Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘Federal Government’

Worthwhile Cloud Computing Security Resources for CIOs

Tuesday, November 23rd, 2010

I recently participated in a Cloud Innovation Council CIO roundtable discussion focused on cloud computing in the insurance industry. As expected, the CIOs said that they were concerned about cloud computing security in areas like identity management, data security, and network security.

There was another issue, however, that came as a bit of a surprise to me. These IT executives said that cloud computing was so new that they really didn’t have a standard methodology to assess and audit cloud computing providers’ security. Yes, they had a general idea of what they wanted to know but were uncomfortable with informal evaluations and longed for some best practice guidelines.

This situation falls into the “I don’t know what I don’t know” category. Industry hype around cloud computing is off the charts, but when insurance industry CIOs really need some guidance, cloud computing noise makes it difficult to find help. For these and others in the same boat, I suggest they look into two different efforts focused on cloud computing security requirements and assessment processes.

The first is the great work being done by the Cloud Security Alliance (CSA). Now normally I am a bit skeptical of IT industry consortia, but the CSA really has looked thoroughly at cloud security and written several detailed documents around best practices. CSA has even looked beyond basic security and now offers several guidelines on cloud GRC as well.

In addition to the CSA, it is also worth looking into the cloud security work being done at the National Institute of Standards and Technology (NIST). While this has a federal government focus, NIST recently published its Federal Risk and Authorization Management Program (FedRAMP). According to the CIO.gov website, FedRAMP “has been established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products.” There are links to assessment guideline documents here.

With all of the money being spent on cloud computing marketing, you’d think there would be more focus on CSA and FedRAMP but this is not the case. As always, the IT industry loves to solve future, not current, problems. I hope that this blog calls attention to CSA and FedRAMP and provides some assistance to IT and security professionals in the process.

Friday, September 3rd, 2010

Anyone remotely interested in identity management should definitely download a copy of the National Strategy for Trusted Identities in Cyberspace (NSTIC) document. It can be found at this link: .

At a very high level, the strategy calls for the formation of a standards-based, interoperable identity ecosystem to establish trusted relationships between users, organizations, devices, and network services. The proposed identity ecosystem is composed of three layers: an execution layer for conducting transactions, a management layer for identity policy management and enforcement, and a governance layer that establishes and oversees the rules for the entire ecosystem.

There is way more detail that is far beyond this blog but suffice it to say the document is well thought out and pretty comprehensive in terms of its vision. This is exactly the kind of identity future we need to make cloud computing a reality. Kudos to Federal Cyber coordinator Howard Schmidt and his staff for kicking this off.

I will post my feedback on the official website, but a few of my suggestions are as follows:

  1. Build on top of existing standards. The feds should rally those working on things like Project Higgins, Shibboleth, Liberty, Web Services, Microsoft Geneva, OpenID, etc. Getting all these folks marching in the same direction early will be critical.
  2. Get the enterprise IAM vendors on board. No one has more to gain — or lose — than identity leaders like CA, IBM, Microsoft, Novell, and Oracle. Their participation will help rally the private sector.
  3. Encourage the development of PKI services. PKI is an enabling technology for an identity ecosystem but most organizations eschew PKI as too complex. The solution may be PKI as a cloud service that provides PKI trust without the on-site complexity. This is why Symantec bought the assets of Verisign. The Feds should push Symantec and others to embed certificates in more places, applications, and devices.

There will be lots of other needs as well. The document recommends identity and trust up and down the technology stack but it doesn’t talk about the expense or complexity of implementing more global use of IPSEC, BGPSEC, and DNSSEC. There is also the need for rapid maturity in encryption, key management, and certificate management. Good news for RSA, PGP, nCipher (Thales), IBM, HP, Venafi, and others.

The key to me is building a federated, plug-and-play, distributed identity ecosystem that doesn’t rely on any central authority or massive identity repository. This is an ambitious goal but one that can be achieved — over time — if the Feds get the right players on board and push everyone in the same direction.

Interesting Audience Data from the Symantec Government Symposium

Friday, June 25th, 2010

Earlier this week, I participated in the Symantec Government Symposium, an event dedicated to IT and security professionals in the U.S. Federal government. As part of her kickoff presentation, Symantec Federal GM, Gigi Schaum, asked for audience responses to three questions. Here are the questions and the interesting responses:

  1. Has the state of cybersecurity improved over the last 12 months?
     55% of the audience responded “no”
     45% responded “yes”

  2. Which of the following represents the biggest cybersecurity threat?
     40% responded “hostile foreign nations”
     39% responded “lack of federal security standards”
     21% responded “organized crime”

  3. Who has the most impact on cybersecurity?
     38% responded “industry”
     26% responded “DHS/DOD”
     21% responded “the White House”
     15% responded “Congress”

My take is as follows: Cybersecurity is worse than it was 12 years ago — there are more threats and the threats have become more sophisticated. The nation has been effectively treading water in that time frame, so the gap continues to grow. President Obama’s focus on cybersecurity and his appointment of Howard Schmidt were positive moves but not enough.

I agree that hostile foreign nations represent the biggest potential threat, but on a day-to-day basis, organized crime is picking our pockets. To some extent, this response concerns me because it casts security into a military category. It is also interesting that 39% said “lack of federal security standards.” These people were either looking myopically at the Federal space alone, or believe that the Feds haven’t stepped up with cybersecurity leadership. The former answer reflects insular Washington; the latter is absolutely true.

As for the final question, I couldn’t agree more. If 80% of the critical infrastructure is in the private sector, as the President suggests, then industry must be a major part of the solution. This “public/private” partnership has also been lagging.

In total, these answers tell me that things are getting worse and we aren’t doing enough. Pretty scary stuff.

Venture Capitalists MUST Invest More in Cybersecurity

Friday, April 16th, 2010

There is a glimmer of good news on the venture capital front. In Q1 2010, venture funding rose 38% from a year ago to $4.7 billion. What’s more, the pool of VC money is spread over 681 companies, a 7% increase from Q1 2009.

Good, but not great news. Most of the dough is going to biotech companies, while investment in clean technology tripled.

The bad news? Investment in software declined 1% year over year. Remember that in Q1 2009, we were preparing for runs on banks and Hoovervilles.

While I have no data, there is anecdotal evidence suggesting additional bad news. I speak with security companies all the time and I simply don’t see VCs investing heavily in this space.

Perhaps they got burned investing in the 5th NAC, anti-spyware, or UTM vendor. Maybe they think that Cisco, Check Point, Juniper, McAfee, Symantec, and Trend Micro have everything covered. It could be that many believe that the whole tech space is mature, so they are chasing the new new thing in other technical areas.

I’m not sure why the VCs are eschewing security investments, but I do know that this is a problem. Why? At a time when attack volume is steadily increasing, cybercriminals operate like Fortune 500 companies, and FBI directors characterize cybersecurity attacks as “an existential threat to our nation,” the VCs are moving on to perceived greener pastures. In other words, there is serious demand for next-generation security skills and technology, but the supply side continues to invest elsewhere. Bad economics and bad for the digital assets we all depend upon.

Okay, I understand that the VCs are in it for the money and nothing else, but something is wrong with this picture. It seems to me that when demand exceeds supply, there is money to be made. I’d like to see the VCs invest in security as a patriotic act, but I’m not optimistic. Therefore, I have a few ideas for the “smartest guys in the valley” on Sand Hill Rd.

  1. Co-invest with In-Q-Tel. In-Q-Tel is a VC firm that came directly out of the CIA. On its web site, the firm’s mission statement reads as follows: “In-Q-Tel identifies and partners with companies developing cutting-edge technologies to help deliver these solutions to the Central Intelligence Agency and the broader U.S. Intelligence Community (IC) to further their missions.” The key here is to find the smartest security firms whose technology is good enough for the CIA, DOD, and NSA and can be adapted for commercial use. Given the recent string of attacks on private companies, the private sector would welcome military-grade protection.
  2. Explore other direct federal funding. It’s likely that DARPA, NSF, DOE, and other agencies will have money to spend on cybersecurity research and development. Smart VCs will figure out ways to hedge their risks by getting these agencies involved.
  3. Partner with universities. UC-Berkeley, Carnegie-Mellon, MIT, Purdue, Johns Hopkins, and Cornell are all doing advanced research in various security disciplines. The VCs need to buddy up to these prestigious institutions and find investments that provide mutual benefits.
  4. Seek out Israeli money. Educated at Tel Aviv University and Technion and then saturated in security in the IDF, Israel produces some of the smartest security minds in the world. I’d like to see more American investment in Israel and more outreach to Israeli VCs from Sand Hill Rd.

The lack of VC investment in security could have broad implications moving forward, so the VCs can’t sit on the sidelines. It’s time for the rich guys to get more involved and proactively champion security innovation and investment rather than sit back, drink Merlot, and wait for business plans to come in. Our digital security may depend upon this.

Why Are There Still So Many Problems with The Federal Cybersecurity Effort?

Thursday, April 15th, 2010

On May 29th of 2009, President Obama declared: “It’s now clear that this cyber threat is one of the most serious economic and national security challenges we face as a nation.” At FOSE this year, FBI Deputy Assistant Director Stephen Chabinsky gave this ominous statement: “Cybercrime and cyber terrorism could be a game changer and thus represent an existential threat to our nation.”

With such strong words, you’d think that the Feds would have their act together on all things cybersecurity. Unfortunately, you’d be wrong. Speaking at the Interagency Resource Management Conference this week, Cybersecurity Coordinator Howard Schmidt reinforced this bad news. Schmidt’s wake-up call pointed to the fact that the Federal government:

  1. Is way behind on intrusion detection. Schmidt stated, “as far as enterprise-wide intrusion detection goes, it falls under the category of, ‘Why haven’t we done that already?’”
  2. Has not put its money where its mouth is. The federal government hasn’t done enough to fund cybersecurity training programs or scholarships.
  3. Has so far failed to coordinate cybersecurity efforts across federal agencies.

If you aren’t scared and angry right now, you should be. Since 2001, the Federal government has spent billions of dollars on cybersecurity, yet these basic problems remain. Heck, we’ve spent hundreds of millions on the Einstein project, an uber network security monitoring technology effort, yet we aren’t doing basic intrusion detection. Ay, ay, ay!

Schmidt, a security veteran, is clearly frustrated by what he is finding. The rest of us should be outraged.

Let’s hope that the President, Congress, DHS, DOD, and NSA can get their act together and fix these problems under Schmidt’s capable leadership. If not, we may be in serious trouble.

Interesting Data about Data Breaches

Friday, April 2nd, 2010

In a recent ESG Research survey, we asked security professionals at enterprise organizations (i.e., 1,000 employees or more) whether their organization had suffered a data breach within the last year. Here are the results:

Yes, several incidents: 11%
Yes, one incident: 23%
No: 63%
Don’t know: 3%

My analysis:

  1. In total, 34% of these enterprise organizations suffered at least one breach. This is consistent with other ESG Research surveys over the past 5 years, indicating that the data breach problem is not getting any better.
  2. Curiously, organizations that must comply with more than three government or industry regulations suffered more breaches (19% of those organizations surveyed suffered more than one breach) than those that must comply with fewer than three government or industry regulations (6% of those surveyed suffered more than one breach). The obvious explanation is that the definition of a data breach is driven by regulatory compliance; thus the more compliance mandates, the more potential data breach incidents. This makes logical sense, but there is also an underlying cause for concern. Those organizations mandated to comply with lots of government and industry regulations tend to be the biggest organizations with matching IT and security budgets. If this is true, then the data indicates that large security budgets and resources do not necessarily equate to fewer data breaches.
  3. Thirty percent of federal, state, and local government organizations suffered more than one data breach over the past year. This is significantly higher than the cumulative average of 11%.

Teleworkergate: Snowstorms Expose Real Weaknesses in Federal Teleworking Execution

Thursday, March 18th, 2010

While we in Boston had very little natural snow, Washington DC had a record year. Three storms dropped 32″ of snow on our nation’s capital. This led to a federal government shutdown for 3 days, costing an estimated $100 million per day.

You’d think that the impact of this shutdown would be addressed somewhat by the feds’ liberal teleworking policies. According to a 2009 report titled “Status of Telework in the Federal Government, Report to Congress,” 78 agencies reported that nearly 9% of eligible workers reported as teleworkers in 2008. What’s more, 61% of agencies reported a net increase in the teleworker population as well.

While these statistics look impressive, many reports from DC during the snowstorm indicated a different situation. It turns out that many federal workers were stuck at home without a teleworking option. Some workers report that their superiors discourage teleworking as a general rule, assuming that workers will not be productive. There were also a lot of technical problems reported. In general, the snowstorm seemed to expose that the federal teleworking execution is little more than a paper tiger.

So is teleworking a good or a bad thing? While the research varies, many studies point to productivity benefits from teleworking. The State of Maryland Department of Transportation reported a 27% productivity increase from teleworkers. Cisco Systems found similar results: in a study of 2000 teleworking employees, Cisco found that 69% reported higher productivity, 75% said that the timeliness of their work improved, and 80% reported that teleworking improved their quality of life.

As a veteran IT person, I’m shocked by this news. The feds talk a good teleworking game, but if these anecdotes are true, they are talking the talk but not walking the walk. Heck, I even read a note from someone who works at the Dept. of Energy who claims that DOE, the agency that is supposed to help us break our dependence on foreign oil, is extremely tight on teleworking. This is certainly ironic, but also pretty sad. Note to Federal CIO Vivek Kundra: if these stories are true, your biggest obstacle may be culture rather than technology.

With record budget deficits, we need the feds to save money any way they can. Teleworking can and should be part of the solution. If the teleworking situation is as bad as many workers report, we need to figure out the problems and pose a solution ASAP. With the technology options available today, we can’t let outdated attitudes or technology paranoia stifle productivity, employee quality of life, or green-friendly policies.

Fatal System Error: A MUST read for IT professionals, legislators, and law enforcement

Monday, March 8th, 2010

When I left home for the RSA Conference last Monday, I was already aware of the types of cyber threats we are up against. After speaking with security research leaders from Bluecoat, Symantec, and Trend at RSA, I am even more convinced that we are way behind the enemy and need to react quickly before we are completely overwhelmed.

Since one way to drive action is increased cybersecurity visibility and knowledge, I strongly suggest that anyone associated with IT, cybersecurity, privacy, national defense, or law enforcement read the new book, Fatal System Error, by Joseph Menn.

Now I have absolutely no financial interest in this book, nor do I know the author. In other words, I have nothing personal to gain by this recommendation. My goal here is to educate decision makers and the public at large about just how pervasive and sophisticated the cyber threat landscape has become.

Menn’s book demands some level of technical knowledge, but he does a great job of explaining things in a cogent and clear way. The book highlights:

  1. The evolution of the cyber underground. How criminals and the criminal network developed techniques, skills, and attacks over time. The bad guys are evolving exponentially while the good guys’ skills and tools follow a logarithmic curve.
  2. The challenges faced by law enforcement. The Internet opens criminal activity to dispersed adversaries across the globe. Many operate in nation states that have a vested interest in compromising the economic foundation of the West. In other words, we can’t touch most of the bad guys who openly laugh in our faces.
  3. The sophistication of the attacks. The bad guys know who we are, who we trust, and how to exploit us. Think you are protected by law enforcement, banks, and security companies? Think again.

My hope is that those who read this book (author’s note: again, everyone should) become as concerned as I am and demand immediate action. We need things like public awareness campaigns, K through 12 education, information sharing, and global law enforcement agreements, and we need them now. Time is not our ally.

Joseph Menn and those that helped him with this book deserve a lot of credit. I hope it drives immediate action. If it doesn’t, I’ll join Menn in saying, “I told you so” to the industrialized world as we struggle to rebuild our digital economy.

Many, including the DHS, believe that the damage from a cyber attack could be much greater than what we experienced from 9/11. We need to act before it is too late.

RSA 2010: Cloud Security Announcements Already Dominate

Tuesday, March 2nd, 2010

It’s pouring in San Francisco, but ironically, the RSA Conference is already pointed toward clouds, in this case cloud computing security.

There were two announcements yesterday around securing private clouds. New initiative king Cisco announced its “Secure Borderless Network Architecture,” which is actually pretty interesting. Cisco wants to unite applications and mobile devices through an “always-on” VPN. In other words, Cisco software will enforce security policies for mobile devices regarding which applications they can use and when, without user intervention. Pretty cool, but you would need a whole bunch of new Cisco stuff to make this happen.

On another front, industry big-wigs EMC, Intel, and VMware are pushing for a “hardware root of trust” for cloud computing. The goal here is to create technology that lets cloud providers share system state, event, and configuration data with customers in real time. In this way, customers can integrate cloud security with their own security operations processes and management. This is extremely important for regulatory compliance. (Note: Another reason why EMC/RSA bought Archer Technologies.)

These interesting announcements probably presage a 2010 RSA Conference trend: “all cloud all of the time.” Since ESG Research indicates that only 12% of midsized (i.e., 100 to 999 employees) and enterprise (i.e., more than 1,000 employees) organizations will prioritize cloud spending in 2010, all of this cloud yackety yack may be a bit over the top.

Two other announcements worth noting here:

  1. An actual leading voice on cloud computing security, the Cloud Security Alliance (CSA), teamed up with IEEE to survey users about cloud computing security. Users overwhelmingly want to see industry standards, and soon. Bravo CSA and IEEE, I couldn’t agree more.
  2. I like the F5 Networks/Infoblox announcement around DNSSEC. The two companies will offer integration technology between F5 load balancers and Infoblox DNSSEC. This partnership blends the security of DNSSEC with the reality of distributed web-based apps and infrastructure. Kudos to the companies; the federal government will be especially pleased.

See you at the show!

Feds Change Cybersecurity Strategy — Again

Friday, February 12th, 2010

Yesterday the Office of Management and Budget (OMB) announced that it will no longer pursue the Trusted Internet Connections (TIC) initiative first announced in November 2007. TIC was considered one of the cybersecurity efforts making up the Comprehensive National Cybersecurity Initiative (CNCI), which was born out of National Security Presidential Directive (NSPD) 54 and Homeland Security Presidential Directive (HSPD) 23 in January 2008.

Unless you are somewhere between Foggy Bottom and Independence Ave. SE, you are probably confused by all of these acronyms, so allow me to explain.

Back in 2007 there were thousands of Internet connections across the Federal government. This was viewed as a tremendous problem since each connection was a potential ingress point for malicious code and hacker attacks. TIC proposed a simple solution to the problem — decrease the number of Internet connections to as few as possible and then secure the heck out of the remaining connections.

I believe the ultimate goal was to reduce the thousands of Internet connections to something like 50. Throughout 2008 and 2009 the Feds boasted about the tremendous progress they were making.

Okay, now fast forward to yesterday. OMB throws the TIC baby out with the bath water and announces that it will no longer reduce the number of Internet connections but rather improve security requirements at all Internet ingress/egress points. OMB goes on to say that the number of Internet connections in 2010 was roughly the same as in 2007. Diane Gowen, SVP of Qwest Government Services, summed this up as follows: “Despite the whole TIC Initiative, there are probably as many points of Internet connection as there used to be. The new administration is less concerned with the number, and more concerned about getting them protected.”

Back in 2007, many security professionals (including me) thought that TIC was completely misguided because:

  1. It was never linked to network engineering or architecture. Those Internet connections aren’t there by accident. Yes, it is smart to minimize the number, but reducing thousands to 50 would have to mean a “rip and replace” of the whole Federal network.
  2. It ignores network evolution. Data center consolidation, web-based apps, and cloud computing demand network flexibility and Internet connectivity. Reducing the number of Internet connections could be counter-productive here.
  3. It wouldn’t work. Did OMB really think that DOD, NSA, or Homeland Security would go along with this? My guess is that these agencies thumbed their noses and other civilian agencies followed.

The crime here is that it took 3 years and tens, if not hundreds, of millions of taxpayer dollars to ramp up TIC — and then totally reverse course. Someone should be held accountable.

I predict that the next shoe to drop will be some type of pull-back from the Einstein Project — a DHS/US-CERT/Carnegie Mellon science project that could have easily been built with commercially available software from ArcSight, NetWitness, Nitro Security, Q1 Labs, RSA or dozens of others.

I’m sure President Obama’s Cybersecurity Coordinator, Howard Schmidt, is rolling his eyes at these recent events and the demise of TIC. Let’s hope he introduces some pragmatism into high-priced Federal cybersecurity plans before we waste another few hundred million.

© 2011 Enterprise Strategy Group, Milford, MA 01757