Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘NIST’

Worthwhile Cloud Computing Security Resources for CIOs

Tuesday, November 23rd, 2010

I recently participated in a Cloud Innovation Council CIO roundtable discussion focused on cloud computing in the insurance industry. As expected, the CIOs said that they were concerned about cloud computing security in areas like identity management, data security, and network security.

There was another issue, however, that came as a bit of a surprise to me. These IT executives said that cloud computing was so new that they really didn’t have a standard methodology to assess and audit cloud computing providers’ security. Yes, they had a general idea of what they wanted to know but were uncomfortable with informal evaluations and longed for some best practice guidelines.

This situation falls into the “I don’t know what I don’t know” category. Industry hype around cloud computing is off the charts, but when insurance industry CIOs really need some guidance, cloud computing noise makes it difficult to find help. For these and others in the same boat, I suggest they look into two different efforts focused on cloud computing security requirements and assessment processes.

The first is the great work being done by the Cloud Security Alliance (CSA). Now normally I am a bit skeptical of IT industry consortia, but the CSA really has looked thoroughly at cloud security and written several detailed documents around best practices. CSA has even looked beyond basic security and now offers several guidelines on cloud GRC as well.

In addition to the CSA, it is also worth looking into the cloud security work being done at the National Institute of Standards and Technology (NIST). While this has a federal government focus, NIST recently published its Federal Risk and Authorization Management Program (FedRAMP). According to the CIO.gov website, FedRAMP “has been established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products.” There are links to assessment guideline documents here.

With all of the money being spent on cloud computing marketing, you’d think there would be more focus on CSA and FedRAMP but this is not the case. As always, the IT industry loves to solve future, not current, problems. I hope that this blog calls attention to CSA and FedRAMP and provides some assistance to IT and security professionals in the process.

FedRAMP Seeks to Unify Cloud Computing Security Standards Across the U.S. Government

Wednesday, May 5th, 2010

Yesterday, I hosted a panel at the Cloud Computing summit focused on cloud security for the federal government. The panel was made up of some smart folks: Alex Hart from VMware, Bob Wambach from , and one of the primary authors of the Cloud Security Alliance guidelines, Chris Hoff from Cisco.

While these folks offered great contributions, most questions were focused on the fourth member of the panel, Peter Mell from NIST, the chair of the Federal Cloud Computing Advisory Council. Why? Let’s just say that Mell may be the single individual most focused on cloud security in the world. He has been tasked with defining cloud computing standards for the entire federal government–a big responsibility since President Obama and Federal CIO Vivek Kundra continue to trumpet the benefits of cloud computing and push federal agencies to adopt pilot projects.

Mell’s work will soon come to fruition when the feds introduce the Federal Risk and Authorization Management Pilot program (FedRAMP). FedRAMP has two primary goals:

  1. Aggregate cloud computing standards. Today, many agencies have their own sets of standards, which complicates procurement and frustrates federally-focused technology vendors. FedRAMP is intended to consolidate cloud computing requirements into one set of standards that span the entire federal government.
  2. Ease agency certification processes. Let’s say Microsoft’s federal cloud is FISMA-certified by the Dept. of Agriculture. In today’s world, this wouldn’t matter to any other agency–they would still be required to certify Microsoft’s cloud before procuring services. Kundra, Mell, et al. recognize the redundancy and waste here. With FedRAMP, once a cloud provider passes the Certification and Accreditation (C and A) of one agency, all other agencies get a free pass.

Since FedRAMP is still a work in progress, the audience made up of federal IT people had a lot of questions about all of the fine points. Thus Mell was in the hot seat for most of the time.

Peter Mell deserves a lot of credit. Federal agencies have often acted independently with regard to IT, so Mell and his team are herding cats.

If FedRAMP works, cloud service providers can deliver to a single set of standards. This will encourage innovation and bolster competition. On the agency side, FedRAMP could pave the way for a wave of cloud computing consumption over the next few years. What happens if FedRAMP fails? The federal government becomes difficult to service, so most cloud service providers treat it as a market niche. If that happens, the federal government could lose its cloud computing leadership and momentum very, very quickly.

Federal Government Remains Curious — but Skeptical — of Cloud Computing

Monday, May 3rd, 2010

I’m in Washington co-chairing a Cloud Computing summit along with my colleague Mark Bowker. Thus far, we’ve covered cloud computing drivers, virtualization, cloud computing governance/compliance, and new skill sets needed for the cloud.

The audience is made up of federal IT workers, for the most part. These folks are under the gun since the Obama administration is pushing cloud projects and setting aside budget dollars to persuade federal agencies to get on board with proof-of-concept efforts. Federal CIO Vivek Kundra has added fuel to the fire, acting as the poster child for federal cloud computing as a way to save taxpayer money and improve IT service.

The federal audience is certainly hungry for knowledge, but very leery about the cloud in general. The feedback today indicates that:

  1. Federal IT doesn’t know where to start. Perhaps industry hype has blurred the focus, but there were a lot of questions about which IT activities/applications were a good fit for the cloud. We talked about the “low hanging fruit” like cloud storage for non-sensitive data and perhaps e-mail, but the feds want more information. Beyond these obvious candidates, what’s next?
  2. Security and governance scare the heck out of the Washington crowd. Remember that a high percentage of data is considered confidential. In spite of FISMA-compliant cloud efforts, federal IT workers remain unconvinced. Vendors will have to do a lot of hand-holding inside the Beltway.
  3. State and local governments are much more open to the cloud. This is true for one good reason: they are out of money. A CIO from Colorado talked about the state buying services from Amazon and Google. The CIO stated, “you have to give up some control, but you can gain financial benefits.”

Federal IT people really want more basic information and education about the cloud; vendors should note this and ramp up their knowledge transfer capabilities. Furthermore, it is important to talk in federal terms like FISMA and NIST rather than a more generic presentation. Think security and governance from the get-go.

Finally, the feds are really afraid of vendor lock-in, so standards are important here. When and if the federal government agrees upon cloud standards, vendors must go along to get along. If the feds fail to agree upon standards, all bets are off and the federal cloud becomes a big free-for-all. The private sector, public sector, and technology industry should all work together to make sure that this won’t happen.

House Cybersecurity Bill Passes. What’s Next?

Wednesday, February 10th, 2010

There is little doubt that President Obama and the 111th congress are prioritizing cybersecurity initiatives.

The President outlined his plan last May and appointed Howard Schmidt as his Cybersecurity Coordinator late last year. As for the 111th congress, it passed the Federal Data Breach Bill (H.R. 2221) earlier this year and just last week the House passed the Cybersecurity Enhancement Act (H.R. 4061) by an overwhelming vote of 422 to 5.

Just what is the Cybersecurity Enhancement Act? The bill is really focused on cybersecurity research, development, and training. Agencies participating in the National High-Performance Computing Program must provide the congress with a cybersecurity research plan, update an R&D implementation plan annually, and create new plans every three years. Additionally, the bill funds NSF cybersecurity scholarships in exchange for post-graduation government service. The bill also seeks to build cybersecurity collaboration between academic, government, and international institutions and pushes the development of technology standards for cybersecurity.

On balance, this is a good bill that certainly heads in the right direction. That said, I have a few suggestions for fine-tuning this bill as it moves along:

  1. Start earlier. In South Korea, 2nd graders receive training on how to be a good Internet citizen. A cybersecurity bill (either this one or a follow-on) should fund K-12 cybersecurity programs as well. Young children on the network are at least as vulnerable as adults.
  2. Push for continuing education. It is ironic that with the unemployment rate as high as it is, many security positions remain unfilled. Unemployed or underemployed adults with mortgages and children would enthusiastically participate in cybersecurity training if it were available. Note to the President: This should be a funding priority as it is all about 21st century job creation.
  3. Broaden cybersecurity training. Yes, we need firewall administrators and security researchers, but we also need security professionals with strong business, legal, and social sciences skills. This position was well articulated to Congress in June of 2009 by Cornell Professor Fred B. Schneider. We need to create a holistic security program, as Dr. Schneider suggests, that produces professionals who understand security technologies and their implications for business, law, and society.

One other note about the legislation: The stipulation that calls for a new R&D plan every 3 years is misguided. Security threats change on a weekly basis so three years is far too long a timeframe.

With all of my suggestions aside, I applaud the 111th congress for truly collaborating on this important legislation. I strongly urge the Senate and President to fast track this bill.

Symantec Bolsters Public Sector Offering with Acquisition of Gideon Technologies

Tuesday, January 12th, 2010

This morning, Symantec jumped into the 2010 acquisitions pool with its purchase of Gideon Technologies, a security and risk management software vendor. Gideon is not a broad market play — this acquisition is really focused on the Federal market alone.

Gideon is one of few vendors with tools that support the Security Content Automation Protocol (SCAP), a set of standards for describing and rating the severity of system vulnerabilities. Through the National Institute of Standards and Technology (NIST), the Federal government uses SCAP as a foundational component of other security standards like the Federal Desktop Core Configuration (FDCC), the Federal Information Security Management Act (FISMA) and DOD 8500.2/8510.

Yes, this deal is somewhat esoteric as its real application is for the U.S. Federal market alone. That said, ESG is bullish on Symantec’s acquisition for several reasons:

  1. Symantec is putting its money where its mouth is. Recognizing the $80+ billion Federal IT/cybersecurity opportunity, Symantec recently increased its budgets and added staff to its Herndon, VA Federal Sales office. Beyond these basics, Symantec is now willing to invest in specific technologies like Gideon to support this effort. This should demonstrate to Federal Agency CIOs and Beltway System Integrators that Symantec is in the Federal market for the long haul and thus a worthy partner.
  2. Gideon pivots off of Altiris. The former Altiris systems management offerings are clearly one of Symantec’s shining stars. By integrating Gideon SCAP capabilities with Altiris, Symantec will be well positioned to increase its value with its large base of existing Federal Altiris customers, or package Altiris/Gideon solutions to future prospects. Either way, Gideon enhances Altiris, an established market leader.
  3. Gideon can set up longer term opportunities. Ultimately, Altiris and Gideon will be integrated with other Symantec compliance, DLP, and information management products. This gives Symantec a long-term solutions approach to Federal IT complete with products and services. Federal CIOs and system integrators like this extended approach as it maps to big contracts, changing administrations, and new legislation.

To me, Symantec is demonstrating that it truly gets the Federal Government industry. This is important since doing business in the Federal space is different than the private sector. There is a different culture, language, set of standards, thought leaders and relationship protocols. Firms that simply get on the GSA schedule and edit their marketing material learn this lesson the hard way.

With its purchase of Gideon Technologies, Symantec is demonstrating a specific Federal strategy which is exactly what the Federal IT community wants. As it integrates Gideon, Altiris, and other products and services over time, Symantec should see a strong ROI on its acquisition and commitment to the Federal market.

Public Sector Opportunity for Cisco, EMC, and VMware

Wednesday, November 4th, 2009

Yesterday, Cisco, EMC, and VMware unveiled the next iteration of their partnership. Together, the three will offer common support, professional services (through their joint venture, Alpine), and an integrated server, networking, and storage hardware offering called Vblocks. The companies will also work together on service and support.

During the announcement, all three participants highlighted the fact that Vblocks were really targeted at “private clouds.” In other words, a sort of turnkey cloud infrastructure to be consumed by a single organization.

Hmm. So some Fortune 500 company is going to buy a single hardware and hypervisor stack from these guys and replace all kinds of other servers, storage, networking, management tools, etc.? Perhaps, but this seems like a stretch to me as this simply isn’t the way IT consumes products. That said, I believe that Cisco, EMC, and VMware could be very successful with Vblocks and their other new initiatives in the broad public sector space because:

* The Federal government is ga-ga over cloud computing. Since early this year, we’ve seen the feds allocate money for cloud initiatives, propose that GSA offer cloud services, and task NIST with developing cloud standards. Federal CIO Vivek Kundra can’t speak often enough about cloud computing’s potential. Sensing an emerging trend, many federal integrators like Lockheed-Martin, SAIC, and Unisys are building their own clouds believing that Federal agencies will soon buy capacity and services. Cisco, EMC, and VMware should be all over every cloud effort inside the Beltway.

* Governments are modernizing IT. Federal, state, and local governments are actively consolidating data centers, replacing legacy systems, and adopting virtualization technology as a foundation. Case in point, the Commonwealth of MA released its “IT Strategy for the Commonwealth 2009-2011” plan in 2008. The plan calls for the Commonwealth to create “a robust, agile enterprise IT architecture, shared services and applications, and common, effective management practices.” As part of this, MA will consolidate down to 2 data centers, one of which will be a brand new facility in Holyoke. Seems to me that a massive and somewhat green-field opportunity is a perfect target for Vblocks.

* Governments are already onboard. Kundra already selected Google Apps for Washington DC at his previous job, and just last week the City of Los Angeles decided to abandon its own email system in favor of Gmail. These aren’t pure-play government cloud computing efforts, but they do represent a growing trend. It is likely that more and more service providers will develop specific SaaS applications for the public sector, and they will need servers, networks, storage, and virtualization when they do.

The common theme here is that net-new infrastructure presents the biggest short term opportunity for Cisco, EMC, and VMware and that a lot of this activity is occurring in the public sector. This trend will only accelerate as more stimulus dollars flow to IT projects and/or some type of healthcare reform legislation gets passed.

Cisco, EMC, and VMware are leading enterprise companies but so are competitors like HP and IBM. What’s more, technology migration is always ugly. Yes, these three must enter these knife fights together but a public-sector push may be more fruitful while the private sector sorts out this whole nebulous cloud thing over time.

© 2011 Enterprise Strategy Group, Milford, MA 01757