Welcome!

Microservices Expo Authors: Liz McMillan, Pat Romanski, Elizabeth White, Mehdi Daoudi, Yeshim Deniz

Related Topics: Cloud Security, Microservices Expo, @CloudExpo

Cloud Security: Article

Coordinating Security Information

What happens when an agency finds a better point solution than one currently in place?

A recent article in Government Computer News raised the topic of FISMA reporting, specifically describing the "pessimism" of many USG agencies over meeting the September 2012 deadline for "using continuous monitoring to meet Federal Information Security Management Act reporting requirements." The article cites a survey of over 200 government IT professionals, conducted by RedSeal Networks, in which 55% of respondents felt they won't be ready, or don't know if they will be ready, by the deadline. One can certainly debate the significance of the number of agencies expressing concern over meeting the deadline, and the reasons given would likely drag the conversation to arguing over the validity of a deadline set by government for something that is far more complex than "flipping a switch." But set that aside for the moment.

More interesting is the fact that, when you look at the responses by the role of the respondents, "53 percent of security managers, administrators and auditors expected to meet the Sept. 30 deadline, while only 28 percent of CIOs and chief information security officers expected to." Mike Lloyd, RedSeal's CTO, said "This is an interesting finding, not what a cynic might expect." That cynic would expect the typical (over-)confidence of an executive, the one telling folks "no problem, we're right on track" while the IT managers, the ones actually tasked with the design, deployment and operation of relevant systems, the feverish scramble to find the right tools, the right people, and the right data to meet the reporting requirement.

In fact, the opposite is the case. The IT managers believe they have the right point solutions to do the monitoring, analyze the data, and process the relevant compliance reports. They aren't worried about trying to figure out how they're going to perform the continuous monitoring, primarily because today's IT vendors are creating products that provide the capabilities to meet these requirements. So why don't these CIOs and CISOs share the confidence of their IT staff?

The answer is both simple ... and not so simple. In discussing this survey and resulting article, the editors at SANS described the lack of C-level confidence this way (emphasis added): "Agencies need to find ways to bring together information from various systems to provide the necessary set of data." Bring information together? That's easy, just get a bunch of good developers to build custom integration points between all these systems that the IT managers feel really good about (rightly so), and then the data will flow! Sounds great...until you look a little closer at what this entails: a group of good developers is expensive, not to mention hard to find. Assuming you can find all these good developers (and afford to pay them), can they knock this effort out in, say, 6 months? 9 months? Factor in the unique and often proprietary formats and data structures of these various solutions, and now what, 12 months? Remember that September deadline?

What happens when the agency finds a better point solution than one currently in place? Bring back those good, expensive developers (or retain them) to build new integration points between the existing solutions and this new one? Not so simple anymore, is it?

This approach is not timely, cost-effective, or scalable. A better approach is to build a foundation that allows these best-of-breed point solutions to share data in a common format, providing each solution with the ability to use only that data that is relevant to it.

Over the last four years, the Trusted Computing Group (trustedcomputinggroup.org) has developed and published a set of open specifications called IF-MAP (or "Interface to Metadata Access Points"). IF-MAP is a protocol specifically designed to allow disparate systems from different vendors to share information. The IF-MAP open standard makes it possible for any authorized device or system to publish information to an IF-MAP server, to search that server for relevant information, and to subscribe to any updates to that information. This "sharing" is done in a standardized way, eliminating the need for costly custom integration points between these disparate systems. Through the use of IF-MAP, agencies would have the ability to enable data and information sharing between systems in an automated and continuous manner.

Share data without allowing unauthorized access among logs, records/databases, firewalls, provisioning systems, switches, and more.

Track devices and their owners on the network.

Track/monitor network traffic.

Control the activity/access of devices operating inappropriately.

Manage/Tie legacy systems into global enterprise (i.e., SCADA).

Validate endpoints and allow access (Standard managed endpoint security).

Share security data among devices and have those security devices act based on the collective available data.

And the best part - many government agencies already have solutions in place that support IF-MAP. Vendors including Lumeta, Juniper, Enterasys, and Infoblox, just to name a few, have products supporting IF-MAP. Numerous government agencies and system integrators have labs dedicated to using IF-MAP and similar open standard specifications to develop solutions to the biggest cyber-security challenges out there - such as real-time configuration management databases; the integration of physical and network security; and policy-based remote access - all using IF-MAP and COTS products.

IF-MAP alone won't necessarily help those agencies meet the September deadline, but one thing is certain - not using open standards and specifications such as IF-MAP will make the effort more costly, more time-consuming, and less flexible. If you can show me a government agency that has extra money and extra time, I'd love to see it.

More Stories By Steve Hanna

Steve Hanna is co-chair of the Trusted Network Connect Work Group in the Trusted Computing Group and co-chair of the Network Endpoint Assessment Working Group in the Internet Engineering Task Force. An inventor or co-inventor of 30 issued U.S. patents, he holds an A.B. in Computer Science from Harvard University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Microservices Articles
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple cloud provider environments. Yet, despite this portability promise, developers may include configuration and application definitions that constrain or even eliminate application portability. In this session we'll describe best practices for "configuration as code" in a Kubernetes environment. We will demonstrate how a properly constructed containerized app can be deployed to both Amazon and Azure ...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In their Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, and Mark Lav...
The now mainstream platform changes stemming from the first Internet boom brought many changes but didn’t really change the basic relationship between servers and the applications running on them. In fact, that was sort of the point. In his session at 18th Cloud Expo, Gordon Haff, senior cloud strategy marketing and evangelism manager at Red Hat, will discuss how today’s workloads require a new model and a new platform for development and execution. The platform must handle a wide range of rec...
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound e...
If your cloud deployment is on AWS with predictable workloads, Reserved Instances (RIs) can provide your business substantial savings compared to pay-as-you-go, on-demand services alone. Continuous monitoring of cloud usage and active management of Elastic Compute Cloud (EC2), Relational Database Service (RDS) and ElastiCache through RIs will optimize performance. Learn how you can purchase and apply the right Reserved Instances for optimum utilization and increased ROI.
TCP (Transmission Control Protocol) is a common and reliable transmission protocol on the Internet. TCP was introduced in the 70s by Stanford University for US Defense to establish connectivity between distributed systems to maintain a backup of defense information. At the time, TCP was introduced to communicate amongst a selected set of devices for a smaller dataset over shorter distances. As the Internet evolved, however, the number of applications and users, and the types of data accessed and...
Consumer-driven contracts are an essential part of a mature microservice testing portfolio enabling independent service deployments. In this presentation we'll provide an overview of the tools, patterns and pain points we've seen when implementing contract testing in large development organizations.
In his session at 19th Cloud Expo, Claude Remillard, Principal Program Manager in Developer Division at Microsoft, contrasted how his team used config as code and immutable patterns for continuous delivery of microservices and apps to the cloud. He showed how the immutable patterns helps developers do away with most of the complexity of config as code-enabling scenarios such as rollback, zero downtime upgrades with far greater simplicity. He also demoed building immutable pipelines in the cloud ...
You have great SaaS business app ideas. You want to turn your idea quickly into a functional and engaging proof of concept. You need to be able to modify it to meet customers' needs, and you need to deliver a complete and secure SaaS application. How could you achieve all the above and yet avoid unforeseen IT requirements that add unnecessary cost and complexity? You also want your app to be responsive in any device at any time. In his session at 19th Cloud Expo, Mark Allen, General Manager of...