Virtual directory serves as DOD's 'white pages'
Implementation of a Defense Department-wide virtual directory, already some 4 million listings strong, requires unity of effort across DOD.
As the Defense Department works to improve information sharing across the Global Information Grid, one program is facilitating that mission with a virtual “white pages” harvested from several offices, servers and communities across DOD.
The Joint Enterprise Directory Service (JEDS) is gearing up to be the big daddy of DOD contact information — some 4 million listings’ worth now that the program has been fully implemented, according to Robert Richardson, JEDS program manager.
“Directories are the backbones of any enterprise — it’s how you find things on the network,” Richardson said. “It facilitates net-centricity and information sharing.”
The information for the directory is culled from a number of sources, including the four services, human resources, accreditation records, enrollment system databases and the directories supplied by individual agencies. It also uses information from the existing Global Directory Service and the Public Key Infrastructure program, both of which provide access control and accreditation.
“This is truly a joint effort,” Richardson said. “To do this we need the commitment and support from all the components and offices,” including pertinent programs of record and associated communities of interest, including contractors.
Such a massive undertaking has its challenges. Creating JEDS, which began in 2007, means balancing the dire need for information sharing with privacy, security and ethical concerns, Richardson said.
“You have to weigh those concerns with the ability for people to find the people they need to talk to, especially because we have more joint needs, so we need to have this at an enterprise level,” Richardson added.
Building a repository of this magnitude has a number of logistical obstacles as well. Many DOD personnel have more than one e-mail address, for example. Then there’s the high rate of changeover as people move offices and assignments. “There’s a fair amount of churn in the military,” all of which needs to be updated in an individual’s JEDS file. When that’s all sorted out, it needs to be delivered in a format that is easy to work with.
“It’s a real challenge to gather all of that information, put it together and give it back in a fast, secure interface,” said Richardson.
In an era of cyber sabotage concerns, security is a top priority for the JEDS program. The service exists behind DOD firewalls and is accessible only by DOD-accredited parties who must provide two-factor (certificate and PIN) authentication for access. Additionally, files do not include personal information, but rather a basic work-related identity, such as e-mail address, work telephone and/or component assignment. And not all records include all information; some are very basic listings for which all of the information hasn’t been compiled.
There are also varying degrees of access within JEDS, based on a user’s access controls. Some users, such as contractors, are flagged to be prevented from seeing some information, and some data can be flagged as “do not publish.”
“My two real security concerns are unauthorized data mining and unauthorized data manipulation,” Richardson said. Possible threats include mining the directory for e-mail phishing targets or building an operational picture based on personnel information. “Unauthorized data mining is by far the greatest risk and challenge to identify and mitigate,” he said, particularly because the threat could emanate from an internal source that has the necessary credentials.
To help counter that threat, Richardson said DISA has implemented information assurance tool sets that flag any efforts to bypass the two-factor authentication system. Additionally, the office is integrating a log aggregation and analysis tool called Splunk, which maps user query patterns to identify any inappropriate activities and trace them back to the user.
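The query-pattern analysis described above can be sketched as follows. This is an added example, not JEDS, DISA or Splunk code: the log layout, user IDs and thresholds are assumptions, and the sample records are constructed. It profiles each authenticated user's directory queries and flags bulk retrieval or wildcard sweeps, the pattern a credentialed insider mining the directory would leave.

```python
import re
from collections import defaultdict

# Constructed sample records, not real JEDS or Splunk data. The layout
# "time user=<id> filter=<LDAP-style filter> returned=<n>" is an assumption.
SAMPLE_LOG = """\
2010-03-01T09:00:05Z user=u1001 filter=(mail=jane.doe@example.mil) returned=1
2010-03-01T09:02:11Z user=u2002 filter=(sn=a*) returned=412
2010-03-01T09:02:14Z user=u2002 filter=(sn=b*) returned=388
2010-03-01T09:02:17Z user=u2002 filter=(sn=c*) returned=405
2010-03-01T09:02:20Z user=u2002 filter=(sn=d*) returned=290
2010-03-01T09:10:40Z user=u3003 filter=(cn=smith*) returned=37
2010-03-01T09:11:02Z user=u3003 filter=(mail=john.smith@example.mil) returned=1
2010-03-01T09:15:30Z user=u1001 filter=(telephoneNumber=555-0100) returned=1
2010-03-01T09:16:00Z user=u3003 filter=(mail=ann.lee@example.mil) returned=1
truncated line without fields
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) filter=(\(.*\)) returned=(\d+)$")
ENTRY_LIMIT = 1000      # entries one user may pull in the window (assumed)
WILDCARD_RATIO = 0.75   # share of wildcard queries treated as a sweep (assumed)
MIN_QUERIES = 3         # do not judge the ratio on fewer queries than this

def profile_users(log_text):
    """Aggregate per-user query count, entries returned and wildcard queries."""
    stats = defaultdict(lambda: {"queries": 0, "entries": 0, "wildcards": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:               # skip malformed records instead of failing
            continue
        _, user, ldap_filter, returned = m.groups()
        s = stats[user]
        s["queries"] += 1
        s["entries"] += int(returned)
        s["wildcards"] += "*" in ldap_filter
    return dict(stats)

def flag_harvesting(stats):
    """Return {user: [reasons]} for users whose pattern looks like bulk mining."""
    flagged = {}
    for user, s in stats.items():
        reasons = []
        if s["entries"] > ENTRY_LIMIT:
            reasons.append("volume")
        if s["queries"] >= MIN_QUERIES and s["wildcards"] / s["queries"] >= WILDCARD_RATIO:
            reasons.append("wildcard-sweep")
        if reasons:
            flagged[user] = reasons
    return flagged

if __name__ == "__main__":
    print(flag_harvesting(profile_users(SAMPLE_LOG)))
```

Because every record carries the authenticated user ID, a flagged pattern traces directly back to an account, which is the property the two-factor requirement provides to the analysis.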
According to Richardson, attempts to manipulate data, such as by a hacker, are unlikely since any changes to the information would be overwritten the next time JEDS automatically updated the entry in question. “This is why we have to refer users seeking to correct their JEDS information to their data source’s help desk. It is only at the source that it can be modified,” he said.
However, mobile directories and their infrastructure can still be frail or have compromised integrity, according to one analyst. And glitches in the authentication could be disastrous for users who need to access information.
Gartner research director Andrew Walls expressed concerns about relying so heavily on authentication. “The ability for these operations hinges on certifications. If a soldier in the field (gets locked out), that’s a big problem. Whether it’s in Afghanistan or in Omaha, people need to meet their objectives,” he said, while relying on a system that even Richardson admits isn’t perfect.
While he acknowledges that in a worst-case scenario there could be a security breach with an unauthorized or potentially malicious person gaining access, Walls is optimistic about DOD security. “Given the scale of military operations, we’re talking about hundredths of a percent of failure — but of course, they want zero,” Walls said.
In the future, follow-on capabilities could include a virtual “blue pages” as well, according to Mohammad Khattak, program manager for Booz Allen Hamilton, the contractor supporting JEDS.
For now, JEDS is looking to continue building its repository. “It’s an ongoing process,” Richardson said.