control – Administrators decide on access

Real Time Enterprise
• External Focus – Access to Customers, Partners, Suppliers, Other Prospects
• Distributed – Applications and Data across business units and networks
• Generate Revenue – Security is to be an enabler for business
• Business Control – Business units determine levels to grant access

Business
• Lockheed Martin's name signifies competence, trust, and excellence.
• Protect information (internal and external) from abuse or loss, providing confidence to customers and partners.
• Re-use previous investments and ensure new investments prepare for the competitive future. Security levels are applied according to business needs.

Legal/Regulatory
• Compliance with all applicable regulations, laws, contracts, policies, and mandatory standards
• Insurance premiums minimized; limited liability for errors, fraud, and malfunction

User
• Information the user is entitled to should be easily found
• Information should be accurate to a pre-determined range
• Users educated and trained on security issues
• Easy-to-use interfaces with neutral interaction

Slide 4: Business Risk & Security

Business Attributes by category:

User
• Accessible • Accurate • Consistent • Current • Duty Segregated • Educated & Aware • Informed • Motivated • Protected • Reliable • Supported • Timely • Usable

Management
• Automated • Change Managed • Controlled • Cost Effective • Efficient • Maintainable • Measured • Supportable

Operational
• Available • Detectable • Error Free • Interoperable • Productive • Recoverable

Risk Management
• Access Control • Accountable • Assurable • Auditable • Authenticated • Authorized • Flexibly Secure • Identified • Possession • Integrity • Non-Repudiation • Trustworthy

Legal/Regulatory
• Admissible • Compliant • Enforceable • Insurable • Liability • Resolvable • Time Bound

Technical Strategy
• Architecture • COTS • Extendible • Flexible • Strategic • Legacy • Migratable • Multi-Sourced • Scalable • Standard • Upgradeable • Traceable

Business Strategy
• Name • Business Enabled • Competent • Confident • Credible • Governable • Custody • Investment Re-Use • Reputable

Developing Model to be applied for Risk Assessment and Analysis, Reporting, and Management Framework

Slide 5: Defense in Depth – ISO 17799 Standard

Fortified Layered Protection of Assets. Layers of the model:
• Policy
• Training / Awareness
• Audit / Compliance
• Business Continuity
• Classification and Control
• Physical Protection
• Hardware Security
• Operating System Layer
• Application Layer
• Operations and Support Assets

Common Standard Framework for Effective Security Management, Measurement, and Practice for Industry, Government, and Commerce

Gaps
• Identity and Access Management: Implementation plans for identification into applications and automated provisioning of privileges to allow for role(s)-based access
• Versioning: Client and server versioning to deliver foundation security elements at the infrastructure level. Maintain a similar user experience enhanced with feature upgrades
• Data Classification: Standardization of data classification elements externally, to include application logic processing standards for access and protection

Slide 6: Integrated Model

• Users, Roles, Permissions, Real Time Enterprises
• Public/Private Key
• Identity and Access Management
• eXtensible Markup Language (XML)

Applied to the Real Time Enterprise, focusing on external identity and access requirements

Slide 7: Public Key Infrastructure

Each PKI service answers one business question and counters one threat:
• Authentication – Who am I dealing with? (threat: Fabrication)
• Data Confidentiality – Are my communications private? (threat: Interception)
• Message Authentication & Integrity – Has my communication been altered? (threat: Modification)
• Non-Repudiation – Who sent/received it and when? (threat: Claims Not Sent/Not Received)

Enables a business to ensure that levels and forms of trust that exist in the physical world are implemented in the digital world
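The four services on this slide, shown as an added Go example (not code from the presentation or from Lockheed Martin) using only the standard crypto/rsa package: a message is signed by the sender and sealed to the receiver, so interception yields nothing, modification or a forged sender fails verification, and a valid signature ties the message to the sender's key. The Party/Send/Receive names, the in-process key pairs and the purchase-order text are all constructed for the example; a real PKI would bind each public key to an identity with a CA certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Party holds an RSA key pair, generated in-process for this example; in a PKI
// the public half would be bound to the party's identity by a CA certificate.
type Party struct{ Key *rsa.PrivateKey }

func NewParty() (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Key: k}, nil
}

// Send signs msg with the sender's private key (integrity, non-repudiation),
// then seals it to the recipient's public key with RSA-OAEP (confidentiality).
// OAEP caps the plaintext at a few hundred bytes; real systems seal a symmetric
// session key this way and encrypt the bulk data with it.
func Send(from *Party, to *rsa.PublicKey, msg []byte) (ct, sig []byte, err error) {
	h := sha256.Sum256(msg)
	if sig, err = rsa.SignPSS(rand.Reader, from.Key, crypto.SHA256, h[:], nil); err != nil {
		return nil, nil, err
	}
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
	return ct, sig, err
}

// Receive opens ct with the recipient's private key (an interceptor without it
// gets an error, not the text), then checks sig against the claimed sender's
// public key: a modified message or a signature made with any other key gives ok=false.
func Receive(to *Party, from *rsa.PublicKey, ct, sig []byte) (msg []byte, ok bool, err error) {
	msg, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, to.Key, ct, nil)
	if err != nil {
		return nil, false, err
	}
	h := sha256.Sum256(msg)
	ok = rsa.VerifyPSS(from, crypto.SHA256, h[:], sig, nil) == nil
	return msg, ok, nil
}
```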

Slide 8: Public Key Infrastructure Roadmap

Phased approach to implementation, 2002 – 2004 (status legend: Implemented, Planned, Planned w/Dependencies)

Authentication (Who am I dealing with?)
• Web Server SSL Certificates
• Router Certificates
• Client Certificates
• VPN Certificates
• Certificates on Tokens
• Certificates on Smartcards

Data Confidentiality (Are my communications private?)
• SSL Encryption
• IPSec Protocol Encryption

Message Authentication/Integrity (Has my communication been altered?)
• Email PGP Certificates
• Email MS Exchange Certificates
• Secure/MIME

Non-Repudiation (Who sent/received it, and when?)
• Email PGP Certificates
• Email MS Exchange Certificates
• Transaction

Major Milestones
• Integrated with Enterprise Active Directory
• External CA for collaboration auth session cert
• Certificate Server in UK, CA & Intl domains
• Key archival encryption certificates
• Certification with the Federal Bridge CA
• Certificate Authentication for LM Apps
• Enterprise-wide use of Encrypting Files

Slide 9: Identity Access Management

[Architecture diagram; components shown:]
• External User (non-employee)
• Firewall
• Lockheed Martin External Web Server
• External Authentication Services (Siteminder, PKI)
• External Directory Services
• Application Services and Data Services (multiple instances)
• Lockheed Martin Provisioning System (ITODv1)
• Microsoft Meta-directory Services (ITODv1)

High Levels of Complexity

ITOD - Information Technology Operational Directive

Slide 10: Real Time Enterprise (RTE) Vision

The IT environment will integrate the business processes of the organization in real time (Real Time Enterprise – RTE) versus periodic access to functional stovepipe information.

Aeronautics Value Chain RTE Example (LM Aero Programs)
• Product Support Sell-Side Capabilities: F-16 Spares E-catalog Sales; C-5 Portal / Decision Support System
• Logistics/Support: Arms-around support; Autonomic Logistics
• Simulation-Based Acquisition / Virtual Test and Evaluation: Network-based Simulations; Tests Integrated With Multiple Customers
• Customer Relationship Management: FMS Customers; Depots / Bases
• Collaborative Design: Follow the Sun (or moon?)
• Virtual Manufacturing: Worldwide teaming

'E-business On Demand' Enabled by Common Infrastructure: Security, Portal, Integration, Service Provisioning

Slide 11: 3 Dimensions of Real Time Enterprise

RTE Capability Envelope:

Secure Infrastructure
• 24 x 7
• Secure
• Identity & Access Mgm't
• Directory Services

Application Integration
• EAI
• J2EE
• .NET
• Web Services
• Service Oriented Architecture

Information Access
• Search & Retrieval
• Knowledge Management
• Content Management
• Collaboration
• Portal

Not 1 Dimensional, but 3 Distinct Dimensions That Contribute to Enable the Real Time Enterprise… Many Capabilities Available Today with Combinations of Current Technologies & Solutions

Real Time Enterprise Characteristics
• Adaptable
• Real time information
• Federated
• Event based
• Iterative
• Loosely coupled
• Configurable (and re-configurable)
• Short duration (90 to 180 day projects)
• Evolutionary not revolutionary
• Node-enabled legacy systems

Slide 12: Enabling the Extranet Architecture (RTE Interface)

• Intrusion Detection
• Firewall Upgrade
• Vulnerability Scans
• Public Key

Slide 13: Strategic Model for the Future – Integrated Defense

. . . emphasis on attributes/objects controls integrated into data and services

[Figure: axes Cost and Inefficiency versus Time and Performance; labels Applications, Web Servers, New/Derived Technologies, Assets, Apps, Web, Tech; controls shown:]
• XML – eXtensible Markup Language
• Digital Rights
• Directory Integration
• Routers/Appliances
• Application Firewalls
• Secure Accelerators
• Load Balancers
• Proxy

Integrated Defense is the evolution of Defense In Depth to Service Orientation/Real Time Enterprise, with Diverse and Adaptable Controls

Slide 14: Summary

• Key elements to realize Real Time Enterprise – "externally accessed"
• Authentication – Public Key Infrastructure
• Identity and Access Management to Resources and Services
• "Brokering" – eXtensible Markup Language (XML)
• Security Risk Management, Business Value, and Return on Investment aligned to secure collaborative objectives and strategies