Government-industry security group expands

Transglobal Secure Collaboration Program seeks to add systems integrators and software developers to roster of major government bodies and contractors

The Transglobal Secure Collaboration Program (TSCP), an IT security standards consortium that includes heavyweights such as the U.S. Department of Defense (DoD) and many of the largest government contractors in the world, is looking to broaden its ranks.

The TSCP -- founded in 2002 with the goal of bringing together government entities and members of the aerospace and defense industries to establish guidelines for secure collaboration -- said on Aug. 14 that is now looking to bring in systems integrators and software developers.

Along with the DoD, the TSCP counts the U.S. General Services Administration, the U.K. Ministry of Defense, and the Netherlands Ministry of Defense among its existing government participants. Vendors involved in the effort include BAE Systems, Boeing, EADS/Airbus, Lockheed Martin, Northrop Grumman, Raytheon, and Rolls-Royce. 

The TSCP's charter calls for its members to establish specifications for secure online collaboration, identity federation, and digital rights management technologies to build common ground across those areas as they work together on sensitive projects.

TSCP leaders maintain that by getting all the parties involved to the same table to establish security standards for issues such as e-mail encryption, the governments and contractors will save vast amounts of time and money that may have otherwise been spent working on proprietary systems.

"Involvement in the group is sort of like binding arbitration, in the sense that the members have promised to contribute to these specifications and establish central guidelines to adhere to," said Jeff Nigriny, outreach director for TSCP and chief operating officer of CertiPath, which provides PKI management technology to the group.

"The only way to foster interoperability among these large players is to get them to agree on standards," he said. "We have some real technological fights, and some companies involved have been forced to throw things out that they've used in the past, but there's value in bringing this group together to address secure communications and collaboration."

In 2007, TSCP has focused primarily on building guidelines for secure e-mail and federated document sharing. Creating the standards will help the participants address both security and compliance issues, said Nigriny, in particular as the involved parties continue to embrace greater levels of outsourcing and shared infrastructure.

Once the policies have been approved, they will also be shared with the public.

At present, the group is in the process of implementing its secure e-mail guidelines, which are aimed at helping the various parties involved agree on common policies for handling messaging encryption.

Digital certificates and PKI systems have long suffered from a lack of central repositories, making it hard for workers to communicate across multiple organizations, Nigriny said.

By eliminating the need to move information over individual classified networks operated by the participants through use of a Web-based specification that handles behind-the-scenes processing of different PKI and LDAP systems, he said, the groups have been able to streamline communications considerably.

The TSCP secure e-mail guideline is expected to be adopted by all consortium members by the fourth quarter of 2007, after more than 18 months of joint work on the standard.

"We've definitely seen that it takes a while to get all the involved companies to put something like this into production; we've essentially been forced to sit on it for almost a year as companies try to implement it, but this is real progress," Nigriny said.

"The name of the game is interoperability, and all the members view this as a sound way to deal with supply chain security," he said. "Today the only way to address this is to have a prime contractor centralize data or share it via traditional e-mail and buy insurance policies against leaks, which doesn't do anything to protect the data itself."

The TSCP will continue to work on its federated document and ID management projects, with releases for both efforts planned for 2008, he said.

Labeling the consortium as an effective manner for validating security strategies and technology investments, officials with Chicago-based Boeing said they are already working to adopt the group's guidelines and plan to continue doing so.

"Being able to work with the subject matter experts from within each company directly is of tremendous value, and the pilots and interoperability testing also helps validate security approaches in a cooperative lab environment, which helps reduce risk," said Jim Cisneros, deputy chief information officer in the Future Combat Systems unit at Boeing.

"It's the right thing to do, and doing it in this type of forum allows us to understand where information exchange problems occur in common and work together to introduce adjustments that will work across our multiple programs and minimize the need for program-unique solutions," he said.

Developing secure collaboration and communications systems in-house has proven costly in the past, the executive admitted.

In addressing the issue of whether or not adoption of centralized standards among the involved parties might make it easier for attackers to infiltrate the entire group of participants when successful, Cisneros said there is always a risk of such events, but he doesn't feel that the collaboration will have that effect.

"There will always be challenges no matter what we do because the technology constantly changes, but once again, working in this cooperative manner should provide an ongoing forum for us to work with to constantly upgrade our defenses to minimize that from occurring," he said.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies