In preparation for interview with editor at GCN, I received some input from some of my current and former co-workers.
The main question was, “What technologies, solutions, or services will the government client still procure during a market downturn (as most folks in DOD/Government market believe the post 9/11 upswing is leveling out).
Jim P’s initial thoughts:
One new area that I am seeing is what I will term the “End of Life” quagmire. The government market (especially DOD programs) have always had long development and production life-cycles. I remember working on the ASPRO (associative/parallel processor) at Goodyear Aerospace in 1986. This tiny, mil-spec computer (at $1M/unit) was initially designed in the early 1980′s and still is flying in the E-2C in 2008. Sales cycles of 2-4 years are common in DOD. Ship C4I installations are done in 6-12 month increments (based on battle group deployment schedules/overhauls/etc.)
Program managers could always delay technology upgrades to reduce risk. I remember early GCCS staying on HPUX 8.0. Also a PM could perform his 2-3 years duty without any risk of doing a technology upgrade. In fact, some systems took 4-6 years to develop. Then came the internet revolution and the flattening of the world (or Globalization 3.0). The government is now using commercial based solutions and products, but not fully understanding the impact the shorter technology refresh cycle and how it conflicts with the longer government lifecycle.
Some recent examples:
- Windows NT end of life- the Navy still had ships in the fleet with Windows NT based systems. Microsoft did not bend on extending the EOL for NT. The Navy had to upgrade to 2000.
- Networking equipment- CISCO, Juniper and several vendors are not investing in long support periods for older equipment (they need a reason to get you to upgrade every 2 years!).
- Updating of security policies. As the government becomes more aware of security issues in their legacy networks, they are forced (due to policy) to upgrade their equipment or the vendor has a very justified reason to force the End of Life story (security is always a hard one to fight).
Time to go to bed and turn off my PC running OS2!
From a very intelligent co-worker (with a emphasis on security /IA related items:
- Data at Rest – With mobility continuing to expand, securing those mobile assets is a necessity. Difficulties revolve around how to manage the policies necessary to manage the protection on those assets. For years we have been focusing on securing the data in transit and not addressing the data while it is on the mobile asset. While agencies should focus on both mobile and stationary assets, initial focus needs to be the mobile assets.
- Data Leakage – Agencies need to focus on sensitive data leaving the trusted agency network. Difficulties are that there is a lot of information already out there that is not identified as sensitive information. That challenge should not deter an agency from starting a Data Leakage Prevention effort. Another challenge in this area is that more and more communications are secure from the client to the destination, there needs to be a solution that can inspect that package for sensitive information.
- Tiered Application Security – Continued focus on Web application security. With the continued focus on Web applications, agencies need to continue to focus on securing those applications, communications, and the sharing of information.
- Back-end Data Security – Enhancements on the security of the data behind the web front ends. Agencies will need to focus on database security to ensure that their data remains safe from exploit and in turn safe guarding sensitive data.
Security Information/Event Management:
- Agencies have a lot of security products deployed and all of them generate alerts. SIM/SEM can be tuned to gather the alerts and only deliver the events requiring actions thus providing opportunities to reduce hours spent evaluating all of the different management systems.
- There is always room for training.