Your systems. Working as one. Is Your Data Secure? June 24 – RTI Sponsored Webinar Gordon Hunt, [email protected]

Is Your Data Secure


DESCRIPTION

Is Your Data Secure? Odds are good that your data is extremely important to you. Now consider how one secures that data. Typical approaches address access, authentication, integrity, non-repudiation and confidentiality concerns at the domain and link layers, implicitly securing the data. The challenge and need is to move these security specifications to the data itself, and provide explicit security policies on each element of system-identified data. Why is this level of finesse needed? As you build out your systems, and systems of systems, how do you manage security when individual elements of data, the communication links, and domain boundaries have different behaviors? With this level of complexity and risk, it's critical to have awareness at the level that matters – the data level – so you can make the right design and implementation decisions. At this webinar, learn how to achieve an assured and predictable security footprint by minimizing the leak of information or exploitation of data through unintended consequences. Secure DDS offers data-centric configuration policies for content and behaviors. Recognizing that security isn't one-size-fits-all, a standards-based optional plugin SDK allows developers to create custom security plugins. Connext Secure DDS is the world's first turnkey DDS security solution that conforms to the OMG specification and provides an essential security infrastructure that is data-focused for DDS and legacy systems. Watch On-Demand: http://ecast.opensystemsmedia.com/478


Page 1: Is Your Data Secure

Your systems. Working as one.

Is Your Data Secure?

June 24 – RTI Sponsored Webinar

Gordon Hunt, [email protected]

Page 2: Is Your Data Secure

Agenda

• What is Data?

• What is Security?

• How to Bring it all Together?

• Why does it Matter?

Page 3: Is Your Data Secure

What is Data?

Data-At-Rest?
• Where is it
• Single view of the ‘answer’
• Heterogeneous views
• How do I get to it
• State is centralized

Data-In-Motion?
• How to send/share it
• Shared view of the ‘answer’
• Homogeneous views
• How we say it
• State is distributed

Page 4: Is Your Data Secure

Example: Clinical Decision Support Systems

Workstations, Storage, Historical

HL7/EMR Gateway, Enterprise, 3rd Party

Room

Devices

Care Area

Administration

Page 5: Is Your Data Secure

Example: Where and What is the Data?

Workstations, Storage, Historical

HL7/EMR Gateway, Enterprise, 3rd Party

Room

Care Area

Administration

Location: Room 247B

Data: HomerSimpson

Page 6: Is Your Data Secure

Example: Blue Force Tracker Systems

[Figure: Blue Force Tracker network diagram. Labels include TSG, JNN Ku-Band, ARMY BFT1, BFT1 L-Band, VSAT, JCR NOC, L-Band Ground Stations, EPLRS, ARMY EPLRS, USMC, GCSS-J, GCSS-A, DDS, Reachback, DISA VPN, JBCP NOC.]

Page 7: Is Your Data Secure

Messages and Routing versus Actionable Data

• Message-Centric NOC Architecture
– Point to Point
– State is Implicit
– Intermediate messages are not actionable

• Data-Centric NOC Architecture
– Observable databus
– State is Explicit
– Intermediate state is actionable

[Figure: NOC architecture diagrams. Labels include Comtech Side A/B, Comtech LBAND, CUI Network Gateway Satcom 1/2, CUI and SEC Region Servers, NOC Controllers, MySQL Servers, NTP, CDI, NDS, NAS and Aux Trans hosts, CUI MTS-ES, BFT1 NEH, Network Switches, Cisco 2924XL, CUI ASA 5510, SEC Router, SEC and CUI Isolation Routers, SEC Legacy Gateway, SEC JCR Gateway, SEC Satcom Gateway, Radiant Mercury, NIPRNET, SIPRNET, CUI NOC, Secret NOC, JCR NOC, SEC Enclave, Dell PowerEdge 815, RTI DDS, KGV-72 x 4, CP Conduits G and H, Type 1 Conduit I, Cross Domain Conduit J, NOC SA Display Conduit K, SA / C2 / SDSA Processes, Persistence Server, SDSA/C2 Routing, Configuration Management, Logging, Health Monitoring, DataStore, NOC Addressed C2 Display, ASCOPE Datastore.]

Page 8: Is Your Data Secure

Results of Making Data Actionable

• Before
I. Custom implementation for the Army
II. Centralized, monolithic and tightly coupled
III. Under development for 8 years
IV. 500,000 SLoC
V. Required 21 quad-core servers
VI. Supported 10,000 sustained tracks
VII. Suffered reliability and uptime challenges

• After
I. Standards based, COTS and Open Architecture
II. De-centralized, modular and de-coupled
III. PoC completed in 1 week, full system in 1 year
IV. 50,000 SLoC
V. Only requires a single core system
VI. Supports 500,000 sustained tracks
VII. Inherently supports full redundancy

Page 9: Is Your Data Secure

Where is the Data?

Point-to-point, sockets, RPC, RMI
• Data and its state is in the applications
• Each application maintains its view

Centralized, DB, ESBs
• Data and its state is in the Database
• Managed interactions with data and state

Decentralized, Data Centric
• Data and its state is in the bus
• Stateless clients/services
• Data needs explicit properties to manage its behavior

[Figure labels: Broker, ESB, DBMS]

Page 10: Is Your Data Secure

Where is the Data?
Centralized Analytics and Control

• Limits scalability and performance
– Capacity of individual links and switch ports
– CPU and resource limits on servers

• Diminished robustness
– Tied to server maintenance and failures
– Single point of “vulnerability”

• Lessens capabilities and utility
– Single centralized “brain”
– No autonomy or intelligence at the edge

• Brittle security. All intelligence is “in a box”

[Figure: Centralized ESB, Database, or Message Broker]

Page 11: Is Your Data Secure

Where is the Data?
Distributed Analytics & Control

• Analyze orders of magnitude more data
• Lower latency control for faster response
• Highly resilient, no single point of failure
• Fine-grained access control and security
• More capable and flexible intelligence at the edge

[Figure: Decentralized, fully Distributed DDS DataBus]

Page 12: Is Your Data Secure

What is Security?

• Authentication:
– The bank knows who you are; you must show ID.

• Access Control:
– The bank only lets those on an access list into your box.

• Confidentiality:
– You are alone in the room. Nobody can see the contents of the box.

• Integrity:
– The box is sealed. If anybody touches it you will know.

• Non-repudiation:
– You sign when you come in and out so you can’t claim that you weren’t there.

• Availability:
– The bank is always open.

Page 13: Is Your Data Secure

How to Implement Security?
Security Related Infrastructure

• Intrusion Detection and Actions
• Malware Detection and Prevention
• Secure Boot & Trusted Platforms
• Secure Comms and Data Links
• Key and Identity Mgmt.
• Cryptologic Functions
• …

Very Domain specific – may need all of these

e.g.

Page 14: Is Your Data Secure

Where is Security?
Multiple Security Boundaries

• Boundary Security

• Transport-Level
– Network (layer 3) security
– Session (layer 4/5) security
– Endpoint-based access

• Fine-grained Data-Centric Security
– Queue/table-based access
– Decentralized or centralized?

Ultimately you need to implement all of them

Page 15: Is Your Data Secure

How to Bring it all Together?
The Interoperability Standard:

• DDS Spec (2004)
• DDS Interoperability (2006)
• UML DDS Profile (2008)
• DDS for Lw CCM (2009)
• DDS X-Types (2010)
• DDS-STD-C++, DDS-JAVA5 (2012)
• Web-Enabled DDS (2013)
• DDS Security (2014)
• RPC over DDS (2014)

[Figure: Apps, each on a DDS Implementation, over Network / TCP / UDP / IP / SharedMem / …]

Page 16: Is Your Data Secure

Data Identity
in the Global Data Space

• Domain:
– The world you are talking about

• Topic:
– A group of similar objects
  • Similar structure (“type”)
  • Similar way they change over time (“Quality of Service”)

• Instance:
– An individual object in the topic group of similar objects
  • Like the “key” fields in a database table

• Domain Participant:
– A connection to the Domain in order to source/observe observations

• Data Writer:
– The source of observations about a set of data objects (Topic)

• Data Reader:
– Observer of a set of data-objects

• Sample:
– An update of an instance

[Figure: a Domain containing Topic “A” and Topic “B”; Logical and Physical views]

Page 17: Is Your Data Secure

Data Behavior
in the Global Data Space

• Aside from the actual data to be delivered, users often need to specify HOW to send it …
… reliably (or “send and forget”)
… how much data (all data, last 5 samples, every 2 secs)
… how long before data is regarded as ‘stale’ and is discarded
… how many publishers of the same data are allowed
… how to ‘failover’ if an existing publisher stops sending data
… how to detect “dead” applications
… …

• These options are controlled by formally-defined Quality of Service (QoS)

Page 18: Is Your Data Secure

DDS Quality of Service

QoS policies shown: Deadline, Reliability, History, Liveliness, Time Based Filter, Content Filtering, Durability, Ownership, Partition, Presentation, Lifespan, Destination Order, Resource Limits, Latency Budget, Flow Control, User / Group / Topic Data, Batching, Transports, Multi-Channel, Async Publisher

Page 19: Is Your Data Secure

Use Case: Streaming Data

QoS policies shown: Deadline, Reliability (optional), History, Liveliness, Time Based Filter, Content Filtering, Durability, Ownership, Partition, Presentation, Lifespan, Destination Order, Resource Limits, Latency Budget, Flow Control, User / Group / Topic Data, Batching (optional), Transports, Multi-Channel, Async Publisher

Page 20: Is Your Data Secure

Use Case: Alarms / Events

QoS policies shown: Deadline, Reliability, History, Liveliness, Time Based Filter, Content Filtering, Durability, Ownership, Partition, Presentation, Lifespan, Destination Order, Resource Limits, Latency Budget, Flow Control, User / Group / Topic Data, Batching, Transports, Multi-Channel, Async Publisher

Page 21: Is Your Data Secure

Use Case: Large Data

QoS policies shown: Deadline, Reliability, History, Liveliness, Time Based Filter, Content Filtering, Durability, Ownership, Partition, Presentation, Lifespan, Destination Order, Resource Limits, Latency Budget, Flow Control, User / Group / Topic Data, Batching, Transports, Multi-Channel, Async Publisher

Page 22: Is Your Data Secure

Use Case: Last Value Cache

QoS policies shown: Deadline, Reliability, History, Liveliness, Time Based Filter, Content Filtering, Durability, Ownership, Partition, Presentation, Lifespan, Destination Order, Resource Limits, Latency Budget, Flow Control, User / Group / Topic Data, Batching, Transports, Multi-Channel, Async Publisher

Page 23: Is Your Data Secure

Data Security in the Global Data Space

• Access control per Topic
– And all that that implies

• Read-versus-write permissions
– But enable fully distributed enforcement

• Source-specific permissions and tagging
– Fine-grained specificity of policies

[Figure: a Domain containing Topics “A”, “B” and “C”]

Page 24: Is Your Data Secure

Data Security
in the Global Data Space

• Authentication:
– The Domain knows who you are, you must show ID

• Access Control:
– Only those on the Topics’ access list are allowed (r/w)

• Confidentiality:
– Data payload and meta-data individually encrypted.

• Integrity:
– Data samples include destination specific signatures/MACs.

• Non-repudiation:
– Specified behavior and associated quality of service for acknowledgements

• Availability:
– DDS managed and specified behavior, rich fault/failure management

Page 25: Is Your Data Secure

Data Security
How is it Done?

• Security Model
– What to Protect

• Security Plugin APIs
– How/where to protect
– Interchangeability of the plugins

• DDS RTPS Wire Protocol
– Data encapsulation and discovery interoperability

• Default Builtin Plugins
– Out-of-box implementation
– Interoperable implementations

OMG DDS Security Specification

RTI Connext™ DDS Implementation

Page 26: Is Your Data Secure

Data Security
Threats in the Global Data Space

1. Unauthorized subscription
2. Unauthorized publication
3. Tampering and replay
4. Unauthorized access to data by infrastructure services

• Alice: Allowed to publish topic ‘T’
• Bob: Allowed to subscribe to topic ‘T’
• Eve: Non-authorized eavesdropper
• Trudy: Intruder
• Mallory: Malicious insider
• Trent: Trusted infrastructure service
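The destination-specific MACs from the earlier "Data Security in the Global Data Space" slide, applied to the tampering, replay and insider threats listed above. This is an added sketch, not RTI or OMG code: the sample layout, key handling, class names and payloads are assumptions and do not reproduce the RTPS wire format.

```python
import hashlib
import hmac
import os

def mac(key, seq, payload):
    # The MAC covers the sequence number and the payload.
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()

class Writer:
    def __init__(self, reader_keys):          # one MAC key per destination reader
        self.keys, self.seq = reader_keys, 0

    def publish(self, payload):
        self.seq += 1
        macs = {r: mac(k, self.seq, payload) for r, k in self.keys.items()}
        return {"seq": self.seq, "payload": payload, "macs": macs}

class Reader:
    def __init__(self, name, key):
        self.name, self.key, self.last_seq = name, key, 0

    def accept(self, sample):
        expected = mac(self.key, sample["seq"], sample["payload"])
        if not hmac.compare_digest(sample["macs"].get(self.name, b""), expected):
            return "rejected: bad MAC"
        if sample["seq"] <= self.last_seq:    # already seen: replayed sample
            return "rejected: replay"
        self.last_seq = sample["seq"]
        return "accepted"

def demo():
    keys = {"bob": os.urandom(32), "mallory": os.urandom(32)}  # constructed keys
    alice, bob = Writer(keys), Reader("bob", keys["bob"])
    s1 = alice.publish(b"breaker=closed")
    results = [bob.accept(s1), bob.accept(s1)]            # genuine, then replayed
    tampered = dict(s1, seq=2, payload=b"breaker=open")   # Trudy alters it in transit
    results.append(bob.accept(tampered))
    # Mallory is an authorized reader but holds only her own key, so she
    # cannot produce the MAC that Bob checks.
    forged = {"seq": 2, "payload": b"breaker=open",
              "macs": {"bob": mac(keys["mallory"], 2, b"breaker=open")}}
    results.append(bob.accept(forged))
    return results
```

With a single key shared by all readers of the topic, Mallory's forgery would verify; the per-destination key is what lets Bob attribute the sample to Alice.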

Page 27: Is Your Data Secure

Data Security
Using Secure DDS (per OMG spec)

• Start with a Domain Configuration
– Signed document that sets policies for the Domain

• Specifies
– What Topics are discovered using Secure Discovery
– Encrypt or Sign for Secure Discovery
– What Topics have controlled access
– Encrypt or Sign for each secure Topic
  • User data and payload
  • Metadata and routing information
– What to do with unauthenticated access requests

Page 28: Is Your Data Secure

Data Security
Using Secure DDS per OMG specification

• For each Participant
– It's an identified point of access
– Enables fully distributed authentication
– Enables local access enforcement

• Specifies
– What Domain IDs it can join
– What Topics it can read/write
– What Topics it can relay
– What Partitions it can join
– What Tags are associated with the Readers and Writers

Page 29: Is Your Data Secure

What’s Happening Inside DDS?

[Flowchart]
1. Create Domain Participant → Authenticate DP? No: Domain Participant create fails.
2. Yes → Create Endpoints → Access OK? No: Endpoint create fails.
3. Discover remote DP → Authenticate remote DP? No: Ignore remote DP.
4. Yes → Discover remote Endpoints → Access OK? No: Ignore remote endpoint.
5. Send/Receive data → Message security

DP = Domain Participant
Endpoint = Reader / Writer
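The flow above, combined with the Domain Configuration and per-Participant permissions from the two preceding slides, as an added toy model. It is not RTI or OMG code: the dictionary and class layout, the `signed_by_ca` flag standing in for PKI verification, and all sample data are assumptions.

```python
from dataclasses import dataclass, field

# Domain configuration: which topics have controlled access and what to do
# with unauthenticated participants (constructed values).
GOVERNANCE = {"domain_id": 0, "allow_unauthenticated": False,
              "protected_topics": {"T"}}

@dataclass
class Permissions:                 # per-Participant document
    subject: str
    signed_by_ca: bool             # stands in for certificate verification
    domains: set = field(default_factory=set)
    publish: set = field(default_factory=set)
    subscribe: set = field(default_factory=set)

def authenticate(p):
    return p.signed_by_ca or GOVERNANCE["allow_unauthenticated"]

def access_ok(p, topic, action):
    if topic not in GOVERNANCE["protected_topics"]:
        return True                # no access control configured for this topic
    return (p.signed_by_ca and GOVERNANCE["domain_id"] in p.domains
            and topic in getattr(p, action))

def create_endpoint(p, topic, action):
    """Local side: 'Authenticate DP?' then 'Access OK?'."""
    if not authenticate(p):
        return "participant create fails"
    if not access_ok(p, topic, action):
        return "endpoint create fails"
    return "ok"

def match_remote(remote, topic, remote_action):
    """Checks every participant runs itself on each discovered peer."""
    if not authenticate(remote):
        return "ignore remote DP"
    if not access_ok(remote, topic, remote_action):
        return "ignore remote endpoint"
    return "send/receive with message security"

# Constructed participants, named after the actors on the threats slide.
ALICE = Permissions("Alice", True, {0}, publish={"T"})
BOB = Permissions("Bob", True, {0}, subscribe={"T"})
EVE = Permissions("Eve", False)
MALLORY = Permissions("Mallory", True, {0}, subscribe={"T"})
```

The remote checks matter because a hostile peer will not run `create_endpoint` honestly: Bob still ignores Mallory's writer on ‘T’ because her permissions only allow subscribing.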

Page 30: Is Your Data Secure

What’s Happening on the Wire?

• RTPS Protocol Supports
– Rigorous identity, source and destination indication
– Sequence numbers for state recreation
– Content awareness for efficient delivery
– Timestamps for data and state integrity
– Efficient use of transports
– Proxy & routing support
– Reliability & synchronization handshaking

…
encode_serialized_data()
encode_datawriter_submessage()
encode_datareader_submessage()
encode_rtps_message()
…

Page 31: Is Your Data Secure

Why does it Matter?
Connext DDS Secure Benefits

• Decentralized
– High performance
– No single point of failure

• Runs over any transport
– Including low bandwidth, unreliable
– Multicast for scalability, low latency

• Select encryption or message authentication
– Only encrypt private data
– Up to 100x faster

• Customizable plugin architecture
• Data Distribution Service (DDS) compliant
• Works with unmodified existing apps

[Figure: Application on top of the Connext DDS library with Authentication, Access Control, Encryption, Data Tagging and Logging plugins, over Any Transport (e.g., TCP, UDP, multicast, shared memory)]

Page 32: Is Your Data Secure

Why does it Matter?
RTI and PNNL Grid Security Retrofit

[Figure: Control Station (DNP3 Master Device) and Transmission Substation (DNP3 Slave Devices) connected through RTI Routing Service Gateways and ComProcessors, DDS LANs and IP Routers. Link labels: DNP3 over RS232/485, DNP3 over Ethernet, DNP3 over DDS, DDS over WAN, DDS over UDP/WAN, Effective DNP3 connection.]

Details at http://blogs.rti.com

Page 33: Is Your Data Secure

Why does it Matter?
RTI and PNNL Grid Security Retrofit

[Figure: Control Station (DNP3 Master Device) and Transmission Substation (DNP3 Slave Devices) connected through RTI Routing Service Gateways and ComProcessors and IP Routers. Link labels: DNP3 over RS232/485, DNP3 over Ethernet, DNP3 over DDS, DDS over WAN, Secure DDS over UDP, Effective DNP3 connection.]

Details at http://blogs.rti.com

Page 34: Is Your Data Secure

Why does it Matter?
RTI and PNNL Grid Security Retrofit

[Figure: Control Station (DNP3 Master Device) and Transmission Substation (DNP3 Slave Devices) connected through RTI Routing Service Gateways and ComProcessors and IP Routers, with Attack Detector, Display, Scada Converter and Anomaly Detector components added. Link labels: DNP3 over RS232/485, DNP3 over Ethernet, DNP3 over DDS, DDS over WAN, Secure DDS over UDP, Effective DNP3 connection.]

Details at http://blogs.rti.com

Page 35: Is Your Data Secure

Why does it Matter?

Secure, flexible, scalable, and performant system integration.

• Decoupled access to data via the Global Data Space
– This does not mean loss of access control to the information and data
– It means that the Data Space must have an associated security model

• DDS can use standard PKI and cryptographic techniques to enforce the security policies

• DDS can use domain-specific system technologies and capabilities to address security

The key is to use a data-centric security model

Page 36: Is Your Data Secure

RTI Connext™: A Next Generation Infrastructure

[Figure: product diagram. Labels: DDS Secure; Connext DDS Professional; Connext DDS Micro; Connext DDS Cert; DDS & JMS Libraries; Routing Service; Database Integration; Adapter; RDBMS; Administration; Monitoring; Microsoft Excel; Recording; Replay; Wireshark; Persistence; Logging; Prototyper; General Purpose Real-Time Apps; Remote Apps; Disparate Apps; Small Footprint Apps; Safety critical Applications; DDS-RTPS Wire Interoperability Protocol.]

Page 37: Is Your Data Secure

Next Steps & Questions

• Evaluation Available Today
• Contact [email protected] or your local Account Manager

www.rti.com

community.rti.com

www.facebook.com/RTIsoftware

www.slideshare.net/RealTimeInnovations

www.twitter.com/RealTimeInnov

blogs.rti.com

www.youtube.com/realtimeinnovations

www.omg.org

dds.omg.org