Data Security Challenges for the Global A&D Supply Chain

By E.K. Koh, VP of Solutions, NextLabs, Inc.

An interview with Luis F. Dannenfels, Senior Principal Architect, Raytheon

NextLabs recently sat down with Luis F. Dannenfels, Senior Principal Architect at Raytheon, to discuss the challenges that A&D companies face in the age of globalization and access anywhere, from any device. Luis talks about the challenges and the solutions. Below is an excerpt of the interview:

  1. What are the IT security priorities/challenges for an A&D company?

[Luis] Increasingly, A&D companies are collaborating globally on product designs and working with overseas partners and subsidiaries to develop the best products with the shortest time to market. This globalization means A&D companies are subject to more regulations and are under increasing threat of loss of intellectual property. The challenges we face are how to share our data both securely and in compliance with regulatory requirements such as export control regulations, National Security, customer contractual obligations and internal corporate info-security mandates.

In addition, the drive towards identity federation, the migration of data to the cloud, and the ubiquitous adoption of mobile devices, are making it harder for A&D companies to securely collaborate while remaining compliant.

  2. What is driving your industry’s needs for data-centric security (for information sharing)?

[Luis] Cyber threats continue to increase daily, and we no longer live in a world where “security at the perimeter” is adequate or acceptable, given the associated level of risk.

In addition, more and more data is being shared across various channels, such as via email, via your extranets and intranets, and via direct partner access to your PLM and ERP systems. Yet we continue to rely on the users to “do the right thing”. We need to be more diligent in preventing the users from inadvertently violating policies and/or regulations. Data-centric security can provide security at the data level, ensuring that users stay compliant with existing regulatory and corporate policies.

  3. How is the industry doing it today?

[Luis] The industry for the most part, at least in the A&D sector, continues to struggle with traditional methods of access management. Methods such as Role-Based Access Control (RBAC) and Access Control Lists (ACLs), which at one point “did the job”, are no longer adequate.

RBAC and ACLs are often augmented with manual procedures to enhance compliance. Unfortunately, these manual procedures are inefficient, error-prone, and increase the risk of compliance violations.

  4. What are the challenges to the current approach?

[Luis] The current approach poses many challenges:

  • Current solutions are siloed and tend to have disparate ways of controlling access to data, resulting in inconsistencies and administrative overheads. Unfortunately, there are few solutions for access management that work across all enterprise apps.
  • There is a general lack of consistency and standards in policy management, in data classification, in attribute mappings, in fine-grained access control methods, and in document control methods such as visual markings. This lack of widely adopted standards makes interoperability between enterprise apps within a company, and with the supply chain, difficult.
  • There is a lack of governance and best practices for information classification, information sharing and change management.
  • Last, there is a lack of visibility and record keeping on data access across the enterprise and its supply chain.

  5. What are the alternatives?

[Luis] Fortunately, industry groups such as the Transglobal Secure Collaboration Program (TSCP) are addressing these challenges through the definition of common frameworks. Below is the TSCP Information Labeling & Handling (ILH) Reference Architecture framework:

[Figure: TSCP Information Labeling & Handling (ILH) Reference Architecture framework]

ILH is a reference architecture framework developed within TSCP, which addresses enforcement of information protection policies consistently within and across organizations in the areas of: Export Control, Intellectual Property, National Security, and Program Requirements.

ILH is based on three pillars:

  • The first pillar, Digital Policy Management, is about the translation of policies into what we call “computer readable form”, which manifests as access rules.
  • The second pillar, Information Labeling, is about the identification of the data – or “giving the data its DNA” – such that it can be identified (via labels and metadata).
  • The third pillar, Access Control, is about enforcing those access rules created in the first pillar – this is where technologies like Attribute-Based Access Control (ABAC) and Information Rights Management (IRM) play a key role.
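The three pillars can be made concrete in a few dozen lines. The Python below is an added illustration written for this page; it is not code from the interview, from Raytheon, or from the TSCP ILH specification. The rule names, label vocabulary (`export_control`, `program`, `export_authorization`), user attributes (`us_person`, `authorizations`, `programs`) and the sample users and documents are all constructed for the example. It shows a policy written in computer-readable form (pillar 1), documents carrying labels as metadata (pillar 2), and an ABAC-style decision function that evaluates user attributes against document labels and records every decision (pillar 3). Unlabeled data is denied, since a rule engine has nothing to evaluate without the label "DNA".

```python
from dataclasses import dataclass


@dataclass
class Document:
    """Pillar 2: a data object whose labels/metadata are what policy evaluates."""
    doc_id: str
    labels: dict  # constructed label vocabulary, e.g. {"export_control": "ITAR"}


@dataclass
class User:
    """A requester described by attributes, not by a role or an ACL entry."""
    user_id: str
    attributes: dict  # list-valued attributes are expected for 'contains_label'


# Pillar 1: policy in computer-readable form. A rule applies when the document
# carries the named label (optionally with a specific value) and is satisfied
# when ANY listed predicate holds for the requesting user. Rule names and
# predicate vocabulary are hypothetical, invented for this example.
POLICY = [
    {
        "name": "ITAR technical data",
        "applies_when": {"label": "export_control", "equals": "ITAR"},
        "any_of": [
            {"attr": "us_person", "equals": True},
            # the document's own label names the authorization that covers it
            {"attr": "authorizations", "contains_label": "export_authorization"},
        ],
    },
    {
        "name": "Program membership",
        "applies_when": {"label": "program"},  # any program-labeled document
        "any_of": [{"attr": "programs", "contains_label": "program"}],
    },
]

AUDIT_LOG = []  # every decision is recorded, for the visibility/record-keeping gap


def _rule_applies(rule, doc):
    cond = rule["applies_when"]
    if cond["label"] not in doc.labels:
        return False
    return "equals" not in cond or doc.labels[cond["label"]] == cond["equals"]


def _predicate_holds(pred, user, doc):
    value = user.attributes.get(pred["attr"])
    if "equals" in pred:
        return value == pred["equals"]
    if "contains_label" in pred:
        # the user attribute must contain the value the document's label carries
        wanted = doc.labels.get(pred["contains_label"])
        return wanted is not None and wanted in (value or ())
    raise ValueError(f"unknown predicate: {pred}")


def decide(user, doc, policy=POLICY):
    """Pillar 3: ABAC-style enforcement. Returns (decision, failed_rule_names)."""
    if not doc.labels:
        failed = ["unlabeled"]  # fail closed: unlabeled data cannot be evaluated
    else:
        failed = [
            rule["name"]
            for rule in policy
            if _rule_applies(rule, doc)
            and not any(_predicate_holds(p, user, doc) for p in rule["any_of"])
        ]
    decision = "PERMIT" if not failed else "DENY"
    AUDIT_LOG.append({"user": user.user_id, "doc": doc.doc_id,
                      "decision": decision, "failed_rules": list(failed)})
    return decision, failed


# Constructed sample data (not real programs, people or authorizations).
DRAWING = Document("drawing-001", {"export_control": "ITAR", "program": "P-123",
                                   "export_authorization": "TAA-0042"})
MEMO = Document("memo-002", {"export_control": "EAR99"})
UNTAGGED = Document("untagged-003", {})

ALICE = User("alice", {"us_person": True, "programs": ["P-123"]})
BOB = User("bob", {"us_person": False, "authorizations": ["TAA-0042"],
                   "programs": ["P-123"]})
CAROL = User("carol", {"us_person": False, "programs": ["P-999"]})

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        for doc in (DRAWING, MEMO, UNTAGGED):
            print(user.user_id, doc.doc_id, *decide(user, doc))
```

Alice is permitted on the drawing as a US person; Bob, a non-US person, is permitted only because the drawing's `export_authorization` label matches one of his authorizations; Carol is denied on both the export-control and the program rule, and every outcome lands in `AUDIT_LOG` with the rules that failed. Swapping the policy for a different one changes the decisions without touching the documents or the enforcement code, which is the consistency ILH is after.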

  6. How does an information labeling and handling framework help?

[Luis] Simply put, ILH drives consistency and interoperability. It provides a standard method for deriving business rules from policies and regulations, automates enforcement of policies and regulations, enforces access control at the document level, and protects data at rest, in transit, and in use. With ILH, you can protect data throughout its entire lifecycle: within the company and externally when it leaves the repository.

  7. What are the deployment considerations?

[Luis] Starting a project like ILH requires planning. Here are some pointers to consider:

  • Initiate the planning for the strategic solution “now” versus later.
  • Address the challenges “one day at a time” by adopting ILH. Do not try to “boil the ocean” on day one. Instead, adopt a phased approach.
  • Define the business rules associated with each of the policies & regulations well in advance, prior to deployment.
  • Do not forget to define your governance policies on how data standards and access rules are to be managed.
  • Obtain senior executive sponsorship and buy-in. You will need that executive buy-in as you work through your governance policies and streamline your business processes.

About Luis Dannenfels

Luis Dannenfels, an IDS Sr. Principal Architect/Engineer, has been with Raytheon since June 1992. His primary responsibilities are on globalization enablement in the areas of Identity and Access Management, export control, security architectures, and emerging technologies. Luis has spent most of his career in the technical arena serving as either a chief architect or a consultant to corporate and business management in strategic and high-profile initiatives. Among other areas, Luis has worked closely with Supply Chain within Raytheon, where he was responsible for the development of their architecture landscape and insertion of solutions in the area of I&AM for global growth enablement. Currently, Luis is a Technical Lead Architect under the EXIM Strategic Initiative, focused on delivering solutions in the area of Export Control regulations.

He has also represented Raytheon on related industry steering groups such as TSCP, serving for the past 9 years on TSCP’s Architecture Board. Luis holds three degrees: a Bachelor’s and a Master’s in Electrical Engineering and a Bachelor’s in Computer Science from Union College in Schenectady, NY. Luis can be reached at luis@raytheon.com.
