NATO. Identity Management PKI and Strong Authentication

Transcription

1 NATO Identity Management PKI and Strong Authentication Snapshot May 2012

2 CONTENTS THE IDENTITY MANAGEMENT CHALLENGE...3 BACKGROUND INFORMATION ON NATO PKI...5 NATO PKI MANAGEMENT AUTHORITY...6 NPKI TIMELINE...8 NATO IDENTITY MANAGEMENT BACKGROUND...9 RELATED POLICIES, DIRECTIVES AND GUIDANCE

3 THE IDENTITY MANAGEMENT CHALLENGE The NATO Identity Management (IdM) vision is a federated, robust, trustworthy and interoperable Identity Management capability that supports the ability to correctly identify participants and Non- Human Entities of Alliance mission operations. But despite the numerous NATO efforts underway to establish and apply identification policies and mechanisms, NATO has not articulated the overarching requirement for and roadmap to implement and manage this activity as a whole. Implementing identity management implies establishment of frameworks, models, standards, protocols, processes and technology that enroll, register and un-register/retire identity assets across the enterprise. Managing these implementation efforts also requires a lead body with the ability and accountability to realize this potential within NATO. The following is a snapshot of current NATO efforts underway that exemplify the shortfalls within the Alliance on this issue. TECHNICAL & IMPLEMENTATION POLICY DEVELOPMENT The Bi-SC Secure Data Strategy (SDS) advocates moving along paths towards automated, protected and trusted core networking and data exchange leading to superior C2 arrangements. Key to pursuing these objectives is adaptation of policies and supporting directives and coordinated efforts among the Security Committee (IA), C3 Board, and the NPMA. The SDS shows that some technical policies and directives in their current state may hinder rather than enable the attainment of Alliance IdM goals. In some cases policies and roadmaps simply do not exist and will have to be drafted and approved. As an example, for trusted data exchange, metadata standards need to be finalized and metadata security standards and public key infrastructure need to be defined and implemented. With respect to identity management, minimum? identity attributes and privileges and the interoperability requirements must be established. Looking to the future, not only will NATO have to manage identities within its own mission and business environment, it must also be prepared to exchange identities across federated environments involving NATO nations, partner nations and non-nato nations and organizations. STRONG AUTHENTICATION & IDENTITY MANAGEMENT NATO s new cyber defense policy and an associated action plan contain the only actionable roadmap of IdM-related activities, namely the implementation of strong authentication to access NATO CIS. Nevertheless, the C3B (PS) has yet to provide clear guidance and tasking to its subordinate structure (Capability Panel and Teams) to carry out this work. This key challenge for the C3B (PS), - i.e., governance, management and oversight of enterprise wide technical implementations, is not limited to Identity Management. NATO is also struggling with the task of defining strong authentication in the context of the Cyber Defense Policy, a task for which the C3B exercises oversight. Most recently the Security Committee in IA format has tried to reconcile the DPPC-R (CD) developed requirement for strong authentication as an item to enhance NATO s cyber posture with a more specific meaning of the term.. Without a clear 3

4 understanding and definition of the term, relevant NATO bodies are reluctant to move forward and accept that stronger authentication or even multifactor authentication can be achieved. ELEMENTS FOR AN IDENTITY MANAGEMENT INFRASTRUCTURE While PKI is a fundamental element of an IdM infrastructure, the NATO PKI statement of requirements as approved in 2009 did not include, multifactor authentication nor strong authentication, nor is it predicated upon realizing a broader NATO identity management infrastructure. Neither were other elements such as the Cyber Defense Action Plan s call for strong authentication and the NATO enterprise directory service considered in a broader identity and access management context. These elements as a whole have not been organized into a coherent policy/management and technology/architecture roadmap. Assembling the identity-related information from existing NATO systems and joining them together so that the data associated with an individual is linked together, and then making that available to applications for authentication, access and privilege management, is precisely what constitutes an identity management infrastructure. These facts clearly expose the need for NATO to develop a prioritized timeline and tasking necessary to implement a robust NATO Identity Management service within a structure that provides oversight and governance, superior to but with ability to influence the execution and implementation of CDAP item #3. 4

5 BACKGROUND INFORMATION ON NATO PKI The initial NATO PKI SOR (Statement of operational Requirement) was approved in 1998, (static network implementation with 10k users). The capability package CP-0A155, NATO common funding source for INFOSEC, only identified funding for the PKI infrastructure not Enterprise Directory or functional area services, end-user application integration nor certificates or end entity user tokens. In 2006 mission/scope creep; SOR was re-written to support static and deployed implementation for 200k users. SOR was not finalized until mid Type-B cost estimate is yet to be completed. Although the SOR significantly expanded the scope, additional funding has not been identified; initial cost estimate 2.2M Euros re-scoped SOR TBCE ~11M Euros across all funding sources including full scope of new SOR and tokens/certificates which are included in CP0A0155. NC3A is currently working the TBCE to encompass the ACO re-scoped PKI requirement and encompass funding from CPA0155 and other sources, taking into consideration the existing interim solution as well as the additional requirement levied in CUR422 in support of the ISAF mission COMPOSITION OF NATO S PKI CAPABILITY Despite the numerous NATO efforts underway to establish and apply identification policies and mechanisms, NATO has not articulated the overarching requirement for, and strategy to, manage these activities as a whole. In June 2003, NATO developed a policy for the adoption of Public Key Infrastructure Technology by NATO Civil and Military Bodies. This policy states that NATO PKI shall be implemented by only one authority, the NATO PKI Management Authority (NPMA). The NMPA has only approved one NATO PKI which is described in NATO PKI Certificate Policy (AC/322(NPMA-PAC)WP(2005)0003). This approved NATO PKI can generate, distribute, and manage cryptographic keys, electronic certificates, and electronic Certificate Revocation Lists (CRL), which allows for securing the electronic IT environment for use in the NATO Alliance. Currently, NATO information is being protected at the system level. Trust to be based upon this information is out of (system) band and conducted in a procedural manner. The approved interim NATO PKI has been implemented at NATO Headquarters (NATO HQS entities), NATO C3 Agency (NC3A entities), and NATO CIS Services Agency (NCSA entities) on the NATO Unclassified/NATO Restricted 1domain. Additionally, the approved NATO PKI has also been implemented at NATO International Security Assistance Forces (ISAF entities) and NATO General Communication System Packet Transport Component Network 1 NATO Restricted, similar to but equal to the US U//FOUO. NR may not be transmitted over the internet in the clear. 5

6 Adaptation For Information exchange gateways (NGCS PTC NAFI 200 entities). Overall, approximately 600 hard tokens are in use. At the same time, other NATO organizations such as NATO Maintenance & Supply Agency (NAMSA) NATO Eurofighter & Tornado Management Agency (NETMA), NATO Battlefield Information Collection & Exploitation Systems (BICES), and NATO Information Assurance Technical Center (NIATC) have developed and implemented their own version of PKI. Due to their expanding operational environment, these organizations had an urgent need to establish a PKI solution rapidly; and could not wait for an enterprise wide NATO PKI capability. These version of PKI have a not been approved by the NPMA, therefore they are not compliant with NATO policy. NATO PKI MANAGEMENT AUTHORITY The NATO PKI Management Authority (NPMA) serves as the executive agent for the development and operation of the NPKI. Its primary focus is to establish and maintain the desired level of assurance when providing PKI services to NATO users and when defining the rules for interoperation with other PKIs, for example, when negotiating agreements with nations and other external certification authorities and PMAs. The NPMA acts as directed by, and under the control of, the NATO C3 Board (NC3B). When executing its mission, it remains responsive, through the NC3B, to the North Atlantic Council. MEMBERS Chairman: (NHQC3S Director) Secretary: NHQC3S IAB Staff Officer) Members: representatives from ACO, ACT, NATO HQ Executive Secretariat, NC3A, NCSA, NHQC3S, NOS, Infrastructure Committee, PAC Chairman. Representatives of other NATO agencies and national experts may also be invited to attend the meetings in an advisory capacity. NATO PKI ADVISORY Group The NATO PKI Advisory Group (NPAG) provides assistance and advice to the NPMA on legal issues, technical issues, and current NATO standard operating procedures. MEMBERS Chairman: (NHQC3S IAB Staff Officer) 6

7 Members: representatives from Strategic Commands, NATO Legal Advisor, NC3A, NCSA, NHQC3S, NOS, Nations (subject matter experts), DACAN, other NATO bodies. Representatives of other NATO agencies, national experts and industry representatives may also be invited to attend the meetings. MILITARY COMMITTEE DISTRIBUTION AND ACCOUNTING AGENCY The Military Committee Distribution and Accounting Agency (DACAN) arranges for the production, accounting, and distribution of all keying material used by NATO. DACAN serves as the trusted agent responsible for the management of keying material necessary to ensure the confidentiality, integrity, availability, and authenticity of NATO information, communications, and automated information systems. DACAN shall provide these services as the NPKI Root Certificate Authority and perform as the ultimate trust point in the NATO domain to enforce the NPKI Certificate Policies. EUROPEAN DISTRIBUTION AND ACCOUNTING AGENCY OF THE MILITARY COMMITTEE The European Distribution and Accounting Agency of the Military Committee (EUDAC) serves as the trusted agent, in co-operation with DACAN, for the distribution of NATO keying material. EUDAC shall serve as the NPKI Root CA backup site and shall assume the responsibilities of DACAN as the ultimate trust point in the NATO domain to enforce the NPKI Certificate Policies if necessary. DACAN will remain the primary point of contact for all issues related to the NPKI Root CA in the event that the backup site has been activated. NATO CIS SERVICES AGENCY The NATO CIS Services Agency (NCSA) and its subordinate elements manage operation and control, on behalf of all subscribers, the Communications and Information Systems (CIS) and installations assigned to it by the NC3B. In addition NCSA and its subordinate elements provide operational support comprising hardware and software maintenance, personnel training, installation and associated services including security for assigned CIS and authorized subscribers, NCSA is responsible for the management, operation and control of NPKI CA and RA systems supporting CIS assigned to NCSA (with the exception of the NPKI Root CA.) SECURITY ACCREDITATION AUTHORITY The Security Accreditation Authority (SAA) is the body responsible for approving the implementation of CIS within an organization. The SAA for the NPKI Root CA is the NATO Security Accreditation Board (NSAB). The NATO Office of Security (NOS) is the Compliance Auditor for the NPKI as defined by the NPKI Directive. The NOS is responsible for compliance audits and continued accreditation of the NPKI Root CA. 7

8 NPKI TIMELINE 8

9 NATO IDENTITY MANAGEMENT BACKGROUND The NATO Network Enabled Capability (NNEC) Feasibility Study (FS) endorsed by the NATO C3 Board highlights the challenges the Alliance faces with respect to the deployment of an Alliance-wide, interoperable Identity Management (IdM) scheme to support information sharing. FRAMEWORK - ORIGINS In response to the NNEC study and following coordination with the management teams of SC/4 and SC/5, NATO held a series of IdM Workshops in 2008 in order to develop a NATO IdM framework and to define a common structured IdM model and IdM plane within and across NATO and member nations. The NATO IdM Straw-man document produced did not address a holistic implementation of IdM but rather only addressed a narrowly focused aspect of messaging interoperability. A first version of this framework document is at Enclosure 1, and is now presented to SC/4, SC/5 and the NPMA on a request for comment basis. Despite the number of NATO efforts underway to establish and apply identification policies and mechanisms, NATO has not articulated the overarching requirement for, and strategy to, manage these activities as a whole. At the same time, the Alliance mission environment and associated identity management challenges are becoming more complex due to coalition operations in Afghanistan and elsewhere. Not only must NATO manage identities within its own mission and business environments, it must also exchange identities across federated environments involving NATO nations, partner nations and international organizations. NIDM GOVERNANCE, SCOPE CHALLENGES Discussions within SMI AHWG and the IdM Workshops led to a growing U.S. concern that NATO IdM was NOT TRACKING IN THE RIGHT DIRECTION. IN THE ABSENCE OF A GOVERNANCE FRAMEWORK OR EVEN AN AGREED SCOPE for IdM within the Alliance, any activities would essentially continue to move forward in parallel or even diverging directions. Within the U.S., this conclusion culminated in a break of silence on the draft IdM framework; relevant text from that document is below. US BREAK OF SILENCE 2009 "ID management goes way beyond security aspects. It means that there's frameworks, models, standards, protocols, processes and technology that enroll, register and un-register/retire assets across the enterprise, whether they are human or not." The U.S. therefore recommends standing up "a PKI Program Office that has a wider scope than the current NPMA and PAC because it could extend the role of the emerging PKI to take on a larger Identity Management role that will support both logical and physical access needs and therefore more effectively adapt the PKI to rapidly support emerging ID management needs." The U.S. proposals in the 2009 break of silence were a difficult sell in the current NATO resource environment. There were also concerns about focusing on a higher level strategic framework instead of 9

10 emerging, near-term operational requirements such as the TACTIC CUR for a common identity card in the ISAF Theater. Indeed, ACO J6 announced at the June 2010 SC/4 they had produced an IdM Strategy of their own addressing the how. NATO Identity Management will create the basis of a secure enterprise capability that will permit identity-sensitive applications to collect identity information, established & assign attributes to a digital identity, and connect that identity to an entity in support of mission objectives. 10

11 RELATED POLICIES, DIRECTIVES AND GUIDANCE NATO Cyber Defense Policy Cyber Defense Action Plan (AC/281-N(2012)0119-REV7, Cyber Defense Action Plan 12 Jan 2012) A DPPC working document current at REV 7 identifying actionable tasks to achieve the elements identified in the cyber defense policy. NPAG Terms of Reference (AC/322-D(2009)0048, 26 Nov 2009), written by NPAG and NHQC3S. The purpose of this document is to revise the NATO PKI Advisory Cell (PAC) Terms of Reference (TOR) and rename the PAC as the NATO PKI Advisory Group (NPAG). NATO Public Key Infrastructure (NPKI) HandBook (AC/322(NPMA)D(2006)0003-REV1, 28 Sep 2009) written by NPAG & NHQC3S. The purpose of this document is to establish the procedure for an applicant NATO entity to have its CA to be integrated in the NPKI architecture. The NATO Identity Management Framework (Multiref EAPC(AC/322-SC/4)N(2009)0002, EAPC(AC/322-SC/5)N(2009)0009, AC/322(NPMA)N(2009)0001, 11 Mar 2009) written by SC/5. This document describes a common, structured Identity Management Model and Identity Management Plane to be used within and across NATO and its member nations (federated approach, extending the specific definition of IDs within a single domain). ACP145 NPKI Supporting Document (AC/322(NPMA)WP(2008)0001, 15 Dec 2008) written by NC3A. This document defines the creation and management of Version 3 X.509 public-key certificates for use in supporting interoperability with ACP 145 Gateways and their associated PKIs. Certification Practice Statement For The NATO Root Certificate Authority (AC/322(NPMA)D(2006)0001-REV3, 27 Oct 2008) written by NC3A and DACAN. This document defines the practices under which the NATO PKI Root Certificate Authority (CA) operates. The NATO PKI (NPKI) implements a hierarchical trust model originating at this single Root CA operated by DACAN. This document defines the relationship of the NATO PKI Root Certificate Authority with other Certificate Authorities, both those that are sub-ordinate within its own domain, and those external to its hierarchy. Certification Practice Statement For The NATO Secret Certification Authority (AC/322(NPMA)D(2008)0001, 18 Sep 2008) written by NIATC. This document defines the 11

12 practices under which the NS CA operates and the manner in which the system complies with the NATO PKI Certificate Policy. NPKI Technical Characteristics (AC/322-N(2008)0004, 28 Jan 2008), written by NC3A and NPAG. The purpose of the Technical Characteristics document is to define the minimum requirements for the NATO Public Key Infrastructure required to support the protection of NATO CIS and NATO information processed or transmitted by the CIS. NATO Messaging System (AC/322(NPMA-PAC)L(2007)0002, 31 Jul 2007), written by Core Enterprise Services Working Group (CESWG) SC/5. The purpose of this document was to produce a strategy to map out the way ahead for high grade messaging' in response to an earlier tasking by the NC3B Certification Practice Statement For The NATO Unclassified/NATO Restricted Certification Authority (AC/322(NPMA)D(2006)0002, 09 Oct 2006), written by NC3A. This document is the Certification Practice Statement (CPS) for the NCSA NUNR CA. This document follows the structure defined in RFC2527, and defines CA functionality compliant with CertP V1.5. Revised NATO PKI Certificate Policy (RFC 3647 Framework, AC/322(NPMA-PAC)WP(2005)0003, 22 Sep 2005), written by NC3A. This document defines the creation and management of Version 3 X.509 public-key certificates for use in applications requiring security services. This Certificate Policy does not define a particular implementation of the NPKI, or the plans for future Certificate Policies. It is the intent of this Policy to identify the minimum requirements and procedures that are necessary to support trust in the NPKI, and to minimize imposition of specific implementation requirements on NPKI CAs, RAs, Subscribers, and relying parties. NPKI Root Certificate Authority Audit Checklists (AC/322(NPMA-PAC)WP(2005)0002, 09 August 2005), written by NC3A. The purpose of this checklist was to be used for the audit of the NPKI Root Certificate Authority. NATO Directive for NATO Public Key Infrastructure (NPKI) Interoperability with the Nations (AC/322(NPMA)WP(2005)0001, 04 Mar 2005), written by NPAG. The purpose of this directive is to define the necessary steps for the secure exchange of PKI information between NATO civil and military bodies, the nations, and partners for both classified and non-classified information. 12

13 NPKI Token Strategy Document (AC/322(NPMA-PAC)WP(2003)006-REV1, 19 Aug 2004), written by NPAG and NC3A. This document describes the technologies available for hardware tokens, the possible associated evaluation standards and proposes requirements for the implementation of hardware tokens in the frame of the NATO PKI. NATO Public Key Infrastructure (NPKI) Reference Architecture (AC/322(NPMA)WP(2003)002, 19 Dec 2003), written by NC3A. This document addresses public key technology functionality across the Operational, System, and Technical views of the NATO C3 Systems architecture at the Reference Architecture level of detail, per the guidance set down in the NATO Interoperability Management Plan (NIMP). Revised NPMA/PAC Program of Work (AC/322(NPMA-PAC)WP(2003)004, 28 Aug 2003), written by NHQC3S. The purpose of the document was to develop task sheets of the NPMA/PAC Program of Work. NATO Policy for the adoption of Public Key Infrastructure Technology by NATO Civil and Military Bodies (AC/322(NPMA)L(2003)001, 10 Jun 2003), written by NPAG and NHQC3S. The purpose of this document is to provide for effective management of all PKI initiatives within NATO by controlling and co-ordinating the implementation of a Public Key Infrastructure in support of NATO CIS. This document applies to all NATO civil and military bodies that implement, or are planning the implementation of, PKI techniques in NATO communication and information Systems. It is supported by implementation Directives and Guidance documents as required, approved by the NATO C3 Board. NATO Policy for the implementation of a PKI (C-M(2003)32, 03 Apr 2003), written by NPAG. The NATO C3 Board approved the NATO Policy for the Adoption of Public Key Infrastructure (PKI) Technology by NATO Civil and Military Bodies. This paper acts as an umbrella document for the implementation of the Public Key Infrastructure (PKI) within the Alliance that will be pursued and controlled by the NC3B. NPKI Concept of Operations (AC/322-D/0081, 18 Dec 2002), written by NPAG. The NATO Public Key Infrastructure (NPKI) Concept of Operations (CONOPS) provides the principles for NATO to deploy a PKI in order to enable PKI-derived security services. The NPKI CONOPS also describes the process to achieve interoperability between the NPKI and the PKIs of other organizations and countries, especially the NATO member nations. 13

14 Legal Aspects of the NPKI (AC/322-D/0080, 18 Dec 2002), written by NPAG and NHQC3S. The purpose of this task was to carefully examine the impact of NATO PKI implementation identifying legal aspects that needed to be solved prior to approving any policy, directive or guidance related to the fielding of NATO PKI. NPKI Awareness Strategy (AC/322(NPMA-PAC)-WP08, 21 Mar 2001), written by NPAG and NHQC3S. The purpose of this document is to select the targets of this awareness programme. In other words, to select the communities interested in the implementation of a PKI within NATO and to seek the best method to provide to each community the most efficient and effective information. NPMA Terms of Reference (AC/322-N-0641, 18 Dec 2000), written by NC3A and NHQC3S. The purpose of this document is to develop the NATO PKI Management Authority (NPMA) Terms of Reference (TOR). 14