Case Study: US Intelligence Community - Secure Data Sharing by Layer7Tech


									  US Intelligence Community
  Secure Information Sharing with Layer 7 Oracle Service Bus Appliance

      The US federal government is one of the largest and most complex organizations on the planet. By extension, the
      US Intelligence Community is one of the most complex information gathering, processing and disseminating
      organizations in the world. By augmenting the power of the US’s military forces, the intelligence community has
      enabled the US to more effectively project the presence of the only conventional superpower left on the globe.
      But in the post-9/11 world of nonconventional forces, that’s not enough.
      September 11, 2001 brought intelligence sharing to the forefront. The sheer scale and complexity of the US
      military forces present potential weaknesses that terrorists can take advantage of, so in an effort to
      coordinate against potential threats, the US government formed the position of the Director of National
      Intelligence. As publicly stated by Bob Jordan, head of the FBI's Information Sharing Task Force, “Our missions
      and priorities are being redefined to better reflect the post-9/11 realities… A substantial component of this
      approach is information sharing, not only at the federal level but also within the entire law enforcement and
      intelligence communities.” [1]

      ESBs in the DMZ
      The US Intelligence Community has always operated as silo’ed repositories of information. Post-9/11, those silos
      had to come down. Sharing information between agencies would require a SOA-based approach to mediate between
      disparate systems: an ESB. But to meet federal guidelines, those ESBs would need to be secured in the DMZ.
      Layer 7 OSB Appliance provided the perfect congruence of a government-approved security vendor + a SOA
      integration solution in a security-hardened appliance.

      Goal: Cross Domain Information Sharing
      Each organization within the intelligence community has a number of intelligence sharing services that have long
      been made available within and across their own organization. To open these services to other entities of the
      greater intelligence sharing community means interconnecting disparate systems that were never created to be
      interoperable across organizational or jurisdictional boundaries. And that, of course, means opening them up to
      potential intrusion by third parties. Selectively exposing information services to partners while locking them down
      to others is a problem familiar to many commercial organizations, but on a vastly more complex scale than
      securing a supply chain, for example. So the US government turned to the experts.
      The federal Systems Integrator (SI) community is both wide and deep, encompassing a range of experienced
      organizations like Booz Allen Hamilton, Raytheon, General Dynamics, Lockheed Martin, SAIC, and a host of others
      that have been a key part of building the federal government’s electronic infrastructure for decades. “We have a
      lot of technology, but a lot of it is still point solutions focused on just one of those problems, not at the integration
      in an enterprise or at a national security level. We have a lot of crypto devices, firewalls, identity and access
      management, including biometrics, smart cards and audit software to see what is going on in the network. My real
      concern is the integration of that technology.” Natalie Givans, Vice President, Booz Allen Hamilton.

      Problem: Securing ESBs in the DMZ
      The US Intelligence Community information sharing project required the implementation of a rapidly deployable,
      highly secure, perimeter-based solution for delivery of services protected within a high security enclave. Given the
      wide range of services provided by the intelligence community, as well as the diverse systems (both modern and
      legacy) on which those services depended, the solution initially required support for a variety of protocols and
      transports (including secure FTP, email, HTTP/S and JMS), while subsequent phases of the project would require
      the flexibility to expand support to include non-standard means. For this reason, a SOA integration solution like
      Oracle Service Bus (OSB) would need to be central to the solution in order to provide the messaging and
      connectivity support required. However, sharing silo’ed information securely across organizational boundaries
      means securing the DMZ – an area in which OSB is not traditionally deployed.

      Solution: Layer 7 Oracle Service Bus Appliance Proves Key
      Organizations that try to leverage middleware products within a DMZ often face significant resistance from their
      information assurance and operations departments due to the cost and risks associated with testing and certifying
      the solution. As a result, usually only pre-approved devices like routers, firewalls and web servers are allowed in
the DMZ. A SOA environment exposing messaging and application-specific operations within the application
enclave poses a security risk by potentially allowing forged/malicious requests from beyond the enterprise
perimeter into the depths of the organization’s most vulnerable computing resources.
The Layer 7 Oracle Service Bus Appliance (L7 OSB Appliance) from Layer 7 Technologies and Oracle offers the
perfect congruence of a government-approved security vendor and a market-leading ESB in a security-hardened
appliance format, creating a DMZ-ready SOA development platform. As a pre-integrated solution delivered in an
appliance form factor, the customer’s SI was able to quickly install L7 OSB Appliance in the rack; connect power
and network cables; assign an IP address, and make the platform quickly available for use.
The L7 OSB Appliance provides acceleration of CPU-intensive operations like message parsing, data validation and
XML transformation, while the integral Layer 7 XML Firewall provides DMZ-class threat protection, advanced
identity integration and message level security capabilities to address the broadest range of external threats. By
performing these tasks in a hardware appliance, L7 OSB Appliance ensures latency is reduced, applications aren’t
overloaded and service endpoints can offload computationally intensive operations to hardware. The OSB’s wide
range of out-of-the-box adapters and ability to translate “any-to-any” transport/protocol meant the solution
would be able to connect to the diversity of legacy services offered by the Intelligence Community today, while
retaining the flexibility to support future transports.
Due to the security requirements of the US national computing infrastructure, L7 OSB Appliance is configured to
address Denial of Service (DoS), attached viruses and code injection attacks, as well as ensure message
integrity and confidentiality. The L7 OSB Appliance also provides runtime control over federated
authentication/authorization of external agencies and partners who seek connectivity to the composite
application/messaging capabilities provided by the solution.

The Results
Given that this project was awarded as a firm, fixed price contract, the SI was forced to do more with less. In this
scenario, the L7 OSB Appliance was a game changer, providing the means to profitably deliver the project by
leveraging an out-of-the-box SOA platform in order to build out a solution much quicker than any alternatives.
As a pre-integrated SOA development platform, L7 OSB Appliance provided the SI with a significant head start on
the project by reducing installation, deployment and configuration work. Additionally, they were able to take
advantage of the pre-existing appliance lockdowns, making certification and accreditation much simpler.
As a result, L7 OSB Appliance dramatically decreased total cost of implementation and time to market, while
improving business agility through the OSB connectivity adapters and split/join orchestration capabilities.

         Copyright © 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
         trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
