The Justice Interconnection Services Network (JISN) Model

Introduction

The Justice Interconnection Services Network (JISN) model starts with a number of related justice information sources (i.e., databases) that are generally scattered across a geographic region. The network owners provide a way to interconnect these sources and make them available to a large audience of subscribers. The owners of the network are generally not the owners of the information sources. However, the network owners may provide value-added services of their own. These services may include maintaining indices to the information sources; providing a common, simplified user interface; and/or supporting the transmission of free-form messages between subscribers. The JISN model is illustrated at a high level in Figure 3-9: The Justice Interconnection Services Network Model. This model is sometimes described as a “virtual system” or “system of systems.”

Figure 3-9: The Justice Interconnection Services Network Model

The JISN owners generally set the security policies and practices that must be adhered to by information providers and subscribers. The policy for the JISN must convince the information providers that the security of their resources will not be compromised. Conversely, the JISN subscribers must not be overly burdened with security requirements that overwhelm the utility of accessing the information.

The establishment of this consensus security policy and associated requirements is a key challenge for the JISN owners. A simple way to approach this challenge is to pass the security requirements of each information provider through to JISN subscribers. In other words, if a subscriber wants access to a specific database through the network, that subscriber must adhere to the unique security procedures prescribed by the owners of that database. While that makes security management easier for the JISN, it complicates life for the subscribers, who must now be aware of and comply with the security practices of each information resource to which they want access.

The JISN owners can (and often do) eliminate this complexity for subscribers by negotiating with all of the information providers and establishing a single JISN policy that meets all of their needs yet does not overburden subscribers. The negotiation process typically results in a memorandum of understanding, with each information provider specifying how the JISN owner will protect information resources and how information providers will ensure the integrity of provided information and not compromise JISN security. Similarly, the JISN owners must issue a security policy document and requirements to subscribers. All parties should establish security audit and reporting procedures to maintain the electronic trust between owners and subscribers.

There is a growing movement to merge existing JISNs to provide even broader access for subscribers and expand information sharing. This movement elevates and complicates the security policy negotiation process. The final objective is to establish common, agreed-upon procedures among the JISN owners.

The flow of information into and out of the JISN model involves the following:

  • A subscriber queries an information source—In this basic information flow, a subscriber is using the facilities of the JISN to query a connected database. This query may involve an access to the JISN index file to obtain information on where to look for information. For example, a local police officer may be looking for information on vehicles of a given make/model involved in a crime. The JISN must identify and authenticate the subscriber and protect the information in transit.
  • An information source causes an index to be updated—The information resources connected to the JISN are likely to be dynamic. If the JISN maintains an index to these resources to assist in subscriber searches, the index must be updated on a periodic basis. The integrity of the index is a JISN security requirement.
  • A subscriber sends a message to another subscriber—In some networks, simple subscriber-to-subscriber messaging is used as a means to collect information. The subscribers may use messaging to send informal information requests to other subscribers who are not formal information providers on the JISN. Reliable and secure messaging requires that each communicating party is certain who they are sending information to and guarantees that the contents of the message will not be compromised in transit.

As in all of the previous information sharing models, the JISN owners/managers must maintain written information security policies and practices with the objective of protecting these information flows. In addition, the data owners offering services on the network must be confident that the implementation of the JISN policies is sufficient to protect the information that they are providing to subscribers and the systems on which that information is stored.

Security Guidelines for Justice Interconnection Services Network (JISN) Model

The proper security approach for justice interconnection services network information sharing will depend upon the scope and nature of the value-added services provided. Figure 3-10: Security Practices to Support Brokered Information Flow Into the Justice Interconnection Services Network Model shows two possible levels of value-added service represented in side-by-side drawings. The drawing on the left side of the figure represents a JISN that serves primarily as a connectivity medium. On the right, the drawing represents a network that provides brokered connectivity to the information sources that are available through the JISN.

Figure 3-10: Security Practices to Support Brokered Information Flow Into the Justice Interconnection Services Network Model

In the left-hand drawing, the subscriber uses the JISN to identify and connect to an appropriate information source. Once that connection is made, the owner of the information source has primary responsibility for the security procedures that govern the subscriber-to-information source session and information transfer. These procedures are similar to those that apply to the CIR model for subscriber-to-database information flow.

In the right-hand drawing, the JISN server takes a more active role in the subscriber-to-information source session. The JISN server brokers the session. The JISN server passes subscriber information requests on to the source database over a host-to-host connection. In this case, the security procedures that govern the subscriber-to-information source session are primarily set by the managers/owners of the JISN server. These procedures can be similar to those that apply to the CIR model for the subscriber-to-database information flow. The security procedures that govern the JISN server-to-information source session are agreed upon by the managers/owners of the JISN server and the information source. These procedures can be similar to those that apply to the CIR model for database-to-information source flow.

In both drawings, end-to-end encryption is included to protect the confidentiality of a subscriber’s session. Since the JISN is likely to contain information sources with varying access requirements, it is important to ensure that traffic over the network is encrypted from endpoint to endpoint to reduce the risk that one user session can be intercepted by another user connected to the network. Protocols such as the Secure Sockets Layer (SSL) protocol can provide low-cost, low-overhead, end-to-end security and are particularly applicable in situations where the user-client software is a standard Internet browser.

The remainder of this section provides guidelines under each of the security disciplines.

Justice Interconnection Services Network (JISN) Model Disciplines

Firewalls, VPNs, and Other Network Safeguards

The JISN model arises from strategic alliances of law enforcement entities that have recognized common goals and are looking to leverage data they may have, or may hold for others, by creating sharing initiatives among themselves. The connectivity in this model tends to involve groups of professionals from each participating organization who perform formal analysis before any data can be exchanged. The policies of each organization are typically analyzed to determine acceptable sharing strategies that meet each entity’s security needs. Each participant in this model must agree on how far to open their firewalls to allow the exchange of information, who is responsible for supporting the connections, and how vulnerabilities or breaches will be addressed. The use of a DMZ to isolate the data sources to be shared from secure internal systems and from external networks would be typical in this firewall configuration. Logging becomes very important in this data sharing model, as there may be specific reporting requirements to the owners of data if a JISN provider is hosting information for another law enforcement agency. VPN technology may be employed depending on the sensitivity of the data. However, VPN-client access should be limited to the specific resources that the user needs to perform their authorized duties.

Critical Incident Response

Since there is a single management organization responsible for the JISN infrastructure, many of the guidelines for implementing a Computer Security Incident Response Capability (CSIRC) in the centralized sharing model apply. The difference is that the response team for the JISN must coordinate with the teams that serve each of the databases and information systems that the shared network interconnects.

Physical Security

The JISN model is similar to the other models in the necessity to establish physical security policies and procedures to protect the information. Each user organization has a responsibility to protect passwords, to restrict physical access, and to protect secure information obtained from the JISN model.

Identification and Authentication

The subscriber that gains access to the JISN will have access to many information sources. In general, the I&A procedure should be quite rigorous: at least as rigorous as the most rigorous of the I&A procedures of the native information source systems. As a minimum, strong passwords should be used, but as budget permits, the addition of a “something-you-have” factor, such as a hardware token or smart card, is recommended.

Figure 3-10 includes an authentication server. Authentication servers are a good way to implement “single logon” procedures (See Section 2-1). Single logon allows JISN subscribers to gain access to all authorized information sources with a single password. In general, single logon systems provide higher assurance than systems that require subscribers to remember multiple passwords.

Authorization and Access Control

It is likely that the information sources connected to the JISN will carry varied levels of access privilege restrictions. Further, each individual information source system may have several levels of access privileges. In the left-hand drawing in Figure 3-10, authorization and access control are governed by the information source system in much the same way as in the CIR model. In the right-hand drawing in Figure 3-10, authorization and access control are managed by the authentication server. The authentication server can implement an RBAC model for managing the privileges of JISN subscribers. The JISN roles must be mapped into the levels of access privileges defined by each of the information source system managers/owners—there must be agreement and consistency between the JISN and information source managers on access roles.
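The role-to-privilege mapping described above, as an added illustration (not code from this document): a brokered JISN server that maps each subscriber's JISN roles onto the privilege levels each source owner defines, checks that the negotiated mapping is complete and consistent, and denies by default. The role names, source names and privilege levels are constructed for the example.

```python
"""Brokered JISN access decision driven by a JISN-role to source-privilege map.

Added illustration only. Role names, source names and privilege levels below
are constructed placeholders, not values from any real JISN agreement.
"""

# Privilege levels as defined by each information source owner (constructed).
# Each list is ordered from least to most access; ordering is per source.
SOURCE_LEVELS = {
    "vehicle_db": ["none", "query", "full"],
    "case_db": ["none", "index", "summary", "full"],
}

# The negotiated mapping: JISN role -> agreed privilege level at each source.
ROLE_MAP = {
    "patrol": {"vehicle_db": "query", "case_db": "index"},
    "investigator": {"vehicle_db": "full", "case_db": "full"},
    "analyst": {"vehicle_db": "query"},  # no agreement reached for case_db yet
}


def check_agreement(role_map=ROLE_MAP, levels=SOURCE_LEVELS):
    """Return (role, source, problem) triples where the JISN and a source owner
    are not in agreement: a role with no agreed level at a source, or a level
    the source owner never defined. An empty list means the mapping is
    consistent for every role and every source."""
    problems = []
    for role, per_source in role_map.items():
        for source, defined in levels.items():
            level = per_source.get(source)
            if level is None:
                problems.append((role, source, "no agreed level"))
            elif level not in defined:
                problems.append((role, source, f"undefined level {level!r}"))
    return problems


def authorize(roles, source, needed, role_map=ROLE_MAP, levels=SOURCE_LEVELS):
    """Broker decision: grant only if one of the subscriber's JISN roles maps to
    a level at `source` at least as high as `needed`. Unknown sources, unmapped
    roles and undefined levels all fail closed."""
    if source not in levels or needed not in levels[source]:
        return False
    order = levels[source]
    for role in roles:
        level = role_map.get(role, {}).get(source)
        if level in order and order.index(level) >= order.index(needed):
            return True
    return False
```

Running `check_agreement()` before the server goes live surfaces the unmapped role/source pairs that the memorandum of understanding still has to settle.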

Data Classification

The JISN model may have a security policy that creates consistent definitions that all information owners agree upon for each confidentiality, integrity, and/or availability level. For example, all open criminal investigation data might be labeled confidential, high-integrity, and high-availability. The policy should also include procedures for handling each of the different levels of sensitive or critical information. For example, confidential information might require encryption during storage and data transfer. However, the indices of open criminal investigation data might be public and may not require encryption. Information must be labeled to indicate the applicable levels. This method typically results in a memorandum of understanding, with each information provider specifying how the JISN owner will protect its information resources and requiring periodic security audits.

The JISN may alternatively choose to leave the security classifications to the specific database owners. Subscribers must adhere to unique security requirements for each database they access.

Public Access, Privacy, and Confidentiality

The JISN model must have a security policy that includes procedures for handling information subject to privacy laws. Information collected must be labeled as it is transmitted to indicate its privacy requirements, such as obtaining the subject’s consent before disclosure outside the justice system. An authorization check must be performed to verify the subscriber meets requirements for use and dissemination of the information.
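The labeling approach from the Data Classification section and the privacy authorization check described above, as one added illustration (not code from this document): each record carries agreed confidentiality/integrity/availability labels plus privacy flags; the labels drive the handling procedures (for example, encryption of confidential data but not of a public index), and dissemination is checked against the subscriber's attested privileges and, for disclosure outside the justice system, the subject's consent. Label values, privilege names and sample records are constructed for the example.

```python
"""Label-driven handling and dissemination checks for JISN records.

Added illustration only. The label vocabulary, subscriber privilege names and
the sample labels are constructed placeholders, not values from a real policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    confidentiality: str                      # "public" or "confidential"
    integrity: str                            # "normal" or "high"
    availability: str                         # "normal" or "high"
    privacy_protected: bool = False           # subject to privacy law
    consent_required_outside_justice: bool = False


# Consistent definitions all information owners agreed upon (constructed).
LABELS = {
    "open_investigation": Label("confidential", "high", "high", True, True),
    "investigation_index": Label("public", "high", "high"),
}


def handling_requirements(label):
    """Procedures the agreed policy attaches to a label: confidential data is
    encrypted in storage and in transit; high integrity requires an integrity
    check on transfer; high availability places the data in the continuity plan."""
    return {
        "encrypt_at_rest": label.confidentiality == "confidential",
        "encrypt_in_transit": label.confidentiality == "confidential",
        "integrity_check": label.integrity == "high",
        "in_continuity_plan": label.availability == "high",
    }


def may_disseminate(label, subscriber, destination_in_justice_system, subject_consent):
    """Authorization check for use and dissemination. `subscriber` holds the
    privileges the JISN authentication server attests for the user; anything
    not attested is treated as absent, so the check fails closed."""
    if label.confidentiality == "confidential" and not subscriber.get("confidential_access"):
        return False
    if not destination_in_justice_system:
        if not subscriber.get("external_dissemination"):
            return False
        if label.consent_required_outside_justice and not subject_consent:
            return False
    return True
```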

Intrusion Detection

Unlike the PG model, which frequently involves allowing access to internal network resources, the CIR and JISN models are often configured to place the data to be shared in locations outside of the firewalls that protect sensitive internal resources. Data can be stored in locations separate from the core networks (a DMZ), based upon its sensitivity. These areas are often protected by a second firewall that controls access to the shared resources. These models reduce the need to be concerned about the security profiles of subscriber agencies.

The size and scope of interconnectivity associated with the JISN model usually provides good rationale for implementing a comprehensive IDS. The focus of the IDS will be to monitor network resources, since each of the interconnected information system owners will generally be responsible for intrusion detection within their own systems.

Disaster Recovery and Business Continuity

The guidelines provided in Section 3-4, Disaster Recovery and Business Continuity, apply to each of the organizations participating in the JISN model. Each JISN participant should have its own Disaster Recovery and Business Continuity plan. The plan may include having spare equipment in stock or signing agreements between organizations for hot- or warm-site support in the event of a disaster. The plan may also include alternate methods for transferring the information to subscribers, such as secure e-mail, couriers, registered mail, and phone support, depending on the time requirements.