Identity Management in System-of-Systems Crisis Management Situation


Proc. of the 2011 6th International Conference on System of Systems Engineering, Albuquerque, New Mexico, USA - June 27-30, 2011



Abdullahi Arabo, Mike Kennedy, Qi Shi, Madjid Merabti, David Llewellyn-Jones, Kashif Kifayat School of Computing and Mathematical Sciences, Liverpool John Moores University, Byrom Street, Liverpool, L3 3AF, UK
[email protected], [email protected], {Q.Shi; M.Merabti; D.Llewellyn-Jones; K.Kifayat}@ljmu.ac.uk

Abstract - In System-of-Systems (SoS) coalition scenarios there are always partners who are heterogeneous in terms of technology, skills, security requirements, sensitivity of information and trustworthiness. These partners normally come together in Communities of Interest (CoI), perhaps for a short period of time, to achieve a common goal. All or some of these partners may have different roles in the CoI, but sharing of information is of crucial importance. Hence, the ability to properly identify each partner within the CoI and protect their identities, while at the same time allowing them to use their own devices, requires the ability to negotiate interoperation between groups with different security policies and to make security policy decisions in real time. In this paper we describe a scenario that involves different parties within a CoI and present a proof of concept that allows each member to join a CoI while controlling how much of its information is revealed, based on its specified policies and its role within the CoI. We also present an outdoor experiment for the proposed methodology on our test bed.

Keywords: Identity management, System-of-Systems, System-of-Systems Security, Partial identities.

978-1-61284-782-5/11/$26.00 ©2011 IEEE

1 Introduction

In its simplest form, identity management (IM) deals with how users are identified and authorised across networks. Establishing an IM policy within a single entity is undemanding compared with doing so across a CoI, where heterogeneity in technology, standards and IM implementations makes establishing an IM strategy a challenging task. This takes on a new dimension in Systems-of-Systems (SoS) because IM must interoperate across multiple systems, and implementing it in a service-oriented architecture (SOA) or in SoS coalitions for crisis management presents its own challenges. Coalition activities in regular day-to-day work already prove difficult when it comes to agreeing on which principals may use personal identity information, and more so when users from different organisations are also allowed to use their own devices. The problem is sharpest in natural or man-made crises, where large-scale financial, environmental and human losses can cause widespread damage to the information infrastructure. This can affect the ability of the emergency services (police, fire and medical) to communicate, and restrictions on the sharing of information make it harder for them to provide emergency services to the population.

The availability of important information plays a vital role in humanitarian assistance. Emergency ad-hoc communication networks can be established in order to operate and provide emergency services. However, any disruption, delay or loss of information between emergency departments (systems) during the crisis management process can result in significant damage to assets. This can happen when different departments have different security levels or requirements, and it can also be the result of cyber attacks. IM in SoS security is therefore essential for secure communication between different organisations and for a high level of information availability. Identity management solutions typically consist of various functionalities, which are summarised in more detail elsewhere [1]. We are mainly concerned with two of them: identity provision and preservation, and authorisation and authentication. These are of crucial importance in an SoS for managing services such as access control of environments and resources based on policy and on criteria such as roles, device types and sensitivity of information. Life-cycle management of user profiles and other information within a CoI in an SoS is also essential: who should access such information, with whom it may be shared, what level of detail is required, and so on. In the context of this paper we use the term SoS to mean the following [2]:

- Each component of an SoS must be complex enough to be considered a system in its own right.
- The overall SoS must produce behaviour beyond the capabilities of any one individual component system.
- Each individual component system must be capable of independent action.
- The purpose of each individual component system must exist beyond solely servicing the SoS.

Furthermore, SoS security composition refers to the process of combining distinct systems or components with different security attributes to form a new secure whole for specific tasks. The main contribution of this paper is to highlight issues related to SoS security and to suggest possible solutions that allow technology to be used productively, securely and efficiently. We identify the challenges of providing IM in such an environment, recommend possible solutions, and present a proof of concept on a test bed with CoI security, so that all organisations can securely and efficiently perform operational tasks during a crisis. In our outdoor experiments, users within the CoI are able to protect their personal information via an authentication process.

2 Related Work

IM in an SoS is of crucial importance, especially in crisis management and emergency situations, yet little research effort has been directed at this area. Most of the existing work approaches it from the point of view of federated IM and the general issues of IM. The work we were able to identify in this area is summarised in the next few paragraphs.

IM normally suggests a traditional client-server structure, in which users perform a handshake with a server for authentication and other purposes. In an ad-hoc network, however, functions such as packet forwarding, routing and network management are carried out by all available nodes, which has considerable security implications. The Gartner hype cycle of identity and authentication related technologies and trends as of September 2003 is shown in Figure 1. It highlights the visibility and maturity of each technology, from inception to the stage at which it is generally accepted.

Research into IM schemes matters because weak IM is the underlying cause of identity theft, which is an extremely difficult problem to address. Most people's personal data is held in literally thousands of systems, potentially accessible to tens or hundreds of thousands of people. Beyond the risks to individuals, government and business organisations face a newly emerging and substantial liability for the theft of employee identities. This demonstrates the need for methods and frameworks that help to mitigate this threat.

Figure 1. Identity and Authentication [3].

Few strategic maps have been proposed; one example is the map designed with BSC Designer [4]. As reported in Computer Weekly [4], a senior German police officer told the ISSE 2010 conference that fighting cyber crime will be the greatest challenge in the years to come, stating that computer fraud makes up 46% of total crime, including 23% Internet crime, with a 64% increase in phishing. "We expect a 70% growth in 2010 in the number of phishing cases, where access credentials and digital identities are stolen for criminal purposes," said Jürgen Maurer, a Vice-President of the German Federal Criminal Police Office.

Establishing identity management within a single entity is thus already difficult and challenging. It takes on another dimension when identity management must be established and implemented within an SoS in ubiquitous environments, because it involves mutual contracts set up among the various systems and across system boundaries. It also involves agreements such that an identity in one organisation is recognised by another organisation within the CoI in the SoS. This necessitates establishing a map among the different identities related to a user, otherwise called a single virtual identity domain [5]. The challenges involved include technology, security, regulatory requirements, privacy governance and legal issues. The Seventh Framework project Innovative and Novel First Responders Applications (INFRA) [6] has also provided us with the basic layers of interoperability and communication needed for a successful implementation of identity management within an SoS. The INFRA project's main objectives focus on three levels: providing first responders with reliable communication, interoperability of navigation systems based on three location sensors, and standardisation of the framework of communications and applications. Our work aims to build on these fundamental principles and add a layer that gives users within the SoS (first responders, in INFRA's terms) the ability to manage not only their identity information but any other information that is of crucial importance in terms of sharing with other users within the SoS.

Balasubramaniam et al. [7] have also pointed out that establishing trust between identity providers, synchronising such identities, agreeing on data ownership, minimising the risks involved, complying with regulations, preventing privacy violations and enforcing policies constitute further challenges. Arabo et al. [8] initially proposed User-Centred Identity Management for mobile ad-hoc networks (UCIM). This provides the groundwork on which we build the additional ability for users within a CoI to keep full control of their identities. The related issues of data mishandling within CoI environments, its potential problems and solutions, are discussed in [9]. As the next section shows, a successful implementation of identity management in an SoS crisis management situation provides a number of benefits that outweigh the challenges mentioned above, including quicker development of the SoS, fewer duplicate identities, fewer privacy and security violations, reduced data and profile misuse, and the ability to make use of partial identities. To succeed, however, the systems must be made more user-centric in nature.

Figure 2. A crisis management scenario.

3 Proposed Architecture

Our proposed architecture is composed of two main components: a MATTS (Mobile Agent Topology Test System) [10] server application and a composition client application. The client-side software can represent any organisation that could participate in the crisis management process, such as the police, fire and medical services. Each member of an organisation is equipped with a communication device such as a PDA, smart phone or laptop, as shown in Figure 2. Each of these clients has a set of security properties and policies established according to the security needs of its organisation. The security properties (e.g., which firewall is running, what encryption algorithm is used, and what sensitivity level is assigned to the device) differ from one organisation to another. To deal with this we have developed a property interface tool (Figure 3) that allows node properties to be defined and saved in a simple XML format. Using the interface in Figure 3, a user can select security properties (on the left of the interface), create a new property set, or load properties from existing property files (lower left corner of the interface). These properties (see Figure 4) can then be transferred automatically between nodes to help identify the level of security in a specific scenario. A security policy describes how, when and with whom information can be shared; it also specifies under which conditions, and with what actions, threats or vulnerabilities are handled when they are discovered. Technically, the security properties of every organisation are stored in a policy XML file, and these policy files together with the data flow topology are used to determine the overall security status.

Figure 3. Property interface for defining node properties.

The main analysis task of our proposed work runs on the server, once all knowledge about client nodes' properties, connectivity (links with neighbouring nodes) and integration details has been received in XML files from the clients. All of this information is needed during composition analysis, and the transfer of this data begins as soon as a client has connected to the network. The interface of the server-side software is shown in Figure 7. The figure shows nodes from various interconnected organisations. In the upper right corner of the interface, the X indicates that a security problem involving multiple nodes simultaneously has been identified in the network. This provides a notification; we are currently working on richer feedback to the user (e.g., highlighting the affected nodes). The dialogue on the left of Figure 7 shows how the user can modify the properties of a node in order to manage the model. This also provides a means of resolving security issues by making suitable changes to node properties (e.g., by increasing the staff skills assigned to the node). The analysis is directed by an XML script file which describes the process to be followed for each property tested against. The MATTS tools interpret this script and follow the process, ultimately resulting in a verification or refutation of the property as it applies to the configuration of the services. Given a suitable script file, the most important information MATTS needs to undertake its analysis is an overview of the dependencies or links between the components of a system. During the analysis it often transpires that additional information is needed to complete the analysis and provide an accurate result, because composition results invariably depend on both the composition structure and the specific properties of individual services; these properties may be queried at any time during the analysis. The result of the composition analysis stage identifies whether the security property being tested for is satisfied or not. The tool gives the user the freedom to model all possible scenarios using different numbers of nodes with different security properties, and to run different vulnerability tests on the modelled scenarios. The following sections show a proposed scenario related to IM and its implementation using a mobile ad-hoc network.

4 Implementation

4.1 Scenario

As the first step of our implementation we present an example scenario of a crisis incident. We assume that the emergency services (police, fire and ambulance) participating in this event use the Bronze-Silver-Gold command structure developed by the UK Metropolitan Police [11]. This structure provides a cross-service command structure tied to the location of security personnel: Bronze and Silver command centres are set up on site for operational and tactical action respectively, with strategic control and monitoring of events at a Gold command centre located away from the incident. We assume four individuals from various agencies and command levels are involved in resolving the incident: a Gold command officer from the police, a Silver command member from the ambulance service, a Bronze command member at the location where the incident has happened, and a volunteer who is there to help. Each of these individuals is equipped with a computing device (e.g., a laptop or smart mobile phone) containing information that is of crucial importance to the handling of the incident. Hence it is of paramount importance that each user is able to use their own device; that their information is kept as secure as possible; that other members of the CoI are able to request relevant information from them; and that individual identities within the CoI are verified and authenticated. The fifth node in this scenario is the MATTS server, which acts as the central point for authenticating data and forwarding information as required.

4.2 Outdoor experiment using mesh network testbed

For this experiment the MATTS application has been extended to allow testing of the UCIM approach outlined in Section 2 in crisis management scenarios, by adding modules and applications together with other functionality. Specifically, the extension integrates several tools: a secure sandboxed virtual machine, a mobile code framework allowing communication between agents running on different network nodes, a composition analysis tool and a formal analysis tool. Using these tools the user can model pre-crisis scenarios, define a crisis management response network using different nodes, assign security and non-security properties to these nodes, and perform vulnerability analysis on the modelled network. MATTS is implemented as a single native C++ application, within which multiple interacting components can be modelled by executing byte-code compiled from a RISC-like assembly language.

To summarise the scenario above: the partners have their own devices, e.g. laptops/netbooks, PDAs or mobile phones. The devices have policy and property files (Figure 4) pre-loaded; each file contains the device type, the organisation of the device owner/user, the role of the user, the sensitivity level of the information to be shared, and the user's authorisation level. As they try to join the network using the AWDS protocol (discussed further below), their policy and property files are sent to determine which of the other partners will be able to see their presence, share information with them, and so on. This is done dynamically. The profile or information of each CoI member is stored in an XML file created using the property interface application, which includes:

- Device type (laptop, netbook, PDA or mobile phone)
- Organisation (police, military, hospital, emergency or volunteer)
- Role (gold, silver or bronze)
- Sensitivity level (0-9)
- Authorisation level (0-9)

Figure 4. XML file.

Each user within the CoI is allowed to join the network only if its policy complies with the system's policy. Every request for identity information must also be made after the initial authentication. The owner of the information has full control over the policy governing how, with whom and when such information may be used or forwarded. To provide a proof of concept for this scenario we conducted an outdoor experiment on a testbed of five laptops/netbooks running the Ubuntu operating system [12] and capable of forming a mobile ad-hoc network. This is achieved through the Ad-hoc Wireless Distribution Service (AWDS) [13] installed on the netbooks. AWDS was chosen for the benefits it offers over other available mesh networking protocols: it is open source software, it runs in user space and, more importantly, it operates at layer 2 of the network stack. This gives an Ethernet-based, LAN-like connectivity experience requiring no IP addresses, leaving layer 3 free for whatever protocols are required. These features allow us to control the connectivity and communication rules within our scenario on the basis of the individual devices' XML property files. AWDS also provides a topology viewer (Figure 5) that gives the user a real-time visualisation of the nodes in the network. Figure 6 shows the 100 square metre layout of our outdoor experiment, a mobile ad-hoc network of five netbooks representing the individuals of the CoI discussed earlier. Four of the netbooks represent the four individual users within the CoI and the fifth acts as the MATTS server. Each netbook has its own policies defined using the policy interface shown in Figure 3, and stores its other identity information as XML files.

This experiment demonstrated a case in which the volunteer node could have accessed the information of the police node, which would violate the system security policy. The situation was identified by the MATTS node, so every request from the volunteer node for access to the police node's information was rejected. This is shown in Figure 7 with the affected nodes highlighted in red. The mobile ad-hoc network testbed allows the scenario to be simulated with the benefit of executing in the real world. It provides the means of connecting multiple wireless nodes and avoids the need for a consistent managed infrastructure, so it can be used in areas where the infrastructure may be unavailable.
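The per-request policy decision just described (the volunteer's request for the police node's information being rejected) and the server-side composition analysis of Section 3, as one added worked example; this is not the paper's MATTS or UCIM code. It parses constructed per-node property/policy files in an assumed XML schema, since Figure 4 is not reproduced here, decides whether one node may request another's information, and then runs a simplified composition analysis over a constructed AWDS-style link list, flagging permitted exchanges that the topology can only carry through a relay whose authorisation level is below the information's sensitivity level. The `share_with` policy element, the numeric comparison rule and every node value and link are assumptions made for the example.

```python
"""Added example (not the paper's MATTS/UCIM code): property-file parsing,
server-side access decisions and a simplified composition analysis for the
four-member CoI scenario. Schema, rules and sample data are assumptions."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    device: str
    organisation: str
    role: str
    sensitivity: int        # 0-9: how sensitive this node's information is
    authorisation: int      # 0-9: the highest sensitivity this node may read
    share_with: frozenset   # organisations the owner's policy permits (assumed element)


# Constructed property/policy files in an assumed schema (Figure 4 is not reproduced).
PROPERTY_FILES = {
    "gold_police": """<node name="gold_police"><device>laptop</device>
      <organisation>police</organisation><role>gold</role>
      <sensitivity>6</sensitivity><authorisation>9</authorisation>
      <policy><share_with org="police"/><share_with org="ambulance"/>
              <share_with org="fire"/></policy></node>""",
    "silver_ambulance": """<node name="silver_ambulance"><device>netbook</device>
      <organisation>ambulance</organisation><role>silver</role>
      <sensitivity>5</sensitivity><authorisation>7</authorisation>
      <policy><share_with org="police"/><share_with org="ambulance"/>
              <share_with org="fire"/></policy></node>""",
    "bronze_fire": """<node name="bronze_fire"><device>PDA</device>
      <organisation>fire</organisation><role>bronze</role>
      <sensitivity>2</sensitivity><authorisation>5</authorisation>
      <policy><share_with org="police"/><share_with org="ambulance"/>
              <share_with org="fire"/><share_with org="volunteer"/></policy></node>""",
    "volunteer": """<node name="volunteer"><device>mobile phone</device>
      <organisation>volunteer</organisation><role>bronze</role>
      <sensitivity>1</sensitivity><authorisation>2</authorisation>
      <policy><share_with org="police"/><share_with org="ambulance"/>
              <share_with org="fire"/><share_with org="volunteer"/></policy></node>""",
}

# Constructed AWDS-style layer-2 topology (undirected links between netbooks):
# the police and ambulance netbooks can only hear each other via the volunteer.
LINKS = [("gold_police", "volunteer"), ("volunteer", "silver_ambulance"),
         ("silver_ambulance", "bronze_fire")]


def parse_node(xml_text: str) -> Node:
    """Read one property/policy file into a Node; the 0-9 levels are validated."""
    root = ET.fromstring(xml_text)
    text = lambda tag: root.findtext(tag, "").strip()
    levels = [int(text("sensitivity")), int(text("authorisation"))]
    if not all(0 <= v <= 9 for v in levels):
        raise ValueError(f"{root.get('name')}: levels must be in 0-9")
    return Node(root.get("name"), text("device"), text("organisation"), text("role"),
                levels[0], levels[1],
                frozenset(e.get("org") for e in root.findall("policy/share_with")))


NODES = {name: parse_node(xml) for name, xml in PROPERTY_FILES.items()}


def decide(nodes, requester: str, owner: str):
    """Server-side decision for 'requester asks owner for its information':
    permitted only if the owner's policy names the requester's organisation and
    the requester's authorisation level covers the owner's sensitivity level."""
    req, own = nodes[requester], nodes[owner]
    if req.organisation not in own.share_with:
        return False, f"{own.name} policy does not share with {req.organisation}"
    if req.authorisation < own.sensitivity:
        return False, f"authorisation {req.authorisation} below sensitivity {own.sensitivity}"
    return True, "permitted by owner policy and level"


def trusted_path_exists(nodes, links, requester: str, owner: str) -> bool:
    """Depth-first search from owner to requester through relays whose
    authorisation covers the owner's sensitivity (the two endpoints are exempt)."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    need = nodes[owner].sensitivity
    seen, stack = {owner}, [owner]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt == requester:
                return True
            if nxt not in seen and nodes[nxt].authorisation >= need:
                seen.add(nxt)
                stack.append(nxt)
    return False


def analyse_composition(nodes, links):
    """Flag every policy-permitted exchange that the topology can only carry
    through a relay not cleared for the information's sensitivity."""
    return sorted((r, o) for r in nodes for o in nodes if r != o
                  and decide(nodes, r, o)[0] and not trusted_path_exists(nodes, links, r, o))


if __name__ == "__main__":
    print("volunteer -> gold_police:", decide(NODES, "volunteer", "gold_police"))
    for requester, owner in analyse_composition(NODES, LINKS):
        print(f"untrusted relay between {requester} and {owner}")
```

Running the script prints the rejected volunteer-to-police request and then the two flagged exchanges between the police and ambulance nodes: each is permitted by policy, but with the chain topology above the only path between them passes through the volunteer netbook, whose authorisation level (2) is below the sensitivity of both endpoints. That is the kind of problem involving several nodes at once that depends on both the link structure and the individual node properties, which a per-request check alone would never raise.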

Figure 5. AWDS topology viewer screenshot showing node connectivity.

Figure 6. Mobile ad-hoc network in a 100 square metre area using five netbooks.

Figure 7. MATTS interface.

Mobile ad-hoc networking is an attractive choice for mobile devices because it is self-healing and self-managing and provides a reasonably reliable network, since every node serves as a relay for the other nodes. These benefits will be of crucial importance in a crisis situation where the attendees are likely to have wirelessly connected devices such as PDAs, laptops and mobile phones, and the traditional static infrastructure-based communications are damaged. The network connection described above allows the sharing and gathering of information and data about the situation that can be used by the command and control structures to inform the decisions made [14].

5 Conclusions

The issue of identity management within a single system can be straightforward. Establishing an IM strategy across a CoI, however, is challenging because of heterogeneity in technology, standards and identity management implementations, and this takes on a new dimension in an SoS because of the need for interoperable IM across multiple systems. Implementing IM in a service-oriented architecture (SOA) or in SoS coalitions for crisis management therefore presents its own challenges. In this paper we have provided a proof of concept that makes IM within a CoI more secure and less cumbersome. It allows users within the CoI to interact as required while protecting their identity information. The method has been tested on a testbed of five netbooks. In future work we aim to deploy the framework in a real situation and to incorporate contextual information to provide a more tailored and secure service for individuals within the CoI.


References

1. Balasubramaniam, S., Lewis, G.A., Morris, E., Simanta, S. and Smith, D.B. Identity management and its impact on federation in a system-of-systems context. In IEEE SysCon 2009, 3rd Annual IEEE International Systems Conference, Vancouver, Canada, 2009. IEEE.
2. Maier, M.W. Research challenges for systems-of-systems. In IEEE International Conference on Systems, Man and Cybernetics, 2005, vol. 4, pp. 3149-3154.
3. Gartner. Emerging trends and technologies scenario. Gartner, 2003.
4. Ashford, W. ISSE 2010: Police are playing catch-up as criminals embrace IT. Computer Weekly, 2010, p. 3.
5. Jøsang, A. and Pope, S. User centric identity management. In AusCERT Conference 2005, Australia, 2005.
6. Leen, G., Lewis, E., Timm, U., Dooly, G., O'Keeffe, S., Heffernan, D., Amanatiadis, A., Gasteratos, A., Athinelis, A., Giannaka, E., Bakopoulos, M., Tsekeridou, S., Markarian, G., Zvikhachevskaya, A., Perez, D.G., Anava, D. and Moss, A. Novel personal digital support systems for emergency responders to a crisis occurring in a critical infrastructure. In IEEE Pervasive Computing, "Pervasive Computing in Hostile Environments", 2010.
7. Balasubramaniam, S., Lewis, G.A., Morris, E., Simanta, S. and Smith, D.B. Identity management and its impact on federation in a system-of-systems context. In IEEE SysCon 2009, 3rd Annual IEEE International Systems Conference, Vancouver, Canada, 2009.
8. Arabo, A., Shi, Q. and Merabti, M. A framework for user-centred and context-aware identity management in mobile ad hoc networks (UCIM). Ubiquitous Computing and Communication Journal, special issue on New Technologies, Mobility and Security (NTMS), 2009.
9. Arabo, A., Shi, Q. and Merabti, M. Data mishandling and profile building in ubiquitous environments. In IEEE International Conference on Privacy, Security, Risk and Trust, Minneapolis, Minnesota, USA, 2010. IEEE Computer Society, pp. 1056-1063.
10. Merabti, M., Shi, Q., Askwith, B., Llewellyn-Jones, D., Reading, M. and Flynn, M. MATTS Instruction Manual. School of Computing and Mathematical Sciences, Liverpool John Moores University, UK, 2007.
11. Zhou, B., Arabo, A., Drew, O., Llewellyn-Jones, D., Merabti, M., Shi, Q., Waller, A., Craddock, R., Jones, G. and Arnold, K.L.Y. Data flow security analysis for system-of-systems in a public security incident. In The 3rd Conference on Advances in Computer Security and Forensics (ACSF 2008), Liverpool, UK, 2008.
12. Shi, Q. and Zhang, N. An effective model for composition of secure systems. The Journal of Systems and Software, 1998, 43, pp. 233-244.
13. Shi, Q. and Zhang, N. A general approach to secure components composition. IEEE Computer Society, 1996, p. 263.
14. Portmann, M. and Pirzada, A.A. Wireless mesh networks for public safety and crisis management applications. IEEE Internet Computing, 2008, 12(1), pp. 18-25.
