Australia’s Defence Strategic Review and Data Centric Security

Australia recently released the 2023 Defence Strategic Review (DSR) which identifies investments required to deliver the Australian Defence Force posture required by 2032-33. In this blog, we explore the new DSR requirements and the impact on Defence and industry security practices.

Data Security Ramifications of the Defence Strategic Review (DSR)

A key theme of the report is that the Australian Defense Force is “not fully fit for purpose” to combat modern threats. It outlines a robust plan to make improvements across multiple areas to ensure Australia’s ability to defend itself against traditional military threats and growing cyber and geo-strategic threats in the Indo-Pacific region.

The new AUKUS agreement between Australia, the United Kingdom and the United States is also a focus with a path to facilitate both information and technology sharing efforts between the three allies.

This change of national security posture from fewer land-based platforms to long-range force projection capabilities has many ramifications across Defence.

DSR Key Requirements and Strategies

The DSR calls out a number of key requirements and strategies, including:

• The need to rapidly translate disruptive new technologies into ADF capability
• Robust cyber security, data networks and space capabilities
• Close partnership with Australian industry
• Supply chain diversity
• Strengthening the AUKUS partners’ industrial bases
• Breaking down barriers to Australian industry participation
• Eliminating barriers to information sharing

The Review notes the absolute importance of Defence’s command, control, communications, computers (C4) networks and architectures in collecting and integrating a diverse range of information to enhance situational awareness and facilitate resilient sensor-to-effector networks.

At the heart of all these requirements is the need to securely share data.

Military advantage has always hinged on the ability to exploit data at scale and deliver it with timeliness and accuracy to the appropriate forces.  In 21st century timeframes this requires real-time secure highly granular information sharing in friendly and hostile environments.

This can only be achieved through what is now called Data Centric Security or DCS, which through Attribute Based Access Control can securely deliver the right data, at the right time, to the right receiver. Data Centric Security is now recognized as the next layer of security that addresses the limitations and weaknesses of perimeter-based security and role-based access control. archTIS built its first DCS solution for the Australian Department of Defence in 2006, and has been building, productising and commercialising evolutions of that system for the past 15 years.

Data-centric Security for Military Advantage

Traditional data security methodologies seek to secure the perimeter or the container that holds the sensitive data such as servers, networks or applications. It offers limited control over the data once it is in motion or being used for sharing and collaboration. It is extremely difficult to control access to data in motion or in use using traditional approaches.

For that reason, Data-centric Security is key. It focuses on securing the data itself – not the network or the storage location. It allows for highly granular control when information is at rest, in motion or in use, as access controls and access security are applied to the data layer.

Unlocking Defence Information Exchange Barriers

archTIS’ mission is to unlock the potential of an information-driven world by developing data-centric security models to empower government, defense, allies, and supply chain partners to share and collaborate on their most valuable and sensitive information.

The company’s products are underpinned by policy-driven attributed-based access control (ABAC) that provides the ability to control access to individual pieces of data – and what users can do with that data if access is granted. Using policies based on attributes (e.g., security clearance, classification, nationality, data sensitivity, etc.) provides granular and dynamic control over sensitive and classified data access and sharing rights.

The archTIS ABAC products extend the zero trust approach of “verify and validate everything’ to each and every access request and sharing attempt at the data layer creating trusted sharing pathways. This delivers the foundations of an enterprise Data-Centric Security Architecture.

archTIS Australian sovereign products include Kojensi, a Defence-accredited platform for the secure access, sharing, and collaboration of sensitive and classified information; and NC Protect for enhanced information protection of sensitive files, messages, and emails in Microsoft 365, SharePoint On-premises, Nutanix Files, and Windows file shares.

The data-centric access and protection delivered through archTIS’ products, make it possible for Defence to implement the key capabilities required to safely exchange information through discovery, labelling, enforcement and protection.

archTIS Capabilities to Support the DSR

Below are some of the key problem areas where archTIS’ products deliver game changing features that are ready to support changes described through the DSR:

• Tagging of data (by source/type, computer enriched – AI, context-driven)
  • Volume and variety of data classification and meta-data required
  • Assurance of tagging (e.g., cryptographic)
• Securing data based on business rules
  • Single Access Management Plane
  • Business definable access rules
  • Dynamic and context-driven (access decision dimensions such as device, location, cyber-worthiness, etc.)
  • Encryption (logical sovereignty, rules-based encryption, etc.)
• Ability for Warfighter to manage business rules effectively
  • Decentralised management
  • Global rules (security classification) vs. local rules (specific characteristics of operations team)
  • Disconnected operation
  • Fine-grained access driven by context (role, location, devices, time of day, etc.)
  • Define business rules that support applying data protection treatments and actions (secure reader, redact, etc.)
• Interoperability of data between systems and across organisations
  • Standards (STANAGs, AUS_Def)
  • Data structure and metadata validation
  • Interorganisation data mapping
  • Setting of terms of use (what can it be used for, who can use it, when can it be used, in what format)
• Flexible integration and implementation patterns
  • Legacy adaptation (wrapper/proxy legacy access control with ABAC)
  • Internet of Things and Sensor integration
  • Data orchestration and streaming
• Appropriate access to data on the move
  • Apply the same access rules across streaming
  • Replication and access to data across the network
  • Resilience of data movement (consistent access control across the network)

Read the white paper Securing Multinational Coalition Collaboration with Data-Centric Security to explore the advantages of dynamic ABAC-secured information sharing for Mission Partner Environments and accomplishing the objectives in the DSR.