National Security Spec Advances

Forthcoming Web services-based standard will let government agencies, first responders and other organizations exchange data securely in real time.

A group of technology companies and government agencies this week will unveil an open specification for securely sharing sensitive information across heterogeneous networks in times of crisis.

The framework already has been implemented in some locations and could eventually be rolled out internationally, giving participants a trustworthy channel for exchanging data with peers, according to project officials.

Developed by Regional Alliances for Infrastructure and Network Security, or RAINS, OSIS (Open Specification for Information Sharing) relies on Web services for the exchange of information. RAINS will operate a UDDI (Universal Description, Discovery and Integration) registry for participants and plans to accredit each system before it is brought into the program.

OSIS is an outgrowth of RAINS Connect and Protect project, which has linked schools, government agencies and other organizations. RAINS comprises mostly technology companies, universities, critical infrastructure providers and public agencies. The framework is designed to work in heterogeneous environments and can be deployed on existing systems, RAINS officials said. The group rejected the idea of basing the plan on a single vendors products, deciding that requiring participants to buy specific hardware or software would defeat the purpose of the program.

When it RAINS, it pours

Elements of OSIS

  • Vendor-neutral
  • No special hardware or software required
  • Deployed on existing systems
  • RAINS-operated UDDI registry
  • Based on Web services

"Single-vendor systems give you interoperability but not choice or security," said RAINS Chairman Charles Jennings in Portland, Ore. "This is about bringing innovation to the process. Its not just an abstraction."

The OSIS guidelines are designed mainly for use by government agencies, first responders, critical infrastructure providers and other organizations that need to exchange data securely in real time. RAINS officials say they hope the establishment of a standard format for information sharing will reduce complexity in the processes currently used by organizations such as the Information Sharing and Analysis Centers.

RAINS has had discussions with Department of Homeland Security officials about bringing the department into the program. No plans have been finalized yet, but Jennings said he believes RAINS will be working with DHS by the end of the year. The group already has worked with the Department of Defense on its annual Joint Warrior Interoperability Demonstration exercise.

Among services the group plans to implement are targeted alert notifications, secure e-mail, command-and-control functionality and a common operational picture. All this will be accomplished via secure Web services, Jennings said. To that end, OSIS complies with most current standards, such as Security Assertion Markup Language, Web Services Security, Web Services Security Policy and Web Services Trust.

Security experts say the RAINS approach is a sign of good things to come. "Anytime you can get all of these leaders together and address this problem, its a good thing. Were seeing more interest from governments on the state and local level," said Brian Grayek, a security strategist at Computer Associates International Inc., in Islandia, N.Y., who has worked with several government agencies on information sharing.

"Theyre interested in the technology," Grayek said. "But if theyre going to go forward, they want to do it securely. This is a step in that direction."

/zimages/4/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis. Be sure to add our security news feed to your RSS newsreader or My Yahoo page: /zimages/4/19420.gif