Assured Counter-Terrorism Information Sharing Using Attribute Based Information Security (ABIS)

E. Yuan, G. Wenzel
DOI: 10.1109/AERO.2005.1559621 (https://doi.org/10.1109/AERO.2005.1559621)
Published in: 2005 IEEE Aerospace Conference, 2005-03-05
Citations: 2

Abstract

For counter-terrorism information sharing, just like for many other government and military operations in the post-9/11 world, the traditional mindset of "need to know" is being overtaken by the "need to share" among dynamic communities of interest (COIs). Current IT environments and security mechanisms force equal sharing of all information at the lowest common denominator, often requiring the set-up of new physical networks to protect information boundaries, which is time-consuming, costly, and not interoperable. The recent technology evolution towards service oriented architectures (SOAs) helps establish a loosely coupled, interoperable "system of systems" platform; however, SOAs also bring their own security challenges. This paper outlines the inefficiency of conventional network-boundary-based, protection-oriented information security mechanisms as well as the new security challenges of the emerging SOA technologies, and proposes attribute based information security (ABIS) as a new approach for addressing these challenges. Central to this new approach is a generic attribute based access control (ABAC) model, which is based on subject, object, and environment attributes and supports both mandatory and discretionary access control needs. To realize the potential of the ABAC model, the paper introduces a high-level ABIS reference architecture, which reflects the proposed technical approaches to achieving an attribute-centric security methodology. First, to establish an environment that facilitates the seamless flow of information between collaborating parties, the capability to provision and manage attributes for subjects and resources needs to be established. Second, attribute-binding mechanisms need to be in place to support the integrity and data assurance of the information objects. Next, the architecture should provide identification, authentication and authorization mechanisms based on those attributes. Building upon these tasks leads to the establishment of "trusted information domains" within a shared network infrastructure, providing the ability to establish logical COIs seamlessly, created as needed or modified as policy dictates. The paper also explores the possibility of extending the ABAC model across trust domains, allowing multiple levels of policy enforcement and policy federation.
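The abstract describes an ABAC model whose decision depends on subject, object and environment attributes and which must satisfy both mandatory and discretionary control needs. The following is an added illustration, not code from the paper or its authors, of how such a decision function can be structured: a mandatory rule (clearance dominance plus shared COI membership) that cannot be widened by anyone, a discretionary rule through which the owning organization admits named partner organizations, and an environment rule on the requesting network. Every attribute name, the clearance lattice, the network list and the sample subjects and resources are constructed assumptions for this example.

```python
from dataclasses import dataclass

# Clearance lattice for the mandatory rule (constructed for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Subject:
    """Subject attributes: who is asking (hypothetical attribute names)."""
    name: str
    clearance: str
    cois: frozenset          # communities of interest the subject belongs to
    organization: str


@dataclass(frozen=True)
class Resource:
    """Object attributes bound to the information object (hypothetical names)."""
    resource_id: str
    classification: str
    cois: frozenset          # COIs the object has been released to
    owner_org: str
    released_to: frozenset = frozenset()  # discretionary: partner orgs the owner admits


@dataclass(frozen=True)
class Environment:
    """Environment attributes of the request itself (hypothetical names)."""
    network: str


# Networks from which requests are honoured (constructed list).
APPROVED_NETWORKS = frozenset({"shared-enclave", "coalition-wan"})


def mandatory_rule(s: Subject, r: Resource) -> tuple[bool, str]:
    """MAC: clearance must dominate classification and subject must share a COI."""
    if LEVELS[s.clearance] < LEVELS[r.classification]:
        return False, f"clearance {s.clearance} below {r.classification}"
    if not (s.cois & r.cois):
        return False, "no common community of interest"
    return True, "mandatory rule satisfied"


def discretionary_rule(s: Subject, r: Resource) -> tuple[bool, str]:
    """DAC: the owning organization may widen access to named partner organizations."""
    if s.organization == r.owner_org or s.organization in r.released_to:
        return True, "discretionary rule satisfied"
    return False, f"organization {s.organization} not released by owner {r.owner_org}"


def environment_rule(env: Environment) -> tuple[bool, str]:
    """Environment: only requests arriving over an approved network are honoured."""
    if env.network not in APPROVED_NETWORKS:
        return False, f"network {env.network} not approved"
    return True, "environment rule satisfied"


def evaluate(s: Subject, r: Resource, env: Environment) -> tuple[bool, list[str]]:
    """Deny-by-default: every rule must pass; all reasons are kept for the audit trail."""
    results = [mandatory_rule(s, r), discretionary_rule(s, r), environment_rule(env)]
    reasons = [msg for _, msg in results]
    return all(ok for ok, _ in results), reasons


# Constructed sample subjects, resource and environments.
ANALYST = Subject("alice", "SECRET", frozenset({"coi-border"}), "agency-a")
PARTNER = Subject("bob", "SECRET", frozenset({"coi-border"}), "agency-b")
OUTSIDER = Subject("carol", "TOP SECRET", frozenset({"coi-maritime"}), "agency-a")
JUNIOR = Subject("dave", "CONFIDENTIAL", frozenset({"coi-border"}), "agency-a")

REPORT = Resource(
    "rpt-0042", "SECRET", frozenset({"coi-border"}),
    owner_org="agency-a", released_to=frozenset({"agency-b"}),
)
ENV_OK = Environment("shared-enclave")
ENV_BAD = Environment("public-internet")

if __name__ == "__main__":
    for subj in (ANALYST, PARTNER, OUTSIDER, JUNIOR):
        allowed, why = evaluate(subj, REPORT, ENV_OK)
        print(subj.name, "ALLOW" if allowed else "DENY", why)
    print("alice over public internet:", evaluate(ANALYST, REPORT, ENV_BAD)[0])
```

The point of keeping the three rules separate is that the mandatory rule is evaluated from attributes bound to the object and the subject, so an owner's discretionary release cannot override a clearance or COI mismatch; carol, despite a higher clearance than the report requires, is denied because she is outside the report's COI. Returning every rule's reason rather than a bare boolean gives the audit record the paper's "trusted information domains" would need to justify each decision.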