Posted on: 4/4/2012. Public Domain.
Sharing information securely through Layer 7’s Oracle Service Bus Appliance

The US intelligence community has long been one of the most complex information processing organizations in the world. Its intelligence gathering and disseminating activities became even more complex in the post-9/11 world as the federal government prioritized the sharing of information across government, military, law enforcement and intelligence agencies.

US Intelligence Community
Secure Information Sharing with Layer 7 Oracle Service Bus Appliance

ESBs in the DMZ

The US Intelligence Community has always operated as silo’ed repositories of information. Post-9/11, those silos had to come down.

Sharing information between agencies would require a SOA-based approach to mediate between disparate systems: an ESB. But to meet federal guidelines, those ESBs would need to be secured in the DMZ.

Layer 7 OSB Appliance provided the perfect congruence of a government-approved security vendor + a SOA integration solution in a security-hardened appliance.

The US federal government is one of the largest and most complex organizations on the planet. By extension, the US Intelligence Community is one of the most complex information gathering, processing and disseminating organizations in the world. By augmenting the power of the US’s military forces, the intelligence community has enabled the US to more effectively project the presence of the only conventional super power left on the globe. But in the post-9/11 world of nonconventional forces, that’s not enough.

September 11, 2001 brought intelligence sharing to the forefront. The sheer scale and complexity of the US military forces presents potential weaknesses that terrorists can take advantage of, so in an effort to coordinate against potential threats, the US government formed the position of the Director of National Intelligence. As publicly stated by Bob Jordan, head of the FBI's Information Sharing Task Force, “Our missions and priorities are being redefined to better reflect the post-9/11 realities… A substantial component of this approach is information sharing, not only at the federal level but also within the entire law enforcement and intelligence communities.” [1]

Goal: Cross Domain Information Sharing

Each organization within the intelligence community has a number of intelligence sharing services that have long been made available within and across their own organization. To open these services to other entities of the greater intelligence sharing community means interconnecting disparate systems that were never created to be interoperable across organizational or jurisdictional boundaries. And that, of course, means opening them up to potential intrusion by third parties.

Selectively exposing information services to partners while locking them down to others is a problem familiar to many commercial organizations, but on a vastly more complex scale than securing a supply chain, for example. So the US government turned to the experts. The federal Systems Integrator (SI) community is both wide and deep, encompassing a range of experienced organizations like Booz Allen Hamilton, Raytheon, General Dynamics, Lockheed Martin, SAIC, and a host of others that have been a key part of building the federal government’s electronic infrastructure for decades.

“We have a lot of technology, but a lot of it is still point solutions focused on just one of those problems, not at the integration in an enterprise or at a national security level. We have a lot of crypto devices, firewalls, identity and access management, including biometrics, smart cards and audit software to see what is going on in the network. My real concern is the integration of that technology.” [2]
Natalie Givans, Vice President, Booz Allen Hamilton.

Problem: Securing ESBs in the DMZ

The US Intelligence Community information sharing project required the implementation of a rapidly deployable, highly secure, perimeter-based solution for delivery of services protected within a high security enclave.
Given the wide range of services provided by the intelligence community, as well as the diverse systems (both modern and legacy) on which those services depended, the solution initially required support for a variety of protocols and transports (including secure FTP, email, HTTP/S and JMS), while subsequent phases of the project would require the flexibility to expand support to include non-standard means. For this reason, a SOA integration solution like Oracle Service Bus (OSB) would need to be central to the solution in order to provide the messaging and connectivity support required. However, sharing silo’ed information securely across organizational boundaries means securing the DMZ – an area in which OSB is not traditionally deployed.

Solution: Layer 7 Oracle Service Bus Appliance Proves Key

Organizations that try to leverage middleware products within a DMZ often face significant resistance from their information assurance and operations departments due to the cost and risks associated with testing and certifying the solution. As a result, usually only pre-approved devices like routers, firewalls and web servers are allowed in the DMZ. A SOA environment exposing messaging and application-specific operations within the application enclave poses a security risk by potentially allowing forged/malicious requests from beyond the enterprise organization’s perimeter into the depths of the organization’s most vulnerable computing resources.

The Layer 7 Oracle Service Bus Appliance (L7 OSB Appliance) from Layer 7 Technologies and Oracle offers the perfect congruence of a government-approved security vendor and a market-leading ESB in a security-hardened appliance format, creating a DMZ-ready SOA development platform.

As a pre-integrated solution delivered in an appliance form factor, the customer’s SI was able to quickly install L7 OSB Appliance in the rack; connect power and network cables; assign an IP address, and make the platform quickly available for use.

The L7 OSB Appliance provides acceleration of CPU-intensive operations like message parsing, data validation and XML transformation, while the integral Layer 7 XML Firewall provides DMZ-class threat protection, advanced identity integration and message level security capabilities to address the broadest range of external threats. By performing these tasks in a hardware appliance, L7 OSB Appliance ensures latency is reduced, applications aren’t overloaded and service endpoints can offload computationally intensive operations to hardware. The OSB’s wide range of out-of-the-box adapters and ability to translate “any-to-any” transport/protocol meant the solution would be able to connect to the diversity of legacy services offered by the Intelligence Community today, while retaining the flexibility to support future transports.

Due to the security requirements of the US national computing infrastructure, L7 OSB Appliance is configured to address message-level Denial of Service (DoS), attached viruses and code injection attacks, as well as ensure message integrity and confidentiality. The L7 OSB Appliance also provides runtime control over federated authentication/authorization of external agencies and partners who seek connectivity to the composite application/messaging capabilities provided by the solution.

The Results

Given that this project was awarded as a firm, fixed price contract, the SI was forced to do more with less. In this scenario the L7 OSB Appliance was a game changer, providing the means to profitably deliver the project by leveraging an out-of-the-box SOA platform in order to build out a solution much quicker than any alternatives.

As a pre-integrated SOA development platform, L7 OSB Appliance provided the SI with a significant head start on the project by reducing installation, deployment and configuration work. Additionally, they were able to take advantage of the pre-existing appliance lockdowns, making certification and accreditation much simpler.

As a result, L7 OSB Appliance dramatically decreased total cost of implementation and time to market, while improving business agility through the OSB’s connectivity adapters and split/join orchestration capabilities.

[1] http://www.fbi.gov/congress/congress02/jordan041702.htm
[2] http://gcn.com/articles/2008/04/24/natalie-givans--security-gets-into-the-mix.aspx

Copyright © 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.