The Centralized Information Repository (CIR) Model

Introduction

A common approach to information sharing on a wide scale is the establishment of a Centralized Information Repository (CIR) model. Information is generally held in a large database, and justice professionals connected through public or private networks subscribe to the database. With this subscription comes the ability to formulate queries against the database and perhaps generate reports based on the information therein. This model is represented conceptually in Figure 3-3: The Centralized Information Repository Model.

Figure 3-3: The Centralized Information Repository Model

The repository owner has the ability to define all of the security policies, requirements, and practices for information access and use. However, with this flexibility comes the responsibility to implement policies that subscribers can practically implement to enforce the security policy and to safeguard the integrity and availability of the information.

The flow of information within the central repository involves:

Feed from information sources—The central database must be populated and continually updated. Source information generally comes from “the field.” For example, fingerprint information comes from booking stations; incident information comes from local and state reporting sources. The integrity of the information stored in the repository is dependent upon the integrity of the sources.

Queries from subscribers—The reason the repository exists is to provide timely and accurate information to its subscribers. The security practices must ensure access is limited to authorized subscribers and that information remains protected once it leaves the repository, transits the network, and arrives at the subscriber workstation.

There should be a written set of information security policies and practices to protect these information flows and maintain the security and integrity of the data stored in the repository.

Security Guidelines for the Centralized Information Repository (CIR) Model

The CIR system supports information sharing by collecting justice information from its sources, processing and storing it, and subsequently distributing it to subscribers. Figure 3-4: Security Practices to Support Information Flow Into the Centralized Information Repository Model shows some of the mechanisms used to protect these information flows.

Figure 3-4: Security Practices to Support Information Flow Into the Centralized Information Repository Model

There are two networks shown in Figure 3-4: a private network for information collection and for distribution of highly sensitive information (to high-assurance subscribers) and a public network for distribution of less sensitive information (to low-assurance subscribers). The private network may consist of point-to-point lines connecting directly between source computers, subscribers, and the central repository. Alternatively, the private network may consist of a switched network that routes information over many links to transfer it between the source/subscriber and the repository. The security applied by the CIR managers is dependent upon the encryption capabilities offered by the network itself. Even in networks built on dedicated communications lines, telecommunications providers may merge provided lines onto shared resources. To ensure the protection of the information in transit, the CIR system managers can implement endpoint-to-endpoint encryption between information sources and the repository system. A good way to implement this might be by using IPsec—the secure version of the IP protocol (reference). IPsec provides both encryption and integrity features.

A distinction is drawn in Figure 3-4 between information access by high- and low-assurance subscribers. Low-assurance subscribers connect to the information repository through public networks. The information transfer may be protected by end-to-end encryption protocols, such as secure sockets layer. In order to safeguard the information stored in the primary database, the subset of information that is accessible to the low-assurance subscribers is replicated to a database server that is located on the “DMZ.” In contrast, the high-assurance subscribers connect to the private network in much the same way as the information source systems. The CIR managers may insist that subscriber workstations connect solely to the CIR network. Figure 3-4 illustrates this by indicating that the high-assurance subscriber workstations are “logically isolated” from other computer systems and/or networks in the subscriber’s facilities. This requirement prevents unauthorized access to the CIR network from subscribers that are in some way connected to the subscribers’ workstation through local networks.

Centralized Information Repository Disciplines

Physical Security

The CIR model is based upon a central database into which subscribers feed information and from which they access it. The physical security measures should be designed to protect the database at the database site, and each subscriber should also adopt physical security measures to protect the information fed into and accessed from the database.

All users should implement policies that instruct employees how to detect signs of physical intrusion. Policies and procedures should also address appropriate reactions to intruders and advise how to respond to incidents where an intrusion has been detected.

Physical security measures should also address masquerading or impersonation by persons who assume a false identity by obtaining another user's ID and password. Someone may be misled about the identity of the party he is communicating with for the purpose of obtaining sensitive information. An intruder can also use masquerading to take over an existing connection without having to authenticate himself.

A proven method of enhancing physical security is to secure desktop workstations. Effective policies and procedures to secure desktop workstations should be a significant part of any physical security strategy because of the sensitive information often stored on workstations and their connection to the rest of the networked world. Many security problems can be avoided if the workstation and network are appropriately configured.

Identification and Authentication

Since the CIR managers own the shared data, they can independently define the I&A process for all subscribers. The process can be made more rigorous based on the value of the information in the CIR database. For example, low-assurance subscribers may only be required to enter a user ID and a strong password. High-assurance subscribers may be required to use a smart card and enter a PIN to gain access.

As owners of the information resource, the CIR managers can use a very simple approach to motivate subscribers to adhere to the CIR I&A policy. If subscribers adhere, they may access the data. If they do not adhere, access is denied. However, the CIR managers must have some way to audit subscribers to determine if I&A policies are being followed in practice. For example, the CIR policy may specify that there is a one-to-one correspondence between username/password and specific individuals. While the subscribing organization may agree to this policy in theory, practice may show that users share IDs and passwords as a matter of convenience. It is important to institute some degree of auditing (see Section 3-3) to maintain electronic trust in the area of I&A.
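The auditing step described above can be partly automated from the repository's authentication logs. The following is an added example, not code from the document or from any CIR system it describes; the log format, the user IDs and workstation names, and the 30-minute window are all constructed assumptions. It flags user IDs whose successful logins come from different workstations within a short interval, which is the pattern a shared ID leaves behind, while not flagging a user who simply moves to another workstation later in the day.

```python
"""Audit constructed CIR authentication logs for user IDs that appear to be shared.

Assumed (constructed) log line format:
    <ISO-8601 UTC timestamp> user=<id> workstation=<name> subscriber=<org> result=SUCCESS|FAILURE
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) workstation=(?P<ws>\S+) "
    r"subscriber=(?P<org>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

# Constructed sample log: jsmith is used from two workstations minutes apart,
# alee stays on one workstation, mgarcia changes workstation hours later.
SAMPLE_LOG = """\
2004-03-02T08:15:02Z user=jsmith workstation=WS-017 subscriber=CountyPD result=SUCCESS
2004-03-02T08:19:41Z user=jsmith workstation=WS-022 subscriber=CountyPD result=SUCCESS
2004-03-02T08:20:10Z user=alee workstation=WS-101 subscriber=StateDOC result=SUCCESS
2004-03-02T09:02:33Z user=alee workstation=WS-101 subscriber=StateDOC result=SUCCESS
2004-03-02T11:45:00Z user=jsmith workstation=WS-017 subscriber=CountyPD result=FAILURE
2004-03-02T13:00:00Z user=mgarcia workstation=WS-030 subscriber=CountyPD result=SUCCESS
2004-03-02T17:30:00Z user=mgarcia workstation=WS-031 subscriber=CountyPD result=SUCCESS
"""


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "ws": m["ws"],
            "org": m["org"],
            "ok": m["result"] == "SUCCESS",
        })
    return events


def find_shared_ids(events, window=timedelta(minutes=30)):
    """Return (user, earlier_workstation, later_workstation, gap) for each pair of
    successful logins by one user ID from different workstations within `window`.

    A single person cannot plausibly log in from two workstations a few minutes
    apart, so such pairs indicate the ID is shared, violating the one-ID-per-person policy.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:  # failed attempts do not prove anyone was using the ID
            by_user[e["user"]].append(e)
    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for prev, cur in zip(logins, logins[1:]):
            gap = cur["ts"] - prev["ts"]
            if cur["ws"] != prev["ws"] and gap <= window:
                findings.append((user, prev["ws"], cur["ws"], gap))
    return findings


def workstations_per_user(events):
    """Summary view for the auditor: how many distinct workstations each ID was used from."""
    seen = defaultdict(set)
    for e in events:
        if e["ok"]:
            seen[e["user"]].add(e["ws"])
    return {user: len(ws) for user, ws in seen.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, ws1, ws2, gap in find_shared_ids(evts):
        print(f"possible shared ID: {user} used from {ws1} and {ws2} {gap} apart")
    print(workstations_per_user(evts))
```

The window is a policy knob: a shorter window reduces false positives from staff who legitimately roam between workstations, while a longer one catches slower hand-offs of a shared ID. Findings are a starting point for the auditor's review with the subscribing organization, not proof on their own.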

Authorization and Access Control

The authorization and access control requirements for this model are generally enforced through the database system software that houses the CIR information. Authorization and access control can use RBAC techniques as described in the Security Guidelines for Joint Task Force Model, Authorization and Access Control section. Since the CIR managers own the shared information resource, they have a great deal of freedom and flexibility in defining access roles, privileges, and qualification requirements.

Data Classification

The CIR should have a security policy that includes procedures for handling sensitive or critical information. Information collected must be labeled as it comes in to indicate the appropriate confidentiality, integrity, and/or availability levels. Special labels should be created to distinguish between the low- and high-assurance subscribers. When subscribers request information, an authorization check must be performed to verify the subscriber meets requirements for access to the information as indicated by the classification levels.

Since the CIR is made up of information from a wide variety of home organizations, each with different information classification rules, it is the responsibility of the contributors to ensure that any information they supply from their home organization receives the appropriate security classification in the CIR database.

Public Access, Privacy, and Confidentiality

The CIR should have a security policy that includes procedures for handling information subject to privacy laws. Information collected should be labeled as it comes in to indicate its privacy requirements, such as obtaining the subject’s consent before disclosure outside the justice system. When subscribers request private information, an authorization check should be performed to verify the subscriber meets requirements for use and dissemination of the information.
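The three checks described above, the classification label applied on ingest, the assurance-level and role check at query time, and the privacy (consent) check before dissemination outside the justice system, can be expressed as one authorization function. The same label predicate also selects the subset of records that may be replicated to the DMZ database for low-assurance subscribers, as described under Figure 3-4. The following is an added example, not code from the document or from any CIR implementation; the label fields, role names, purposes and sample records are constructed assumptions, since the document names the distinctions but prescribes no label scheme.

```python
"""Classification labels and the subscriber authorization check for a CIR.

All label fields, roles, purposes and sample data are constructed for this example.
"""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    LOW = 1   # public-network subscriber (user ID + strong password)
    HIGH = 2  # private-network subscriber (smart card + PIN)


@dataclass(frozen=True)
class Label:
    confidentiality: str           # constructed levels: "public", "sensitive", "restricted"
    min_assurance: Assurance       # lowest subscriber class that may receive the record
    privacy_protected: bool = False  # record is subject to privacy law
    consent_on_file: bool = False    # subject consented to disclosure outside the justice system


@dataclass(frozen=True)
class Record:
    record_id: str
    source: str   # contributing home organization, responsible for the label
    label: Label
    body: str


@dataclass(frozen=True)
class Subscriber:
    user_id: str
    organization: str
    assurance: Assurance
    roles: frozenset


# RBAC mapping (constructed): which confidentiality levels each role may read.
ROLE_CONFIDENTIALITY = {
    "records_clerk": {"public", "sensitive"},
    "investigator": {"public", "sensitive", "restricted"},
}

PURPOSE_JUSTICE = "justice"                 # use within the justice system
PURPOSE_OUTSIDE = "disclosure-outside-justice"  # dissemination outside it


def ingest(repository, record):
    """Accept a record into the repository only if its contributor labeled it."""
    if not record.label.confidentiality:
        raise ValueError(f"{record.record_id} from {record.source} has no classification label")
    repository.append(record)


def authorize(subscriber, record, purpose=PURPOSE_JUSTICE):
    """Return (allowed, reason): assurance level, then RBAC role, then privacy."""
    if record.label.min_assurance > subscriber.assurance:
        return False, "assurance level too low for this classification"
    permitted = set().union(*(ROLE_CONFIDENTIALITY.get(r, set()) for r in subscriber.roles))
    if record.label.confidentiality not in permitted:
        return False, "role not authorized for this classification"
    if (record.label.privacy_protected and purpose == PURPOSE_OUTSIDE
            and not record.label.consent_on_file):
        return False, "privacy: subject consent required before disclosure outside the justice system"
    return True, "ok"


def low_assurance_subset(repository):
    """Records eligible for replication to the DMZ database serving low-assurance subscribers."""
    return [r for r in repository if r.label.min_assurance <= Assurance.LOW]


# Constructed sample data.
REPO = []
ingest(REPO, Record("R1", "CountyPD", Label("public", Assurance.LOW), "incident summary"))
ingest(REPO, Record("R2", "CountyPD", Label("sensitive", Assurance.LOW, privacy_protected=True), "victim contact"))
ingest(REPO, Record("R3", "StateDOC", Label("restricted", Assurance.HIGH, privacy_protected=True,
                                            consent_on_file=True), "inmate medical note"))

CLERK_LOW = Subscriber("clerk1", "CityCourt", Assurance.LOW, frozenset({"records_clerk"}))
INV_HIGH = Subscriber("det7", "CountyPD", Assurance.HIGH, frozenset({"investigator"}))

if __name__ == "__main__":
    for sub in (CLERK_LOW, INV_HIGH):
        for rec in REPO:
            print(sub.user_id, rec.record_id, authorize(sub, rec), authorize(sub, rec, PURPOSE_OUTSIDE))
    print("DMZ replica:", [r.record_id for r in low_assurance_subset(REPO)])
```

The order of checks matters for what a denied subscriber learns: the assurance check fails first so that a low-assurance subscriber never gets a role-specific or privacy-specific reason for a record they should not know exists. Note that R2 is replicated to the DMZ (its label permits low-assurance access) but still cannot be disclosed outside the justice system without consent; replication and dissemination are separate decisions.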

To ensure the confidentiality of the information as it is transmitted, endpoint-to-endpoint encryption such as IPsec should be used. Also, the CIR management should perform periodic audits of high-assurance subscriber workstations to ensure they are kept “logically isolated” from other computer systems and/or networks to prevent unauthorized disclosure.

Firewalls, VPNs, and Other Network Safeguards

The CIR model was the first information sharing model put into practice. In the situation where a user is accessing resources located in a central repository, there is typically dedicated staff at a data center with adequate training to make certain that the central database is secured by a well-configured and well-monitored firewall. However, a less obvious need for a firewall in the use of resources in a CIR would be the implementation of a personal firewall on a personal computer used to access resources located in the CIR. If a remote user’s computer were compromised, it could potentially expose a vulnerability that would allow access to data in the central repository. Typically in this scenario, policies are in place addressing what traffic is allowed, who is responsible for supporting the system, and how vulnerabilities or breaches should be addressed. VPN technology may be employed depending on the sensitivity of the data. However, VPN-client access should be limited to the specific resources that are needed by the user to perform their authorized duties. Client-based VPNs should have realistic time-out parameters to close network sessions that are not in use.

Critical Incident Response

Critical incident response deployment within this model provides a centralized and coordinated response with a uniform rule set, as well as good lines of communication, command, and control. A modification of scale is the primary adaptive measure required for deployment in this model. These adaptive measures are necessary when critical incident response is deployed in a small criminal justice agency with limited resources. In that event, the basic principles of response are still applicable, but the structure of the organization may reduce the coordination steps necessary for successful deployment of the capability.

Disaster Recovery and Business Continuity

The CIR must have a security policy that includes disaster recovery and business continuity procedures. This becomes vitally important as the number of subscribers dependent upon the information grows. A central repository could become a high-priority target because of the large number of users it could disrupt and the widespread damage its loss could cause.