INFORMATION BASED SECURITY ARCHITECTURE
Conventionally, security classification levels are applied to whole documents, and documents with different classifications must be stored on separate networks with strictly controlled interfaces between them. This leads to expensive duplication where, for example, a SECRET document may contain only a small amount of actual secret information: a redacted version of the same document, with the secret information removed, may need to be stored on the separate network, and keeping the two copies in sync introduces significant overhead and opportunity for error.
With IBSA, security classification is applied at the level of paragraphs, pictures or even individual words, with separation between the classifications being enforced using encryption. The separate parts (‘IBSA Objects’) are stored separately (on separate networks if required) and brought together only when a document is to be read or edited. Objects with lower classifications are common to the low-classification and high-classification versions of the document, so the duplication and synchronisation overhead is eliminated.
Exsel Electronics has been involved in the development of this technology, working on behalf of the UK Defence Science and Technology Laboratory (DSTL).
INFORMATION BASED SECURITY ARCHITECTURE KEY ATTRIBUTES
Storage space is saved because it is no longer necessary to store multiple nearly-identical copies of the same document. With the Information Security Management System, errors are reduced because these multiple copies no longer need to be kept in sync with one another manually; instead the synchronisation is enforced automatically.
Security is enhanced because, when a document is not being read or edited, it does not exist as a whole: documents are assembled when needed and broken into encrypted pieces when stored. The pieces themselves can be dispersed over multiple physical servers, if necessary with the most sensitive fragments stored behind extra layers of physical protection such as data diodes or cross-domain guards.
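The following is an added illustration, not Exsel's or DSTL's code, of the fragment-level model described above: each paragraph is sealed under its own classification's key as a separate IBSA Object, the same stored objects serve both the high-side and the low-side view, and a reader lacking a key sees only a redacted placeholder. The document, classification names and key material are constructed for the example, and the SHA-256 counter keystream is a toy stand-in for a real authenticated cipher.

```python
import hashlib
import hmac
import os

# Constructed example: two classification tiers, each with its own key (hypothetical key material).
KEYS = {"OFFICIAL": b"O" * 32, "SECRET": b"S" * 32}

# Constructed document, classified per paragraph rather than as a whole.
DOCUMENT = [
    ("OFFICIAL", "Project overview: the trial runs at the coastal site in spring."),
    ("SECRET", "Sensor detection range is withheld from the lower tier."),
    ("OFFICIAL", "Contact the programme office for logistics."),
]

def _keystream(key, nonce, length):
    """Toy SHA-256 counter keystream; a real system would use an AEAD such as AES-GCM."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC one fragment, producing nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the tag before decrypting; a wrong key or a tampered object is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def store(document, keys):
    """Break the document into IBSA Objects: (classification, sealed bytes), each independently storable."""
    return [(level, seal(keys[level], text.encode())) for level, text in document]

def render(objects, keys_held):
    """Reassemble the view for a reader holding some keys; fragments above clearance are redacted."""
    lines = []
    for level, blob in objects:
        if level in keys_held:
            lines.append(unseal(keys_held[level], blob).decode())
        else:
            lines.append(f"[{level} REDACTED]")
    return "\n".join(lines)

if __name__ == "__main__":
    objs = store(DOCUMENT, KEYS)
    print(render(objs, KEYS))                            # full document
    print(render(objs, {"OFFICIAL": KEYS["OFFICIAL"]}))  # low-side view from the same stored objects
```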