Defense Systems: June and July 2013

significant portion of JIE, which seeks to enhance network security by employing an SSA to better protect DOD networks, while giving warfighters easier access and allowing for better information sharing among all mis-
The SSA is designed to enable DOD's cyber operators at every level to see the status of their networks for operations and security and enable commonality in how cyber threats are countered. By implementing a standardized security architecture, the U.S. military wants the ability to know who is operating on its networks and what they are doing and be able to attribute their actions with a high degree of confidence.
"The single security architecture is one of the major components of JIE," said Mark Orndorff, DISA's chief information assurance executive and program executive officer for mission assurance and NetOps. "The No. 1 most important advantage is the ability to actively defend the DOD networks in a time frame that we need to execute cyber defensive operations. What I mean by that is the single security architecture will allow us to understand what's going on across the entire DOD network with global cyber situational awareness to a level that we can't do today."
According to Orndorff, the SSA will minimize complexity for a synchronized cyber response, maximize operational efficiencies, and reduce the risks while also reducing the number of organizationally owned firewalls and unique routing algorithms and the inefficient routing of information that currently exists. In addition, a standardized security architecture will better protect the integrity of information from unauthorized access while increasing the ability to respond to security breaches across the system and improving how DOD operates and secures its networks globally, he said.
The SSA "will allow us to implement security controls and countermeasures across the entire network in real time," Orndorff said. "Today we've got a lot of decentralized implementations of some pretty sophisticated and robust capabilities. But they're implemented in pockets, so we don't share information across all the pockets and don't have the ability to simultaneously change policies or controls across all those pockets instantly or at the same time."
ELIMINATING OVERLAP AND DUPLICATION
The problem is that mission assurance services are currently implemented via a complex set of overlapping and duplicative roles and responsibilities. JIE's SSA is a multiphase approach that solves that problem by collapsing the network security boundaries, reducing the external attack surface, and standardizing the management, operational and technical security controls to ensure the confidentiality, integrity and availability of DOD's information assets within all required mission contexts while also facilitating rapid attack detection, diagnosis, containment and response.
"We had in a lot of cases more security layers than we actually need," Orndorff said. "As we design this under the single security architecture, we feel like we can get the right security controls in the right places in the network and eliminate a lot of the duplicate layers that exist in the architecture today. We're going to pick the key places to control network traffic and the key places to implement security capabilities. And then the security layers that exist today over and above the ones that need to be there for this design...will be eliminated."
SSA provides for a common approach to the structure and defense of computing and the networks across all DOD organizations. For example, the SSA describes how core DOD data centers and the server computing resources they contain must be structured, what cyber defenses are required on those computers, and what cyber firebreaks are necessary as part of the internal networks of the data center. In addition, the SSA also describes how remote management and automation of data centers is to be structured and secured, and what cyber-attack detection, diagnosis and reaction capabilities the data center and the remote management system must have.
"We are shifting a bit in the approach so that more security will be wrapped around the data centers and the applications," Orndorff said. "So we're getting a shift in terms of trying to do security at the network boundaries to look at where the applications and data are and better aligning our security architecture to that, which will free up some of the network boundary base defenses."
Another high-priority objective for the SSA is to enable dynamic information sharing with DOD and its mission partners by shifting the focus from securing systems and net-
Single security architecture
will allow us to understand
what's going on across the
entire DOD network...to a
level that we can't do today.
--- MARK ORNDORFF, DISA