Have you ever been sucked into the false debate over how much IT spending should be spent on security?  I used to all the time.  Some folks point to a rule of thumb that goes something like “ten percent of the IT budget should be applied to security.”  That old school formula may well be part of the reason we got into the mess we are currently in.  It contributes to thoughts that lead you to think security can be separated.  By my way of thinking, 100% of the budget goes to security and functionality and that is the calculus.

Really, security is about ensuring information confidentiality, availability and integrity. And those constructs are totally connected to functionality of IT.   I try whenever possible to use the term security and functionality in the same context just to underscore that point.

For example, the goal I continually push regarding security in the federal space is not just one dealing with security.  I put it this way:  “Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months.”  Putting the goal this ways also underscores that it is not security vs. functionality.  Both need to increase.

This goal also cries out for the need for metrics in security and functionality.  For functionality there are many customer focused survey methods that can help collect the right metrics.  For security, I think one metric stands out above all others:  Detected unauthorized intrusions.  There are many other important metrics for other dimensions of the security problem, but that one is key.  So, a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer survey satisfaction to go through the roof, and will expect detected intrusions to drop significantly.  If there were 50,000 detected intrusions in 2008, there should be less than 5000 in 2010.

That is a dramatic goal.  What makes me think it is achievable?  In part the dramatic action being put in place today in the federal space.  And in part by dramatic new technologies and approaches like private clouds and thin client computing and enhanced identity management and authorization methods.  But of more importance and more relevance than all of that, in my opinion, is the coordinated action and leadership underway by CIOs and CISOs and the security  experts in the federal space today.

As evidence of this incredible positive action I’d like to bring your attention to a release by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines.  Details of this effort are at http://www.sans.org/cag/

The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance.   These controls and metrics include:

Critical Controls Subject to Automated Measurement and Validation:

1. Inventory of Authorized and Unauthorized Hardware.
2. Inventory of Authorized and Unauthorized Software.
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.
4. Secure Configurations of Network Devices Such as Firewalls and Routers.
5. Boundary Defense
6. Maintenance and Analysis of Complete Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based On Need to Know
10. Continuous Vulnerability Testing and Remediation
11. Dormant Account Monitoring and Control
12. Anti-Malware Defenses
13. Limitation and Control of Ports, Protocols and Services
14. Wireless Device Control
15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

1. Secure Network Engineering
2. Red Team Exercises
3. Incident Response Capability
4. Data Recovery Capability
5. Security Skills Assessment and Training to Fill Gaps

The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them.   The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.

What should CTOs think about this guidance?  As for me, I most strongly endorse it. In my mind the appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise.

The deeply respected community leader Alan Paller said it this way:

“This is the best example of risk-based security I have ever seen,” said
Alan Paller, director of research at the SANS Institute.  “The team that was
brought together represents the nation’s most complete understanding of
the risk faced by our systems. In the past cybersecurity was driven by
people who had no clue of how the attacks are carried out. They created an
illusion of security. The CAG will turn that illusion to reality.”

Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.

If you are a technologist, please take a moment to download the PDF of the report by the U.S. Commission on Cybersecurity.  This report, titled Securing Cyberspace for the 44th Presidency, is the best proclamation of the challenges of cyber I have read.  It is also a roadmap that will help any trying to navigate these very tough issues.

I’ve been involved in things cyber for a long time.  My deepest
involvement began in December 1998, almost 10 years ago to the day.  In all that time I’ve seen lots of studies and lots of papers and many treatments of the issues.  But I’ve never seen one that captures the complexities and the need for specific actions as well as this one.

I’d really recommend you read every word, if you want to be considered literate in this field.   But if it will be a little while till you get to it, here are some key points:

The three major findings are:  1) Cybersecurity is now a major national security problem for the U.S., 2) Decisions and actins must respect privacy and civil liberties, and 3) only a comprehensive national security strategy that embraces both the domestic and international  aspects of cybersecurity will make us more secure.

The report makes a few points about the Bush Administration’s Comprehensive National Cybersecurity Initiative (CNCI).  In general the give credit to that initiative, and call it good.  I agree, it is a great activity I’ve previously written about that is led by one of the most effective people in government today and has done great work.  But as the commission points out, the work of the CNCI is good but not sufficient.

The biggest shock for me in this study:  The amount of funding on R&D for cyber security.  I have been looking into the many activities underway, and maybe that look made me deceive myself into thinking it was a well funded effort.  According to the comission, however, they estimate that the total R&D funding in the federal government for cybersecurity is about $300million.  Less than two-tenths of one percent of the total federal R&D.

The report has a great section on identity manangement.

I am convinced the organizational approaches outlined in the study are the right ones as well.  There is only one place in our government where we can lead solutions to this challenge.  Where is that?  Hey read the report!

What else do I recommend CTOs do besides read the report?  I think one way we can all help the cybersecurity effort is to think through which standards bodies are the most important to engage with regarding security.   A few are here:
http://ctovision.com/2008/05/standards-organizations-ctos-should-track/

You may also like -

Cyberwar? What Cyberwar?Enterprise Technology Developments in 2010 and 2011Privacy, Security, Functionality and Enhanced Benefits of Free CommerceRedesign of CTOlabs.comIf You Could Pick One Thing For Congress To Do Regarding CyberSecurity, What ...CrucialPointLLCCyberattack as Covert ActionCrucialPointLLCJoin Cloudera and Carahsoft for Big Data Success in GovernmentBob Gourley

My last several briefings, including one yesterday at the FIAC, have addressed some of the dramatic changes underway in the IT world.   That briefing is attached here: Download FIACGourleyBrief.pdf

The conference had a focus on information assurance, computer security, network security and Chief Information Assurance Officers (CISO) in the federal space.   So I not only updated my briefing with the latest tech trends but changed it to focus on lessons learned from industry on compliance monitoring and automation of remediation and related topics.

But I also mentioned cloud computing.  Some points:

• Cloud computing (use of computations services from “the grid”) will accelerate
• Government IT powerhouses (like NSA, NGA, DIA, DISA, IMO) will deliver more and more capability to users via the grid

And of course I mentioned that a key way to track what tomorrow’s IT will look like is to track what community leaders are doing.  This includes DISA.

This morning I checked Facebook and noticed a friend and CTO sent me a link to a great article on the topic of could computing.  I wish I would have seen that before the conference, I would have pointed everyone to that.  The link is here:

DISA CIO:  Cloud Computing ‘Something We Absolutely Have to Do’

I recommend that article to everyone who wants to track the future of cloud computing in the federal space.   I believe fast followers will track DISA and their lessons learned and we will see similar things in the large organizations outside DoD.   Or maybe DISA will just scale up and provide this as a service to the entire federal enterprise?  Who knows?

I also thought I should, as a former federal CTO, point out that building this sort of capability requires lots of hard work in multiple areas.  Attention has been paid to comms capacity planning, changing to server standards, improvement to security policy, fielding working identity management concepts, planning on conops, building alliances with mission partners in government and lots of work with technologists in and out of government.   My hat’s off to the DISA senior leadership, including their CIO and CTO and IA crew, for bringing this initiative forward.  It will one day benefit the entire government and the citizens it serves.

More later.

You may also like -

The Cloud and CybersecurityCTOs: Provide your inputs on how the government will implement cloud computin ...Some thoughts informed by a Cloud SummitAlex's 2012 Tech PredictionsEMC Addresses U.S. Congress on Federal Shift to Cloud Computing and Improvin ...CrucialPointLLCNov 4 NIST Cloud Computing Forum, Day 1: "Cloud Computing is not a fad"Dr Cloud's Flying Software CircusNSF releases Cloud Computing ReportCrucialPointLLCBig Data Tip For The New Project Manager: Starting With Apache HadoopCrucialPointLLCNicira Launches: Will change the world of networking giants and enterprise ITCTOvision.com

There are some interesting analogies between performance management applied to organizations and performance management applied to computers.

In both cases, performance metrics are crucial to success.  In organizations, what we reward gets measured, and what gets measured can be more efficiently and effectively done.   In our computers, what we decide is important gets measured, and those measurements can help us drive to increasingly effective and efficient performance.

Computer metrics apply to a broad range of disciplines and needs, including needs like:

• Improved power efficiencies
• Lower heat generation
• Smaller footprint and lighter weight
• Higher reliability
• Multi-threaded execution
• Continuous availability
• Enhanced security
• Enhanced information assurance
• Enhanced agility in the face of change
• Enhanced ability to ensure compliance

Metrics in these areas drive improvements, but they also help drive decision-making, both by the IT management team and, when done appropriately, by automated management computer systems.  Just as agile, high-performance organizations can rapidly assess metrics and drive decision-making based on them, the agile, high-performance IT enterprise can leverage metrics to drive decisions and actions.  Automated remediation of problems and automated implementation of new policies are only possible with well through out, integrated metrics solutions.

Well thought out metrics solutions also provide built in ways to measure compliance with directives and regulations, including:

• SOX: The Sarbanes-Oxley act of 2002, which establishes many standards for public companies, including internal controls for assuring the accuracy of key data and audits on key information.
• FISMA: The Federal Information Security Management Act of 2002, which bolsters computer and network security in the federal goverment and many contractors.
• OMB M06-16:  A security checklist coordinated by NIST and promulgated by OMB.
• FDCC: Federal Desktop Core Configuration, NIST coordinated, OMB mandated requirement for 300 settings on each Windows XP and Vista computer.
• SCAP: Security Content Automation Protocol, a US government multi-agency initiative to enable automation and standardization of technical security operations.  SCAP is the method for using specific standards to enable automated vulnerability management, measurement and policy compliance evalation.

Compliance with these and related directives, and compliance with the governance guidance of the enterprise CIO and CTO, are good governance.  This sort of compliance can be automated with tools like Triumfant’s compliance manager, and when automated generally provide a very rapid return on investment (ROI).

My conclusion:  in this case, the computers in your enteprise should be treated like an optimized organization: use metrics to enable compliance, agility and continually improving performance.  And use those metrics to drive decisions, and automate the entire process to the greatest degree possible.

For more on this topic also see: http://ctovision.com/2008/08/compliance-enhances-it-support-to-the-mission/

You may also like -

The Technology of VoltDBData Wizards Know Hadoop is Powerful: But they want more automationHadoop World Breakout Sessions 8 and 9 Nov: Recommendations for the enterpris ...A look at VMware's vFabric Cloud Application PlatformOne Trillion Reasons: One Year LaterTTPs, CRADAs, MRM, and FixmoCrucialPointLLCEnterprise Customers Gain Business Insight and Competitive Advantage With Net ...CrucialPointLLCA look at VMware’s vFabric Cloud Application PlatformBob GourleyJoin Cloudera and Carahsoft for Big Data Success in GovernmentBob GourleyCloudera and Carahsoft Webinar: Big Data Success in Government 19 Jan 2012CrucialPointLLC

In 2002 congress passed the E-Government Act.  It mandated that the approximately 300 federal entities that can make rules expose those rules in a modernized way and also specified that regulations in draft will be exposed so comments can be solicited.

The government’s response: OMB and CIO’s from throughout the government established an eRulemaking solution that required extensive IT planning, engineering and the fielding of a new IT system.  The eRulemaking Initiative’s Federal Docket Management System (FDMS) was created to provide an online public docket and comment system which expands public access to read and comment on Federal Agency rulemaking. Although it is a centralized system, agencies were given an ability to manage content and workflow related to their own regulations. Scalable web-based solutions that enable users in government and also citizens to find and read proposed legislation and supporting documents was provided.

And they did this in a way that was way under budget and delivered on time.  And its functionality exceeded all expectations.  Which is GREAT!

As an IT professional, this is the really neat part that bears repeating.  This project, which is very complex and IT intensive, was delivered under budget and on time.  Additionally, its capabilities far
exceeded the expectations of everyone involved.

If you haven’t heard of FDMS, maybe it is because it was widely successful.  To frequently the only programs that make news are those that don’t deliver on expectations.  That means IT heros, like Pat Micielli of EPA who led this program, frequently don’t get the recognition they deserve for the great things they do.

I hope I’ve gotten your curiosity up a bit on what Pat accomplished. If you are a citizen of the US you should be very proud of this one.  So check out http://regulations.gov for a first hand look.  You will see a single interface into approximately 1.5 million documents.  Don’t worry, there is a way you can navigate through these without looking at each individual record.  Just dive in and give it a try.  Search for a term like “data center energy”and view the results or narrow them down by agency.  Or click on those in the range of comment period you are interested in.  which ever selection you pick, notice how all the other facets of the search change as you do.   See how you can guide through the results and how the results keep giving you options for refining results?  After you try it this way, can you imagine doing it any other way?

Government users are giving more access (there are nearly 4 million records accessible only by federal agency users on FDMS.gov).

Overall, as a CTO and an admirer of technologists at the large agencies, I enjoy pointing this out and really admire what these folks have done.   Great Job!  And as a citizen– Thanks!

I’ve previously blogged about Triumfant, a company that has mastered the automated detection and resolution of IT problems.   I also think of them as the world’s greatest compliance monitoring capability.  What do I mean by compliance?  I mean compliance in the context of the many rules, regulations and configurations that external organizations and the government require, and also compliance with your own policies and guidance.

For those who are not familiar with the full scope of compliance issues, a great source is the site of the IT Compliance Institute.   Their goal is to be a global authority on the role of technology in business governance and regulatory compliance.   That means they are driven to seek out regulations, understand the requirements for compliance, and then help determine the best way to automate that compliance.

The site holds several white papers and checklists on topics like IT Audit, Risk Management, keeping up SOX compliance, Change Management, Logging, Reporting, and Security.  These papers seem to be good primers for any CTO or other enterprise technologist who needs to understand this domain.

Here are some other thoughts on compliance:

- During my time as a CTO of a DoD Agency, I noticed a shift in how federal organizations perceived compliance.  Federal organizations are all about compliance, and have long followed mandates like the Clinger-Cohen Act, FISMA, the many Enterprise Architecture requirements (like DoDAF or FEA), and a wide variety of other requirements.   But most federal organizations did not treat compliance as a way to optimize delivery of IT capabilities to users.   And most federal organizations did not have to comply with many of the regulations being levied on industry (like SOX, for example).   That is all changing.

- More recently IT professionals began to see compliance and the need for automated control of systems as a way of not just complying with regulation and reporting requirements, but a way of ensuring uptime, helping speed delivery of new software deployments, helping reduce IT admin costs, and helping with overall abiity to support the mission.  Add to this new awareness of the importance of compliance the recent shifting of federal policy  towards having agencies produce financial audits and IT auditing requirements to the same standards as the commerical sector.

There are more shifts in compliance underway in the federal space, including a new Federal Desktop Core Configuration (FDCC).  I see all this compliance as a good thing that should be executed in a way that enhances uptime, enhances security, and enhances the delivery of capability to end users.

For more on compliance see my previous post    http://ctovision.com/2008/07/automated-resolution-of-it-problems/

For more on triumfant see:  http://triumfant.com

You may also like -

Using Triumfant for Secure Configuration and Change ManagementCatbird's vSecurity 5.0Invincea and Triumfant: two firms filling important roles in enterprise ITFixmo And Mobile Risk Management For Enterprise and Government AgenciesIntelligence Community Executive Forum on Cyber OperationsCatbird’s vSecurity 5.0CrucialPointLLCFixmo Partners With CorreLog to Create Holistic Mobile Infrastructure Complia ...CrucialPointLLCSome Context on Malware in the EnterpriseCTOvision.comSecurity Innovation Network Announces the 2011 SINET Showcase InnovatorsCTOvision.comObama issues order aimed at preventing federal data leaksCrucialPointLLC

In January 2008 I was named to the advisory board of Triumfant, a company who has mastered the automated detection and resolution of IT problems.  Of all the IT firms I’ve seen, they are the ones with the most comprehensive approach to automated resolution management and the only one I’ve seen that can automate the entire lifecycle of IT problem management, from identification to resolution.

I recently read some very exciting news about Triumfant.   They have just signed a partnership agreement with one of the largest suppliers of computers to the federal government: computer giant Dell Inc.   Triumfant software will be sold pre-installed on Dell computers to federal customers running Microsoft Windows XP and Vista.

I take this as a huge endorsement of the Triumfant approach of automated process monitoring and IT compliance enforcement.   This agreement between Triumfant and Dell is also great news for enterprise CTOs and other technologists who must meet the mandate of the OMB’s Federal Desktop Core Configuration (FDCC).

The FDCC outlines the standard configuration established by the Department of Defense (DoD), Department of Homeland Security (DHS) and National Institutes of Standards and Technology (NIST).    Federal Agencies have till Feb 1 to meet these new standards, and now with Triumfant they have a way to
realistically and economically do that.

How does Triumfant work?   It collects configuration data from computers, documents the configuration, securely reports back key variables of state, and securely corrects and non compliant settings it identifies.   In my opinion, two important discriminators of Triumfant are the number and
scope of the settings it reports on and its ability to automate resolution.

For more on Trumfant see:  http://triumfant.com

You may also like -

Invincea and Triumfant: two firms filling important roles in enterprise ITUsing Triumfant for Secure Configuration and Change ManagementEnhance your security postureThe Debut of Invincea: New endpoint protection against malwareSome Context on Malware in the EnterpriseTriumfant: A New Approach to IT SecurityCrucialPointLLCSecurity Innovation Network Announces the 2011 SINET Showcase InnovatorsCTOvision.com