iGouge


Monthly Archives: March 2008

March 31, 2008 · admin

Items that matter.. even in frugal market - GCN Article

What’s on the list?

Agencies’ IT priorities include consolidation, virtualization and, as always, security
By John Moore


There’s nothing like a tight budget for getting people to focus on the bottom line. And many of the technologies government agencies have at the top of their priority lists follow that line.

Agency and industry executives say they see the government emphasizing technologies that reduce costs, boost efficiency and protect data. Near-term goals focus on infrastructure consolidation, virtualization and encryption.

The General Services Administration, for example, took on infrastructure consolidation last year when it awarded its Information Technology Global Operations contract. Within that broad framework, the agency now pursues local-area network consolidation and security-related initiatives, said Casey Coleman, GSA’s chief information officer.

The budget climate provides a mandate for consolidation and “forces us to look for ways to use each dollar most efficiently,” Coleman said.

Agencies also have begun to explore nontraditional models, such as software as a service, that promise to reduce the upfront cost of applications. And thin-client computing is back on some agency radars as interest in desktop virtualization increases.

IT managers who want to put these technologies into play need to keep the bottom line in mind: A solid business case can help get initiatives off the ground even in a challenging financial situation.

“If a good [return on investment] can be calculated for a proposed project, interest remains strong,” said Shawn McCarthy, director of research for Government Vendor Programs at IDC’s Government Insights and a GCN columnist.

Here are what agencies consider must-have technologies for the near term and what they have in mind for the future.

Consolidation and virtualization

Server consolidation — and the technologies that make it happen — ranks high on the short-term list.

The reason is hardly surprising: Consolidation can lead to significant cost reductions.

The Agriculture Department, for example, has embarked on a program to consolidate data centers and centralize applications. The initiative, which includes server virtualization, could save $40 million per year, said Charles Christopherson Jr., chief financial officer and CIO at USDA. The savings take into account factors such as reduced hardware expenditures, software licensing fees, utilities and systems management.

“The footprint is getting smaller and smaller as we move forward on the infrastructure side,” Christopherson said.

USDA has established four centralized data centers and plans to reduce the number of smaller data centers from more than 30 to “as few as we can,” Christopherson said.

Virtualization will help USDA reduce its server count. This approach partitions a single server into virtual machines that can run multiple operating systems and applications. Virtualization let USDA’s Farm Service Agency trim its server roster from 300 to the mid-100s, Christopherson said. Another USDA data center downsized from 40 servers to eight.

USDA, however, still has a lot of room for consolidation and virtualization. Christopherson estimated that the department runs about 19,000 servers. “We are fairly young at virtualization,” he said.

The National Institute of Standards and Technology also employs virtualization. Simon Szykman, NIST’s CIO, said the performance per dollar is the primary driver behind the move toward virtualization, which he described as “a way of providing more capability for a given cost.”

Server virtualization options include VMware’s ESX Server, Citrix Technologies’ XenServer and Oracle’s Oracle VM. In February, Microsoft introduced Windows Server 2008 with a beta version of the company’s Hyper-V technology. The company plans to add the full virtualization feature to the server operating system later this year.

Interest in virtualization is surfacing among state and local governments in addition to federal agencies. A CDW survey of public- and private-sector IT buyers found that state and local governments and higher education institutions are the top server virtualization users. The implementation rate was 48 percent among state and local respondents and 49 percent in higher education.

David Cottingham, director of product and partner management at CDW, said he believes public-sector interest stems from the need to stretch resources. “State and local governments are trying to do more with less,” he said.

Blade servers are another must-have technology among agencies that are consolidating resources. Such products house several server modules — or blades — in a single enclosure. This contrasts with traditional one-unit (1U) rack-mount servers.

“It’s a trend common across all the federal agencies we are dealing with,” said Joe Brown, president of reseller Accelera Solutions. “They’re shying away from 1U servers, with the blade form factor being deployed more readily.”

IT security

IT security threats show no signs of going away, so agencies will continue to employ security improvements to protect day-to-day operations, McCarthy said. Some budget-conscious moves serve double duty as security measures.

Data center consolidation, for example, reduces agencies’ exposure to data loss.

“From a security perspective, if there are [fewer] access points to your network, you’re going to be more secure,” said Jim Pietrocini, vice president of business development at TechTeam Government Solutions.

Other approaches address security more directly. For example, government organizations have started buying products that encrypt data on storage devices, and the Defense Department issued a data-at-rest directive in July.

The CIO’s memo called for DOD components to encrypt data stored on mobile computers and removable storage media such as thumb drives. The policy applies to “all unclassified DOD data at rest that has not been approved for public release,” according to the memo.

Pietrocini said the services are in various stages of addressing the vulnerability of data at rest.

The Navy Marine Corps Intranet program, for instance, plans to implement encryption products from GuardianEdge as part of its data-at-rest defense. GuardianEdge deployment is set to begin in August, according to a tentative date cited in an Office of Naval Research presentation.

DOD and GSA, meanwhile, collaborate through the Data at Rest Tiger Team (DARTT) to make encryption products available to federal, state and local agencies. The CIO office said it expects DOD to buy a considerable amount of encryption products this year because of the CIO’s mandate for full data-at-rest encryption by Dec. 31. In addition, many state and local agencies and first responders are now buying such products in smaller quantities. Already, 15 states have bought products through the DARTT initiative.

GSA is encrypting data at rest in accordance with an Office of Management and Budget security directive, Coleman said. BlackBerry devices have been encrypted, she added, and GSA has laptop PC encryption well under way and is moving toward encrypting mobile storage devices such as thumb drives.

Another GSA priority — telecommuting — is helping fuel the need for encryption. The agency aims to have 20 percent of its employees engaged in telework by the end of 2008. Last year, GSA Administrator Lurita Doan set a target of having 50 percent of eligible GSA employees telework at least one day a week by 2010.

“One of the things we are doing there is issuing laptop [PCs] to employees who are teleworking,” Coleman said, noting that the laptops issued are 20 percent more energy efficient than those previously used in the field.

In addition, GSA will pursue its enterprise architecture this year, concentrating on the financial acquisition segments of its IT portfolio. GSA’s enterprise architecture efforts “are focused on modernization in those areas,” Coleman said.

Aside from encryption, McCarthy said configuration management will become increasingly important as the transition to IPv6 picks up steam and agencies support dual-stack IPv6 and IPv4 environments. Dual-mode operations can open security holes if agencies aren’t careful, he said.

SaaS

Other investments fall into the short- or medium-term category, depending on the agency. Software as a service (SaaS) is a case in point. Some government entities, particularly state and local ones, have already embarked on this approach to acquiring software, and others might move in this direction in the coming months.

Stratford, Conn., opted to obtain e-mail capability as a service rather than replace its Microsoft Exchange 5.5 server. David Wright, the town’s IT manager, said replacement costs would have hit the $250,000 mark. Stratford’s subscription to Infostreet’s hosted e-mail service runs about $1,000 a month.

West Linn, Ore., has embraced the pay-as-you-go aspect of SaaS. In January, the city entered a five-year subscription agreement with Agresso for its enterprise resource planning product. West Linn will host the software internally, although Agresso offers a service-based option.

Steve Arndt, the city’s chief technology officer, referred to the arrangement as a rental of Agresso’s product. He said the monthly payments under the five-year deal will amount to “substantially less than doing an outright purchase.” He also described software rental as more financially attractive than leasing.

“We’ve spent our money judiciously in the sense of not having a large cash outlay,” he said.

Although the city runs the Agresso software in-house, Arndt said he sees the future evolving toward SaaS.

“As government agencies gain more experience with the controls and testing of the SaaS security model, I think you are going to see a lot more agencies utilize solutions for unclassified systems in the near term,” said Jay Tansing, managing director of public-sector services at Acumen Solutions.

Thin clients and Virtualization

Thin-client computing has been talked about for years, but the technology could gain greater traction in the current market. This investment trend is getting a push from virtualization, security and SaaS.

Application and desktop virtualization, in particular, play into the thin-client model. Application virtualization lets organizations deliver applications from a central server instead of installing them on PCs. Desktop virtualization involves hosting desktop images — Windows Vista, for instance — within virtual machines at the data center.

Application virtualization products include Citrix Systems’ XenApp, Microsoft’s SoftGrid and Symantec/Altiris’ Software Virtualization Solution. VMware also plays in this market through its recent acquisition of Thinstall. Citrix and VMware offer desktop virtualization, which is sometimes referred to as Virtual Desktop Infrastructure technology.

Together, those forms of virtualization reduce the need to install software on desktop PCs and open opportunities for government agencies to introduce thin clients and get off the desktop refreshment treadmill, Brown said.

“People are considering using application virtualization and OS virtualization…to reduce the amount of time and energy they spend at the desktop level,” Brown said.

At USDA, Christopherson said, the department will progressively deploy thin clients over time. Any new application the department brings onboard must now be supported on thin-client devices, he added. Laptop thin clients, along with the desktop variety, might be used for mobile applications.

Government agencies that adopt SaaS, which offloads the application to an outside party, might also be inclined to go the thin-client route. “It’s definitely something we are looking at,” Wright said.

Posted in Cybersecurity | Leave a comment |
March 18, 2008 · admin

SMash!

IBM creates a technology designed to make mashups more secure.

With security risks increasing with Web 2.0 technologies such as mashups, IBM is rolling out a new technology known as SMash, short for “secure mashup.”

IBM announced SMash March 13 and contributed the technology to the OpenAjax Alliance. Mashups pull information from multiple sources, such as Web sites, enterprise databases or e-mails, to create a unified Web application. Mashups have caught on quickly for business use because they enable nontechnical users to gain insight on complex situations in minutes, and nondevelopers to quickly create “situational” applications. However, as with most Web-based initiatives, security is a concern.

“When we started a lot of this mashup work, the first thing enterprise customers asked was, ‘Have you thought about security?’ ” Rod Smith, IBM fellow and vice president of emerging technology, said in an interview with eWEEK.

With SMash, IBM is trying to reduce the risk. SMash allows information from different sources to talk to each other, but keeps them separate so malicious code can’t creep into enterprise systems, Smith said.

“IBM Research did the development in conjunction with some guidance from the OpenAjax security working group,” Smith said. “IBM Research did a reference implementation and wrote the code.”

March 13, 2008 · admin

Some hot IA topics

Based on meeting with Navy this week:

Any comments are welcome

  • Security Chaining
  • Attribute Based Control
  • Secure Discovery (SSC Charleston Project)
March 12, 2008 · admin

Hacking attacks can turn off heart monitors

American researchers have proven it’s possible to maliciously turn off individuals’ heart monitors through a wireless hacking attack.

Many thousands of people across the world have the monitors, medically known as implantable cardiac defibrillators (ICDs), installed to help their hearts beat regularly.

ICDs treat abnormal heart conditions; more recent models also incorporate the abilities of a pacemaker. Their function is to speed up a heartbeat which is too slow, or to deliver an electrical shock to a heart which is beating too quickly.

According to the research (pdf) by the Medical Device Security Center – which is backed by the Harvard Medical School among others – hackers would be able to intercept medical information on the patient, turn off the device, or, even worse, deliver an unnecessary electrical shock to the patient.

The hack takes advantage of the fact the ICD possesses a radio which is designed to allow reprogramming by a hospital doctor. The ICD’s radio signals are not encrypted, the Security Center said.

The Security Center demonstrated the hack on an ICD made by Medtronic using a PC, radio hardware and an antenna. The ICD was not in a patient at the time. The research is detailed in a report released today.

The report reveals that a hacker could “render the ICD incapable of responding to dangerous cardiac events. A malicious person could also make the ICD deliver a shock that could induce ventricular fibrillation, a potentially lethal arrhythmia.”

The Security Center says manufacturers of ICDs could implement several measures to prevent the threat. These include making the IMD produce an audible alert when an unauthorised party tries to communicate with their IMD. It also suggests employing cryptography to provide secure authentication for doctors.

The researchers added that the risk facing patients is negligible. “We believe the risk to patients is low and that patients should not be alarmed,” it said in the report.

“We do not know of a single case where an IMD patient has ever been harmed by a malicious security attack.”

It added that hackers would need to be physically close to their intended victim and would need sophisticated equipment. The kit used in the demoed attack cost $30,000.

The researchers omitted their methodology from the paper to help prevent such an attack ever happening, they said.

Medtronic said the chance of such an attack is “extremely low”. Future versions of its IMDs, which will send radio signals ten metres, will incorporate stronger security, it told the Associated Press.

March 10, 2008 · admin

more definitions of C&A (from USMC)

Certification

The comprehensive evaluation of the technical and nontechnical security features of an information system and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a specified set of security requirements.

Accreditation

A formal declaration by the DAA that an information system is approved to operate in a particular security mode using a prescribed set of safeguards to an acceptable level of risk.

What is accredited?

“Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data and includes computer software, firmware, and hardware.”

Don’t make the mistake of trying to create an SSAA for software!

What are the security objectives to test?

DoD Instruction 8500.2, but moving to NIST Special Publications 800-53/53-A

An accreditation decision must consider the potential:

– Loss of system availability due to identified vulnerabilities
– Loss of integrity due to data alteration
– Loss of confidentiality due to risk of disclosure
– Loss of accountability due to authentication or non-repudiation vulnerabilities
– Exploitation of threats in the specific system environment (i.e. AOR)

Reality of the Situation: We live in a “Risk Balanced” world

Risk Avoidance = so locked down, the mission can’t be done
Risk Ignorance = so open, the mission can’t be done

Some risk we can accept. Some risk we can’t.

Category 1 = unmitigated is never acceptable per DoD Directive

Category 2 = must be mitigated before full approval to operate (ATO) is granted

Every system/network/enclave must have a POA&M on the risk mitigation strategies, even with a full ATO

No system is perfect, so track how we are progressing.

March 9, 2008 · admin

Cyber Command Ad in Fortune

I was working out this morning and reading the latest Fortune Magazine. Great article on Apple named the most admired company. I noticed across from Page 38, a two-page ad on the Air Force Cyber Command. Good to see the Air Force still kicks the Navy's butt when it comes to advertising and marketing. Do future recruits read Fortune?

Also see http://airforce.com/achangingworld/

r/ Jim

March 7, 2008 · admin

Washington Prepares for Cyber War Games – from Washington Post

Week-Long Simulation Tests Agencies, Companies’ Response to Online Attacks

The U.S. government will conduct a series of cyber war games throughout next week to test its ability to recover from and respond to digital attacks.

Code-named ‘Cyber Storm II,’ this is the largest-ever exercise designed to evaluate the mettle of information technology experts and incident response teams from 18 federal agencies, including the CIA, Department of Defense, FBI, and NSA, as well as officials from nine states, including Delaware, Pennsylvania and Virginia. In addition, more than 40 companies will be playing, including Cisco Systems, Dow Chemical, McAfee, and Microsoft.

In the inaugural Cyber Storm two years ago, planners simulated attacks against the communications and information technology sector, as well as the energy and airline industries. This year’s exercise will feature mock attacks by nation states, terrorists and saboteurs against the IT and communications sector and the chemical, pipeline and rail transportation industries.

Jerry Dixon, a former director of the National Cyber Security Division at the Department of Homeland Security who helped to plan both exercises, said Cyber Storm is designed to be a situational pressure-cooker for players: Those who adopt the proper stance or response to a given incident are quickly rewarded by having to respond to even more complex and potentially disastrous scenarios. Players will receive information about the latest threats in part from a simulated news outlet, and at least a portion of the feeds they receive will be intentionally misleading, Dixon said.

‘They’ll inject some red herring attacks and information to throw intelligence analysts and companies off the trail of the real attackers,’ Dixon said. ‘The whole time, the clock keeps ticking, and things keep getting worse.’

At a cost of roughly $6.2 million, Cyber Storm II has been nearly 18 months in the planning, with representatives from across the government and technology industry devising attack scenarios aimed at testing specific areas of weakness in their respective disaster recovery and response plans.

‘The exercises really are designed to push the envelope and take your failover and backup plans and shred them to pieces,’ said Carl Banzhof, chief technology evangelist at McAfee and a cyber warrior in the 2006 exercise.

Cyber Storm planners say they intend to throw a simulated Internet outage into this year’s exercise, but beyond that they are holding their war game playbooks close to the vest.

Individuals who helped plan the scenarios all have signed non-disclosure agreements about the details of the planned attacks. They will act as puppeteers apart from the participants, injecting events into the game from a command center at U.S. Secret Service headquarters in Washington, D.C. Meanwhile, players will participate via secure online connections from around the world.

At its most basic, organizers say, the exercise tests the strength of relationships and trust between government officials and the private sector companies that control more than 80 percent of the nation’s critical physical and cyber infrastructure. In Cyber Storm I, the Department of Homeland Security and the participating companies largely kept the exercise a secret until it was virtually completed. In fact, most of the companies that participated in Cyber Storm I did so anonymously, so that private sector players only knew each other’s respective companies by fictitious business names.

The fact that so many companies have chosen to trumpet their participation in this year’s exercise is a testament to how those trust relationships have grown in the intervening years, said Reneaue Railton, manager of critical infrastructure response for Cisco Systems, a company whose hardware devices help direct a large portion of the traffic on the Internet.

‘All the companies that played did so anonymously,’ Railton said. ‘We didn’t always know who we were contacting.’

Railton, who helped plan the attack scenarios in this year’s exercise, said Cyber Storm II promises to keep all participants on their toes, like an episode of the television show ’24,’ only for an entire work week at a time. Dozens of companies and government agencies from Australia, Canada, New Zealand and the United Kingdom will also participate in the war games and will keep the game in flux around the clock, she said.

The war games will be far more realistic and inclusive for Australia, whose participation in the first Cyber Storm amounted to what a spokesperson for the Australian Attorney General’s department called “a desktop exercise” that did not include any private sector companies.

“This year, we’re setting up an exercise control room and will be sending out injects to the players in both the private sector and the government,” said Daniel Gleeson of Australia’s Attorney General’s office. “So we’ll be involved in this as it unfolds in real time, rather than just talking about what we’d do in those situations.”

March 6, 2008 · admin

DHS Cybersecurity- from Washington Technology

Chertoff asks for patience on cybersecurity

By Alice Lipowicz

Federal civilian agencies need to work together more closely to coordinate their information technology network surveillance as part of the White House’s major new cybersecurity initiative, Homeland Security Department Secretary Michael Chertoff said yesterday.
The full cybersecurity strategy will not be completed this year, Chertoff said.

“We are beginning our cyberstrategy,” he said. “That will not be done this year, but I’m hoping we can get it, a cyber center, up and running, and have a full set of plans and a funding budget to move forward over the next several years to get to the next level of cybersecurity.”
Chertoff, who released a statement after speaking with bloggers yesterday, provided details on President Bush’s classified governmentwide cyber initiative that is estimated to cost multiple billions of dollars.

The federal government is “nibbling at the edges” of cybersecurity and needs to have a “game-changing approach,” Chertoff said. “And part of that game-changing approach is to rationalize what we’re doing in the federal domain, and get better control of what enters the federal domain so we can determine whether it’s a threat or not.”
“So I think the minimal thing we need to do is get our own house in order, federally. And that means herding all the different cats of the executive branch agencies into a kind of a single pen where we can have some capability of detecting what’s coming in and out of the federal domain,” Chertoff said.

Even DHS has shortcomings in cybersecurity. The department’s component agencies operate their own cybersecurity programs. “Not all of them have the same level of capabilities…they don’t have emergency watches up 24/7,” Chertoff said.
DHS’ “Einstein” program already performs IT network surveillance at the department, but it is not enough. “For a number of reasons, it’s not as capable as it could be,” Chertoff said.

March 5, 2008 · admin

Do you need a DMZ?

What is it and why do we need it?

A DMZ (Demilitarized Zone) is an area that allows companies to still share information with partners without allowing external entities direct access to the internal network.

In the past, businesses opened up their perimeter defenses and allowed other businesses direct access to the internal servers. While this technically worked and allowed businesses to share data, it is a security nightmare.

Most businesses value the data that they are sharing with other companies. Because of this, the majority of that traffic is now encrypted as it traverses the network to keep people from “seeing” the actual information. Since the information across the wire is encrypted, many of the defenses in place are not effective.

For example, Company A has just deployed a new IPS solution. Company A is doing business as usual and does not have a DMZ yet, so when Company B needs access to Company A’s data, it connects directly to the internal servers. Because the traffic is encrypted, the newly deployed IPS can only see and act on header information and cannot see into the payload (the information carried in the packet). The problem is that attacks are contained in the payload, not the header. Suppose Company B has a compromised machine on its network and that machine connects to Company A’s server. The infected machine launches an attack against Company A’s server, gains additional access to information and possibly gains control of that server. The attacker is now on Company A’s network as a trusted source and may be able to burrow deeper into the network. If the payload had not been encrypted, the IPS could have blocked the attack.

How does a DMZ help?

In steps the DMZ. The DMZ is a construct that resides outside of the trusted network but is still protected from the internet. In the scenario described above, there are two approaches that would help combat the situation:

First, Company A could establish a DMZ that houses only the front end server. External users would connect to it, and the server would reach into the enclave to gather the data. With this scenario there are multiple points where technologies can be inserted to inspect and block malicious traffic. Because the traffic would not be traversing unsecure networks, it could be sent in a manner that allows for inspection.

Second, Company A could establish a complete construct in the DMZ consisting of a front end server and a back end server. The back end server would replicate with an internal database. The same mechanisms described above still apply, but even if the back end server were compromised, the risk to the internal enterprise would be minimized (the back end server would not be a fully trusted entity).

These options are simplified examples of why a DMZ is needed to enhance the security of a company’s network, but they are valid representations of potential ways forward.

March 5, 2008 · admin

DMZ Engineering

Requirements Gathering

One of the key aspects of a DMZ design, or any design for that matter, is the requirements gathering phase. This can begin as something as small as a meeting or be as large as a full RFP process, and it determines what needs to be solved. The key deliverable from the requirements phase is a requirements document. This document outlines the final deliverable, the scope and many of the requirements that need to be met. It should be used to validate that all parties are in agreement with the information it contains.

DMZ Architecture

There are many potential ways to approach DMZ architecture, but they are all built on the premise that systems that require external access will not reside in the trusted network. The simplest of DMZ architectures is just segmenting a subnet and applying ACLs. This would not be the best approach to use when creating a DMZ, but it can be and has been done. The more elaborate DMZ may consist of a logical DMZ that is actually isolated from normal business traffic and extended to multiple sites throughout the network. This is a much more complex architecture but offers more flexibility and expansion capabilities. Most DMZs fall somewhere in the middle, but ultimately it is the requirements gathering phase that determines the best architectural approach.

Generally DMZs have access to both the internet and the internal network, so they must be protected from the internet and must in turn protect the internal network. Since there will be systems that are reachable from the internet, the architecture must protect those systems, generally by use of a firewall. The firewall will only open the ports and IP addresses necessary to conduct business. The same holds true on the back end: there should be a firewall in place with a very restrictive policy that only allows the appropriate services to communicate through it. This not only ensures that the application owners understand their applications, it also eliminates unnecessary exposure of the systems and the data.
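The front-end and back-end firewall policy described above can be checked mechanically. The following is an added example, not part of the original post: a small Python audit of allow rules under a default-deny policy. The address plan, port numbers, rule format and finding names are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed address plan for Company A (assumption, not from the post).
INTERNAL = ip_network("10.0.0.0/16")
DMZ = ip_network("192.168.50.0/24")


@dataclass(frozen=True)
class Allow:
    """One allow rule; anything not matched is dropped (default deny)."""
    src: str   # source CIDR
    dst: str   # destination CIDR
    port: str  # a single port number, or "any"


def zones(cidr):
    """Return the set of zones a CIDR block overlaps."""
    net = ip_network(cidr)
    touched = set()
    if net.overlaps(INTERNAL):
        touched.add("internal")
    if net.overlaps(DMZ):
        touched.add("dmz")
    # A block not wholly inside one of our own zones includes outside addresses.
    if not (net.subnet_of(INTERNAL) or net.subnet_of(DMZ)):
        touched.add("external")
    return touched


def is_narrow(rule):
    """True when the rule names one destination host and one port."""
    return ip_network(rule.dst).num_addresses == 1 and rule.port != "any"


def audit(rules):
    """Return (rule_index, code) findings for rules that break the DMZ policy."""
    findings = []
    for i, rule in enumerate(rules):
        src, dst = zones(rule.src), zones(rule.dst)
        if "external" in src and "internal" in dst:
            # Outside parties must terminate in the DMZ, never on an internal server.
            findings.append((i, "EXTERNAL_TO_INTERNAL"))
        if "external" in src and "dmz" in dst and not is_narrow(rule):
            # Front-end firewall: only the host and port needed for business.
            findings.append((i, "BROAD_FRONT_END_RULE"))
        if "dmz" in src and "internal" in dst and not is_narrow(rule):
            # Back-end firewall: only the specific service the DMZ server needs.
            findings.append((i, "BROAD_BACK_END_RULE"))
    return findings


PARTNER = "203.0.113.0/24"      # Company B (documentation range, constructed)
FRONT_END = "192.168.50.10/32"  # DMZ front end server (constructed)
DATABASE = "10.0.5.20/32"       # internal data server (constructed)

# Before: the partner connects straight to the internal server.
LEGACY = [Allow(PARTNER, DATABASE, "443")]

# Front end server in the DMZ, which reaches into the enclave for the data.
DMZ_FRONT_END = [
    Allow(PARTNER, FRONT_END, "443"),
    Allow(FRONT_END, DATABASE, "1433"),
]

# A DMZ in name only: the back-end firewall passes the whole DMZ subnet.
LOOSE_BACK_END = [
    Allow(PARTNER, FRONT_END, "443"),
    Allow("192.168.50.0/24", "10.0.0.0/16", "any"),
]

if __name__ == "__main__":
    for name, rules in [("legacy", LEGACY), ("dmz", DMZ_FRONT_END),
                        ("loose", LOOSE_BACK_END)]:
        print(name, audit(rules))
```
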

A DMZ needs to have intrusion detection or prevention mechanisms in place. Whether it is an IDS (passive) or IPS (active), there needs to be a system that has the ability to report a suspected intrusion. Whichever system is used, it is best to have it watching traffic to and from both the internet and the internal network. A critical piece of architectural insight is that those systems need to be placed where they can inspect unencrypted traffic, or they do not truly aid in securing the environment. It also means that there must be someone to review and act on the logs if needed.

Physically dispersed DMZs should have the ability to openly share data between instances, in theory creating a single logical DMZ. When the architecture is required to support this, the communications between those DMZ instances need to be encrypted. This allows the system owners to treat other DMZ systems as trusted, thus reducing the need to firewall between the instances. Adding the VPN architecture allows additional versatility in design and can also provide the foundation necessary to support a COOP environment.

Routing in a DMZ varies drastically depending on the requirements and the architecture developed to meet them. Routing can be as simple as routing default traffic to the internet and internal traffic to the internal network. It can be as complex as having all devices take part in a routing domain that is geographically dispersed and provides multiple entry/exit points from/to the DMZ.

The last step in DMZ architecture is generally the redundancy requirements. These services can vary depending on the requirements. In general, the systems that are critical to the mission of the business need to have additional redundancy built in. Those that are not a necessity, but are used on occasion, require limited to no redundancy and availability. The key point in DMZ architecture is that the network redundancy needs to map to the system redundancy. It does not do any good to build system redundancy when the network has none.

An expected deliverable out of the architecture phase would be an architecture document. The document would contain information describing technical components and technologies utilized to fulfill the requirements.

DMZ Design

During the design phase, all of the details of how to accomplish the build-out of the DMZ architecture are developed. In this phase the components are mapped to products, the placement of products is determined, and configurations are engineered. This phase generally has a deliverable consisting of a detailed design document (or series of documents) that will contain detailed drawings, a bill of materials, and configurations of components.

DMZ Implementation

As with most new major infrastructure implementations, DMZ implementations are unique and cannot be easily summed up. Some of the key items for consideration with implementations are:

· Coordination meeting to ensure that all parties understand the routing infrastructure. This ensures that all parties begin to understand the traffic flows, which is critical for troubleshooting.

· Existing servers that will move to the DMZ. If the servers are currently providing business services and they are going to move into the DMZ architecture, there may be downtime associated with the migration.

· Establish a Troubleshooting Team. This team will investigate and manage the implementation from a delivery perspective. If an issue arises, the team would engage, and they would have the knowledge to correct the situation quickly.

· Quality Assurance Testing. This is a necessity to ensure that the customer gets what they requested and that it is functioning as expected. This is crucial on larger, more complex implementations.

TechTeam Cybersecurity

Our company has been involved in all aspects of DMZ designs (due to the large enterprise level of Navy Marine Corps Intranet), from the small single site to the complex geographically dispersed. We were crucial in the development, right from the requirements phase until implementation, of what is proving to be the most versatile DMZ design in the DoD, so much so that much of the design is being leveraged to develop a standard DoD DMZ design.
