Connect2Share Executive Overview


October, 2017

THE CYBER SECURITY CHALLENGE FOR U.S. DEFENSE CONTRACTORS: A Cost-Effective Solution for New DFARS Compliance

"If any businesses are not in compliance with these requirements, or are substantially out of compliance, the impact on those entities may be significant." Security Oversight Office, NARA

Table of Contents
1 Introduction
2 Protecting Controlled Unclassified DoD Information; The DFARS Compliance Challenge Confronting DoD Contractors
3 Introducing Cyber Connections Connect2Share Secure Document & Data Transport (C2S SD2T)
4 Platform Solution Set and High Level Architecture
5 Line of Business Integration Architecture; Affirmative Logging BlockChain Subsystem
6 A Prime Use Case: Wireless Paperless Manufacturing
7 Conclusions
8 Connect2Share Patents

Introduction

When people hear about cyber-attacks, they normally think of hackers stealing personal data or creating a menace by temporarily stopping or closing businesses. These are serious problems for all concerned, but when it comes to the federal government, in particular the US Department of Defense, the stakes are infinitely higher. The theft or accidental release of defense information, including weapons systems, would potentially allow adversaries of the United States to counter our offensive and defensive capabilities or to clone systems for their own nefarious purposes. The national security implications of this are enormous, ranging from endangering the lives of our military personnel to the impact that higher defense spending, required to stay ahead of our adversaries, has on our increasing national debt. The DoD has long imposed extensive security requirements on its contractors to prevent the loss of classified weapons information.

With the rising scourge of hackers and cyber attacks, the DoD recognized that the host of controlled unclassified information maintained by defense contractors, which also has substantial value to adversaries, was at much greater risk of loss. The DoD published the Defense Federal Acquisition Regulation Supplement Clause, DFARS, in November 2013, which imposed strict security and compliance requirements on how all defense contractors handle and store what it defined as Unclassified Controlled Technical Information (UCTI). In August 2015, the DoD expanded the range of information subject to controls under DFARS to include the newly defined category of Covered Defense Information (CDI), of which UCTI is now a subset.

Cyber Connections Confidential. All Rights Reserved.

Protecting Controlled Unclassified DoD Information

The recent interim rules, published by the DoD in August 2015, which update and extend DFARS, demonstrate that the DoD is rapidly pushing the envelope on information security. Among other things, the interim rule defines a new term, Covered Defense Information (CDI), which encompasses a broader range of information than UCTI and now requires protection under DFARS security controls; replaces the table of required security controls based on NIST SP with the newly issued NIST SP; modifies and expands the requirements for contractors to report cyber incidents affecting their systems; and requires contractors to comply with DoD policies and procedures for acquiring commercial cloud services. It also sets the expectation of additional DFARS regulation changes based on cyber incident information collected from the newly expanded reporting by contractors. Lastly, it requires contractors bidding on new contracts to be in compliance with NIST SP controls, or to receive written approval for compensating controls from an authorized representative of the DoD CIO, prior to contract award.

The DFARS Compliance Challenge Confronting DoD Contractors

Few, if any, defense contractors have the necessary controls in place to meet the DFARS requirements. Most are at a loss on how to comply, given the pervasive way CDI is embedded in their business processes, related legacy software applications and other IT systems. In a Law360 article dated September 2015, Cairnie and Gainer of Baker Hostetler concluded: "Contractors have been provided a clear indication of the direction the DoD is going to protect covered defense information... This may not be an inexpensive undertaking but in the long haul it will likely save the company many times over from incurring far greater cost for damages caused by cyber incidents."

As stated by the Information Security Oversight Office of NARA on the proposed rule for securing controlled unclassified information, "If any businesses are not in compliance with these requirements, or are substantially out of compliance, the impact on those entities may be significant."

A typical DoD contractor routinely generates, processes, stores, exchanges and transmits sensitive information within the definition of CDI in connection with providing goods or services to the DoD. Much of the CDI in contractor organizations originates and is handled through procurement, sales and materials management activities (purchase orders, drawings, specs, images, etc.) supporting normal back office processes, including purchasing, sales, manufacturing, project management and contract administration. DoD contractors generally have substantial commercial business operations providing the same or similar goods and services to non-DoD customers. Contractors generally use the same IT systems, communication methods and business processes to conduct unclassified DoD and non-DoD business operations. This presents a number of major challenges for contractors relative to DFARS compliance.

Enterprise Resource Planning systems, such as Oracle E-Business Suite and SAP, or other best-of-breed applications utilized to execute these processes and transactions, were not designed to handle the unstructured content in an integrated fashion. Contractors have either customized these systems to accommodate this information, utilized a combination of manual processes to manage these documents, or some combination of both. Regardless of the approach individual contractors have taken to address the system limitations, their solutions were not designed for the DFARS level of security, including:
- FIPS compliant encryption of transmitted and stored content,
- Access controls which differ from those applicable to commercial transactions and information,
- Restrictions on the copying and printing of controlled content, and
- The extensive access monitoring and exception reporting required.

The reality for most contractors is that CDI is being freely e-mailed among the many participants in these business processes, behind the corporate firewall and often with third parties, including suppliers and subcontractors, without encryption. The information is being stored on servers, share drives, in multiple content management systems and ad hoc databases without encryption or any record of its existence. Access controls are typically inadequate and poorly administered, and access logging is rarely monitored. The lack of differentiation in these processes relative to commercial transaction content allows much wider access to CDI than prescribed by DFARS.

The lack of full automation and visibility of these business processes leaves contractors incapable of identifying whether CDI is being misappropriated during the execution of the processes. In short, most contractors are not DFARS compliant and don't have a cost-effective means to achieve compliance in the near term. Misappropriation of CDI is a very real issue, with the DoD estimating there are 10,000 contractors handling and storing CDI in their organizations. For hackers and others attempting to access CDI, it is simpler to attempt breaching the systems of these contractors than breaching the DoD's own systems. In response to these challenges, Cyber Connections has developed a solution which provides DoD contractors with a comprehensive, cost-effective, turnkey DFARS compliant system for CDI handled and stored as part of routine business processes.

Introducing Cyber Connections Connect2Share Secure Data Transport (C2S SD2T)

Connect2Share Secure Document & Data Transport provides contractors a fast track for initial compliance with DFARS regulations and a cost-effective platform for maintaining compliance as regulations continue to evolve. C2S SD2T grew out of early efforts by Steve Buth (Buth), founder of Cyber Connections (Cyber), an Oracle Gold Partner, to assist Oracle E-Business Suite (EBS) customers in gaining secure, transparent electronic access to documents via links with EBS transactions. In exploring the feasibility of developing such a solution, two major impediments became clear. First, acquiring and storing documents needed to be integrated into the EBS-based business processes to have an effective means of initially getting documents into a repository for subsequent retrieval. Second, inefficient and error-prone manual and quasi-automated processes for executing the EBS transactions needed to be fully automated to make electronic document handling reliable and cost effective. Further, it was clear that addressing these underlying business process issues would also benefit companies through significant cost efficiencies, faster time to market and sustained audit compliance. Buth coined the term Business Process Acceleration to describe this business process automation via secure workflow technology, with integrated document management, which is at the core of the C2S platform.

SD2T Platform Solution Set and High Level Architecture

Connect2Share Secure Document & Data Transport (SD2T) is a comprehensive platform to build, deploy and operate workflow-enabled applications which extend Oracle EBS business processes to provide DFARS compliant handling of CDI and related process improvements for defense contractors. The following illustration (Figure 1) depicts the high-level solution elements of the Connect2Share Secure Document & Data Transport platform. Connect2Share's proprietary technology includes an innovative, patented communications architecture utilizing encryption to secure data transmitted among the C2S system components behind the corporate firewall and with users both inside and outside the firewall. This communications technology, named the Connect2Share Secure WorkflowBus, combined with encryption of all documents and related data stored via SharePoint and SQL Server, ensures data in transit or in storage cannot be intercepted or accessed, including accessing data or processes within ERP solutions. Cyber Connections was approached by an aerospace company familiar with the C2S design for help with their DFARS compliance.

In studying the DFARS regulations, including consulting with defense industry and security experts inside and outside of government, it became clear the C2S design was ideal for defense contractors struggling with DFARS compliance, offering and ensuring:
- FIPS compliant encryption end-to-end and at rest,
- Tagging content as CDI for differentiated treatment as appropriate,
- The additional access security features required for CDI,
- BlockChain-based enhanced audit capability and reporting as required by regulation.

Figure 1: C2S Solution Elements

The platform consists of various workflow enabled applications (each a Business Process Accelerator, or BPA) for individual business processes handling CDI, supported by common platform operating elements. These common elements include administrative tools for managing platform operations, a secure communications infrastructure and a Cloud Access/Application Security Gateway (Gateway) for controlling access to the C2S application and information stored in the data repository. BPAs securely integrate with EBS workflows and data to provide fully automated, seamless business process execution and DFARS compliant handling and storage of the related documents and content. The high-level architecture of C2S SD2T, how it integrates in the customer's IT infrastructure and key security elements are shown in Figure 2 below. C2S DFARS workflows process and enable just-in-time access to need-to-know ERP and legacy structured data and related unstructured documentation files. C2S SD2T wireless shop floor access enables need-to-know, just-in-time paperless manufacturing work orders.

C2S SD2T Line of Business Integration Architecture

Figure 2: C2S Secure Document & Data Transport High Level Architecture

SD2T LOB Integration Architecture: Affirmative Logging BlockChain Subsystem

The C2S Affirmative Logging Subsystem (BlockChain in Figure 2) is the immutable log and distributed transactional trust center for the C2S Secure Document & Data Transport platform. It logs relevant platform activities and also gathers and maintains logs from other system components to support operation of the platform, its alerting and reporting functions, and audit trail purposes. The C2S Affirmative Logging Subsystem is built on BlockChain to create a distributed CDI Provenance and Integrity control subsystem which ensures compliance with strict DFARS access controls and breach monitoring requirements. Affirmative logging ensures that BPAs will not execute work steps, permit access to CDI or perform related activities until the event has been successfully logged and affirmed by the Logging Subsystem. Consistent with NIST SP controls mandated by DFARS, C2S Secure Document & Data Transport protects and preserves the Logging Subsystem, along with its logged data, against unauthorized access, erasure, modification and accidental disclosure. In addition to DFARS reporting compliance, these logs provide the audit trails for the company's financial controls and SOX compliance for the C2S-supported business processes.
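The affirmative-logging rule above (no work step executes until its event is logged and affirmed, and the log itself must resist erasure and modification) can be illustrated with a small fail-closed wrapper around an append-only, hash-chained log. This is added example code, not the C2S Logging Subsystem: the in-memory SHA-256 hash chain stands in for its BlockChain store, and the class and function names (AffirmativeLog, guarded_step, StepRefused) and the sample events are invented for the illustration.

```python
"""Affirmative logging, illustrated: a BPA work step runs only after its
access event has been durably recorded and affirmed by the log, and the
log is a SHA-256 hash chain so that erasure or modification of earlier
entries is detectable.  Added example code, not the C2S Logging Subsystem;
the hash chain stands in for its BlockChain store and all names and sample
events are constructed for this illustration."""
import hashlib
import json


class LogUnavailable(Exception):
    """Raised when the logging subsystem cannot record or affirm an event."""


class AffirmativeLog:
    """Append-only, hash-chained event log with an explicit affirm check."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self.available = True   # flip to False to simulate an outage

    @staticmethod
    def _digest(prev_hash, seq, event):
        # Canonical JSON so an identical event always yields the same hash.
        body = json.dumps({"seq": seq, "event": event}, sort_keys=True,
                          separators=(",", ":"))
        return hashlib.sha256((prev_hash + body).encode()).hexdigest()

    def record(self, event):
        """Append an event; its hash doubles as the affirmation token."""
        if not self.available:
            raise LogUnavailable("logging subsystem unreachable")
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "event": dict(event), "prev": prev,
                 "hash": self._digest(prev, seq, event)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self, upto=None):
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = self.GENESIS
        for e in self.entries[:upto]:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["seq"], e["event"]):
                return False
            prev = e["hash"]
        return True

    def affirmed(self, token):
        """True only if an entry carries this token and the chain up to it verifies."""
        for i, e in enumerate(self.entries):
            if e["hash"] == token:
                return self.verify(upto=i + 1)
        return False


class StepRefused(Exception):
    """The work step was not executed because its event was not affirmed."""


def guarded_step(log, actor, device, doc, action, execute):
    """Fail-closed wrapper: log, affirm, and only then run the step."""
    try:
        token = log.record({"actor": actor, "device": device,
                            "doc": doc, "action": action})
    except LogUnavailable as exc:
        raise StepRefused(f"{action} on {doc}: {exc}") from exc
    if not log.affirmed(token):
        raise StepRefused(f"{action} on {doc}: event not affirmed")
    result = execute()
    log.record({"actor": actor, "device": device, "doc": doc,
                "action": action + ":completed"})
    return result


def demo():
    """Walk through the normal path, a logging outage, and a tampering attempt."""
    log = AffirmativeLog()
    executed = []
    # Constructed sample: a CNC operator opening a routing drawing.
    guarded_step(log, "cnc_operator_17", "surface-0042", "DWG-FP-100", "view",
                 lambda: executed.append("DWG-FP-100"))
    # Logging subsystem down: the step must not run.
    log.available = False
    try:
        guarded_step(log, "cnc_operator_17", "surface-0042", "DWG-FP-101", "view",
                     lambda: executed.append("DWG-FP-101"))
        refused = False
    except StepRefused:
        refused = True
    log.available = True
    intact = log.verify()
    # Altering an earlier entry breaks the chain for every later check.
    log.entries[0]["event"]["doc"] = "DWG-FP-999"
    return {"executed": executed, "refused_during_outage": refused,
            "intact_before_tamper": intact, "intact_after_tamper": log.verify()}


if __name__ == "__main__":
    print(demo())
```

The point of the wrapper is the ordering: the step's closure is never invoked unless `record` succeeded and `affirmed` returned true, so an unreachable or corrupted log stops work rather than silently losing the audit trail. A real deployment would persist the chain and anchor its head hash somewhere the application cannot rewrite; the in-memory list only shows the control flow.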

The Logging Subsystem provides a key control function in the operation of BPAs, which continuously log their access, update, execution and runtime workflow persistence system state into this subsystem throughout their execution lifespan. Individual BPA workflows may be in flight for days or weeks, and hundreds of workflows may be in flight at any point in time. The hand off of workflow steps to Oracle for execution also presents challenges from a workflow control standpoint; these are addressed by the Logging Subsystem, which provides visibility of workflow status to ensure end to end workflow persistence.

A Prime Use Case: Wireless Paperless Manufacturing

C2S will deliver Secure Document & Data Access via wireless networks. This new C2S wireless technique meets the DFARS security requirements for securing unclassified, unstructured CDI, with a patent pending in the U.S. and, as previously noted, a Canadian patent issued for secure, wireless workflow-to-workflow integration. Paperless manufacturing continues to be seriously considered by various manufacturing organizations, including DoD weapons manufacturing contractors and sub-contractors. Based on expert opinions, the primary feature of paperless manufacturing is the elimination of printed manufacturing documents sent to the shop floor. C2S will eliminate and replace uncontrollable paper documents with wireless electronic document access, including, but not limited to, drawings, assembly instructions, testing instructions, etc. contained in a work order book/job order book delivered to the shop floor when the ERP system schedules the manufacture of a given DFARS controlled part. C2S will wirelessly send DFARS controlled CDI documents upon a request meeting both hardware authorization and user security credentials. Microsoft Surface devices, along with other hardware platforms, are certified FIPS compliant.

Utilizing a wireless device will allow shop floor personnel to access documents in tight crawl spaces in aircraft, tanks, ships, etc. This is difficult if not impossible to do with uncontrollable paper documents. C2S will verify the MAC address, serial number, and any other user defined hardware device certification. C2S will utilize a hybrid user security solution defined by the customer to identify which documents shop floor personnel can access. One scenario is to separate document access by job function. The following example, to some degree, defines the steps to build a fuel pump for a military application. Each assembly function (Routing) would have drawings, instructions, specifications, etc., defined by function: CNC Operations, Initial Assembly, Electrical Assembly, Software Installation, Final Assembly, Testing, Rework, Final Testing, and Packaging. C2S would segment document access by individual by job function, i.e., the CNC operator would have no reason to see the wiring schematics or software load procedures. C2S can also segment documents by item/part number: certain individuals may be able to build a fuel pump for a Bradley tank, but would be prohibited from viewing documents associated with building a drone fuel pump.
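The release decision described in the fuel pump scenario combines three checks: the requesting device must be a certified one (MAC address and serial number both match the registry), the requester's job function must cover the document's routing step, and the requester must be cleared for the part family. The following added example, which is not C2S code, evaluates such a request deny-by-default and returns a reason with every refusal so the decision can be logged. The device registry, roles, user records, part-number convention and document set are all constructed for the illustration, and CDI tagging is used so that non-CDI documents skip the routing and part checks.

```python
"""Need-to-know document release for a wireless shop floor, illustrated.
Added example code, not C2S: the registries, job functions, part numbers
and documents below are constructed for this illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    part_number: str
    routing_step: str   # e.g. "CNC Operations", "Electrical Assembly"
    cdi: bool           # tagged as Covered Defense Information?


# Constructed hardware registry: both MAC address and serial must match.
DEVICES = {
    "surface-0042": {"mac": "A4:6B:B6:12:34:56", "serial": "SN0042"},
}

# Job function -> routing steps whose documents that function may see.
ROLE_STEPS = {
    "cnc_operator": {"CNC Operations"},
    "electrical_tech": {"Electrical Assembly", "Software Installation"},
    "test_tech": {"Testing", "Final Testing", "Rework"},
}

# Person -> job function and the part families they are cleared to build.
USERS = {
    "cnc_operator_17": {"role": "cnc_operator", "parts": {"FP-BRADLEY"}},
    "etech_03": {"role": "electrical_tech", "parts": {"FP-BRADLEY", "FP-DRONE"}},
}


def normalize_mac(mac):
    """Accept 'a4-6b-...' or 'A4:6B:...' and compare in one canonical form."""
    return mac.replace("-", ":").upper()


def device_certified(device_id, mac, serial):
    reg = DEVICES.get(device_id)
    return (reg is not None
            and normalize_mac(reg["mac"]) == normalize_mac(mac)
            and reg["serial"] == serial)


def part_family(part_number):
    # Constructed convention: the family is the part number minus its variant suffix.
    return part_number.rsplit("-", 1)[0]


def authorize(user_id, device_id, mac, serial, doc):
    """Deny by default; every refusal carries a reason suitable for the access log."""
    if not device_certified(device_id, mac, serial):
        return False, "device not certified"
    user = USERS.get(user_id)
    if user is None:
        return False, "unknown user"
    if doc.cdi:
        if doc.routing_step not in ROLE_STEPS.get(user["role"], set()):
            return False, f"job function {user['role']} not cleared for {doc.routing_step}"
        family = part_family(doc.part_number)
        if family not in user["parts"]:
            return False, f"not cleared for part family {family}"
    return True, "granted"


# Constructed documents from the fuel pump work order book.
DOCS = [
    Document("DWG-FP-100", "FP-BRADLEY-A1", "CNC Operations", cdi=True),
    Document("WIRE-FP-200", "FP-BRADLEY-A1", "Electrical Assembly", cdi=True),
    Document("DWG-FP-300", "FP-DRONE-B2", "CNC Operations", cdi=True),
    Document("SAFETY-001", "FP-BRADLEY-A1", "Final Testing", cdi=False),
]


def demo():
    """Return the grant/deny outcome for a set of constructed requests."""
    cases = [
        ("cnc_operator_17", "surface-0042", "a4-6b-b6-12-34-56", "SN0042", DOCS[0]),  # own step, own part
        ("cnc_operator_17", "surface-0042", "a4-6b-b6-12-34-56", "SN0042", DOCS[1]),  # wiring schematic
        ("cnc_operator_17", "surface-0042", "a4-6b-b6-12-34-56", "SN0042", DOCS[2]),  # drone part
        ("cnc_operator_17", "surface-0042", "A4:6B:B6:12:34:56", "SN9999", DOCS[0]),  # serial mismatch
        ("etech_03", "surface-0042", "A4:6B:B6:12:34:56", "SN0042", DOCS[1]),         # electrical tech
        ("cnc_operator_17", "surface-0042", "A4:6B:B6:12:34:56", "SN0042", DOCS[3]),  # non-CDI notice
    ]
    return [authorize(*c) for c in cases]


if __name__ == "__main__":
    for granted, reason in demo():
        print("GRANT" if granted else "DENY ", reason)
```

The device check runs first so that a request from an unregistered or mismatched device is refused before any user attribute is consulted, and the returned reason strings are what would be written to the access log and exception report rather than shown to the requester.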

Conclusion

There is no question cyber-attacks are a growing menace. The Department of Defense is leading the charge among federal agencies in requiring its contractors to meet rigorous security standards to prevent the loss of unclassified but sensitive information processed through or stored in their systems. These new security standards, contained in DFARS regulations, place a heavy compliance burden on defense contractors. Most contractors are at a loss with how to comply, as their legacy systems and business processes are not designed to provide the type and granularity of security elements required and are very expensive to modify. The consequences of non-compliance include potential monetary fines, loss of existing DoD contracts and disqualification from bidding on new contracts. Since contractors are now required to affirm they are DFARS compliant in conjunction with bidding on new contracts, individual liability is increasingly likely in the event of intentional misrepresentation. The Connect2Share Secure Document & Data Transport platform from Cyber Connections provides DoD contractors running the Oracle EBS ERP system with a cost-effective, turnkey DFARS compliance solution for CDI captured and handled in key business processes. The greatest volume and most challenging CDI for companies to secure in compliance with DFARS is associated with several key procurement, sales and manufacturing/materials management processes. The C2S platform is unique in the market, using a combination of widely utilized, off-the-shelf applications and Cyber proprietary technology to fully automate these key business processes. This eliminates manual work steps that are prone to human error, lack visibility and are virtually impossible to secure, and enables DFARS compliant transmission and storage of structured and unstructured content.

The full automation and visibility of the business processes, together with the host of security controls designed into the C2S platform, greatly increase intrusion detection capabilities through active monitoring of access deviations that may be indicative of hacking activity. The benefits of employing Connect2Share Secure Document & Data Transport extend far beyond DFARS compliance. It provides business process automation, operating efficiencies, quicker time to market, better decision-making and other measurable business benefits which rapidly recoup the cost of deployment. The leadership team within defense contractors must be proactive in ensuring DFARS compliance is a priority for the organization, given the potential major negative consequences of failing to comply. Appendix A contains a list of questions company executives need to ask their IT, security and key business leaders to facilitate an open discussion regarding the status of the company's DFARS compliance. This will likely identify serious compliance gaps, but will be a major first step to developing an effective compliance plan to protect the company and its business.

Trademarks & Attributions

Oracle and E-Business Suite are Oracle Corporation registered trademarks. Microsoft, SQL Server and SharePoint are Microsoft registered trademarks. Connect2Share, Business Process Acceleration and Secure WorkflowBus are registered trademarks of Cyber Connections Corporation.

Appendix A: Connect2Share Patents

The Connect2Share patent journey began with our earliest integration testing between Oracle's E-Business Suite and SharePoint. We had been hearing for years from our Oracle EBS customers that they needed actual document access from Oracle EBS, which would result in significant productivity improvements and provide compelling ROI. In our initial integration tests to provide read/write access between Oracle EBS and SharePoint 2010, the quickest way to provide such integration was to utilize the power of each application's workflow engine, harnessing the power and elegance of each. This approach provided several very important benefits:
- The workflow engines were proven technology and completely stable.
- Utilization of the workflow engines dramatically shortened our C2S development cycle, eliminating the need to write a custom application integration module.
- Utilizing the applications' workflow engines enabled us to rapidly deploy an integrated solution.
- The vast majority of enterprise applications include workflow engines, which provided the ability to quickly integrate other applications outside of Oracle EBS and SharePoint, e.g. Oracle Transportation Management.
- The integration of workflow engines provides real-time data access between disparate enterprise applications, e.g. Oracle EBS and SharePoint.

Our first U.S. patent, US 9,286,146 B2, essentially covered the concepts associated with integrating workflow engines. Our second U.S. patent, US 9,477,539 B2, included language defining the utilization of a software application designed to create, manage, monitor and troubleshoot integrated workflow processes. We call this tool the Secure WorkflowBus, and we call these processes Business Process Accelerators. Our third U.S. patent, US 9,594,609 B2, expanded on the functionality included in our software application for the creation and management of integrated workflows, the Secure WorkflowBus (SWFB), and on the cryptographic encryption associated with these integrated workflows. The SWFB utilizes FIPS certified AES 256-bit encryption for data in transit between software applications created and monitored by SWFB functionality. We have a fourth U.S. patent pending which further defines the security features of the SWFB and, most importantly, covers the DFARS delivery of secure data and/or documents via a wireless network. The Canadian government granted patent 2,881,597 on 6/6/2017, which covers the three U.S. patents granted and the fourth U.S. patent pending.

In conclusion, our integrated workflow engine technology, delivered via the Secure WorkflowBus, provides the least expensive, the most secure, the most stable and the most flexible approach to securely integrating data and documents between a wide array of disparate enterprise class applications.