real time enterprise - national defense industrial...
TRANSCRIPT
EAB 8/6/03 1
Real Time Enterprise
Collaborative Identity Management
Saundra Throneberry, CISO Strategy, Technology & Standards
Association for Enterprise Integration, Enterprise Integration Expo 2003
September 24, 2003
Topics
• Business Drivers and Information Security Standards Applied
• Information Security Strategy and the Real Time Enterprise
Information Security Business Drivers

LM Intranet
• Internal Focus – Access to Employees and Sponsored Users Only
• Centralized – Applications and Data in Fortified IT Bunkers
• Prevent Losses – Minimal Confidentiality Breaches
• IT Control – Administrators decide on access

Real Time Enterprise
• External Focus – Access to Customers, Partners, Suppliers, Other Prospects
• Distributed – Applications and Data across business units and networks
• Generate Revenue – Security is to be an enabler for business
• Business Control – Business units determine the levels at which to grant access

Business
• Lockheed Martin’s name signifies competence, trust, and excellence.
• Protect information (internal and external) from abuse or loss, providing confidence to customers and partners.
• Re-use previous investments and ensure new investments prepare for the competitive future. Security levels are applied according to business needs.

Legal/Regulatory
• Compliance with all applicable regulations, laws, contracts, policies, and mandatory standards
• Insurance premiums minimized; limited liability for errors, fraud, and malfunction

User
• Information the user is entitled to should be easily found
• Information should be accurate to a pre-determined range
• Users educated and trained on security issues
• Easy-to-use interfaces with neutral interaction
Business Risk & Security – Business Attributes

User Management: Accessible; Accurate; Consistent; Current; Duty Segregated; Educate & Aware; Informed; Motivated; Protected; Reliable; Supported; Timely; Usable
Operational: Automated; Change Managed; Controlled; Cost Effective; Efficient; Maintainable; Measured; Supportable; Available; Detectable; Error Free; Inter Operable; Productive; Recoverable
Risk Management: Access Control; Accountable; Assurable; Auditable; Authenticated; Authorized; Flexibly Secure; Identified; Possession; Integrity; Non Repudiation; Trustworthy
Legal/Regulatory: Admissible; Compliant; Enforceable; Insurable; Liability; Resolvable; Time Bound
Technical Strategy: Architecture; COTS; Extendible; Flexible; Strategic; Legacy; Migratable; Multi Sourced; Scalable; Standard; Upgradeable; Traceable
Business Strategy: Name; Business Enabled; Competent; Confident; Credible; Governable; Custody; Investment ReUse; Reputable

Developing model to be applied for risk assessment and analysis, reporting, and management framework.
Defense in Depth – ISO 17799 Standard

Layers (in slide order): Policy; Training/Awareness; Audit/Compliance; Business Continuity; Classification and Control; Physical Protection; Hardware Security; Operating System Layer; Application Layer; Operations and Support Assets

Common standard framework for effective security management, measurement, and practice for industry, government, and commerce. Fortified layered protection of assets.

Gaps
• Identity and Access Management: implementation plans for identification into applications and automated provisioning of privileges to allow for role-based access
• Versioning: client and server versioning to deliver foundation security elements at the infrastructure level; maintain a similar user experience enhanced with feature upgrades
• Data Classification: standardization of data classification elements externally, to include application-logic processing standards for access and protection
Integrated Model

Users – Roles – Permissions – Real Time Enterprises
• Public/Private Key
• Identity and Access Management
• eXtensible Markup Language (XML)

Applied to the Real Time Enterprise, focusing on external identity and access requirements.
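The Users – Roles – Permissions chain above, and the "automated provisioning of privileges to allow for role-based access" gap on the Defense in Depth slide, can be made concrete with a small role-based access control model. The following is an added example written for this page, not code from the presentation or from Lockheed Martin; every user, role and permission name in it is constructed, and the separation-of-duty pair is an assumed policy standing in for the "Duty Segregated" business attribute.

```python
"""Toy role-based access control (RBAC): users are provisioned into roles,
roles carry permissions, and access decisions are made on the union of the
user's role permissions. Added example; all names are constructed."""
from dataclasses import dataclass, field

# Role catalogue (constructed sample data): role -> permissions it grants.
ROLE_PERMISSIONS = {
    "supplier_viewer": {"catalog:read"},
    "supplier_buyer": {"catalog:read", "order:create"},
    "order_approver": {"catalog:read", "order:approve"},
    "partner_admin": {"catalog:read", "user:provision"},
}

# Separation-of-duty constraint (assumed policy): no single identity may
# hold both roles of any listed pair, e.g. create and approve the same order.
SOD_CONFLICTS = [("supplier_buyer", "order_approver")]

# Append-only record of provisioning actions and access decisions
# (the "Auditable" / "Accountable" attributes).
AUDIT_LOG = []


@dataclass
class User:
    name: str
    external: bool                      # non-employee: customer, partner, supplier
    roles: set = field(default_factory=set)


class RbacError(Exception):
    """Raised when a provisioning request violates the role catalogue or SoD."""


def provision(user: User, role: str) -> None:
    """Assign a role after checking it exists and does not breach separation of duty."""
    if role not in ROLE_PERMISSIONS:
        raise RbacError(f"unknown role {role!r}")
    for a, b in SOD_CONFLICTS:
        if (role == a and b in user.roles) or (role == b and a in user.roles):
            AUDIT_LOG.append(("provision-denied", user.name, role))
            raise RbacError(f"{user.name}: {role!r} conflicts with a role already held")
    user.roles.add(role)
    AUDIT_LOG.append(("provision", user.name, role))


def deprovision(user: User, role: str) -> None:
    """Remove a role; permissions derived from it disappear immediately."""
    user.roles.discard(role)
    AUDIT_LOG.append(("deprovision", user.name, role))


def permissions(user: User) -> set:
    """Effective permissions: union over every role the user currently holds."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def is_permitted(user: User, permission: str) -> bool:
    """Access decision for one permission string; the outcome is logged."""
    decision = permission in permissions(user)
    AUDIT_LOG.append(("access", user.name, permission, decision))
    return decision


if __name__ == "__main__":
    buyer = User("acme-buyer", external=True)          # constructed external user
    provision(buyer, "supplier_buyer")
    print(is_permitted(buyer, "order:create"))         # True
    print(is_permitted(buyer, "order:approve"))        # False
    try:
        provision(buyer, "order_approver")             # blocked by SoD
    except RbacError as exc:
        print(exc)
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the model is that the business unit controls access by choosing which roles a partner identity receives (the "Business Control" driver), while the catalogue and the separation-of-duty rule stay centrally owned; deprovisioning a role revokes its permissions at the next access decision without touching the applications themselves.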
Public Key Infrastructure

• Authentication – Who am I dealing with? (threat: Fabrication)
• Data Confidentiality – Are my communications private? (threat: Interception)
• Message Authentication & Integrity – Has my communication been altered? (threat: Modification)
• Non-Repudiation – Who sent/received it and when? (threat: Claims Not Sent/Not Received)

Enables a business to ensure that the levels and forms of trust that exist in the physical world are implemented in the digital world.
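The four services on this slide map onto two public-key operations: signing with a private key (authentication, integrity, non-repudiation) and encrypting to a public key (confidentiality). The block below is an added example for this page, not code from the presentation or the project it describes. It uses textbook RSA with two small, constructed primes, no padding, and a hash reduced into the toy modulus so that it runs on the Python standard library alone; it demonstrates what each service protects against and is not usable cryptography.

```python
"""Toy public-key demonstration of the PKI slide's four services and the
threat each one counters. Added example with constructed toy keys; textbook
RSA without padding, for illustration only."""
import hashlib

# Constructed toy key pair: both values are known primes (2^16 + 1 and the
# largest prime below 2^16). Real keys are thousands of bits long.
P, Q = 65537, 65521
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 17                       # public exponent
D = pow(E, -1, PHI)          # private exponent (modular inverse, Python 3.8+)

PUBLIC_KEY = (E, N)          # published: anyone may verify or encrypt
PRIVATE_KEY = (D, N)         # held by the owner only: sign or decrypt


def digest(message: bytes) -> int:
    """SHA-256 of the message, reduced into the toy modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key) -> int:
    """Sender signs the digest with its private key."""
    d, n = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the public key can check the signature; no secret is shared.
    Counters Fabrication (forged origin), Modification (altered content) and
    'claims not sent' (the signer cannot deny producing it), because only
    the private-key holder could have produced a value that verifies."""
    e, n = public_key
    return pow(signature, e, n) == digest(message)


def encrypt(block: int, public_key) -> int:
    """Data confidentiality: encrypt to the recipient's public key; only the
    private-key holder can recover the block, which counters Interception."""
    e, n = public_key
    if not 0 <= block < n:
        raise ValueError("toy scheme handles a single block smaller than N")
    return pow(block, e, n)


def decrypt(cipher: int, private_key) -> int:
    """Recipient recovers the block with its private key."""
    d, n = private_key
    return pow(cipher, d, n)


def demo() -> dict:
    """Walk the slide's threats with a constructed purchase-order message."""
    message = b"PO-1001: ship 40 units"            # constructed sample
    altered = b"PO-1001: ship 400 units"           # one digit changed in transit
    signature = sign(message, PRIVATE_KEY)
    return {
        "genuine message verifies": verify(message, signature, PUBLIC_KEY),
        "modification detected": not verify(altered, signature, PUBLIC_KEY),
        "fabricated signature rejected": not verify(message, 12345, PUBLIC_KEY),
        "confidentiality round trip": decrypt(encrypt(123456, PUBLIC_KEY), PRIVATE_KEY) == 123456,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Two properties worth noticing: verification needs only the public key, which is what separates non-repudiation from a shared-secret MAC (where either party could have produced the tag), and the signature covers a digest of the whole message, so any change to the content is detected rather than just changes to a header or envelope. The roadmap slide that follows lists the certificate types that bind such public keys to identities in practice.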
Public Key Infrastructure Roadmap

Phased approach to implementation, 2002 – 2003 – 2004 (legend: Implemented; Planned; Planned w/Dependencies)

• Authentication (Who am I dealing with?): Web Server SSL Certificates; Router Certificates; Client Certificates; VPN Certificates; Certificates on Tokens; Certificates on Smartcards
• Data Confidentiality (Are my communications private?): SSL Encryption; IPSec Protocol Encryption
• Message Authentication/Integrity (Has my communication been altered?): Email PGP Certificates; Email MS Exchange Certificates; Secure/MIME
• Non-Repudiation (Who sent/received it, and when?): Email PGP Certificates; Email MS Exchange Certificates; Transaction

Major Milestones
• Integrated with Enterprise Active Directory
• External CA for collaboration auth session cert
• Certificate Server in UK, CA & Intl domains
• Key archival encryption certificates
• Certification with the Federal Bridge CA
• Certificate Authentication for LM Apps
• Enterprise-wide use of Encrypting Files
Identity Access Management

(Architecture diagram; labelled elements:) External User (non-employee); Firewall; Lockheed Martin External Web Server; External Authentication Services (Siteminder, PKI); External Directory Services; Application Services and Data Services (several instances); Lockheed Martin Provisioning System (ITODv1); Microsoft Meta-directory Services (ITODv1)

High levels of complexity.

ITOD – Information Technology Operational Directive
Real Time Enterprise (RTE) Vision

The IT environment will integrate the business processes of the organization in real time (Real Time Enterprise – RTE) versus periodic access to functional stovepipe information.

Aeronautics Value Chain RTE Example (LM Aero Programs)
• Product Support Sell-Side Capabilities: F-16 Spares E-catalog Sales; C-5 Portal / Decision Support System
• Logistics/Support: Arms-around support; Autonomic Logistics
• Simulation-Based Acquisition / Virtual Test and Evaluation: Network-based Simulations; Tests Integrated With Multiple Customers
• Customer Relationship Management: FMS Customers; Depots / Bases
• Collaborative Design: Follow the Sun (or moon?)
• Virtual Manufacturing: Worldwide teaming
• ‘E-business On Demand’ Enabled by Common Infrastructure: Security; Portal; Integration; Service Provisioning
3 Dimensions of Real Time Enterprise

Not 1 dimensional, but 3 distinct dimensions that contribute to enable the Real Time Enterprise:
• Application Integration: EAI; J2EE; .NET; Web Services; Service Oriented Architecture
• Secure Infrastructure: 24 x 7; Secure; Identity & Access Mgm’t; Directory Services
• Information Access: Search & Retrieval; Knowledge Management; Content Management; Collaboration; Portal

RTE Capability Envelope: many capabilities available today with combinations of current technologies & solutions.

Real Time Enterprise Characteristics
• Adaptable
• Real time information
• Federated
• Event based
• Iterative
• Loosely coupled
• Configurable (and re-configurable)
• Short duration (90 to 180 day projects)
• Evolutionary not revolutionary
• Node-enabled legacy systems
Enabling the Extranet Architecture (RTE Interface)

• Intrusion Detection
• Firewall Upgrade
• Vulnerability Scans
• Public Key
Strategic Model for the Future – Integrated Defense
. . . emphasis on attributes/objects controls integrated into data and services

Integrated Defense is the evolution of Defense In Depth to Service Orientation/Real Time Enterprise, with Diverse and Adaptable Controls.

(Diagram: assets Applications, Web Servers and New/Derived Technologies plotted on axes Cost and Inefficiency versus Time and Performance.) Controls shown: XML (Extensible Markup Language); Digital Rights; Directory Integration; Routers/Appliances; Application Firewalls; Secure Accelerators; Load Balancers; Proxy
Summary

• Key elements to realize Real Time Enterprise – “externally accessed”
• Authentication – Public Key Infrastructure
• Identity and Access Management to Resources and Services
• “Brokering” – eXtensible Markup Language (XML)
• Security Risk Management, Business Value, and Return on Investment aligned to secure collaborative objectives and strategies