Over the years, information sharing security has undergone a paradigm shift, especially among defense and intelligence organizations. Specifically, there has been a fundamental change from “need to know” to “need to share.”
We have seen this change explode into other industries such as finance, commerce, health care and transportation. Information Sharing Analysis Center, or ISAC, entities that govern information sharing throughout market segments are increasing in number.
Recent congressional efforts to refine and expand the federal government’s policies and activities focused on information sharing are culminating in recent bills that are working their way through the House and Senate.
These recent activities are in response to organizations that increasingly need to share their time-sensitive critical information, while ensuring the correct exchange of authorized data with authorized recipients to respond to threats or to operational pressures.
Unfortunately, in today’s environment, data is typically transferred manually on media devices to stakeholders. This is an inefficient process that makes data lose its value and interferes with timely mission-critical collaboration and analysis to respond to active threats or to situations that could have an adverse effect on organizations’ operations.
To ensure that can cross the chasm from “need to know” to “need to share” requires adopting a mindset of “assured information sharing.” Let’s take a closer look at the history and underlying concepts of assured information sharing.
An overview of assured information sharing
In 2004, the “9/11 Commission Report” and Director of Central Intelligence Directive “Intelligence Community Policy on Intelligence Information Sharing” started shaping the next generation of cross domain security technologies. The purpose was to reduce stovepipes in security infrastructure — ultimately, to align the need-to-know with the need-to-share.
Two years later, in 2006, the Unified Cross Domain Management Office was founded. Now the Unified Cross Domain Services Management Office, the office was established to centralize coordination and oversight of all Defense and intelligence community cross domain security initiatives.
In 2009, the Information Sharing and Access Interagency Policy Committee was formed to address information sharing needs and establish the Information Sharing Environment program. This past February, President Barack Obama issued executive order 13691 for Promoting Private Sector Cybersecurity Information Sharing.
From these early requirements came what we now know as assured information sharing. In layman’s terms, it means the mutually authorized exchange of “releasable” information between two or more organizations.
Ultimately, assured information sharing unites need to know with need to share. It permits organizations to communicate time-sensitive critical information between people, organizations, locations, communities of interest, and security domains. Equally importantly, it ensures the correct exchange of authorized data with authorized recipients.
This approach to the need to share involves a range of communities performing a range of missions. Communities include:
- Homeland security
- Foreign affairs
- International partners
- Law enforcement
- Nongovernmental organizations
- The public
Those with a stake in the process from each community include:
- Information owners
- Information custodians
- Risk managers
Five mission-critical areas addressed by assured information sharing
Assured information sharing addresses key problem areas for federal agencies.
Cybersecurity and Situational Awareness. Situational awareness is achieved through the delivery of reports, delivery of alerts/tips and discretionary access information (commonly referred to as C2). Consequently, it is essential to aggregate sensor, management, and monitoring data from diverse domains to mission and enterprise services.
Cloud Assurance. Obviously, data today must be safely shared between cloud environments — private-to-private clouds, public-to-public clouds, and so on. That requires the development of rules governing information flow.
Supply Chain Security. To improve the risk management process, it is important to control the exchange of intellectual property, contract data and sensitive system design secrets.
DOD and Intel Coordination. Government agencies require communications solutions that offer speed, security and flexibility, beyond the solutions currently approved for use in these environments.
Big Data Analytics. Today’s emphasis on big data has created large volumes of data, taking up vast amounts of storage space. Assured information sharing must supports the collection and analysis of large volumes of data without impeding system performance.
Public and private sector benefits
Assured information sharing is vital to organizations that need to ensure only “shareable” data is released to external entities and authorized data is received from authorized sources. It supports public and private sector policies that required cross domain solutions.
For business, mission and data owner stakeholders, assured information sharing reduces or eliminates the use of media and courier delivery systems. It also minimizes exposure of infrastructure by eliminating the way in which a system may be accessed externally (things like replicated repositories and shared keys, for example).
By embracing the notion of assured information sharing, collaboration is made easier — as is the distribution of information to consumers and other stakeholders.
Time-sensitive intelligence, command and control, or formal organizational messaging can be more easily disseminated as well.
Take time to understand the concepts behind assured information sharing. It is truly the bridge that allows your organization to cross the need to share chasm.
Shawn Campbell is vice president of product management at SafeNet Assured Technologies. He can be reached at Shawn.Campbell@safenetat.com.