Multi-Level Middleware Summary
Multi-Level Middleware Overview
Improved information sharing and collaboration are two of the primary priorities for transformational change in both the defense and intelligence communities. For Network Centric Warfare and All Sources Intelligence, the separation of content onto many different, disconnected networks is a significant challenge.
Cross-domain solutions (CDS) offer some assistance in connecting networks, but it is difficult to control content across the lifecycle as it flows between domains, and it is also difficult to suitably ‘lock down’ the data guards and other gateways, as well as preventing Trojan infection of higher zones. Like stateful firewalls, data guards are often not robust enough when dealing with a nation’s secrets, which is why most classified networks are not internet connected.
Multi-level security is often described as the ‘Holy Grail’ in the community, in which users operate at multiple security levels at the same time, with single views of data across multiple networks. However, deploying MLS systems is typically very difficult for several reasons:
For these reasons, implementations bridging security domains have so far been limited to infrastructure projects (cross-domain access technologies), e.g. using Solaris 10 TX with the Sun Ray MLS desktop to allow multiple separate Windows sessions over different networks. However, these systems have more in common with Multiple Independent Level Security (MILS) rather than true MLS – they operate more like a Keyboard, Video and Monitor (KVM) switch between completely independent virtual desktops. Achieving real MLS applications that provide a single view of data and interface that allows interaction with the data across multiple levels has proved to be very challenging.
BlueSpace has developed a multi-level middleware strategy and platform to help address this challenge, by allowing defense and intelligence organizations to rapidly develop and deploy MLS versions of both custom and COTS applications with a minimal accreditation footprint.
The BlueSpace Trusted Service Bus provides an administratively controlled, cross-domain message bus for application orchestration of multi-level systems. The BlueSpace Trusted Client Framework leverages the Trusted Service Bus to allow multi-level mashups, and end user interfaces that operate at multiple security levels at the same time while preserving mandatory access controls.
BlueSpace has contracted with Atsec, a Common Criteria Testing Laboratory (CCTL) in the US, to take the Trusted Service Bus through an EAL5+ evaluation process. According to Klaus Weidner, Principal Consultant at Atsec:
“The Trusted Client Framework uses a core trusted component which connects mutually isolated, single-level application services to provide what appears to the user to be an integrated multi-level application. This makes it feasible to pursue a high assurance level with minimized security testing and accreditation footprint.”
By isolating all MLS functions in a core trusted component, new MLS applications being developed using the Trusted Client Framework do not need new code with additional privileges, but rather introduce new message types on a Trusted Service Bus that has already been approved (expected to be both certified and accredited during 2009).
The Trusted Client Framework can be used to develop many different applications, such as:
With the Trusted Client Framework, organizations can ‘mash together’ data from different systems and networks into unified interfaces without sacrificing security and still supporting independent administration of the backend systems on separate networks.
“The customers we work with in the defense and intelligence communities are very excited about this capability. This approach will greatly reduce the cost of maintenance, certification and accreditation compared to cross-domain solutions. This lets us get more capability in the hands of intelligence analysts and warfighters, faster and cheaper, without compromising security.”
Jeff Moore, VP of Business Development, Sterling Computers
- Supports multi-level applications and systems
- Facilitates client-side MLS mashups
- Cuts the time for development and deployment
- Works with existing custom and COTS products
- Low accreditation footprint
Multi-Level Middleware Overview
Improved information sharing and collaboration are two of the primary priorities for transformational change in both the defense and intelligence communities. For Network Centric Warfare and All Sources Intelligence, the separation of content onto many different, disconnected networks is a significant challenge.
Cross-domain solutions (CDS) offer some assistance in connecting networks, but it is difficult to control content across the lifecycle as it flows between domains, and it is also difficult to suitably ‘lock down’ the data guards and other gateways, as well as preventing Trojan infection of higher zones. Like stateful firewalls, data guards are often not robust enough when dealing with a nation’s secrets, which is why most classified networks are not internet connected.
Multi-level security is often described as the ‘Holy Grail’ in the community, in which users operate at multiple security levels at the same time, with single views of data across multiple networks. However, deploying MLS systems is typically very difficult for several reasons:
- Development – there are very few people who understand both application development and low-level operating system kernels and infrastructure in enough detail to develop successful MLS applications.
- Accreditation – any software code that can touch multiple networks (or zones) at different classification levels requires a high level of scrutiny to ensure there are no backdoors or weaknesses that would allow content leakage between security levels.
- Deployment – there are very few people who have a proven track record in deploying MLS systems, as the privilege management and administration need a great deal of fine tuning.
- Maintenance – once an MLS application has been developed, any changes or patching of the code that has special privileges again requires very detailed scrutiny, whether that be custom code or code leveraged from COTS applications e.g. wikis or blogs.
For these reasons, implementations bridging security domains have so far been limited to infrastructure projects (cross-domain access technologies), e.g. using Solaris 10 TX with the Sun Ray MLS desktop to allow multiple separate Windows sessions over different networks. However, these systems have more in common with Multiple Independent Level Security (MILS) rather than true MLS – they operate more like a Keyboard, Video and Monitor (KVM) switch between completely independent virtual desktops. Achieving real MLS applications that provide a single view of data and interface that allows interaction with the data across multiple levels has proved to be very challenging.
BlueSpace has developed a multi-level middleware strategy and platform to help address this challenge, by allowing defense and intelligence organizations to rapidly develop and deploy MLS versions of both custom and COTS applications with a minimal accreditation footprint.
The BlueSpace Trusted Service Bus provides an administratively controlled, cross-domain message bus for application orchestration of multi-level systems. The BlueSpace Trusted Client Framework leverages the Trusted Service Bus to allow multi-level mashups, and end user interfaces that operate at multiple security levels at the same time while preserving mandatory access controls.
BlueSpace has contracted with Atsec, a Common Criteria Testing Laboratory (CCTL) in the US, to take the Trusted Service Bus through an EAL5+ evaluation process. According to Klaus Weidner, Principal Consultant at Atsec:
“The Trusted Client Framework uses a core trusted component which connects mutually isolated, single-level application services to provide what appears to the user to be an integrated multi-level application. This makes it feasible to pursue a high assurance level with minimized security testing and accreditation footprint.”
By isolating all MLS functions in a core trusted component, new MLS applications being developed using the Trusted Client Framework do not need new code with additional privileges, but rather introduce new message types on a Trusted Service Bus that has already been approved (expected to be both certified and accredited during 2009).
The Trusted Client Framework can be used to develop many different applications, such as:
- MLS instant messaging
- MLS blogs
- MLS wikis
- MLS federated search
- MLS command and control interfaces
With the Trusted Client Framework, organizations can ‘mash together’ data from different systems and networks into unified interfaces without sacrificing security and still supporting independent administration of the backend systems on separate networks.
“The customers we work with in the defense and intelligence communities are very excited about this capability. This approach will greatly reduce the cost of maintenance, certification and accreditation compared to cross-domain solutions. This lets us get more capability in the hands of intelligence analysts and warfighters, faster and cheaper, without compromising security.”
Jeff Moore, VP of Business Development, Sterling Computers