It started as a relatively simple business-to-business hub. It became an industry-altering secure collaboration platform.
That's perhaps the best way to describe Exostar's effort to develop an external collaboration environment. But it wasn't just any collaboration project. ForumPass 2.0, as it was later named, was deemed so secure that five of the world's largest aerospace and defense companies use it to store and share their most sensitive data.
The first version, developed in 2001, was based on Parametric Technology's ProjectLink software and designed to facilitate collaboration among companies involved in joint development projects. However, the concept met substantial resistance from a user community that has historically been dead set against placing sensitive intellectual property in a third-party environment with little or no control over who can access the data.
Enter Exostar, an e-business founded jointly by BAE Systems, The Boeing Co., Lockheed Martin, Raytheon and Rolls-Royce with the mission of connecting those companies and their suppliers and facilitating more efficient collaboration on major projects. Security was their top concern from the start.
"The CIOs from each company (said), 'Unless our chief security officers all sign off on this, we absolutely have no intention of putting our intellectual property outside of our firewall and behind yours and all commingled together,' " says Jeff Nigriny, chief security officer at Exostar, who was responsible for engineering the new virtual collaboration environment.
That first meeting led to a two-day conference of technical experts from each of the five aerospace companies. They ultimately developed a list of 87 baseline requirements that they agreed would make the collaboration platform secure enough to handle their data. "For the first time, five of the largest aerospace companies agreed on what secure collaboration is and what it should look like," says Nigriny.
The key to success was enabling users from different companies to control the data they owned, regardless of where it was stored.
"We had to set up a system from scratch by which the owners of the data could encrypt the data with keys that they possessed so that not even the Exostar site administrators could recover the data," says Andrew Jaquith, program director at @Stake, who worked with Nigriny on the encryption technology. "So you're essentially substituting encryption using your own keys for the infrastructure that you would ordinarily control."
They came up with the revolutionary idea of using hardware storage modules to encrypt databases and digital certificates from VeriSign to authenticate users. Project managers at each company were given key servers so they could upload documents and generate unique keys on their browsers for each document.
The trick was enabling the other users' browsers to decrypt the symmetric key, which had already been encrypted with a public key.
The solution, says Nigriny, was Security Assertion Markup Language, an XML-based ticket emitted by ForumPass that travels with a document. The user trying to decrypt the document presents that ticket and the encrypted document to the key server, which validates the ticket and the individual's identity.
"Now the document is in ForumPass, and only the people who have been granted access can see it," says Nigriny. "If you don't have access to the document, there's nothing even there to click on."
"Aerospace companies have a long, rich history of robust perimeter defense," says Jaquith. "The notion that they would let somebody else store their data on a network that isn't their own is close to revolutionary."