NATO PKI ADVISORY Group

NATO
Identity Management
PKI and Strong Authentication
Snapshot May 2012
NATO and Identity Management
CONTENTS
THE IDENTITY MANAGEMENT CHALLENGE
BACKGROUND INFORMATION ON NATO PKI
NATO PKI MANAGEMENT AUTHORITY
NPKI TIMELINE
NATO IDENTITY MANAGEMENT BACKGROUND
RELATED POLICIES, DIRECTIVES AND GUIDANCE
THE IDENTITY MANAGEMENT CHALLENGE
The NATO Identity Management (IdM) vision is a federated, robust, trustworthy and interoperable
Identity Management capability that supports the ability to correctly identify participants and Non-Human Entities of Alliance mission operations. But despite the numerous NATO efforts underway to
establish and apply identification policies and mechanisms, NATO has not articulated the overarching
requirement for and roadmap to implement and manage this activity as a whole.
Implementing identity management implies establishment of frameworks, models, standards, protocols,
processes and technology that enroll, register and un-register/retire identity assets across the
enterprise. Managing these implementation efforts also requires a lead body with the ability and
accountability to realize this potential within NATO. The following is a snapshot of current NATO efforts
underway that exemplify the shortfalls within the Alliance on this issue.
TECHNICAL & IMPLEMENTATION POLICY DEVELOPMENT
The Bi-SC Secure Data Strategy (SDS) advocates moving along paths towards automated, protected and
trusted core networking and data exchange leading to superior C2 arrangements. Key to pursuing these
objectives is adaptation of policies and supporting directives and coordinated efforts among the Security
Committee (IA), C3 Board, and the NPMA. The SDS shows that some technical policies and directives in
their current state may hinder rather than enable the attainment of Alliance IdM goals. In some cases
policies and roadmaps simply do not exist and will have to be drafted and approved. As an example, for
trusted data exchange, metadata standards need to be finalized and metadata security standards and
public key infrastructure need to be defined and implemented. With respect to identity management,
minimum identity attributes and privileges, and the interoperability requirements, must be established.
Looking to the future, not only will NATO have to manage identities within its own mission and business
environment, it must also be prepared to exchange identities across federated environments involving
NATO nations, partner nations and non-NATO nations and organizations.
STRONG AUTHENTICATION & IDENTITY MANAGEMENT
NATO’s new cyber defense policy and an associated action plan contain the only actionable roadmap of
IdM-related activities, namely the implementation of strong authentication to access NATO CIS.
Nevertheless, the C3B (PS) has yet to provide clear guidance and tasking to its subordinate structure
(Capability Panel and Teams) to carry out this work. This key challenge for the C3B (PS), i.e.,
governance, management and oversight of enterprise-wide technical implementations, is not limited to
Identity Management.
NATO is also struggling with the task of defining strong authentication in the context of the Cyber
Defense Policy, a task for which the C3B exercises oversight. Most recently the Security Committee in IA
format has tried to reconcile the DPPC-R (CD) developed requirement for ‘strong authentication’ as an
item to enhance NATO’s cyber posture with a more specific meaning of the term. Without a clear
understanding and definition of the term, relevant NATO bodies are reluctant to move forward and
accept that stronger authentication or even multifactor authentication can be achieved.
ELEMENTS FOR AN IDENTITY MANAGEMENT INFRASTRUCTURE
While PKI is a fundamental element of an IdM infrastructure, the NATO PKI statement of requirements
as approved in 2009 did not include multifactor authentication or strong authentication, nor is it
predicated upon realizing a broader NATO identity management infrastructure. Neither were other
elements – such as the Cyber Defense Action Plan’s call for strong authentication and the NATO
enterprise directory service – considered in a broader identity and access management context. These
elements as a whole have not been organized into a coherent policy/management and
technology/architecture roadmap. Assembling the identity-related information from existing NATO
systems and joining them together so that the data associated with an individual is linked together, and
then making that available to applications for authentication, access and privilege management, is
precisely what constitutes an identity management infrastructure.
These facts clearly expose the need for NATO to develop a prioritized timeline and tasking necessary to
implement a robust NATO Identity Management service within a structure that provides oversight and
governance, superior to – but with ability to influence the execution and implementation of – CDAP item
#3.
BACKGROUND INFORMATION ON NATO PKI
The initial NATO PKI SOR (Statement of Operational Requirement) was approved in 1998 (static
network implementation with 10k users). The capability package CP-0A155, the NATO common
funding source for INFOSEC, identified funding only for the PKI infrastructure, not for Enterprise
Directory or functional area services, end-user application integration, certificates or end
entity user tokens. In 2006, following mission/scope creep, the SOR was rewritten to support static and
deployed implementation for 200k users. The SOR was not finalized until mid-2009. The Type-B cost
estimate is yet to be completed. Although the SOR significantly expanded the scope, additional
funding has not been identified; the initial cost estimate was 2.2M Euros, while the re-scoped SOR TBCE
is ~11M Euros across all funding sources, including the full scope of the new SOR and tokens/certificates,
which are included in CP0A0155.
NC3A is currently working the TBCE to encompass the ACO re-scoped PKI requirement and
encompass funding from CPA0155 and other sources, taking into consideration the existing
interim solution as well as the additional requirement levied in CUR422 in support of the ISAF
mission.
COMPOSITION OF NATO’S PKI CAPABILITY
Despite the numerous NATO efforts underway to establish and apply identification policies and
mechanisms, NATO has not articulated the overarching requirement for, and strategy to,
manage these activities as a whole. In June 2003, NATO developed a policy for the adoption of
Public Key Infrastructure Technology by NATO Civil and Military Bodies. This policy states that
NATO PKI shall be implemented by only one authority, the NATO PKI Management Authority
(NPMA). The NPMA has only approved one NATO PKI which is described in NATO PKI
Certificate Policy (AC/322(NPMA-PAC)WP(2005)0003). This approved NATO PKI can generate,
distribute, and manage cryptographic keys, electronic certificates, and electronic Certificate
Revocation Lists (CRL), which allows for securing the electronic IT environment for use in the
NATO Alliance. Currently, NATO information is being protected at the system level. Trust to be
based upon this information is out of (system) band and conducted in a procedural manner.
The approved interim NATO PKI has been implemented at NATO Headquarters (NATO HQS - 100
entities), NATO C3 Agency (NC3A - 150 entities), and NATO CIS Services Agency (NCSA - 450
entities) on the NATO Unclassified/NATO Restricted [1] domain. Additionally, the approved NATO
PKI has also been implemented at NATO International Security Assistance Forces (ISAF - 200
entities) and NATO General Communication System Packet Transport Component Network
Adaptation For Information exchange gateways (NGCS PTC NAFI - 200 entities). Overall,
approximately 600 hard tokens are in use.
[1] NATO Restricted, similar to but not equal to the US U//FOUO. NR may not be transmitted over the internet in the clear.
At the same time, other NATO organizations such as NATO Maintenance & Supply Agency
(NAMSA), NATO Eurofighter & Tornado Management Agency (NETMA), NATO Battlefield
Information Collection & Exploitation Systems (BICES), and NATO Information Assurance
Technical Center (NIATC) have developed and implemented their own versions of PKI. Due to
their expanding operational environment, these organizations had an urgent need to establish
a PKI solution rapidly and could not wait for an enterprise-wide NATO PKI capability. These
versions of PKI have not been approved by the NPMA; therefore they are not compliant with
NATO policy.
NATO PKI MANAGEMENT AUTHORITY
The NATO PKI Management Authority (NPMA) serves as the executive agent for the
development and operation of the NPKI. Its primary focus is to establish and maintain the
desired level of assurance when providing PKI services to NATO users and when defining the
rules for interoperation with other PKIs, for example, when negotiating agreements with
nations and other external certification authorities and PMAs. The NPMA acts as directed by,
and under the control of, the NATO C3 Board (NC3B). When executing its mission, it remains
responsive, through the NC3B, to the North Atlantic Council.
MEMBERS
Chairman: (NHQC3S Director)
Secretary: (NHQC3S IAB Staff Officer)
Members: representatives from ACO, ACT, NATO HQ Executive Secretariat, NC3A, NCSA,
NHQC3S, NOS, Infrastructure Committee, PAC Chairman. Representatives of other NATO
agencies and national experts may also be invited to attend the meetings in an advisory
capacity.
NATO PKI ADVISORY GROUP
The NATO PKI Advisory Group (NPAG) provides assistance and advice to the NPMA on legal
issues, technical issues, and current NATO standard operating procedures.
MEMBERS
Chairman: (NHQC3S IAB Staff Officer)
Members: representatives from Strategic Commands, NATO Legal Advisor, NC3A, NCSA,
NHQC3S, NOS, Nations (subject matter experts), DACAN, other NATO bodies. Representatives
of other NATO agencies, national experts and industry representatives may also be invited to
attend the meetings.
MILITARY COMMITTEE DISTRIBUTION AND ACCOUNTING AGENCY
The Military Committee Distribution and Accounting Agency (DACAN) arranges for the
production, accounting, and distribution of all keying material used by NATO. DACAN serves as
the trusted agent responsible for the management of keying material necessary to ensure the
confidentiality, integrity, availability, and authenticity of NATO information, communications,
and automated information systems. DACAN shall provide these services as the NPKI Root
Certificate Authority and perform as the ultimate trust point in the NATO domain to enforce the
NPKI Certificate Policies.
EUROPEAN DISTRIBUTION AND ACCOUNTING AGENCY OF THE MILITARY COMMITTEE
The European Distribution and Accounting Agency of the Military Committee (EUDAC) serves as
the trusted agent, in co-operation with DACAN, for the distribution of NATO keying material.
EUDAC shall serve as the NPKI Root CA backup site and shall assume the responsibilities of
DACAN as the ultimate trust point in the NATO domain to enforce the NPKI Certificate Policies if
necessary. DACAN will remain the primary point of contact for all issues related to the NPKI
Root CA in the event that the backup site has been activated.
NATO CIS SERVICES AGENCY
The NATO CIS Services Agency (NCSA) and its subordinate elements manage, operate and
control, on behalf of all subscribers, the Communications and Information Systems (CIS) and
installations assigned to it by the NC3B. In addition, NCSA and its subordinate elements provide
operational support comprising hardware and software maintenance, personnel training,
installation and associated services including security for assigned CIS and authorized
subscribers. NCSA is responsible for the management, operation and control of NPKI CA and RA
systems supporting CIS assigned to NCSA (with the exception of the NPKI Root CA).
SECURITY ACCREDITATION AUTHORITY
The Security Accreditation Authority (SAA) is the body responsible for approving the
implementation of CIS within an organization. The SAA for the NPKI Root CA is the NATO
Security Accreditation Board (NSAB). The NATO Office of Security (NOS) is the Compliance
Auditor for the NPKI as defined by the NPKI Directive. The NOS is responsible for compliance
audits and continued accreditation of the NPKI Root CA.
NPKI TIMELINE
NATO IDENTITY MANAGEMENT BACKGROUND
The NATO Network Enabled Capability (NNEC) Feasibility Study (FS) endorsed by the NATO C3 Board
highlights the challenges the Alliance faces with respect to the deployment of an Alliance-wide,
interoperable Identity Management (IdM) scheme to support information sharing.
FRAMEWORK - ORIGINS
In response to the NNEC study and following coordination with the management teams of SC/4 and
SC/5, NATO held a series of IdM Workshops in 2008 in order to develop a NATO IdM framework and to
define a common structured IdM model and IdM plane within and across NATO and member nations.
The NATO IdM Straw-man document produced did not address a holistic implementation of IdM but
rather only addressed a narrowly focused aspect of messaging interoperability. A first version of this
framework document is at Enclosure 1, and is now presented to SC/4, SC/5 and the NPMA on a ‘request
for comment’ basis.
Despite the number of NATO efforts underway to establish and apply identification policies and
mechanisms, NATO has not articulated the overarching requirement for, and strategy to, manage these
activities as a whole. At the same time, the Alliance mission environment and associated identity
management challenges are becoming more complex due to coalition operations in Afghanistan and
elsewhere. Not only must NATO manage identities within its own mission and business environments, it
must also exchange identities across federated environments involving NATO nations, partner nations
and international organizations.
NIDM GOVERNANCE, SCOPE CHALLENGES
Discussions within SMI AHWG and the IdM Workshops led to a growing U.S. concern that NATO IdM was
not tracking in the right direction. In the absence of a governance framework or even
an agreed scope for IdM within the Alliance, any activities would essentially continue to move
forward in parallel or even diverging directions. Within the U.S., this conclusion culminated in a break of
silence on the draft IdM framework; relevant text from that document is below.
US BREAK OF SILENCE 2009
"ID management goes way beyond security aspects. It means that there's frameworks, models, standards,
protocols, processes and technology that enroll, register and un-register/retire assets across the enterprise,
whether they are human or not." The U.S. therefore recommends standing up "a PKI Program Office that has
a wider scope than the current NPMA and PAC because it could extend the role of the emerging PKI to take on
a larger Identity Management role that will support both logical and physical access needs and therefore
more effectively adapt the PKI to rapidly support emerging ID management needs."
The U.S. proposals in the 2009 break of silence were a difficult sell in the current NATO resource
environment. There were also concerns about focusing on a higher level strategic framework instead of
emerging, near-term operational requirements such as the “TACTIC” CUR for a common identity card in the
ISAF Theater. Indeed, ACO J6 announced at the June 2010 SC/4 they had produced an IdM Strategy of their
own addressing the “how”.
NATO Identity Management will create the basis of a secure enterprise capability that will permit
identity-sensitive applications to collect identity information, establish and assign attributes to a digital
identity, and connect that identity to an entity in support of mission objectives.
RELATED POLICIES, DIRECTIVES AND GUIDANCE
NATO Cyber Defense Policy
Cyber Defense Action Plan (AC/281-N(2012)0119-REV7, Cyber Defense Action Plan 12 Jan
2012). A DPPC working document, currently at REV 7, identifying actionable tasks to achieve the
elements identified in the cyber defense policy.
NPAG Terms of Reference (AC/322-D(2009)0048, 26 Nov 2009), written by NPAG and NHQC3S.
The purpose of this document is to revise the NATO PKI Advisory Cell (PAC) Terms of Reference
(TOR) and rename the PAC as the “NATO PKI Advisory Group (NPAG).”
NATO Public Key Infrastructure (NPKI) HandBook (AC/322(NPMA)D(2006)0003-REV1, 28 Sep
2009) written by NPAG & NHQC3S. The purpose of this document is to establish the procedure
for an applicant NATO entity to have its CA integrated in the NPKI architecture.
The NATO Identity Management Framework (Multiref EAPC(AC/322-SC/4)N(2009)0002,
EAPC(AC/322-SC/5)N(2009)0009, AC/322(NPMA)N(2009)0001, 11 Mar 2009) written by SC/5.
This document describes a common, structured Identity Management Model and Identity
Management Plane to be used within and across NATO and its member nations (federated
approach, extending the specific definition of IDs within a single domain).
ACP145 NPKI Supporting Document (AC/322(NPMA)WP(2008)0001, 15 Dec 2008) written by
NC3A. This document defines the creation and management of Version 3 X.509 public-key
certificates for use in supporting interoperability with ACP 145 Gateways and their associated
PKIs.
Certification Practice Statement For The NATO Root Certificate Authority
(AC/322(NPMA)D(2006)0001-REV3, 27 Oct 2008) written by NC3A and DACAN. This document
defines the practices under which the NATO PKI Root Certificate Authority
(CA) operates. The NATO PKI (NPKI) implements a hierarchical trust model originating at this
single Root CA operated by DACAN. This document defines the relationship of the NATO PKI
Root Certificate Authority with other Certificate Authorities, both those that are subordinate
within its own domain, and those external to its hierarchy.
Certification Practice Statement For The NATO Secret Certification Authority
(AC/322(NPMA)D(2008)0001, 18 Sep 2008) written by NIATC. This document defines the
practices under which the NS CA operates and the manner in which the system complies with
the NATO PKI Certificate Policy.
NPKI Technical Characteristics (AC/322-N(2008)0004, 28 Jan 2008), written by NC3A and NPAG.
The purpose of the Technical Characteristics document is to define the minimum requirements
for the NATO Public Key Infrastructure required to support the protection of NATO CIS and
NATO information processed or transmitted by the CIS.
NATO Messaging System (AC/322(NPMA-PAC)L(2007)0002, 31 Jul 2007), written by Core
Enterprise Services Working Group (CESWG) SC/5. The purpose of this document was to
produce a strategy to map out the way ahead for 'high grade messaging' in response to an
earlier tasking by the NC3B.
Certification Practice Statement For The NATO Unclassified/NATO Restricted Certification
Authority (AC/322(NPMA)D(2006)0002, 09 Oct 2006), written by NC3A. This document is the
Certification Practice Statement (CPS) for the NCSA NUNR CA. This document follows the
structure defined in RFC2527, and defines CA functionality compliant with CertP V1.5.
Revised NATO PKI Certificate Policy (RFC 3647 Framework, AC/322(NPMA-PAC)WP(2005)0003,
22 Sep 2005), written by NC3A. This document defines the creation and management of
Version 3 X.509 public-key certificates for use in applications requiring security services. This
Certificate Policy does not define a particular implementation of the NPKI, or the plans for
future Certificate Policies. It is the intent of this Policy to identify the minimum requirements
and procedures that are necessary to support trust in the NPKI, and to minimize imposition of
specific implementation requirements on NPKI CAs, RAs, Subscribers, and relying parties.
NPKI Root Certificate Authority Audit Checklists (AC/322(NPMA-PAC)WP(2005)0002, 09
August 2005), written by NC3A. The purpose of this checklist was to be used for the audit of
the NPKI Root Certificate Authority.
NATO Directive for NATO Public Key Infrastructure (NPKI) Interoperability with the Nations
(AC/322(NPMA)WP(2005)0001, 04 Mar 2005), written by NPAG. The purpose of this directive
is to define the necessary steps for the secure exchange of PKI information between NATO civil
and military bodies, the nations, and partners for both classified and non-classified information.
NPKI Token Strategy Document (AC/322(NPMA-PAC)WP(2003)006-REV1, 19 Aug 2004), written
by NPAG and NC3A. This document describes the technologies available for hardware tokens,
the possible associated evaluation standards and proposes requirements for the
implementation of hardware tokens in the frame of the NATO PKI.
NATO Public Key Infrastructure (NPKI) Reference Architecture (AC/322(NPMA)WP(2003)002,
19 Dec 2003), written by NC3A. This document addresses public key technology functionality
across the Operational, System, and Technical views of the NATO C3 Systems architecture at
the Reference Architecture level of detail, per the guidance set down in the NATO
Interoperability Management Plan (NIMP).
Revised NPMA/PAC Program of Work (AC/322(NPMA-PAC)WP(2003)004, 28 Aug 2003),
written by NHQC3S. The purpose of the document was to develop task sheets of the
NPMA/PAC Program of Work.
NATO Policy for the adoption of Public Key Infrastructure Technology by NATO Civil and
Military Bodies (AC/322(NPMA)L(2003)001, 10 Jun 2003), written by NPAG and NHQC3S. The
purpose of this document is to provide for effective management of all PKI initiatives within
NATO by controlling and co-ordinating the implementation of a Public Key Infrastructure in
support of NATO CIS. This document applies to all NATO civil and military bodies that
implement, or are planning the implementation of, PKI techniques in NATO communication and
information Systems. It is supported by implementation Directives and Guidance documents as
required, approved by the NATO C3 Board.
NATO Policy for the implementation of a PKI (C-M(2003)32, 03 Apr 2003), written by NPAG.
The NATO C3 Board approved the ‘NATO Policy for the Adoption of Public Key Infrastructure
(PKI) Technology by NATO Civil and Military Bodies.’ This paper acts as an “umbrella”
document for the implementation of the Public Key Infrastructure (PKI) within the Alliance that
will be pursued and controlled by the NC3B.
NPKI Concept of Operations (AC/322-D/0081, 18 Dec 2002), written by NPAG. The NATO
Public Key Infrastructure (NPKI) Concept of Operations (CONOPS) provides the principles for
NATO to deploy a PKI in order to enable PKI-derived security services. The NPKI CONOPS also
describes the process to achieve interoperability between the NPKI and the PKIs of other
organizations and countries, especially the NATO member nations.
Legal Aspects of the NPKI (AC/322-D/0080, 18 Dec 2002), written by NPAG and NHQC3S. The
purpose of this task was to carefully examine the impact of NATO PKI implementation
identifying legal aspects that needed to be solved prior to approving any policy, directive or
guidance related to the fielding of NATO PKI.
NPKI Awareness Strategy (AC/322(NPMA-PAC)-WP08, 21 Mar 2001), written by NPAG and
NHQC3S. The purpose of this document is to select the ‘targets’ of this awareness programme.
In other words, to select the communities interested in the implementation of a PKI within
NATO and to seek the best method to provide to each community the most efficient and
effective information.
NPMA Terms of Reference (AC/322-N-0641, 18 Dec 2000), written by NC3A and NHQC3S. The
purpose of this document is to develop the NATO PKI Management Authority (NPMA) Terms of
Reference (TOR).