Enhancing Security and Functionality At The Same Time

February 24, 2009

Have you ever been sucked into the false debate over how much of the IT budget should be spent on security?  I used to be all the time.  Some folks point to a rule of thumb that goes something like "ten percent of the IT budget should be applied to security."  That old school formula may well be part of the reason we got into the mess we are currently in.  It encourages the idea that security can be separated from everything else.  By my way of thinking, 100% of the budget goes to security and functionality, and that is the calculus.

Really, security is about ensuring the confidentiality, integrity and availability of information, and those properties are inseparable from the functionality of IT.  I try whenever possible to use the terms security and functionality in the same context just to underscore that point.

For example, the goal I continually push regarding security in the federal space is not just one dealing with security.  I put it this way:  "Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months."  Putting the goal this way also underscores that it is not security vs. functionality.  Both need to increase.

This goal also cries out for metrics in security and functionality.  For functionality there are many customer-focused survey methods that can help collect the right metrics.  For security, I think one metric stands out above all others:  detected unauthorized intrusions.  There are many other important metrics for other dimensions of the security problem, but that one is key.  So, a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer satisfaction scores to go through the roof, and will expect detected intrusions to drop a hundredfold.  If there were 50,000 detected intrusions in 2008, there should be fewer than 500 in 2010.  The count only means something if detection coverage is held constant or improved: a drop in detected intrusions that comes from looking less hard is not progress, so the number should be reported alongside a measure of what is actually being monitored.

That is a dramatic goal.  What makes me think it is achievable?  In part the dramatic action being put in place today in the federal space.  And in part the dramatic new technologies and approaches like private clouds, thin client computing, and enhanced identity management and authorization methods.  But of more importance and more relevance than all of that, in my opinion, is the coordinated action and leadership underway by CIOs and CISOs and the security experts in the federal space today.

As evidence of this incredible positive action I’d like to bring your attention to a release by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines.  Details of this effort are at http://www.sans.org/cag/

The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance.   These controls and metrics include:

Critical Controls Subject to Automated Measurement and Validation:

  1. Inventory of Authorized and Unauthorized Hardware.

  2. Inventory of Authorized and Unauthorized Software.

  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.

  4. Secure Configurations of Network Devices Such as Firewalls and Routers.

  5. Boundary Defense

  6. Maintenance and Analysis of Complete Security Audit Logs

  7. Application Software Security

  8. Controlled Use of Administrative Privileges

  9. Controlled Access Based On Need to Know

  10. Continuous Vulnerability Testing and Remediation

  11. Dormant Account Monitoring and Control

  12. Anti-Malware Defenses

  13. Limitation and Control of Ports, Protocols and Services

  14. Wireless Device Control

  15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering

  2. Red Team Exercises

  3. Incident Response Capability

  4. Data Recovery Capability

  5. Security Skills Assessment and Training to Fill Gaps

The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them.   The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.  
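Most of the first fifteen controls are meant to be measured automatically, and the measurement for several of them is the same shape: compare what the enterprise says it has against what a scanner or agent actually observes. The script below is an added illustration of that comparison for controls 1 (hardware inventory), 2 (software inventory) and 11 (dormant accounts). It is not code from the CAG or from SANS; the inventories, observations and account records are constructed inline, the field names (serial, package, last_login) are assumptions, and the 90-day idle threshold is a placeholder, not a figure from the guidelines.

```python
"""Automated measurement for three CAG controls: #1 hardware inventory,
#2 software inventory and #11 dormant accounts.  Added example, not part of
the Consensus Audit Guidelines or the original post.  All data below is
constructed; field names and the idle threshold are assumptions."""
from datetime import date, timedelta

# Constructed "authorized" inventories: what the enterprise says it owns and runs.
AUTHORIZED_HARDWARE = {"SN-1001", "SN-1002", "SN-1003"}
AUTHORIZED_SOFTWARE = {"openssh", "nginx", "python3"}

# Constructed observations, as a network scan or host agent would report them.
OBSERVED_HARDWARE = [
    {"serial": "SN-1001", "host": "web01"},
    {"serial": "SN-1002", "host": "web02"},
    {"serial": "SN-9999", "host": "unknown-laptop"},   # never inventoried
]
OBSERVED_SOFTWARE = [
    {"host": "web01", "package": "nginx"},
    {"host": "web01", "package": "openssh"},
    {"host": "web02", "package": "netcat"},            # not on the approved list
    {"host": "web02", "package": "python3"},
]
ACCOUNTS = [
    {"user": "alice",      "last_login": date(2009, 2, 20)},
    {"user": "bob",        "last_login": date(2008, 10, 1)},
    {"user": "svc_backup", "last_login": None},        # never logged in
]

# Constructed measurement date so the example is repeatable offline.
REFERENCE_DATE = date(2009, 2, 24)


def unauthorized_hardware(observed, authorized):
    """Control 1: devices seen on the network that are not in the authorized inventory."""
    return sorted(d["serial"] for d in observed if d["serial"] not in authorized)


def missing_hardware(observed, authorized):
    """Control 1, other direction: inventoried devices no scan has seen (lost, stolen or offline)."""
    seen = {d["serial"] for d in observed}
    return sorted(authorized - seen)


def unauthorized_software(observed, authorized):
    """Control 2: (host, package) pairs that are not on the approved software list."""
    return sorted((s["host"], s["package"])
                  for s in observed if s["package"] not in authorized)


def dormant_accounts(accounts, today, max_idle_days=90):
    """Control 11: accounts idle longer than max_idle_days, or never used at all.
    max_idle_days is an assumed threshold, not a CAG figure."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts
                  if a["last_login"] is None or a["last_login"] < cutoff)


def measure(today=REFERENCE_DATE):
    """One measurement pass.  The counts are the metric; the lists are the work queue."""
    return {
        "unauthorized_hardware": unauthorized_hardware(OBSERVED_HARDWARE, AUTHORIZED_HARDWARE),
        "missing_hardware":      missing_hardware(OBSERVED_HARDWARE, AUTHORIZED_HARDWARE),
        "unauthorized_software": unauthorized_software(OBSERVED_SOFTWARE, AUTHORIZED_SOFTWARE),
        "dormant_accounts":      dormant_accounts(ACCOUNTS, today),
    }


if __name__ == "__main__":
    for control, items in measure().items():
        print(f"{control}: {len(items)} finding(s) {items}")
```

Run on its own it reports one unknown device, one inventoried device that no scan has seen, one unapproved package and two dormant accounts. The point of checking both directions of the hardware inventory is that a device present in the inventory but absent from every scan is as much a finding as an unknown device on the wire.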

What should CTOs think about this guidance?  As for me, I most strongly endorse it. In my mind the appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise. 

The deeply respected community leader Alan Paller said it this way:

"This is the best example of risk-based security I have ever seen," said Alan Paller, director of research at the SANS Institute.  "The team that was brought together represents the nation's most complete understanding of the risk faced by our systems. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality."

Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.


The Future of the Grid: From Telecommunications to Cloud-Based Servers

February 19, 2009

There was once a time long ago when telecommunications and computing were two different concepts.  That was the age when phone company operators manually switched calls and computers like ENIAC were programmed with patch cables.  Since then the two fields have been on a convergence path.  The many advances in both fields since the 1940s make for exciting reading for computer and telecom fans, but rather than recount those achievements here I'd rather talk about a more modern achievement of note, the establishment of the Advanced Telecommunications Computing Architecture (ATCA or AdvancedTCA).

ATCA is an open standard that has been around since about 2003.  It has been continually enhanced and today it is perhaps the most broadly accepted standard in the telecom industry, with over 100 companies participating in development and implementation of the specification.  Perhaps more important is the adoption of the standard in the telecommunications industry.  A review of Wikipedia entries and other open information (like the Intel Embedded and Communications Alliance) indicates the "hockey-stick" adoption curve seen with other highly reliable, widely trusted standards.  IDC projects the ATCA market will be about $2.7 billion in size by 2013.  I think the global financial crisis and the ongoing wave of mergers and purchases of smaller comms and equipment providers by larger ones will accelerate this trend even faster, as modular, low-cost, highly reliable standards become even more necessary.

Network equipment providers face two challenges that they are addressing with ATCA: 1) the need to continue to deliver new platforms and applications and, 2) the need to reduce costs and improve productivity.  ATCA provides a great opportunity to address these needs.  The ATCA standards provide a common platform that delivers lower cost, reduced maintenance, the ability to use third party boards, and reduced vendor lock-in (more on ATCA capabilities is below).

In my opinion, enterprise CTOs should work to accelerate moving the ATCA standard and compliant products into data centers.  It results in more computer power per square inch, higher reliability, power savings, cost savings, long term maintainability, and a path for upgrade that does not require forklifts.  ATCA is not something that currently scales down to small network devices, but it is something that I believe will prove to be perfect for data center server support.

Here is more on ATCA:

– Boards (blades) in an ATCA shelf are hot-swappable.
– There is no shared "bus" for communications in an ATCA shelf.  Instead, boards communicate point to point over a switched fabric, which is faster and avoids the single point of failure inherent in the bus model.
– The switching fabric is not fixed; the specification allows several.
– Boards can be processors, switches or specially designed advanced cards, as needed.
– Shelf management is a core part of the design.  If any sensor reports a problem the shelf manager can take action or report the problem to a system manager.  That action could be turning up a fan, powering off a component, or telling a human that something needs to be replaced before it fails.
– It is designed for very high reliability and very high availability.
– It runs cooler, even with its higher-powered processors.
– It supports a healthy multi-vendor, interoperable ecosystem.
– It is based on open standards rather than proprietary (locked-in) solutions.

Now back to the opening idea of this post.  Telecom, data and compute power are not separate things anymore.  Each is closely interwoven with the others, and success in one thrust can make a huge positive difference in capabilities in the other areas.  As organizations and users grow more accustomed to the power of cloud computing they will demand higher and higher levels of reliability and resiliency from their service providers.  And as service providers deliver higher levels of reliability and throughput, cloud compute providers will see more and more success, which will place increased requirements on their capability.  In both cases, ATCA will provide the agility, resiliency and reliability required, which will drive its adoption further and further into the telecom and data worlds.

So, for CTOs who are concerned with maximum performance with power and space efficiency and a path to future upgrades, accelerate ATCA into your enterprise.  How?  I just typed the words "atca for the datacenter" into Google and got several links worth diving much deeper into, including:

Will ATCA Bring Order Out of Chaos for Blade Servers?

Sun Netra CP3220 ATCA Blade Server


Vint Cerf of Google and Bob Gourley of CTOvision.com on CIO Talk Radio

January 26, 2009

On Wednesday 28 Jan 2009 at 10am Eastern I’ll be on CIO Talk Radio with one of the stars of the global technology community, Vint Cerf.  

The topic we will be discussing is the next technology revolution in the US and how it will start.  Vint is fantastically qualified to discuss this topic, and I’m honored to be sharing a microphone with him and look forward to learning from the interaction.  Every time I get the pleasure of interacting with Vint it ends up influencing me.  I hope to capture some of our interaction for future blog posts here at ctovision.com

Vint’s bio is incredible and I learn something every time I read it.  I’ve pasted it below.  

But first more on CIO Talk Radio.  CIO Talk Radio is an Internet radio talk show, broadcast live every Wednesday at 9:00 AM Central / 10:00 AM Eastern, about how technology has changed and is changing the way we live our lives as well as do business.  Guests are business leaders, subject matter experts, and thought leaders who are responsible for shaping the way we use technology.  Visit the site at http://ciotalkradio.com and click on LIVE BROADCAST to listen.  A popup window will open and, if you have Windows Media Player installed, you will hear the live broadcast within 10 to 15 seconds.  In case of issues you may also open the broadcasting station websites.  Call 866.472.5790 to ask questions during the live broadcast.

Now for that incredibly interesting bio:

Vint Cerf
Vice President and Chief Internet Evangelist for Google

Vinton G. Cerf has served as vice president and chief Internet evangelist for Google since October 2005. In this role, he is responsible for identifying new enabling technologies to support the development of advanced, Internet-based products and services from Google. He is also an active public face for Google in the Internet world.

Cerf is the former senior vice president of Technology Strategy for MCI. Previously, Cerf served as MCI’s senior vice president of Architecture and Technology.

Widely known as one of the “Fathers of the Internet,” Cerf is the co-designer of the TCP/IP protocols and the architecture of the Internet. In December 1997, President Clinton presented the U.S. National Medal of Technology to Cerf and his colleague, Robert E. Kahn, for founding and developing the Internet. Kahn and Cerf were named the recipients of the ACM Alan M. Turing award in 2004 (sometimes called the “Nobel Prize of Computer Science”) for their work on the Internet protocols. In November 2005, President George Bush awarded Cerf and Kahn the Presidential Medal of Freedom, the highest civilian award given by the United States to its citizens. In April 2008, Cerf and Kahn received the prestigious Japan Prize.

Prior to rejoining MCI in 1994, Cerf was vice president of the Corporation for National Research Initiatives (CNRI). As vice president of MCI Digital Information Services from 1982-1986, he led the engineering of MCI Mail, the first commercial email service to be connected to the Internet.

During his tenure from 1976-1982 with the U.S. Department of Defense’s Advanced Research Projects Agency (DARPA), Cerf played a key role leading the development of Internet and Internet-related packet data and security technologies.

Vint Cerf served as chairman of the board of the Internet Corporation for Assigned Names and Numbers (ICANN) from 2000-2007. Cerf also served as founding president of the Internet Society from 1992-1995 and in 1999 served a term as chairman of the Board. In addition, Cerf is honorary chairman of the IPv6 Forum, dedicated to raising awareness and speeding introduction of the new Internet protocol. Cerf served as a member of the U.S. Presidential Information Technology Advisory Committee (PITAC) from 1997 to 2001 and serves on several national, state and industry committees focused on cyber-security. Cerf sits on the Board of Directors for the Endowment for Excellence in Education, the Jet Propulsion Laboratory Advisory Committee and the Board of the Avanex Corporation. He also serves as 1st Vice President and Treasurer of the National Science & Technology Medals Foundation. Cerf is a Fellow of the IEEE, ACM, and American Association for the Advancement of Science, the American Academy of Arts and Sciences, the International Engineering Consortium, the Computer History Museum, the Annenberg Center for Communications at USC and the National Academy of Engineering.

Cerf is a recipient of numerous awards and commendations in connection with his work on the Internet. These include the Marconi Fellowship, Charles Stark Draper award of the National Academy of Engineering, the Prince of Asturias award for science and technology, the National Medal of Science from Tunisia, the St. Cyril and St. Methodius Order (Grand Cross) of Bulgaria, the Alexander Graham Bell Award presented by the Alexander Graham Bell Association for the Deaf, the NEC Computer and Communications Prize, the Silver Medal of the International Telecommunications Union, the IEEE Alexander Graham Bell Medal, the IEEE Koji Kobayashi Award, the ACM Software and Systems Award, the ACM SIGCOMM Award, the Computer and Communications Industries Association Industry Legend Award, installation in the Inventors Hall of Fame, the Yuri Rubinsky Web Award, the Kilby Award, the Rotary Club International Paul P. Harris Medal, the Joseph Priestley Award from Dickinson College, the Yankee Group/Interop/Network World Lifetime Achievement Award, the George R. Stibitz Award, the Werner Wolter Award, the Andrew Saks Engineering Award, the IEEE Third Millennium Medal, the Computerworld/Smithsonian Leadership Award, the J.D. Edwards Leadership Award for Collaboration, World Institute on Disability Annual award and the Library of Congress Bicentennial Living Legend medal. Cerf was inducted into the National Inventors Hall of Fame in May 2006.


Federal Government Technology Directions and the Fed CTO

January 19, 2009

Technologists in and out of government have been very excited about the work of the Obama transition team, especially the work of their technologists.   A group known as the TIGR (Technology, Innovation and Government Reform) Team has brought some of the best and brightest minds together to strategize and impact the action plans of the federal government.

We have now been treated to an insider’s view into the workings of this team.  The Change.gov website posted a 4 minute video introducing these thinkers and showing us some of the dialog underway.  See it below:

The video shows glimpses of the entire team, but features:

  • Vivek Kundra, CTO of Washington DC
  • Beth Noveck, Author and idea generator who has written on topics like “Wiki-Government”
  • Andrew McLaughlin, head of global policy and government for Google.
  • Dan Chenok, a former IT executive and Obama advisor.
  • Blair Levin, Telecom analyst and former FCC executive.

Watch the video to see them in action!  Listen for the term "mashups," and for a good definition of cloud computing relevant to the federal enterprise.

For those who have made it a hobby to speculate on who Obama's CTO will be, I think the answer now is that it almost doesn't matter which of the nation's great tech leaders is selected.  We know whoever it is will stand on the shoulders of giants and will be served by a group of advisors who have mapped out a vision and an action plan for success.  (Whoever it is, I just hope to have dinner with him or her periodically to pick his or her brain and see how I can serve from the outside.  I sure want to see them succeed.)

Now things are about to get exciting!  Time for all of us to do what we can to ensure the visions of this group become reality.


What if you could show key Social Media/Web2.0 sites in one graphic?

December 31, 2008

Overdrive is a company that specializes in helping others leverage the social media landscape.  They produced a great graphic that gives at least a high-level overview of the key social media and Web 2.0 world.  Click on the image for a larger view, or download the PDF here: Download social-media-map.pdf

I really like this graphic for a couple reasons.  One is that like many other people I long for ways that can help me visualize and grasp things in this fast moving space.  I know this does not capture all the social media sites and I know the categories are not as clean as depicted here.  But still it is GREAT context and will be helpful to me in explaining to others some of the fast moving cloud based services out there (note to overdrive: please find room to add a section on cloud services, like cloud based office automation).  

Another key reason I like this is it proves Overdrive's assertion that they are a company that can demystify online tools and help companies leverage these capabilities.  The fact that they are letting any blogger anywhere post this graphic on their site is proof that they understand how these things work.  Companies who want to make it in social spaces should give first then receive later.

How did I find this cool graphic?  Friends at Facebook sent it to me.  I found this cool social media reference through a cool social media site.


CTOs, Global Cyberwar and Our Collective Future

December 8, 2008

If you are a technologist, please take a moment to download the PDF of the report by the U.S. Commission on Cybersecurity.  This report, titled Securing Cyberspace for the 44th Presidency, is the best proclamation of the challenges of cyber I have read.  It is also a roadmap that will help any trying to navigate these very tough issues.

I've been involved in things cyber for a long time.  My deepest involvement began in December 1998, almost 10 years ago to the day.  In all that time I've seen lots of studies and lots of papers and many treatments of the issues.  But I've never seen one that captures the complexities and the need for specific actions as well as this one.

I'd really recommend you read every word, if you want to be considered literate in this field.   But if it will be a little while till you get to it, here are some key points:

The three major findings are:  1) cybersecurity is now a major national security problem for the U.S., 2) decisions and actions must respect privacy and civil liberties, and 3) only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will make us more secure.

The report makes a few points about the Bush Administration's Comprehensive National Cybersecurity Initiative (CNCI).  In general they give credit to that initiative and call it good.  I agree; it is a great activity I've previously written about that is led by one of the most effective people in government today and has done great work.  But as the commission points out, the work of the CNCI is good but not sufficient.

The biggest shock for me in this study:  the amount of funding on R&D for cyber security.  I have been looking into the many activities underway, and maybe that look made me deceive myself into thinking it was a well funded effort.  The commission, however, estimates that the total R&D funding in the federal government for cybersecurity is about $300 million, less than two-tenths of one percent of total federal R&D.

The report has a great section on identity management.

I am convinced the organizational approaches outlined in the study are the right ones as well.  There is only one place in our government where we can lead solutions to this challenge.  Where is that?  Hey read the report!

What else do I recommend CTOs do besides read the report?  I think one way we can all help the cybersecurity effort is to think through which standards bodies are the most important to engage with regarding security.   A few are here:
http://www.ctovision.com/2008/05/standards-organizations-ctos-should-track.html


Vivek Kundra: Democratizing Data and Putting it in the Public Domain

November 20, 2008

I'm hoping most enterprise CTOs have had a chance to learn more about Vivek Kundra's Apps for Democracy initiative.  I'm really impressed by this activity for many reasons, but primarily because it got results of use to the citizens and visitors of DC.  This initiative proved yet again that Vivek Kundra is a CTO who gets things done.  From his bio:

Vivek Kundra was appointed by Mayor Adrian M. Fenty on March 27, 2007 to the Cabinet post of Chief Technology Officer (CTO) for the District of Columbia. As CTO, Kundra leads the Office of the Chief Technology Officer (OCTO), an organization of over 600 staff that provides technology services and leadership for 86 agencies, 38,000 employees, residents, businesses, and millions of visitors.

Prior to this Vivek was getting things done in the Commonwealth of Virginia, in the private sector, and in Arlington Virginia. 

In his current position he became an instant hero to an entire enterprise when he took the bold step of moving his enterprise to a Google Apps foundation. The video below provides some background on this move. 

An equally wise, and similarly bold, move was Vivek's initiative called Apps For Democracy.  This contest began with Vivek ensuring that the DC government was being as open and transparent with data as possible, exposing data in a variety of common formats.  This was no simple task, requiring vision, perseverance, and a dedication to plow through city hall obstacles that only a motivated leader could tackle.  Vivek set the groundwork for success by working with great thought leaders like Peter Corbett at iStrategyLabs and by coordinating with Internet enthusiasts like the crew at Mashable.  The iStrategyLabs team created a proposal for this project, brought it to life in six days, and created a page encouraging mashup entries, and the result was an incredible generation of capabilities that serve DC citizens and visitors to our Capital.   47 applications were created in a way that did not require long procurement processes or costly integration contracts.  What do the apps do?  Check them out yourself here: medal-winners

My favorite:  DC Historic Tours.   This is really really cool.   Thanks Vivek!

For more see the video below:


Apps for Democracy from Shaun Farrell on Vimeo.

What else can I say about Vivek?  He also has great models for internal program management.  His approach is nothing like the one I learned from Gartner that everyone tries to implement.  And it is better than the one I learned in the corporate world that worked very well for us at TRW and Northrop Grumman.  His approach is nothing like the one we used at DIA.  In fact, if I had it to do over again I would use his approach in my old enterprise.  For more on his way, see the write up for his 2008 InfoWorld Top 25 CTO award.

So hey, what's next?  My hope is that the methods and models of Vivek (and iStrategylabs) are applied across the nation and up to state and federal levels.  Think of the good that could be done. 


One to watch regarding standards and security

November 16, 2008

In May 2008 I provided an overview of Standards Organizations CTOs Should Track.  Standards groups don't change that fast, so the list is still pretty much ok, but I was very light on industry consortia.  Industry groups can play a large role in setting and implementing standards.  Industry reps send the majority of thinkers to standards bodies and industry management decides what standards to follow or ignore.  Tracking industry consortia can be very important to the CTO. 

Since security is such a hot topic (see: The Future of Cyberspace Security and Melissa Hathaway Op-Ed on Cyber Security, for example) I wanted to point out one I think we should all watch: the Industry Consortium for Advancement of Security on the Internet, or ICASI.



OMB on CIOs: Some context for the enterprise CTO

October 26, 2008

On 21 October, Mr. Clay Johnson of OMB signed out a memorandum for the heads of all executive departments and agencies in the US government.  Check it out here:

Download 20081023-omb-cio-memo.pdf

This is a great read and a positive move.  It provides an emphasis on the information technology management structure and governance framework.  This type of memo should be required reading of all government IT professionals, but it holds particular significance for the CIO and CTO. 



Melissa Hathaway Op-Ed on Cyber Security

October 14, 2008
Below I'm going to post, in its entirety, the text of an e-mail I received from the ODNI notification service.   The subject is an op-ed written by Melissa Hathaway, a senior leader who has been spearheading significant coordination action in the federal government (opinion: Melissa is perhaps the most effective SES-level leader in the US government today, IMHO).

I wanted to post this in totality for a couple reasons.  One is it is something all of us should read.  Although I believe most readers of this blog will find no surprises in this op-ed, Melissa has a real talent for capturing information in easy to understand ways and I think we can all borrow lessons from the way she explains things. 


