Upload
russell-chase
View
217
Download
0
Embed Size (px)
DESCRIPTION
Why does it matter? We rely on our information and information environment to: –Reduce decision-kill chain –Provide real-time access to mission relevant information –Facilitate functional integration of dispersed command, targeting, weapons delivery –Support operations with our Allies and other partners, government and non- government –Enable force projection and information reach back –Provide user defined common operational picture Compromised information and information environment can lead to devastating consequences Information assurance cannot be the Achilles heel of the DoD
Citation preview
Latest Strategies for IT Security
Margaret MyersPrincipal Director, Deputy CIO
United States Department of Defense
North American Day 2006
How does the DoD define information assurance (IA)?
Availability
Confidentiality
Integrity
Identification & Authentication
Non-Repudiation
Secure the information and the information environment
– Encryption and crypto keys– Computer network defense– Identify protection/PKI
Red team– Independent assessments
of vulnerabilities
Educate/train– Building the IA-
empowered workforce
How it HappensWhat it is
Information available to
authorized users when and where
they need it
Trust in the information
Confidence in the
information environment
Why does it matter?
We rely on our information and information environment to:
– Reduce decision-kill chain
– Provide real-time access to mission relevant information
– Facilitate functional integration of dispersed command, targeting, weapons delivery
– Support operations with our Allies and other partners, government and non-government
– Enable force projection and information reach back
– Provide user defined common operational picture
Compromised information and information environment can lead to devastating consequences
Information assurance cannot be the Achilles heel of the DoD
Reported Events on NIPRNet
0
20000
40000
60000
80000
2001 2002 2003 2004 2005
Information is foundational for all DoD missions
DoD depends on information sharing across the enterprise (warfighting, intelligence, and business mission areas) and with our external partners (government, coalition, commercial, and non-government organizations)
Our network infrastructure is vulnerable– Attacks are increasing and time to
exploitation is decreasing (shorter “flash to bang”)
– Reported security events on DoD networks are rapidly increasing
– There is HW / SW of unknown pedigree throughout the information value chain
Threat actors are increasingly sophisticated
– We believe sophisticated adversaries could exfiltrate information and disrupt operations
– We lack capabilities to detect and respond to many malicious activities
The underpinnings of our network are vulnerable
0
50
100
150
200
250
2001 2002 2003 2004 2005
Average Time to Exploitation
Days
Sources: Roundstone; Symantec
Events
As of April 1, 2005
1000+ serious incidents
An Information Age approach to net-centricity
Fundamental Shift: Requires ENTERPRISE, not stovepipes Requires ACCESS, not exclusivity Requires TRUST
Trust in the Environment (availability) Trust in the Information (assurability) Trust in the Participants (identity)
Confront Uncertainty with Agility
User “gets what he gets” User “takes what he needs” and “contributes what he knows”
Net-centric framework
• Data Strategy: – How to “share” the data
• Information Assurance: – How to keep it “dependable”
• Enterprise Services: – How to “access” the data
• Information Transport: – How to “move” the data
• Net Ops: – How to “manage” the environment
01NOV05/0050
Data: Discoverable, Accessible, Understandable
Information assurance (IA) strategy
• Protect information– Data protection requirements– Protection mechanisms– Robust mechanisms
• Defend the information environment– Engineered defenses– Ability to react and respond– Activities to assess and evaluate
• Provide situational awareness/IA command and control
– User-defined operating picture– Coordinated IA operations and decisions– Collaboration
• Transform and enable IA capabilities– IA integration into programs– Dynamic IA capabilities– Improved strategic decision-
making– Information sharing
• Create an IA-empowered workforce– Baseline skills– Enhanced IA skill levels– Trained/skilled personnel– Infusion of IA into other disciplines
Vision – Dynamic IA in support of net-centric operationsMission – Assure DoD’s information, information systems, and information environment
Our IA strategy has two thrusts – Securing today’s operations and tomorrow’s net-centric environment from evolving threats
• Security embedded into each transaction (e.g. individuals, discrete content and specific assets)
• Strong data content security both in storage and in-transit
• Authentication and near real-time monitoring and response
• Real-time risk management to the edge
Defense-in-Depth dominated by perimeter defense
Physical separation of sensitive networks and systems
Highly specialized connections between networks of different security levels
IA to Sustain Today’s Mission & Operating
Environment
IA to Enable Tomorrow’s Net-
Centric Operations
We are making good progress, but much work remains
Acc
ompl
ishm
ents
Cha
lleng
es
Enforceable enterprise IA policies
Strategic and operational metrics
IA awareness training ( 80%)
Joint Task Force (Global Network Operations)
Enforce IA policies across the Department
Obtain funding to build IA Architecture
Harden SIPRNet
Mitigate insider threat
Certify IA skills
Global Information Grid IA Architecture
IA investment portfolio structure
Identity management (PKI, biometrics)
Expand partnership with industry for IA R&D
Mitigate the risk of unknown hardware/software
Increased coordination and collaboration with federal, coalition, and allied IA partners
Today’s Enclaves
Tomorrow’s Enterprise