Oasis demonstration - secure information exchange between military and civilian systems

In the fall of 2008 the FFI project 1086 Secure Pervasive SOA participated in a demonstration during the Oasis final event. Oasis (Open Advanced System for dISaster & emenergency management) was a four year research project funded by the EU funded project under the FP6 Information Society Technologies program that ended in December 2008. FFI was not a part of the Oasis consortium but was invited by one of the partners, Thales Norway AS, to take part in the demonstration. This document describes this demonstration where the main focus was information exchange between military systems and civilian emergency response management systems. At a high level the challenge of such an information exchange can be divided into two, translation between data models and secure exchange cross security domains. The need to do translation comes from the fact that the systems did not use identical data models. The need to have secure exchange of information is based on the requirement to minimise the risk of information leakage. The solution outlined in this document, and showed during the demonstration, makes use of confidentiality labels that are bound to the information by a digital signature. The label is used to signalise the sensitivity of the information, which is checked against a policy by a guard before leaving the security domain. In addition this document and the demonstration described here involved use of a security infrastructure for identity management and tools for policy specification and for complying with these. The concept of role based access control was also introduced in this demonstration. This document provides a description of the challenges and solutions demonstrated during the Oasis final event. This includes a description of the technical solutions that were designed and implemented for the demonstration. The technical solution created was a cooperative effort between FFI and Thales Norway AS. This document also provides an evaluation of the solutions. A brief description of the work and artefacts produced by the Oasis project is also included. It is assumed that the reader of this document has basic knowledge of Service Oriented Architecture (SOA) and Web Services.