Welcome!

Microservices Expo Authors: Elizabeth White, Todd Matters, Harry Trott, Pat Romanski, Yeshim Deniz

Related Topics: Cloud Security, Microservices Expo, @CloudExpo

Cloud Security: Article

Coordinating Security Information

What happens when an agency finds a better point solution than one currently in place?

A recent article in Government Computer News raised the topic of FISMA reporting, specifically describing the "pessimism" of many USG agencies over meeting the September 2012 deadline for "using continuous monitoring to meet Federal Information Security Management Act reporting requirements." The article cites a survey of over 200 government IT professionals, conducted by RedSeal Networks, in which 55% of respondents felt they won't be ready, or don't know if they will be ready, by the deadline. One can certainly debate the significance of the number of agencies expressing concern over meeting the deadline, and the reasons given would likely drag the conversation to arguing over the validity of a deadline set by government for something that is far more complex than "flipping a switch." But set that aside for the moment.

More interesting is the fact that, when you look at the responses by the role of the respondents, "53 percent of security managers, administrators and auditors expected to meet the Sept. 30 deadline, while only 28 percent of CIOs and chief information security officers expected to." Mike Lloyd, RedSeal's CTO, said "This is an interesting finding, not what a cynic might expect." That cynic would expect the typical (over-)confidence of an executive, the one telling folks "no problem, we're right on track" while the IT managers, the ones actually tasked with the design, deployment and operation of relevant systems, the feverish scramble to find the right tools, the right people, and the right data to meet the reporting requirement.

In fact, the opposite is the case. The IT managers believe they have the right point solutions to do the monitoring, analyze the data, and process the relevant compliance reports. They aren't worried about trying to figure out how they're going to perform the continuous monitoring, primarily because today's IT vendors are creating products that provide the capabilities to meet these requirements. So why don't these CIOs and CISOs share the confidence of their IT staff?

The answer is both simple ... and not so simple. In discussing this survey and resulting article, the editors at SANS described the lack of C-level confidence this way (emphasis added): "Agencies need to find ways to bring together information from various systems to provide the necessary set of data." Bring information together? That's easy, just get a bunch of good developers to build custom integration points between all these systems that the IT managers feel really good about (rightly so), and then the data will flow! Sounds great...until you look a little closer at what this entails: a group of good developers is expensive, not to mention hard to find. Assuming you can find all these good developers (and afford to pay them), can they knock this effort out in, say, 6 months? 9 months? Factor in the unique and often proprietary formats and data structures of these various solutions, and now what, 12 months? Remember that September deadline?

What happens when the agency finds a better point solution than one currently in place? Bring back those good, expensive developers (or retain them) to build new integration points between the existing solutions and this new one? Not so simple anymore, is it?

This approach is not timely, cost-effective, or scalable. A better approach is to build a foundation that allows these best-of-breed point solutions to share data in a common format, providing each solution with the ability to use only that data that is relevant to it.

Over the last four years, the Trusted Computing Group (trustedcomputinggroup.org) has developed and published a set of open specifications called IF-MAP (or "Interface to Metadata Access Points"). IF-MAP is a protocol specifically designed to allow disparate systems from different vendors to share information. The IF-MAP open standard makes it possible for any authorized device or system to publish information to an IF-MAP server, to search that server for relevant information, and to subscribe to any updates to that information. This "sharing" is done in a standardized way, eliminating the need for costly custom integration points between these disparate systems. Through the use of IF-MAP, agencies would have the ability to enable data and information sharing between systems in an automated and continuous manner.

Share data without allowing unauthorized access among logs, records/databases, firewalls, provisioning systems, switches, and more.

Track devices and their owners on the network.

Track/monitor network traffic.

Control the activity/access of devices operating inappropriately.

Manage/Tie legacy systems into global enterprise (i.e., SCADA).

Validate endpoints and allow access (Standard managed endpoint security).

Share security data among devices and have those security devices act based on the collective available data.

And the best part - many government agencies already have solutions in place that support IF-MAP. Vendors including Lumeta, Juniper, Enterasys, and Infoblox, just to name a few, have products supporting IF-MAP. Numerous government agencies and system integrators have labs dedicated to using IF-MAP and similar open standard specifications to develop solutions to the biggest cyber-security challenges out there - such as real-time configuration management databases; the integration of physical and network security; and policy-based remote access - all using IF-MAP and COTS products.

IF-MAP alone won't necessarily help those agencies meet the September deadline, but one thing is certain - not using open standards and specifications such as IF-MAP will make the effort more costly, more time-consuming, and less flexible. If you can show me a government agency that has extra money and extra time, I'd love to see it.

More Stories By Steve Hanna

Steve Hanna is co-chair of the Trusted Network Connect Work Group in the Trusted Computing Group and co-chair of the Network Endpoint Assessment Working Group in the Internet Engineering Task Force. An inventor or co-inventor of 30 issued U.S. patents, he holds an A.B. in Computer Science from Harvard University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
@DevOpsSummit at Cloud Expo taking place Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center, Santa Clara, CA, is co-located with the 21st International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is ...
For most organizations, the move to hybrid cloud is now a question of when, not if. Fully 82% of enterprises plan to have a hybrid cloud strategy this year, according to Infoholic Research. The worldwide hybrid cloud computing market is expected to grow about 34% annually over the next five years, reaching $241.13 billion by 2022. Companies are embracing hybrid cloud because of the many advantages it offers compared to relying on a single provider for all of their cloud needs. Hybrid offers bala...
The margins of cloud products like virtual machines are still in the 50% range. In essence, price drops are going to be a regular feature for the foreseeable future. This begets the question - are hosted solutions becoming irrelevant today? Boston-based market research firm, 451 Research, has been publishing their ‘Cloud Price Index' for a few years now. The quarterly study looks into the pricing of various offerings in the cloud market to understand the shifting dynamics in the public, privat...
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know that not all workloads are suitable for cloud. You know that you want the kind of ease of use and scalability that you get with public cloud, but your applications are architected in a way that makes the public cloud a non-starter. You’re looking at private cloud solutions based on hyperconverged infrastructure, but you’re concerned with the limits inherent in those technologies.
For organizations that have amassed large sums of software complexity, taking a microservices approach is the first step toward DevOps and continuous improvement / development. Integrating system-level analysis with microservices makes it easier to change and add functionality to applications at any time without the increase of risk. Before you start big transformation projects or a cloud migration, make sure these changes won’t take down your entire organization.
What's the role of an IT self-service portal when you get to continuous delivery and Infrastructure as Code? This general session showed how to create the continuous delivery culture and eight accelerators for leading the change. Don Demcsak is a DevOps and Cloud Native Modernization Principal for Dell EMC based out of New Jersey. He is a former, long time, Microsoft Most Valuable Professional, specializing in building and architecting Application Delivery Pipelines for hybrid legacy, and cloud ...
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
"Tintri focuses on the Ops side of the DevOps, which basically is pushing more and more of the accessibility of the infrastructure to the developers and trying to get behind the scenes," explained Dhiraj Sehgal of Tintri in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We do one of the best file systems in the world. We learned how to deal with Big Data many years ago and we implemented this knowledge into our software," explained Jakub Ratajczak, Business Development Manager at MooseFS, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business - from apparel to energy - is being rewritten by software. From planning to development to management to security, CA creates software that fuels transformation for companies in the applic...
Five years ago development was seen as a dead-end career, now it’s anything but – with an explosion in mobile and IoT initiatives increasing the demand for skilled engineers. But apart from having a ready supply of great coders, what constitutes true ‘DevOps Royalty’? It’ll be the ability to craft resilient architectures, supportability, security everywhere across the software lifecycle. In his keynote at @DevOpsSummit at 20th Cloud Expo, Jeffrey Scheaffer, GM and SVP, Continuous Delivery Busine...
Cloud Expo, Inc. has announced today that Andi Mann and Aruna Ravichandran have been named Co-Chairs of @DevOpsSummit at Cloud Expo Silicon Valley which will take place Oct. 31-Nov. 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. "DevOps is at the intersection of technology and business-optimizing tools, organizations and processes to bring measurable improvements in productivity and profitability," said Aruna Ravichandran, vice president, DevOps product and solutions marketing...
Managing mission-critical SAP systems and landscapes has never been easy. Add public cloud with its myriad of powerful cloud native services and this may not change any time soon. Public cloud offers exciting new possibilities for enterprise workloads. But to make use of these possibilities and capabilities, IT teams need to re-think everything they have done before. Otherwise, they will just end up using public cloud as a hosting platform for their workloads, aka known as “lift and shift.”
There's a lot to gain from cloud computing, but success requires a thoughtful and enterprise focused approach. Cloud computing decouples data and information from the infrastructure on which it lies. A process that is a LOT more involved than dragging some folders from your desktop to a shared drive. Cloud computing as a mission transformation activity, not a technological one. As an organization moves from local information hosting to the cloud, one of the most important challenges is addressi...
The reality of data ubiquity is here—data is buried in operational statistics, machine logs, stacks of overflowing tickets and customer details, among other things. How can any user get valuable information amid this rapid influx of data? Imagine a situation where your firm’s revenue takes a hit owing to an unexpected failure in some business process. It would be a nightmare for IT admins to sift through the interminable piles of data to deduce exactly why and where the problem occurred. To sav...
Hybrid IT is today’s reality, and while its implementation may seem daunting at times, more and more organizations are migrating to the cloud. In fact, according to SolarWinds 2017 IT Trends Index: Portrait of a Hybrid IT Organization 95 percent of organizations have migrated crucial applications to the cloud in the past year. As such, it’s in every IT professional’s best interest to know what to expect.
Both SaaS vendors and SaaS buyers are going “all-in” to hyperscale IaaS platforms such as AWS, which is disrupting the SaaS value proposition. Why should the enterprise SaaS consumer pay for the SaaS service if their data is resident in adjacent AWS S3 buckets? If both SaaS sellers and buyers are using the same cloud tools, automation and pay-per-transaction model offered by IaaS platforms, then why not host the “shrink-wrapped” software in the customers’ cloud? Further, serverless computing, cl...
In the decade following his article, cloud computing further cemented Carr’s perspective. Compute, storage, and network resources have become simple utilities, available at the proverbial turn of the faucet. The value they provide is immense, but the cloud playing field is amazingly level. Carr’s quote above presaged the cloud to a T. Today, however, we’re in the digital era. Mark Andreesen’s ‘software is eating the world’ prognostication is coming to pass, as enterprises realize they must be...
A common misconception about the cloud is that one size fits all. Companies expecting to run all of their operations using one cloud solution or service must realize that doing so is akin to forcing the totality of their business functionality into a straightjacket. Unlocking the full potential of the cloud means embracing the multi-cloud future where businesses use their own cloud, and/or clouds from different vendors, to support separate functions or product groups. There is no single cloud so...
In 2014, Amazon announced a new form of compute called Lambda. We didn't know it at the time, but this represented a fundamental shift in what we expect from cloud computing. Now, all of the major cloud computing vendors want to take part in this disruptive technology. In his session at 20th Cloud Expo, Doug Vanderweide, an instructor at Linux Academy, discussed why major players like AWS, Microsoft Azure, IBM Bluemix, and Google Cloud Platform are all trying to sidestep VMs and containers wit...