From System High to Zero Trust: The Impact of Security Requirements on a Multinational Standard with Technical Specifications for Data Dissemination

Technical and technological progress leads to new possibilities for information exchange systems. Particularly, the associated aspects of IT security are continuously evolving. In addition, information is nowadays most of the time stored decentralized and not close to the user working with it. Information is disseminated over different network nodes and geolocations. This leads to the necessity of integrating heterogeneous external and internal systems and applications. As a result of these conditions, new requirements as well as risks to the underlying systems are being identified. Technological progress also opens up new opportunities for attackers and provides additional targets. This is extremely challenging for systems that support data exchange based on a multinational standard such as Coalition Shared Data (CSD).CSD is a concept for the distribution of information in multinational Joint ISR (Intelligence, Surveillance and Reconnaissance) operations. The interfaces, data models and specifications to support this concept are described in the STANAG (STANdardization AGreement) 4559. In order to fulfill the security requirements of a current multinational environment, zero trust architecture is now enforced.In this paper we investigate the compatibility of the zero trust architecture with the current version of STANAG 4559 Edition 4. Here we focus on a specific part of the standard that deals with the storage and dissemination of Joint ISR products. We point out working fields in the areas of authentication, authorization, data integrity and legacy technologies. As the latter is a core problem, our main focus in this paper is the replacement of legacy technology through the communication architecture REST (Representational State Transfer). We highlight the challenges associated with such changes. We explain how the STANAG 4559 Custodian Support Team (CST) deals with these challenges. We also describe how we support these aspects by providing definitions, prototyping and participating in the test events with our implementation.