Welcome!

Microservices Expo Authors: Liz McMillan, Pat Romanski, Elizabeth White, Anders Wallgren, AppDynamics Blog

Related Topics: Cloud Security, Microservices Expo, @CloudExpo

Cloud Security: Article

Coordinating Security Information

What happens when an agency finds a better point solution than one currently in place?

A recent article in Government Computer News raised the topic of FISMA reporting, specifically describing the "pessimism" of many USG agencies over meeting the September 2012 deadline for "using continuous monitoring to meet Federal Information Security Management Act reporting requirements." The article cites a survey of over 200 government IT professionals, conducted by RedSeal Networks, in which 55% of respondents felt they won't be ready, or don't know if they will be ready, by the deadline. One can certainly debate the significance of the number of agencies expressing concern over meeting the deadline, and the reasons given would likely drag the conversation to arguing over the validity of a deadline set by government for something that is far more complex than "flipping a switch." But set that aside for the moment.

More interesting is the fact that, when you look at the responses by the role of the respondents, "53 percent of security managers, administrators and auditors expected to meet the Sept. 30 deadline, while only 28 percent of CIOs and chief information security officers expected to." Mike Lloyd, RedSeal's CTO, said "This is an interesting finding, not what a cynic might expect." That cynic would expect the typical (over-)confidence of an executive, the one telling folks "no problem, we're right on track" while the IT managers, the ones actually tasked with the design, deployment and operation of relevant systems, the feverish scramble to find the right tools, the right people, and the right data to meet the reporting requirement.

In fact, the opposite is the case. The IT managers believe they have the right point solutions to do the monitoring, analyze the data, and process the relevant compliance reports. They aren't worried about trying to figure out how they're going to perform the continuous monitoring, primarily because today's IT vendors are creating products that provide the capabilities to meet these requirements. So why don't these CIOs and CISOs share the confidence of their IT staff?

The answer is both simple ... and not so simple. In discussing this survey and resulting article, the editors at SANS described the lack of C-level confidence this way (emphasis added): "Agencies need to find ways to bring together information from various systems to provide the necessary set of data." Bring information together? That's easy, just get a bunch of good developers to build custom integration points between all these systems that the IT managers feel really good about (rightly so), and then the data will flow! Sounds great...until you look a little closer at what this entails: a group of good developers is expensive, not to mention hard to find. Assuming you can find all these good developers (and afford to pay them), can they knock this effort out in, say, 6 months? 9 months? Factor in the unique and often proprietary formats and data structures of these various solutions, and now what, 12 months? Remember that September deadline?

What happens when the agency finds a better point solution than one currently in place? Bring back those good, expensive developers (or retain them) to build new integration points between the existing solutions and this new one? Not so simple anymore, is it?

This approach is not timely, cost-effective, or scalable. A better approach is to build a foundation that allows these best-of-breed point solutions to share data in a common format, providing each solution with the ability to use only that data that is relevant to it.

Over the last four years, the Trusted Computing Group (trustedcomputinggroup.org) has developed and published a set of open specifications called IF-MAP (or "Interface to Metadata Access Points"). IF-MAP is a protocol specifically designed to allow disparate systems from different vendors to share information. The IF-MAP open standard makes it possible for any authorized device or system to publish information to an IF-MAP server, to search that server for relevant information, and to subscribe to any updates to that information. This "sharing" is done in a standardized way, eliminating the need for costly custom integration points between these disparate systems. Through the use of IF-MAP, agencies would have the ability to enable data and information sharing between systems in an automated and continuous manner.

Share data without allowing unauthorized access among logs, records/databases, firewalls, provisioning systems, switches, and more.

Track devices and their owners on the network.

Track/monitor network traffic.

Control the activity/access of devices operating inappropriately.

Manage/Tie legacy systems into global enterprise (i.e., SCADA).

Validate endpoints and allow access (Standard managed endpoint security).

Share security data among devices and have those security devices act based on the collective available data.

And the best part - many government agencies already have solutions in place that support IF-MAP. Vendors including Lumeta, Juniper, Enterasys, and Infoblox, just to name a few, have products supporting IF-MAP. Numerous government agencies and system integrators have labs dedicated to using IF-MAP and similar open standard specifications to develop solutions to the biggest cyber-security challenges out there - such as real-time configuration management databases; the integration of physical and network security; and policy-based remote access - all using IF-MAP and COTS products.

IF-MAP alone won't necessarily help those agencies meet the September deadline, but one thing is certain - not using open standards and specifications such as IF-MAP will make the effort more costly, more time-consuming, and less flexible. If you can show me a government agency that has extra money and extra time, I'd love to see it.

More Stories By Steve Hanna

Steve Hanna is co-chair of the Trusted Network Connect Work Group in the Trusted Computing Group and co-chair of the Network Endpoint Assessment Working Group in the Internet Engineering Task Force. An inventor or co-inventor of 30 issued U.S. patents, he holds an A.B. in Computer Science from Harvard University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
SYS-CON Events announced today that Alert Logic, Inc., the leading provider of Security-as-a-Service solutions for the cloud, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Alert Logic, Inc., provides Security-as-a-Service for on-premises, cloud, and hybrid infrastructures, delivering deep security insight and continuous protection for customers at a lower cost than traditional security solutions. Ful...
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2015 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 ad...
In most cases, it is convenient to have some human interaction with a web (micro-)service, no matter how small it is. A traditional approach would be to create an HTTP interface, where user requests will be dispatched and HTML/CSS pages must be served. This approach is indeed very traditional for a web site, but not really convenient for a web service, which is not intended to be good looking, 24x7 up and running and UX-optimized. Instead, talking to a web service in a chat-bot mode would be muc...
SYS-CON Events announced today that Men & Mice, the leading global provider of DNS, DHCP and IP address management overlay solutions, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. The Men & Mice Suite overlay solution is already known for its powerful application in heterogeneous operating environments, enabling enterprises to scale without fuss. Building on a solid range of diverse platform support,...
More and more companies are looking to microservices as an architectural pattern for breaking apart applications into more manageable pieces so that agile teams can deliver new features quicker and more effectively. What this pattern has done more than anything to date is spark organizational transformations, setting the foundation for future application development. In practice, however, there are a number of considerations to make that go beyond simply “build, ship, and run,” which changes ho...
WebSocket is effectively a persistent and fat pipe that is compatible with a standard web infrastructure; a "TCP for the Web." If you think of WebSocket in this light, there are other more hugely interesting applications of WebSocket than just simply sending data to a browser. In his session at 18th Cloud Expo, Frank Greco, Director of Technology for Kaazing Corporation, will compare other modern web connectivity methods such as HTTP/2, HTTP Streaming, Server-Sent Events and new W3C event APIs ...
SYS-CON Events announced today that AppNeta, the leader in performance insight for business-critical web applications, will exhibit and present at SYS-CON's @DevOpsSummit at Cloud Expo New York, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. AppNeta is the only application performance monitoring (APM) company to provide solutions for all applications – applications you develop internally, business-critical SaaS applications you use and the networks that deli...
Microservices are all the rage right now — and the industry is still learning, experimenting, and developing patterns, for successfully designing, deploying and managing Microservices in the real world. Are you considering jumping on the Microservices-wagon? Do Microservices make sense for your particular use case? What are some of the “gotchas” you should be aware of? This morning on #c9d9 we had experts from popular chat app Kik, SMB SaaS platform Yodle and hosted CI solution Semaphore sha...
Microservices are a type of software architecture where large applications are made up of small, self-contained units working together through APIs that are not dependent on a specific language. Each service has a limited scope, concentrates on a specific task and is highly independent. This setup allows IT managers and developers to build systems in a modular way. In his book, “Building Microservices,” Sam Newman said microservices are small, focused components built to do a single thing very w...
How is your DevOps transformation coming along? How do you measure Agility? Reliability? Efficiency? Quality? Success?! How do you optimize your processes? This morning on #c9d9 we talked about some of the metrics that matter for the different stakeholders throughout the software delivery pipeline. Our panelists shared their best practices.
The (re?)emergence of Microservices was especially prominent in this week’s news. What are they good for? do they make sense for your application? should you take the plunge? and what do Microservices mean for your DevOps and Continuous Delivery efforts? Continue reading for more on Microservices, containers, DevOps culture, and more top news from the past week. As always, stay tuned to all the news coming from@ElectricCloud on DevOps and Continuous Delivery throughout the week and retweet/favo...
The cloud promises new levels of agility and cost-savings for Big Data, data warehousing and analytics. But it’s challenging to understand all the options – from IaaS and PaaS to newer services like HaaS (Hadoop as a Service) and BDaaS (Big Data as a Service). In her session at @BigDataExpo at @ThingsExpo, Hannah Smalltree, a director at Cazena, will provide an educational overview of emerging “as-a-service” options for Big Data in the cloud. This is critical background for IT and data profes...
In a previous article, I demonstrated how to effectively and efficiently install the Dynatrace Application Monitoring solution using Ansible. In this post, I am going to explain how to achieve the same results using Chef with our official dynatrace cookbook available on GitHub and on the Chef Supermarket. In the following hands-on tutorial, we’ll also apply what we see as good practice on working with and extending our deployment automation blueprints to suit your needs.
Father business cycles and digital consumers are forcing enterprises to respond faster to customer needs and competitive demands. Successful integration of DevOps and Agile development will be key for business success in today’s digital economy. In his session at DevOps Summit, Pradeep Prabhu, Co-Founder & CEO of Cloudmunch, covered the critical practices that enterprises should consider to seamlessly integrate Agile and DevOps processes, barriers to implementing this in the enterprise, and pr...
If we look at slow, traditional IT and jump to the conclusion that just because we found its issues intractable before, that necessarily means we will again, then it’s time for a rethink. As a matter of fact, the world of IT has changed over the last ten years or so. We’ve been experiencing unprecedented innovation across the board – innovation in technology as well as in how people organize and accomplish tasks. Let’s take a look at three differences between today’s modern, digital context...
The principles behind DevOps are not new - for decades people have been automating system administration and decreasing the time to deploy apps and perform other management tasks. However, only recently did we see the tools and the will necessary to share the benefits and power of automation with a wider circle of people. In his session at DevOps Summit, Bernard Sanders, Chief Technology Officer at CloudBolt Software, explored the latest tools including Puppet, Chef, Docker, and CMPs needed to...
Sensors and effectors of IoT are solving problems in new ways, but small businesses have been slow to join the quantified world. They’ll need information from IoT using applications as varied as the businesses themselves. In his session at @ThingsExpo, Roger Meike, Distinguished Engineer, Director of Technology Innovation at Intuit, showed how IoT manufacturers can use open standards, public APIs and custom apps to enable the Quantified Small Business. He used a Raspberry Pi to connect sensors...
Let’s face it, embracing new storage technologies, capabilities and upgrading to new hardware often adds complexity and increases costs. In his session at 18th Cloud Expo, Seth Oxenhorn, Vice President of Business Development & Alliances at FalconStor, will discuss how a truly heterogeneous software-defined storage approach can add value to legacy platforms and heterogeneous environments. The result reduces complexity, significantly lowers cost, and provides IT organizations with improved effi...
Data-as-a-Service is the complete package for the transformation of raw data into meaningful data assets and the delivery of those data assets. In her session at 18th Cloud Expo, Lakshmi Randall, an industry expert, analyst and strategist, will address: What is DaaS (Data-as-a-Service)? Challenges addressed by DaaS Vendors that are enabling DaaS Architecture options for DaaS
One of the bewildering things about DevOps is integrating the massive toolchain including the dozens of new tools that seem to crop up every year. Part of DevOps is Continuous Delivery and having a complex toolchain can add additional integration and setup to your developer environment. In his session at @DevOpsSummit at 18th Cloud Expo, Miko Matsumura, Chief Marketing Officer of Gradle Inc., will discuss which tools to use in a developer stack, how to provision the toolchain to minimize onboa...