Identity, Access, Secure Collaboration Done the Aerospace Way

The Transglobal Secure Collaboration Program: Influencing identity, access and collaborative transaction security beyond industry boundaries

Competitors one day, partners the next. That's a business model edging its way into a variety of industries, from healthcare and life sciences to manufacturing and finance and even security. It's a model that will draw on the ubiquity of mobile computing and efficient cloud-based infrastructure. It will also require strong security measures to ensure greater protection of intellectual property and competitive data even as companies become more open.

None of this is news to the aerospace & defense industry. And that industry's model for managing collaborative transactions and data exchange securely is poised to influence other vertical industries. That's why Security Squared spent time this month talking to leaders and members of the Transglobal Secure Collaboration Program.

The TSCP is an international cooperative of leading A&D companies and government agencies who work together to figure out how they will exchange data securely. The group's commercial user, or "platinum," members include BAE Systems, Boeing, EADS, Finmeccanica, Lockheed Martin, Northrop Grumman, Raytheon, and Rolls-Royce. Government members include the U.S. Department of Defense, the General Services Administration and the Secret Service as well as the defense ministries in the U.K. and Netherlands and the French government.

As DoD trading partners, the Platinum members already are subject to such mandates and formal specifications as Homeland Security Presidential Directive 12 (HSPD-12), many Federal Information Processing Standards (FIPS), the Federal Identity, Credential and Access Management (FICAM) roadmap and more.

Further, the DoD and aerospace industry have invested about $1 billion collectively in just the last two or three years on identity and credentialing security, said Keith Ward, director of enterprise security and identity management for Northrop Grumman and chairman of the TSCP.

Rather than create new standards that might compete with existing mandates, TSCP members figure out how to use their compliance and security investments more effectively, he said.

"We're looking to mitigate the risk related to compliancy and complexity as well as to protect intellectual property in the commercial space against cyberthreats," Ward said. "It's going to take a collaborative effort to do that."

To that end, the group creates what Ward calls "smaller 's' specifications" about how to apply the formal standards and policies coming out of government agencies to their shared business transactions. Further, he said the goal is for vendors to adjust their "product roadmaps" to incorporate these guidelines, further propagating their use. TSCP now focuses on three transaction spaces: secure documentation, secure email and secure identity federation.

The TSCP's "how to guides" in these areas are platform and technology agnostic, said Ward. Its spec for how to implement secure email, for instance, was developed under Microsoft's Exchange server. The Federal Aviation Association used the same how-to guide with IBM's Lotus Notes.

"TSCP is not done in a set way--it's a broad specification," said Dmitry Kagansky, chief technical officer, the Public Sector Group, Federal Division, of Quest Software (www.quest.com). For example, he noted organizations are free to handle authentication in different ways within the TSCP guidelines.

At the same time, the group's guidelines ensure the solutions individual companies select are interoperable. Many A&D projects have to devote significant IT dollars and resources to overcoming proprietary technology used by project partners, said Jeff Nigriny, president and CEO of CertiPath, the A&D industry's PKI bridge.

"The industry has had enough of that," he said. "As long as we're standardizing, we can probably solve the security problems in a very real way while we're doing that."

Wide Influence

TSCP's influence is strong within the A&D industry and is poised to grow beyond it, said organization officials and members.

The TSCP's Executive Forum is made up of C-level executives from A&D companies and federal agencies. "These are key people who can create policy within their organizations," said Ward, noting they also often control budgets.

TSCP also has a legal working group that looks at intellectual property issues. A government alignment committee evaluates international government security mandates and how these match with TSCP initiatives. Other groups include the Export/ITAR (International Traffic in Arms Regulations) working group, an architect board and the cyber working committee, of which the U.S. Secret Service is the forensic arm.

Though the user member list may seem small, the TSCP platinum members are important customers of leading vendors. For instance, the group's members represent about 25% of Microsoft's global sales, said Ward.

"We can touch a lot of customers at once," said Kagansky, of Quest Software, which joined TSCP as a vendor member at the urging of Lockheed, which had purchased a Quest tool for internal identity federation.

Kagansky said another advantage to being a vendor member is the ability to influence the group's specifications. "We are involved earlier and can help end users understand what can and can't be done," he said. "Also, the specs that emerge are never a surprise."

In addition to influencing product design, the TSCP provides models to other federal agencies about how to implement transaction security practices that meet federal standards.

"TSCP is pretty far ahead on secure email implementation," said Kagansky. "They're a reference for how others should do this." He further noted that the finance and oil and gas industries also operate under some similar compliance mandates and could benefit from TSCP guidelines.

Some of these guidelines could be propagated to other verticals via entities like Exostar, which offers secure collaboration and identity federation services to the A&D space and is also cross-certified with the SAFE-Biopharma bridge certificate authority in the life sciences industry.
 
In addition, some A&D trading partners may make only a single component for an A&D project, with the bulk of their business in other vertical markets. Yet as these companies adopt secure collaborative practices so they can exchange data with their A&D customers, they could extend those practices to partners in other industries.

Nigriny noted many of TSCP's specifications are relatively industry-neutral, particularly with secure email and documentation. While some federation specifications are more industry-centric, the TSCP wrote broader attribute and collaboration profiles useful to vendors who work across vertical industries. "The TSCP has done itself a pretty good service by keeping its industry-specific nuances fairly tightly cordoned off," he said.

"A lot of our members keep us in check, in making sure that the value proposition TSCP brings to the table allows them to cross sectors," said JP Calderon, membership director for TSCP. "Federation, secure email, labeling--those are things starting to be leveraged in a lot of industries to protect intellectual property," he said.

Yet TSCP is not trying to include everyone in its member base. "When we look at vendors, we have a process where we do a sanity check, to make sure there's a 50/50 benefit to the vendor and TSCP," said Calderon. He noted that members supply a lot of input on which vendors to work with, based on the challenges they are trying to solve.

"Joint research and development, and working where we have synergy together, is the attraction and appeal of TSCP. Some companies get it, some think they can create this themselves," said Ward. He expects membership will grow as synergies become apparent among the government, A&D, and vendor members.

Identity Matters

One of TSCP's focal points is identity federation, in which an identity trusted by one trading partner can then be trusted by other trading partners.

"Before we can even begin to have an intelligent conversation about how to secure them, we need to be confident we know who the people are on each end of the transaction," said Nigriny.

While most enterprises today manage physical and logical access control separately, TSCP follows the government HSPD-12 model that calls for converged access. So an identity could be physical, say, when a contractor visits a federal agency's or partner's facility. Or it could be digital, with a contractor or project co-designer requiring access to online documents.

The work to secure cyber transactions naturally led the A&D companies that had invested significant dollars in logical access credentials to ask why these credentials couldn't also work for physical access, internally and at trading partner facilities, Nigriny said.

"If you look at physical access, it's the exact same problem we have with logical access," he said. "It's about protecting and controlling access to resources. This idea that I can use one credential and do both [physical and logical access control] is a very powerful thing. It's powerful because it means there's a unique identifier in that credential that I have access to and can track when someone's getting into a logical environment or physical environment."

Further, Nigriny noted that use of PKI for physical identity federation means not only that an organization can use a visitor's own credentials but can check in real time to see whether they are still valid.
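The two decisions this section describes, accepting a credential because a trusted partner issued it (federation) and checking at the moment of use that the issuer has not since revoked it, can be shown in code. The following is an added example and is not code from the article, from TSCP, or from CertiPath; it uses only the Go standard library. The partner CA, the holder names and serials, the "lost badge" revocation and the CRL are all constructed in-process for the demonstration; in a real deployment the trust anchor would come from the bridge's cross-certification and the CRL or OCSP response would be fetched from the issuer's published endpoint. The stale-CRL case shows the caveat a relying party has to handle: a revocation list past its NextUpdate proves nothing, so the check fails closed rather than admitting the holder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the constructed setup readable; only a broken environment can fail it.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a certificate body: CAs may sign certificates and CRLs, holders only authenticate.
func template(serial int64, name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

// issue generates a P-256 key for tmpl and has parent sign it (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// issueCRL publishes the issuer's signed revocation list, which a relying party
// would fetch (or query via OCSP) at the moment of the access decision.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials []int64) *x509.RevocationList {
	var revoked []pkix.RevokedCertificate
	for _, s := range serials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: revoked,
	}, ca, caKey))
	return must(x509.ParseRevocationList(der))
}

// CheckCredential is the relying party's decision at the door or the portal: the
// presented certificate must chain to a CA we trust, be usable for client
// authentication, and be absent from a current CRL signed by that CA.
func CheckCredential(cred, trustedCA *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cred.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := crl.CheckSignatureFrom(trustedCA); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if now.After(crl.NextUpdate) { // a stale CRL proves nothing: fail closed
		return fmt.Errorf("crl past NextUpdate, refusing to decide")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cred.SerialNumber) == 0 {
			return fmt.Errorf("revoked by issuer")
		}
	}
	return nil
}

// Demo runs the constructed scenario: Partner A issues credentials to alice and bob,
// then revokes bob's; mallory presents a self-signed credential nobody vouches for.
func Demo() map[string]error {
	ca, caKey := issue(template(1, "Partner A Issuing CA", true), nil, nil)
	alice, _ := issue(template(1001, "alice@partner-a.example", false), ca, caKey)
	bob, _ := issue(template(1002, "bob@partner-a.example", false), ca, caKey)
	mallory, _ := issue(template(1003, "mallory@nowhere.example", false), nil, nil)
	crl := issueCRL(ca, caKey, []int64{1002}) // bob's badge was reported lost
	now := time.Now()
	return map[string]error{
		"alice":           CheckCredential(alice, ca, crl, now),
		"bob":             CheckCredential(bob, ca, crl, now),
		"mallory":         CheckCredential(mallory, ca, crl, now),
		"alice_stale_crl": CheckCredential(alice, ca, crl, now.Add(2*time.Hour)), // CRL expired, no decision
	}
}

func main() { fmt.Println(Demo()) }
```

Running it prints a verdict per holder: alice is admitted, bob is refused as revoked, mallory is refused because her certificate does not chain to the trusted issuer, and alice is refused again when the only CRL available is past its NextUpdate, which is the fail-closed choice a relying party should make when it cannot confirm current status.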

Converged Credentials Emerge

While conceding that truly converged access control is still fairly rare today, Nigriny said one DoD facility will soon allow physical card readers on its network so that physical and logical access can be correlated, enabling network nodes to contribute to situational awareness. Further, DoD contractors increasingly are showing interest in deploying similar systems at their own facilities, using PIV-I credentials, he said.

Other TSCP members also are shaping the one-credential evolution.

Ward, for instance, works at Northrop Grumman, which in October participated in the DHS/FEMA "Autumn Blend" exercise. That consisted of a live demonstration of physical and logical authentication in a simulated emergency at the company's Newport News, Va., shipyard. It included use of federal credentials like PIV and PIV-I authentication, including Northrop Grumman's own converged credential, as well as TSCP authentication specifications.

"The TSCP's next steps are getting those specifications moved into other venues and forums," said Ward.

# # #
