Defence overhauls data access controls

The Department of Defence has overhauled the way its information security to ensure information can be shared with the people who need it most.

The agency has adopted what is termed an "attribute-based access control" (ABAC) model for the last three months, a model developed with BSTTech Consulting.

Speaking at the CA Expo in Melbourne yesterday, BSTTech Consulting director Daniel Lai said that Defence needed to change the way information was protected from a national security perspective.

“The outcomes of 9/11, the Bali bombings and the reviews conducted by internal departments, clearly identified the threat could've been minimised by connecting the dots of information held by various agencies,” Lai told attendees.

“The risk could've been reduced - [it] may not have been stopped - but certainly could've been reduced  - if some of this information had been made available instead of being held [by individual departments or agencies]."

Lai said Defence was looking for a "single information environment", but with information and access contained within multiple, secure compartments.

“They [wanted to] control access to whoever needed it," he said. "They only wanted information served up that was relevant and on a 'need-to-know' basis according to a user's security profile. [The system] also needed to be location aware.”

Lai said Defence built a more “human” security framework - which integrates identity, information, workflow and systems management into access to systems.

This issue was addressed using enterprise architecture practices, rather than developing a new system, according to BSTTech Consulting principal enterprise architect Tony Howell.

Information is being tagged with metadata (data that describes other data) which a rules engine then uses to assess whether a given individual can access it.

“Defence had the requirement to really assess aspects of the user, security clearance, who they are, the position they occupy, where [device] they're meant to be working from," Howell said.

“Combine that with things like the workstation they're logging onto, all the way back to network and server aspects, [and the system can] really build an idea of the session of that user making the request.”

Howell said it was critical the attribute-based access control model was vendor neutral. It was backed by products from CA Technologies, Microsoft and Oracle.

He said the ABAC model could be used more widely across the government in the future.

The same method may be used to secure access to cloud applications, he said.