SWIF Mission
SWIF is a web-based framework that allows users to collaborate and share information in a secure environment. SWIF provides different layouts for lightweight applications, called widgets, via a web browser. Information residing in SWIF is available to users who are cleared for access and withheld from those who are not. The Joint Staff Senior Leadership has endorsed SWIF as a potential solution to a challenge faced by the Joint operational planning community: information that was available to planners was not discovered and therefore not utilized, impeding the flow from data, to information, to knowledge, and typically leading to suboptimal results.
SWIF Architecture
SWIF was developed on top of OWF. OWF provides a platform for the rapid development and deployment of web-based applications that have the ability to communicate with each other. OWF is a web-based application framework developed by the National Security Agency (NSA) for use in a secure environment. NSA has provided the framework to the open source community to foster further development and integration. Developed as a secure framework, OWF implements Discretionary Access Control (DAC) at the widget level. This allows users and groups of users to access the specific widgets they are authorized for, depending on their role and responsibility. This provides some multi-level security but does not specifically implement security for access to the underlying data that will be utilized by the widgets.
The SWIF development team created several components to add a Mandatory Access Control (MAC) capability to OWF. MAC, the strictest of all levels of control, governs access to the data itself, and the control can differ for every resource object on the system. Thus, under MAC, each unit of data is assigned its own security level, allowing access to be controlled based on the data. Adding MAC on the data itself in a multi-level security framework will provide the security needed for its use in a variety of multi-institutional settings. The SWIF development team also created an Application Programming Interface (API) that allows any developer to create widgets that are ‘MAC enabled.’ Extending OWF with MAC enhances the sharing and coordination of multi-institutional activities and artifacts across different accesses and classifications.
SWIF Security Model
SWIF implements data access restriction by enforcing MAC on all of its data operations. A user can only access the data which he or she is cleared to view. MAC is implemented at multiple security levels and can be configured based on the security policy of the network on which the framework is deployed. SWIF also implements DAC, inherited from OWF, to manage widget permissions based on a user’s roles. For example, a user with the Planner role will be granted access to the Plan Editor widget, and a user with the Capability Service Provider role to the Concept of Execution widget; the same user would not be granted access to widgets that are restricted to other roles.
In order to use this construct, all data must be assigned security labels, either from its original source or by users’ input. The system will verify the data labels against the user’s security accesses upon retrieval and saving of data. This will ensure a user cannot view (read) or label (write) data that are classified above his or her clearance level. This security implementation of MAC at the row (or record) level supports an environment where multi-level data access is required.
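The two checks described above, sketched as an added example (not SWIF or OWF code): DAC decides which widget a role may open, and MAC compares each record's label with the user's clearance on retrieval and on save. The level names, function names and record shapes are assumptions made for illustration; only the role and widget names come from the text.

```javascript
// Added illustration, not SWIF or OWF code; all names and data are hypothetical.
const LEVELS = ['LOW', 'MEDIUM', 'HIGH']; // constructed; set per network policy
// DAC table using the role and widget names from the text.
const WIDGETS_BY_ROLE = {
  'Planner': ['Plan Editor'],
  'Capability Service Provider': ['Concept of Execution'],
};

// DAC: a widget opens only if one of the user's roles grants it.
function canOpenWidget(user, widget) {
  return user.roles.some((r) => (WIDGETS_BY_ROLE[r] || []).includes(widget));
}

// MAC: true when the label is at or below the clearance.
// Unknown or missing labels fail closed.
function dominates(clearance, label) {
  const c = LEVELS.indexOf(clearance);
  const l = LEVELS.indexOf(label);
  return c >= 0 && l >= 0 && l <= c;
}

// Retrieval: rows above the user's clearance are dropped before a widget sees them.
function readRows(user, rows) {
  return rows.filter((row) => dominates(user.clearance, row.label));
}

// Save: the record must carry a label, and the label cannot exceed the clearance.
function saveRow(user, rows, row) {
  if (!row.label) throw new Error('record has no security label');
  if (!dominates(user.clearance, row.label)) {
    throw new Error('label is above user clearance');
  }
  rows.push({ ...row });
  return rows.length;
}

// Constructed sample rows and user.
const rows = [
  { id: 1, label: 'LOW', text: 'plan outline' },
  { id: 2, label: 'HIGH', text: 'capability detail' },
];
const planner = { roles: ['Planner'], clearance: 'MEDIUM' };
```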
SWIF provides a core set of secure web services via a set of Representational State Transfer (REST) APIs. Developers who want to build SWIF widgets use the SWIF JavaScript Services to let their widgets communicate with the database and with other widgets, and to display the appropriate security banners for their content.
SWIF Dynamic Search
SWIF provides dynamic search functionality that filters results based on a user’s security accesses. Depending on the type of data, users can perform searches based on attributes such as keywords, characteristics of the data, security labels, or clearance level.
In a prototype developed for experienced planners in fiscal year 2013, SWIF widgets with specific search requirements were implemented to aid planners and intelligence analysts in target and capability selection. Depending on the type of information needed, users could dynamically pull information such as targets, capabilities, and courses of action from a plan in the SWIF database, based on their roles (via DAC) and clearance level (via MAC). The SWIF Search widgets allowed the planners to select target/capability matches based on fields such as expected effect and target type to incorporate into their plan. Results would only include those capabilities to which the planner had access, thereby maintaining MAC.
The search algorithm used in the SWIF Search Capability Widget was a text-based search that could match on multiple fields of the target and capability. The prototype effort has demonstrated the viability of SWIF in the Joint planning community. Future plans to enhance the Capability Search function include cell-level MAC and an ontological hierarchy to normalize capability descriptions.
Widget developers utilize the SWIF built-in search services via the SWIF REST APIs in two forms: searching and querying. The Search API provides the ability to request exact matches explicitly for one or more fields within the collection. The Query API accepts a string of terms and returns results that match one or more terms, along with a score for each result, based on the total sum of occurrences of all terms in all indexed fields.
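The two search forms described above, modelled as an added example (not the SWIF REST API): an exact-match search and a term query scored by summed occurrences, both applied only to records the user is cleared for. The function names, level names, indexed field list, substring-based counting and sample records are assumptions made for illustration.

```javascript
// Added illustration, not the SWIF REST API; all names and data are hypothetical.
const LEVELS = ['LOW', 'MEDIUM', 'HIGH']; // constructed, ordered low to high
const INDEXED_FIELDS = ['name', 'expectedEffect', 'targetType'];

// MAC check: record label at or below the clearance; unknown labels fail closed.
function cleared(user, rec) {
  const c = LEVELS.indexOf(user.clearance);
  const l = LEVELS.indexOf(rec.label);
  return c >= 0 && l >= 0 && l <= c;
}

// Search form: exact match on every requested field.
function search(user, collection, criteria) {
  return collection
    .filter((rec) => cleared(user, rec))
    .filter((rec) => Object.entries(criteria).every(([f, v]) => rec[f] === v));
}

// Assumption: an occurrence is a case-insensitive, non-overlapping substring match.
function occurrences(value, term) {
  return String(value || '').toLowerCase().split(term.toLowerCase()).length - 1;
}

// Query form: score is the sum of occurrences of all terms in all indexed fields.
// The MAC filter runs first, so withheld records never appear in the ranking.
function query(user, collection, queryString) {
  const terms = queryString.split(/\s+/).filter(Boolean);
  return collection
    .filter((rec) => cleared(user, rec))
    .map((rec) => ({
      id: rec.id,
      score: terms.reduce((sum, t) => sum
        + INDEXED_FIELDS.reduce((s, f) => s + occurrences(rec[f], t), 0), 0),
    }))
    .filter((hit) => hit.score > 0)
    .sort((a, b) => b.score - a.score);
}

// Constructed sample collection and user.
const capabilities = [
  { id: 'c1', label: 'LOW', name: 'alpha relay', expectedEffect: 'relay', targetType: 'network' },
  { id: 'c2', label: 'MEDIUM', name: 'bravo monitor relay', expectedEffect: 'monitor', targetType: 'network' },
  { id: 'c3', label: 'HIGH', name: 'relay relay monitor', expectedEffect: 'relay', targetType: 'network' },
];
const planner = { clearance: 'MEDIUM' };
```

With this data, record `c3` would score highest for the query `relay monitor`, yet it is absent from the MEDIUM-cleared user's results.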