FDCC

Enhancing Security and Functionality At The Same Time

Have you ever been sucked into the false debate over how much of the IT budget should be spent on security?  I used to be, all the time.  Some folks point to a rule of thumb that goes something like “ten percent of the IT budget should be applied to security.”  That old-school formula may well be part of the reason we got into the mess we are currently in.  It leads you to think security can be separated from the rest of IT.  By my way of thinking, 100% of the budget goes to security and functionality, and that is the calculus.

Really, security is about ensuring the confidentiality, integrity and availability of information, and those properties are inseparable from the functionality of IT.  I try whenever possible to use the terms security and functionality in the same context just to underscore that point.

For example, the goal I continually push regarding security in the federal space is not one dealing with security alone.  I put it this way:  “Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months.”  Putting the goal this way also underscores that it is not security vs. functionality.  Both need to increase.

This goal also cries out for metrics in both security and functionality.  For functionality there are many customer-focused survey methods that can collect the right metrics.  For security, I think one metric stands out above all others:  detected unauthorized intrusions.  There are many other important metrics for other dimensions of the security problem, but that one is key.  So, a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer survey satisfaction to go through the roof, and will expect detected intrusions to drop significantly.  Two orders of magnitude is a factor of 100: if there were 50,000 detected intrusions in 2008, there should be fewer than 500 in 2010.  The caveat any practitioner will raise is that a count of detected intrusions only falls for the right reason when detection coverage is held constant or improved; the same number falls just as fast when sensors are switched off, so it has to be read alongside the coverage of the instrumentation that produced it.

That is a dramatic goal.  What makes me think it is achievable?  In part, the dramatic action being put in place today in the federal space.  In part, dramatic new technologies and approaches like private clouds, thin client computing, and enhanced identity management and authorization methods.  But of more importance and relevance than all of that, in my opinion, is the coordinated action and leadership underway by CIOs, CISOs and the security experts in the federal space today.

As evidence of this positive action I’d like to bring your attention to a release by a consortium of US federal cybersecurity experts: the Consensus Audit Guidelines.  Details of this effort are at http://www.sans.org/cag/

The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance.   These controls and metrics include:

Critical Controls Subject to Automated Measurement and Validation:

  1. Inventory of Authorized and Unauthorized Hardware.

  2. Inventory of Authorized and Unauthorized Software.

  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.

  4. Secure Configurations of Network Devices Such as Firewalls and Routers.

  5. Boundary Defense

  6. Maintenance and Analysis of Complete Security Audit Logs

  7. Application Software Security

  8. Controlled Use of Administrative Privileges

  9. Controlled Access Based On Need to Know

  10. Continuous Vulnerability Testing and Remediation

  11. Dormant Account Monitoring and Control

  12. Anti-Malware Defenses

  13. Limitation and Control of Ports, Protocols and Services

  14. Wireless Device Control

  15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering

  2. Red Team Exercises

  3. Incident Response Capability

  4. Data Recovery Capability

  5. Security Skills Assessment and Training to Fill Gaps

The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them.   The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.  

What should CTOs think about this guidance?  As for me, I most strongly endorse it. In my mind the appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise. 

The deeply respected community leader Alan Paller said it this way:

“This is the best example of risk-based security I have ever seen,” said Alan Paller, director of research at the SANS Institute.  “The team that was brought together represents the nation’s most complete understanding of the risk faced by our systems. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality.”

Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.

CTOs, Global Cyberwar and Our Collective Future

If you are a technologist, please take a moment to download the PDF of the report by the CSIS Commission on Cybersecurity for the 44th Presidency.  This report, titled Securing Cyberspace for the 44th Presidency, is the best statement of the challenges of cyber I have read.  It is also a roadmap that will help anyone trying to navigate these very tough issues.

I've been involved in things cyber for a long time.  My deepest involvement began in December 1998, almost 10 years ago to the day.  In all that time I've seen lots of studies and lots of papers and many treatments of the issues.  But I've never seen one that captures the complexities and the need for specific actions as well as this one.

I'd really recommend you read every word if you want to be considered literate in this field.  But if it will be a little while until you get to it, here are some key points:

The three major findings are:  1) Cybersecurity is now a major national security problem for the U.S., 2) Decisions and actions must respect privacy and civil liberties, and 3) only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will make us more secure.

The report makes a few points about the Bush Administration's Comprehensive National Cybersecurity Initiative (CNCI).  In general they give credit to that initiative and call it good.  I agree: it is a great activity I've previously written about, it is led by one of the most effective people in government today, and it has done great work.  But as the commission points out, the work of the CNCI is good but not sufficient.

The biggest shock for me in this study:  the amount of funding for cybersecurity R&D.  I have been looking into the many activities underway, and maybe that look deceived me into thinking it was a well-funded effort.  The commission, however, estimates that total federal R&D funding for cybersecurity is about $300 million.  That is less than two-tenths of one percent of total federal R&D.

The report has a great section on identity management.

I am convinced the organizational approaches outlined in the study are the right ones as well.  There is only one place in our government where we can lead solutions to this challenge.  Where is that?  Hey read the report!

What else do I recommend CTOs do besides read the report?  I think one way we can all help the cybersecurity effort is to think through which standards bodies are the most important to engage with regarding security.   A few are here:
http://www.ctovision.com/2008/05/standards-organizations-ctos-should-track.html

Update on Federal Cloud Computing

My last several briefings, including one yesterday at the FIAC, have addressed some of the dramatic changes underway in the IT world.  That briefing is attached here: FIACGourleyBrief.pdf

The conference had a focus on information assurance, computer security, network security and chief information security officers (CISOs) in the federal space.  So I not only updated my briefing with the latest tech trends but changed it to focus on lessons learned from industry on compliance monitoring, automation of remediation and related topics.

Performance Management In Organizations and Computers

There are some interesting analogies between performance management applied to organizations and performance management applied to computers.

In both cases, performance metrics are crucial to success.  In organizations, what we reward gets measured, and what gets measured can be more efficiently and effectively done.   In our computers, what we decide is important gets measured, and those measurements can help us drive to increasingly effective and efficient performance.

Another government IT program succeeds beyond all expectations!

In 2002 Congress passed the E-Government Act.  It mandated that the approximately 300 federal entities that can make rules expose those rules in a modernized way, and also specified that draft regulations be exposed so comments can be solicited.

The government's response: OMB and CIOs from throughout the government established an eRulemaking solution that required extensive IT planning, engineering and the fielding of a new IT system.  The eRulemaking Initiative's Federal Docket Management System (FDMS) was created to provide an online public docket and comment system which expands public access to read and comment on federal agency rulemaking.  Although it is a centralized system, agencies were given the ability to manage content and workflow related to their own regulations.  Scalable web-based solutions that enable users in government, and also citizens, to find and read proposed regulations and supporting documents were provided.

And they did this way under budget and on time.  And its functionality exceeded all expectations.  Which is GREAT!

As an IT professional, this is the really neat part that bears repeating.  This project, which is very complex and IT intensive, was delivered under budget and on time.  Additionally, its capabilities far exceeded the expectations of everyone involved.

If you haven't heard of FDMS, maybe it is because it was wildly successful.  Too frequently the only programs that make news are those that don't deliver on expectations.  That means IT heroes, like Pat Micielli of EPA who led this program, frequently don't get the recognition they deserve for the great things they do.

I hope I've gotten your curiosity up a bit on what Pat accomplished.  If you are a citizen of the US you should be very proud of this one.  So check out http://regulations.gov for a first-hand look.  You will see a single interface into approximately 1.5 million documents.  Don't worry, there is a way you can navigate through these without looking at each individual record.  Just dive in and give it a try.  Search for a term like "data center energy" and view the results, or narrow them down by agency.  Or click on those in the range of comment period you are interested in.  Whichever selection you pick, notice how all the other facets of the search change as you do.  See how you can navigate through the results and how the results keep giving you options for refining them?  After you try it this way, can you imagine doing it any other way?

Government users are given more access (there are nearly 4 million records accessible only by federal agency users on FDMS.gov).

Overall, as a CTO and an admirer of technologists at the large agencies, I enjoy pointing this out and really admire what these folks have done.   Great Job!  And as a citizen– Thanks!

Compliance enhances IT support to the mission

I’ve previously blogged about Triumfant, a company that has mastered the automated detection and resolution of IT problems.  I also think of them as the world’s greatest compliance monitoring capability.  What do I mean by compliance?  I mean compliance in the context of the many rules, regulations and configurations that external organizations and the government require, and also compliance with your own policies and guidance.

For those who are not familiar with the full scope of compliance issues, a great source is the site of the IT Compliance Institute.  Their goal is to be a global authority on the role of technology in business governance and regulatory compliance.  That means they are driven to seek out regulations, understand the requirements for compliance, and then help determine the best way to automate that compliance.

The site holds several white papers and checklists on topics like IT audit, risk management, keeping up SOX compliance, change management, logging, reporting, and security.  These papers seem to be good primers for any CTO or other enterprise technologist who needs to understand this domain.

Here are some other thoughts on compliance:

– During my time as a CTO of a DoD agency, I noticed a shift in how federal organizations perceived compliance.  Federal organizations are all about compliance, and have long followed mandates like the Clinger-Cohen Act, FISMA, the many enterprise architecture requirements (like DoDAF or FEA), and a wide variety of other requirements.  But most federal organizations did not treat compliance as a way to optimize delivery of IT capabilities to users.  And most federal organizations did not have to comply with many of the regulations being levied on industry (like SOX, for example).  That is all changing.

– More recently IT professionals began to see compliance and the need for automated control of systems not just as a way of meeting regulation and reporting requirements, but as a way of ensuring uptime, speeding delivery of new software deployments, reducing IT admin costs, and improving the overall ability to support the mission.  Add to this new awareness of the importance of compliance the recent shift of federal policy toward having agencies meet financial audit and IT auditing requirements to the same standards as the commercial sector.

There are more shifts in compliance underway in the federal space, including a new Federal Desktop Core Configuration (FDCC).  I see all this compliance as a good thing that should be executed in a way that enhances uptime, enhances security, and enhances the delivery of capability to end users.

For more on compliance see my previous post    http://www.ctovision.com/2008/07/automated-resolution-of-it-problems.html

For more on Triumfant see:  http://triumfant.com

Automated Resolution of IT Problems

In January 2008 I was named to the advisory board of Triumfant, a company that has mastered the automated detection and resolution of IT problems.  Of all the IT firms I’ve seen, they have the most comprehensive approach to automated resolution management and are the only one I’ve seen that can automate the entire lifecycle of IT problem management, from identification to resolution.

I recently read some very exciting news about Triumfant.  They have just signed a partnership agreement with one of the largest suppliers of computers to the federal government: computer giant Dell Inc.  Triumfant software will be sold pre-installed on Dell computers to federal customers running Microsoft Windows XP and Vista.

I take this as a huge endorsement of the Triumfant approach of automated process monitoring and IT compliance enforcement.  This agreement between Triumfant and Dell is also great news for enterprise CTOs and other technologists who must meet the mandate of the OMB’s Federal Desktop Core Configuration (FDCC).
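As an added example of the “automated measurement and validation” the Consensus Audit Guidelines call for (the first fifteen CAG controls above) and of the compliance-monitoring and automated-remediation loop that FDCC and the posts above describe, here is a small Python model of that process.  It is not code from the CAG, from FDCC, or from Triumfant; in practice FDCC compliance was measured with SCAP content and validated scanners, and this stand-in only shows the measure-then-triage loop.  The baseline, the workstation snapshot, the rule-to-control mapping, and the decision about which findings an agent may fix unattended are all assumptions constructed for the example.

```python
"""Measure a handful of CAG-style controls against a host snapshot, then
triage the findings into automatic versus human remediation.

Added example, not code from the CAG, FDCC, or any vendor. Baseline and
snapshot are constructed test data; control mapping and remediation flags
are this example's own assumptions."""
from dataclasses import dataclass
from datetime import date

AS_OF = date(2009, 2, 1)  # evaluation date for the constructed snapshot


@dataclass(frozen=True)
class Finding:
    rule_id: str
    control: str           # CAG control the rule measures
    detail: str
    auto_remediable: bool  # True if an agent may correct it unattended


# Constructed baseline in the spirit of a desktop core configuration (assumed values).
BASELINE = {
    "settings": {
        "password_min_length": 12,
        "firewall_enabled": True,
        "autorun_disabled": True,
        "screensaver_lock_minutes": 15,
    },
    "authorized_software": {"Microsoft Office", "Adobe Reader", "Antivirus Agent"},
    "authorized_admins": {"bob"},
    "dormant_days": 90,
}

# Constructed snapshot of one workstation, as an inventory agent might report it.
HOST = {
    "hostname": "ws-0042",
    "settings": {
        "password_min_length": 8,
        "firewall_enabled": False,
        "autorun_disabled": True,
        "screensaver_lock_minutes": 15,
    },
    "installed_software": {"Microsoft Office", "Adobe Reader", "LimeWire"},
    "accounts": [
        {"name": "alice", "admin": False, "last_logon": date(2009, 1, 20)},
        {"name": "svc_backup", "admin": True, "last_logon": date(2008, 7, 1)},
        {"name": "bob", "admin": True, "last_logon": date(2009, 1, 25)},
    ],
}


def check_settings(host, baseline):
    """Control 3 (secure configurations): every baseline setting must match exactly."""
    findings = []
    for key, expected in baseline["settings"].items():
        actual = host["settings"].get(key)
        if actual != expected:
            findings.append(Finding(f"cfg.{key}", "3 Secure Configurations",
                                    f"expected {expected!r}, found {actual!r}", True))
    return findings


def check_software(host, baseline):
    """Control 2 (software inventory): flag packages off the authorized list and
    required packages that are absent. Removal is left to a human (it can break a
    user's work); reinstalling a required agent is safe to automate."""
    installed, authorized = host["installed_software"], baseline["authorized_software"]
    findings = [Finding(f"sw.unauthorized.{n}", "2 Software Inventory",
                        f"{n} is installed but not authorized", False)
                for n in sorted(installed - authorized)]
    findings += [Finding(f"sw.missing.{n}", "2 Software Inventory",
                         f"required package {n} is absent", True)
                 for n in sorted(authorized - installed)]
    return findings


def check_accounts(host, baseline, as_of=AS_OF):
    """Controls 8 and 11: unauthorized administrators and dormant accounts."""
    findings = []
    for acct in host["accounts"]:
        idle_days = (as_of - acct["last_logon"]).days
        if acct["admin"] and acct["name"] not in baseline["authorized_admins"]:
            findings.append(Finding(f"acct.admin.{acct['name']}",
                                    "8 Controlled Use of Administrative Privileges",
                                    f"{acct['name']} holds admin rights without authorization", True))
        if idle_days > baseline["dormant_days"]:
            findings.append(Finding(f"acct.dormant.{acct['name']}",
                                    "11 Dormant Account Monitoring",
                                    f"{acct['name']} idle for {idle_days} days", True))
    return findings


def evaluate(host=HOST, baseline=BASELINE, as_of=AS_OF):
    """Run every check and return the combined list of findings."""
    return (check_settings(host, baseline)
            + check_software(host, baseline)
            + check_accounts(host, baseline, as_of))


def remediation_plan(findings):
    """Split findings into what an agent may fix unattended and what needs review."""
    auto = [f for f in findings if f.auto_remediable]
    manual = [f for f in findings if not f.auto_remediable]
    return auto, manual


def findings_by_control(findings):
    """Per-control counts: the shape of metric a compliance dashboard reports over time."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    found = evaluate()
    auto, manual = remediation_plan(found)
    print(f"{HOST['hostname']}: {len(found)} findings, "
          f"{len(auto)} auto-remediable, {len(manual)} need review")
    for f in found:
        print(f"  [{f.control}] {f.rule_id}: {f.detail}")
```

Run against the constructed snapshot it reports six deviations, five of which an agent could correct unattended (two configuration settings, a missing required agent, an unauthorized administrator and a dormant service account); the unauthorized package is deliberately left for a human, since silent removal is the kind of “remediation” that costs uptime.  The per-control counts are the metric worth trending across the fleet, which is what turns a compliance check into the kind of measurement the CAG asks for.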
