Federation for a Secure Enterprise
Abstract
Federated activity presents a challenge for enterprises with high-level security architectures. Federation involves information sharing among the services and with working partners, coalition partners, first responders and other organizations. Federation may be unilateral or bilateral with similar or dissimilar information sharing goals. Strong internal security controls often do not extend cleanly across enterprise boundaries, potentially leading to insecure shortcuts and workarounds that can become the rule instead of the exception. This paper presents methods for an enterprise to extend its strong security policies to include federation partners. It applies to federation partners that support the same security policies with compatible standards and services, and also to partners that provide a similar but incompatible security framework, a subset of required security services, or no security services. The partner may be fully trusted, partially trusted, or untrusted. Even in trusted partners, the services may not meet required security standards. The solution presented combines selected partner security services, internal services, derived credentials, delegated authorities, and supplemental services to form the federation security architecture. This paper uses the Enterprise Level Security (ELS) architecture as the starting point for a secure enterprise and addresses the challenge of extending this model to federate with different types of partners. We review the security approach, the security properties, and several options for an enterprise to maintain the ELS security properties while enabling federated sharing with other enterprises that have different capabilities and levels of trust.
Document Details
- Document Type: Technical Report
- Publication Date: Sep 10, 2016
- Accession Number: AD1017502
Entities
People
- Kevin E. Foltz
- William R. Simpson
Organizations
- Institute for Defense Analyses