MITRE works with teams made up of people from various internal organizations, commercial companies, and DOD services and agencies, all of whom must have compatible tools, networks, and security policies in order to collaborate. Standards that would enable interoperability among commercially available products are not mature, and few tools provide cross-platform support. Incompatible network policies hinder or prevent cross-organization collaboration. Firewalls, used to protect Internet-connected sites, are often configured in a way that blocks collaborators' traffic. Enabling collaborative tools through a firewall is technically possible, but it may require changes to the network policy that weaken the site's security. MITRE's current network policy prevents most users on the corporate network from using these tools to collaborate with users outside the company.

We are using and piloting a number of collaborative capabilities internally, and are working toward solutions that improve collaboration among organizations. We use a network of video teleconferencing (VTC) facilities for communication among our sites and with non-MITRE locations that have compatible equipment. Lower-priced desktop VTC units, based on Integrated Services Digital Network (ISDN), are also used to connect remote team members; like room-based systems, they may be used for collaboration with outsiders. MITRE is also evaluating a number of synchronous collaboration tools that provide, among other things, remote desktop and application sharing. Though these tools provide useful capabilities, their security models presume a degree of openness among collaborators that is not always present. Security is minimal or absent from many of the products MITRE has examined, which has led Information Security policy makers to question whether secure electronic collaboration is possible.
Many popular collaborative tools implement an all-or-nothing access control policy, which can leave collaborators' local systems and networks exposed. In particular, tools that let users grant access to their local desktops (via remote desktop sharing or application sharing) jeopardize the privacy of data stored there, and networks reachable from the local system may be at risk as well. When collaborating this way, the remote user has the same local and network access as the desktop owner; for all practical purposes, he or she is the desktop owner. Although users are usually willing to share information or grant access to other collaborators, certain information is off limits. Tools with audio and video capabilities introduce opportunities for compromise as well: remote collaborators have eyes and ears into the workplace, which can lead to eavesdropping or, at the least, embarrassment.

MITRE recognizes the need for improved collaboration, both internally and externally. Rather than prohibit collaborative tools because they are a security risk, the company is exploring a combination of secure application and network configurations, operational procedures, and security policies. Before rolling out a new application, MITRE establishes secure system configurations (locked down where possible) and gives guidance on how to use the application securely. The corporate network is configured to support the new application, and security policy guidelines are implemented to minimize the risk of compromise. Additionally, MITRE is developing an information policy that will determine what types of MITRE information can be shared and with whom. In support of cross-organization collaboration, MITRE is investigating a number of approaches that will enable heterogeneous teams to work better together.
We are developing and piloting shared server and Extranet-based approaches that will enable teams to share resources, subject to an appropriate level of access control. In support of our primary Air Force customer, MITRE is deploying a shared publishing server that Air Force and MITRE personnel will use as a web-based document repository. MITRE will also make information from its on-line phonebook available there. Users will be able to put data into shared project folders that MITRE and its customers can access. Internet Protocol (IP) address filtering will provide access control in the initial capability; because a source address identifies a network location rather than a person, future releases will incorporate username/password and digital certificate-based authentication. Though the scope of the initial effort is relatively narrow, our goal is to add technical content and implement more advanced collaboration capabilities, including discussion groups and shared calendars. Security enhancements will be incorporated to support public areas as well as private project spaces.

MITRE is also piloting Extranet technology, which we see as the solution for our longer-term customer access needs. We are developing and piloting a home-grown Extranet solution while keeping abreast of commercial Extranet offerings that satisfy our operational and security requirements. MITRE's Extranet pilot is designed to provide external Web access to designated portions of our internal information infrastructure. A Netscape Enterprise Server, extended with code written by MITRE, serves as the external host that accepts and processes requests from external users. The Enterprise Server establishes a Secure Sockets Layer (SSL) connection with the requestor, providing a secure channel over which authentication credentials can be sent. Before internally stored web pages are returned to external users, MITRE's code parses them and checks access controls. The code also checks every link in a requested page before returning it: links for which the user is not authorized are replaced with non-clickable HTML. This link rewriting is a filtering step, not the access control itself; a user who learns a URL by other means still receives the page only if the access check on that page passes. Through piloting, MITRE will determine the performance and security of this architecture, and will continue to investigate commercial solutions as mature products become available. For more information, please contact Christine Eliopoulos.
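As an added example (not part of the original article and not MITRE's pilot code), the following Python sketches the gateway's page-filtering step described above: the requested page is first subjected to its own access check, and only then are the anchors in it examined, with any link the user is not authorized for rewritten into non-clickable HTML. The access-control list, the user names, the page paths, the shell-style path patterns, and the sample page content are all constructed assumptions.

```python
"""Authorization-aware link filter in the spirit of the Extranet gateway
described above.  Constructed example for illustration, not MITRE's code."""
from html.parser import HTMLParser
import fnmatch

# Constructed, hypothetical access-control list: user -> path patterns the
# user may read.  Patterns are shell-style globs; '*' also matches '/'.
ACL = {
    "alice": {"/projects/alpha/*", "/phonebook/*"},
    "bob": {"/phonebook/*"},
}


def is_authorized(user, path):
    """Fail closed: only absolute internal paths without '..' segments can
    match a pattern, so external URLs and traversal attempts are denied."""
    if not path.startswith("/") or ".." in path.split("/"):
        return False
    return any(fnmatch.fnmatchcase(path, pat) for pat in ACL.get(user, ()))


class LinkFilter(HTMLParser):
    """Copies a page through unchanged except that anchors whose href the
    user may not read are replaced by inert <span> elements."""

    def __init__(self, user):
        super().__init__(convert_charrefs=False)
        self.user = user
        self.out = []
        self.stripped = []  # one entry per open <a>: True if it was replaced

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if not is_authorized(self.user, href):
                # Keep the link text, drop the reference to the resource.
                self.out.append('<span class="unauthorized">')
                self.stripped.append(True)
                return
            self.stripped.append(False)
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "a" and self.stripped and self.stripped.pop():
            self.out.append("</span>")
        else:
            self.out.append("</%s>" % tag)

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def filter_links(user, page_html):
    """Return page_html with unauthorized anchors made non-clickable."""
    f = LinkFilter(user)
    f.feed(page_html)
    f.close()
    return "".join(f.out)


def serve(user, path, pages):
    """Gateway behaviour: the requested page's own access check comes first;
    link filtering only shapes what an authorized reader sees."""
    if not is_authorized(user, path):
        return 403, ""
    if path not in pages:
        return 404, ""
    return 200, filter_links(user, pages[path])


# Constructed pages standing in for the internal web servers.
PAGES = {
    "/projects/alpha/index.html": (
        '<!DOCTYPE html><html><body><h1>Project Alpha</h1>'
        '<p>See <a href="/projects/alpha/plan.html">the plan</a>, '
        'the <a href="/phonebook/index.html">phonebook</a>, '
        '<a href="/projects/beta/index.html">Project Beta</a> and '
        '<a href="/projects/alpha/../beta/index.html">Beta via traversal</a>.</p>'
        '</body></html>'
    ),
}

if __name__ == "__main__":
    for user in ("alice", "bob"):
        status, body = serve(user, "/projects/alpha/index.html", PAGES)
        print(user, status, body)
```

Two design points matter here. The authorization check fails closed: a relative or external href, or one containing a ".." segment that a glob such as "/projects/alpha/*" would otherwise match, is never treated as authorized. And the rewriting is done on the anchor tag, so the protected URL itself is removed from the returned page rather than merely disabled, while the per-page check in serve() remains the actual control.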