Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘SAIC’

The CIA and the Encrypted Enterprise

Friday, October 29th, 2010

The international horse show wasn’t the only event in Washington DC this week; I participated in the Virtualization, Cloud, and Green Computing event in our nation’s capital. One of the guest speakers was Ira “Gus” Hunt, CTO at the CIA. If you haven’t seen Gus speak, you are missing something. He is very strong on the technical side and extremely energetic and entertaining.

Gus focused on cloud computing activities at the CIA (I’ll blog about this soon), but I was intrigued by one of his slide bullets that referred to something he called the “encrypted enterprise.” From the CIA’s perspective, all data is sensitive whether it resides on an enterprise disk system, lives in a database column, crosses an Ethernet switch, or gets backed up on a USB drive. Because of this, Hunt wants to create an “encrypted enterprise” where data is encrypted at all layers of the technology stack.

The CIA is ahead here, but ESG hears a similar goal from lots of other highly regulated firms. When will this happen? Unfortunately, it may take a few years to weave this together as there are several hurdles to overcome including:

  1. An encryption architecture. Before organizations encrypt all their data, they have to understand where the data needs to be decrypted. For example, remote office data could be encrypted when it is sent to the corporate data center, but it needs to be decrypted before it can be processed for large batch jobs like daily sales and inventory updates. There is a balancing act between data security and business processes here demanding a distributed, intelligent encryption architecture that maps encryption/decryption with business and IT workflow.
  2. Key management. Most encryption products come with their own integrated key management system. Many of these aren’t very sophisticated and an enterprise with hundreds of key management systems can’t scale. What’s needed is a distributed secure key management service across the network. Think of something that looks and behaves like DNS with security built in from the start. The Key Management Interoperability Protocol (KMIP) effort may get us there in the future as it is supported by a who’s who of technology vendors including EMC/RSA, HP, IBM, and Symantec, but it is just getting started.
  3. Technical experience. How should I encrypt my sensitive Oracle database? I could use Oracle tools to encrypt database columns. I could encrypt an entire file system using Windows EFS or tools from vendors like PGP. I could buy an encrypting disk array from IBM, or I could combine EMC PowerPath software with Emulex encrypting Host-based Adapters (HBAs). Which is best? It depends on performance needs, hardware resources, and financial concerns like asset amortization. Since there is no “one-size-fits-all” solution here, the entire enterprise market is learning on the fly.

A lot of the technical limitations are being worked on at this point, so the biggest impediment may be based upon people and not technology. We simply don’t have a lot of experience here, so we need to proceed with research, thought, and caution. To get to Gus Hunt’s vision of the “encrypted enterprise,” we need things like reference architectures, best practices, and maturity models as soon as possible. Look for service providers like CSC, HP, IBM, and SAIC to offer “encrypted enterprise” services within the next 24 months.

Security Development Lifecycle (SDL) for Agile Development

Tuesday, November 10th, 2009

While all of the recent Microsoft buzz centers on Windows 7, the company made a small but important announcement this week. At TechEd Europe in Germany, Microsoft announced that it has adapted its SDL model to accommodate Agile software development.

This announcement needs a bit of clarification. First, Agile software development is an interative software development model based upon teamwork, cooperation, and communication around specific software functionality. The goal here is rapid application development of specific “chunks” of software functionality rather than the massive, multi-phased software development models of the past. These principles were adapted from successful manufacturing processes such as Six Sigma and the Toyota 5S methodology.

Since its inception in 2001, the Agile development model has gained popularity as it fits well with today’s web-based applications. It is worth noting, however, that there is no single Agile development model. This makes sense as Agile’s focus on teamwork and communication leaves plenty of room for improvisation.

While Agile development has demonstrated its ROI value, the emphasis was always on rapid application and not necessarily on security. Recognizing this deficiency, Microsoft jumped in by adapting its SDL model for Agile. Since the Agile model does not have distinct phases and features rapid release cycles, Microsoft broke its process-oriented SDL into “buckets” of activities. Some of these activities must be done for each Agile project (ex. threat modeling), some must be done once (ex. update compilers), and some must be done on a case-by-case basis (ex. Fuzz testing). Microsoft produced a number of tools and papers to help developers align their Agile development processes to each of these buckets. Ultimately, all of the goodness of SDL remains intact, but developers can customize it for their own needs.

This may seem deep in the technical weeds, but I believe this is an important announcement because:

  1. Agile development is widespread. Microsoft uses it internally, so aligning Agile with SDL was an important corporate goal.
  2. Software security is generally very poor — especially around web applications.
  3. Software assurance is at the heart of many cybersecurity improvement plans such as the Cyber Supply Chain Assurance Model being studied and promoted by SAIC and SAFECode.org.

It is also worth mentioning that SDL is not a profit center for Microsoft. The SDL model creation, development, support, and distribution costs Microsoft a lot of dough each year.

I hope this announcement gets the attention it deserves, especially with Computer Science programs, developer communities, security professionals, and public policy makers. Software security is everybody’s business.

Search
© 2011 Enterprise Strategy Group, Milford, MA 01757 Main: Fax:

Switch to our mobile site