2007 Issue 2 - Raytheon
Feature

Col. Roger Schell was the deputy director of the National Security Agency's (NSA) National Computer Security Center (NCSC) as it was formed in the early 1980s. Dr. Kenneth Kung joined NCSC in 1984 as one of the system evaluators using the famous Orange Book. He learned his information assurance techniques from Dr. Schell and other early pioneers in this field (e.g., Steve Walker, David Bell, Marv Schaefer, Earl Boebert, etc.). Dr. Kung is a co-author of and contributor to several other Rainbow Series guidelines, while NSA remains the premier organization to learn the latest information system and weapon system protection techniques.

2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY

The Benefits of Multi-Level Security

Multi-level security (MLS) has been a holy grail ever since the early days of applying computer systems to meet the automation needs of military and intelligence systems. In the 1970s, MITRE published a series of papers (by Bell and LaPadula) that describe the issues and rules of determining access rights of individual users to information, based on their credentials. In fact, in 1971, Dr. Roger Schell (then a U.S. Air Force major) conducted his Ph.D. research at MIT on the Multics OS protection rings.

Although multiple initiatives in the 1980s and '90s were launched to tackle the MLS "problem," the issue is still with us today. This article addresses the background of the issues involved in solving the general MLS problem. It also describes both the security functionality and the assurance needs of the Department of Defense (DoD) community of users and possible solutions to address those needs.

The DoD has a goal of fielding systems that provide the right information at the right time to the right person. In many cases, this goal is difficult to achieve due to the security classification of the data. To properly safeguard information today, many DoD information systems are separated into domains at the highest classification level of any data in the domain. They are commonly referred to as "system high" domains. If an individual does not possess a security clearance to access a domain, they are denied access to all information within the domain, even though some of the information may have originated at a lower classification and thus should be accessible to the individual. To ameliorate this problem, high-speed guards requiring additional hardware and processing overhead, or labor-intensive procedures such as manually reviewing data, are commonly used when moving data between domains.

The single-level security domain paradigm is not compatible with the time-sensitive collaborative processing environment needed to support net-centric operations and the systems of element approach where information is first published, then later subscribed. The concept of using single-level security domains results in over-clearing personnel, over-classifying data and creating system inefficiencies and redundancies. To minimize or eliminate these problems, the concept of MLS systems was developed.

MLS eliminates the need for these separate domains. MLS systems reduce the total cost of ownership by eliminating hardware and software redundancies. Top secret, secret, confidential and unclassified data all can reside in a single MLS domain. MLS provides the ability to simultaneously receive, process, store and disseminate data of multiple classifications within a domain where not all users have the security clearance to access all the data within the domain. MLS needs to permeate into the computing environment (workstations, servers and operating systems), the network, the database and the mission applications — all must work together to maintain trust. MLS systems must assure that users are granted access to all the data, systems and services for which they are authorized, while denying them access if they are not authorized.

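The contrast between system-high domains and a single MLS domain can be worked through in a few lines. This is an added example, not code from the article or from Raytheon: the document names, domain names and the strictly linear ordering of levels (no compartments or need-to-know categories) are assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Constructed sample data: (document, label it originated at, domain holding it).
DOCUMENTS = [
    ("public-notice",  Level.UNCLASSIFIED, "unclassified-domain"),
    ("weather-report", Level.UNCLASSIFIED, "secret-domain"),
    ("logistics-plan", Level.CONFIDENTIAL, "secret-domain"),
    ("unit-positions", Level.SECRET,       "secret-domain"),
    ("route-summary",  Level.SECRET,       "top-secret-domain"),
    ("source-report",  Level.TOP_SECRET,   "top-secret-domain"),
]

def domain_levels(documents):
    """System high: each domain runs at the highest label of any data in it."""
    levels = {}
    for _, label, domain in documents:
        levels[domain] = max(label, levels.get(domain, label))
    return levels

def readable_system_high(clearance, documents):
    """All-or-nothing per domain: the user must be cleared to the domain level."""
    levels = domain_levels(documents)
    return [name for name, _, domain in documents if clearance >= levels[domain]]

def readable_mls(clearance, documents):
    """Per-object check: readable when the clearance dominates the data's own label."""
    return [name for name, label, _ in documents if clearance >= label]

def over_denied(clearance, documents):
    """Data the user is cleared for but a system-high domain withholds."""
    granted = set(readable_system_high(clearance, documents))
    return [name for name in readable_mls(clearance, documents) if name not in granted]

if __name__ == "__main__":
    for clearance in Level:
        print(f"{clearance.name:13} system-high={readable_system_high(clearance, DOCUMENTS)}")
        print(f"{'':13} mls={readable_mls(clearance, DOCUMENTS)}")
        print(f"{'':13} withheld={over_denied(clearance, DOCUMENTS)}")
```

The withheld list is the data that either forces over-clearing of the user or has to be moved through a guard or manual review in the traditional layout.
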
Figure 1 illustrates a traditional configuration using guards between security domains on the left and an MLS enclave on the right.

Multinational Information Systems

The next major research milestone is to tackle the issue of multination-

[Figure 1. Traditional vs. MLS Enclaves. Left panel, "Traditional: one domain per security classification": Unclassified, Secret and Top Secret domains, each with a data store, computing environment and switch/router, with high speed guards between them. Right panel, "Multi-level security (MLS)": one MLS domain with Unclassified through Top Secret, containing Top Secret, Secret and Unclassified data stores, a computing environment and a switch/router.]