<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0" xml:base="http://www.fedtechmagazine.com/">
  <channel>
    <title>FedTech Magazine</title>
    <link>http://www.fedtechmagazine.com/</link>
    <description />
    <language>en</language>
          <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/FedTech" /><feedburner:info uri="fedtech" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
    <title>Agriculture Department Could Offer Big Data–Based Nutrition Advice</title>
    <link>http://feedproxy.google.com/~r/FedTech/~3/hiF3f2uUv5Y/agriculture-department-could-offer-big-data-based-nutrition-advice</link>
    <description>&lt;p&gt;People may wonder how Big Data could change the world; as it turns out, Big Data could play a role in helping to feed more people efficiently.&lt;/p&gt;
&lt;p&gt;The Department of Agriculture is seeking a data-driven tool to provide better nutritional assistance to low-income individuals and families, &lt;a href="http://www.nextgov.com/big-data/2013/05/agriculture-department-considers-data-driven-nutrition-assistance/62991/"&gt;reports Nextgov&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The USDA’s long-running Supplemental Nutrition Assistance Program (SNAP) relies on its state-level partners to understand and assess the needs and the usage patterns of people participating in the program. Currently, a national database for all of this data doesn’t exist, and not all states have created data-sharing agreements for SNAP caseload information, according to Nextgov.&lt;/p&gt;
&lt;p&gt;The information about the USDA’s possible Big Data play with SNAP comes from a &lt;a href="https://www.fbo.gov/index?s=opportunity&amp;amp;mode=form&amp;amp;id=b40a4b4f1ddad554538d6366f2022f22&amp;amp;tab=core&amp;amp;_cview=0"&gt;sources sought document&lt;/a&gt; that presents the opportunities and the challenges associated with creating such a database.&lt;/p&gt;
&lt;p&gt;The document outlines the agency’s objectives as follows:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;The objectives of this feasibility study are to understand the technological, policy, and cost requirements of creating a system that could capture and store State SNAP caseload data; identify barriers to State cooperation and ways to overcome those barriers; identify potential risks associated with data quality, cost, privacy, confidentiality and potential abuses; and provide options for delivering all data and a representative sample from each State Agency.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;If this ends up becoming a reality, it won’t be the first time that agriculture and Big Data have crossed paths.&lt;/p&gt;
&lt;p&gt;Farmers are also looking at the future by eyeing opportunities for analytics and intelligence. In a &lt;a href="http://blogs.vmware.com/vfabric/2012/09/4-examples-of-big-data-trends.html"&gt;post on the VMware blog&lt;/a&gt;, Mike Stolz, global field architect for the vFabric division of VMware, outlined how Big Data could change the farming industry:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;Next generation farm equipment like combines and tillers are going to be able to take soil samples as they move along, perform analysis on those samples, and feed the results of the analysis back to the manufacturer for crunching on a macro scale. This will result in a better understanding of what is happening in that entire area and make it possible to adjust things like the amount or types of fertilizer and chemicals that should be applied.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;As the field of Big Data matures, we can expect to see more creative and innovative applications like this in the future.&lt;/p&gt;</description>
     <category domain="http://www.fedtechmagazine.com/hardware-software/software/big-data">Big Data</category>
 <category domain="http://www.fedtechmagazine.com/agencies/agriculture-department">Agriculture Department</category>
 <category domain="http://www.fedtechmagazine.com/tactical-advice">Tactical Advice</category>
 <pubDate>Fri, 17 May 2013 14:26:52 +0000</pubDate>
 <dc:creator>Ricky Ribeiro</dc:creator>
 <guid isPermaLink="false">8853 at http://www.fedtechmagazine.com</guid>
  <feedburner:origLink>http://www.fedtechmagazine.com/article/2013/05/agriculture-department-could-offer-big-data-based-nutrition-advice</feedburner:origLink></item>
  <item>
    <title>Review: Belkin Advanced Secure KVM Switch Holds Down the Fort</title>
    <link>http://feedproxy.google.com/~r/FedTech/~3/dI9OSIRVDRo/review-belkin-advanced-secure-kvm-switch-holds-down-fort</link>
    <description>&lt;p&gt;Of all the possible security threats facing businesses, relatively few systems administrators give much thought to those that can occur on unsecured KVM technology.&lt;/p&gt;
&lt;p&gt;Too often, KVM switches are seen as turnkey solutions, bought and implemented to give users access to several systems and devices, but without so much as a second thought to the security implications. The ugly truth: KVM technology can introduce a litany of vulnerabilities, creating the risk of data theft, malware attacks and even console redirection. Fortunately, IT departments can prevent most of these security breaches simply by using secure KVM switches for controlling systems that house sensitive data.&lt;/p&gt;
&lt;p&gt;Belkin’s newest line of Advanced Secure KVM switches is designed with this need in mind, boasting an array of security enhancements that will benefit companies of any size without busting the IT budget.&lt;/p&gt;
&lt;h3&gt;Advantages&lt;/h3&gt;
&lt;p&gt;The Belkin Advanced Secure KVM complies with the National Security Agency’s Information Assurance Directorate standards, offering physical security features beyond those of traditional KVM switches, including optical data diodes that allow only unidirectional data flow between peripherals and target systems.&lt;/p&gt;
&lt;p&gt;Additionally, segregation of data for each connected system is facilitated by separate processors for each channel. Most KVM switches use the same processor for multiple systems. Video displays are segregated using protected video display emulators to prevent Extended Display Identification Data from being compromised, effectively preventing the video signal from being redirected to unsecured systems.&lt;/p&gt;
&lt;p&gt;Though equipped with USB ports for keyboard and mouse control, the switch has built-in safeguards to prevent data drive access to the ports. If the device detects anything that isn’t a mouse or keyboard in a port, it will instantly lock the port down.&lt;/p&gt;
&lt;h3&gt;Why It Works for IT&lt;/h3&gt;
&lt;p&gt;Common Access Card switching lets clients toggle between networks without losing their existing sessions (on CAC-enabled networks). This can save time and curb frustration for users who often need to switch between connected machines.&lt;/p&gt;
&lt;p&gt;The Belkin switch arrives in tamper-resistant packaging, with tamper-evident holographic tape also holding the casing together at the front seam. Once out of the box, the unit itself is rigged with sensor switches along its chassis that will render the unit inoperable upon detection of physical intrusion. This ensures integrity from point of sale to implementation.&lt;/p&gt;
&lt;p&gt;Belkin engineers obviously put careful thought into making the user experience as intuitive as possible, leaving less room for end-user error. Instead of using one button to toggle between multiple clients, the switch has a dedicated button for each channel, making identification simple. Additionally, the buttons feature pop-out color inserts that can be used to change the look of each button bezel. Quick mental associations such as these are often all that is needed to curtail end-user error, especially when switching between secure and unsecure networks.&lt;/p&gt;
&lt;h3&gt;Disadvantages&lt;/h3&gt;
&lt;p&gt;The Belkin Advanced Secure KVM switch is more expensive than other secure switches on the market. Belkin, however, is an established switch manufacturer, and its devices include a three-year warranty, better than those offered on many competing products. Although features and usability are important in choosing a secure KVM solution, purchasers would be well advised to factor Belkin’s reputation and support into their final decision.&lt;/p&gt;</description>
     <category domain="http://www.fedtechmagazine.com/hardware-software/hardware/gadgets">Gadgets</category>
 <category domain="http://www.fedtechmagazine.com/taxonomy/term/426">Product Review</category>
 <category domain="http://www.fedtechmagazine.com/taxonomy/term/2442">Belkin</category>
 <category domain="http://www.fedtechmagazine.com/tactical-advice">Tactical Advice</category>
 <pubDate>Fri, 17 May 2013 11:00:00 +0000</pubDate>
 <dc:creator>Jason Holbert</dc:creator>
 <guid isPermaLink="false">8851 at http://www.fedtechmagazine.com</guid>
  <feedburner:origLink>http://www.fedtechmagazine.com/article/2013/05/review-belkin-advanced-secure-kvm-switch-holds-down-fort</feedburner:origLink></item>
  <item>
    <title>The History of Federal Data Centers [#Infographic]</title>
    <link>http://feedproxy.google.com/~r/FedTech/~3/JHXjZhI8X2s/history-federal-data-centers-infographic</link>
    <description>&lt;p&gt;In one form or another, data centers have been at the core of the &lt;a href="http://www.fedtechmagazine.com/sites/default/files/cloud-iaas.pdf"&gt;federal government’s technology infrastructure&lt;/a&gt; for more than 100 years. The government’s interest in computers was sparked years before the first machines were ready for widespread use, and data centers are now vital to most agencies’ daily operations.&lt;/p&gt;
&lt;p&gt;In the early days of computing, the mechanical devices performed simple mathematical equations, albeit considerably faster than humans. In 1890, the Census Bureau used Herman Hollerith’s mechanical tabulator to conduct the decennial census.&lt;strong&gt; It was finished months ahead of schedule, changing forever the government landscape.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;It took decades to move from punch-card machines to supercomputers. The military understood the value of computers early on, and the Army was a pioneer in developing the first programmable, digital computer, known as ENIAC. &lt;strong&gt;At the time, it cost $500,000, equivalent to about $6 million today.&lt;/strong&gt; EDVAC, the ENIAC successor, required 30 people to operate and weighed nearly nine tons.&lt;/p&gt;
&lt;p&gt;NASA was another agency that recognized the incredible power of computers and data centers in the early years. By the mid-1960s, NASA had already sent a server into space; by 1985, the agency had sent a notebook computer, the Grid Compass, on a Space Shuttle mission.&lt;/p&gt;
&lt;p&gt;In the early 1990s, the general public and a large base of federal employees began to discover the advantages of working with computers. Personal computers increased the need for mainframes and later for server farms. The influx eventually led to a bloated and expensive infrastructure within the government. Data centers are notoriously expensive to run and maintain, and the swell prompted the Office of Personnel Management to create the &lt;a href="http://www.fedtechmagazine.com/article/2012/01/getting-data-center-consolidation-right"&gt;Federal Data Center Consolidation Initiative&lt;/a&gt; in 2010. The project was a move to optimize the use of data centers, whose utility is growing rapidly as cloud computing becomes the norm.&lt;/p&gt;
&lt;p&gt;The history of federal data centers is far from complete. Here is a look at how they have evolved over the past 120 years.&lt;/p&gt;
&lt;p&gt;&lt;img src="http://www.fedtechmagazine.com/sites/default/files/uploads/fedtech-history-data-centers-760.png" alt="History of Government Data Centers" title="History of Government Data Centers" width="760" height="3790" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.fedtechmagazine.com/sites/default/files/uploads/fedtech-datacenter-sources.html" target="_blank"&gt;Download the sources for this infographic.&lt;/a&gt;&lt;/p&gt;</description>
     <category domain="http://www.fedtechmagazine.com/infrastructure-optimization/consolidation">Consolidation</category>
 <category domain="http://www.fedtechmagazine.com/infrastructure-optimization/data-center-optimization">Data Center Optimization</category>
 <category domain="http://www.fedtechmagazine.com/agencies/national-aeronautics-space-administration">National Aeronautics &amp; Space Administration</category>
 <category domain="http://www.fedtechmagazine.com/tactical-advice">Tactical Advice</category>
 <pubDate>Thu, 16 May 2013 13:41:37 +0000</pubDate>
 <dc:creator>Jimmy Daly</dc:creator>
 <guid isPermaLink="false">8849 at http://www.fedtechmagazine.com</guid>
  <feedburner:origLink>http://www.fedtechmagazine.com/article/2013/05/history-federal-data-centers-infographic</feedburner:origLink></item>
  <item>
    <title>Next-Generation Firewalls Simplify Security for Agencies</title>
    <link>http://feedproxy.google.com/~r/FedTech/~3/U4iDRi78p2E/next-generation-firewalls-simplify-security-agencies</link>
    <description>&lt;p&gt;The Defense Information Systems Agency sees great value in next-generation firewalls.&lt;/p&gt;
&lt;p&gt;DISA initially deployed an NGFW for secure web gateway functionality, and recently tapped the device for antimalware and intrusion prevention. “By expanding the role of the NGFW, DISA has eliminated the need for separate devices for those enterprise capabilities,” says Mark Orndorff, chief information assurance executive and program executive officer for mission assurance and network ops.&lt;/p&gt;
&lt;p&gt;By using an NGFW to fulfill multiple enterprise perimeter protection roles, DISA reduces overall operations and maintenance costs, as well as the costs of training operators and computer network defense personnel, Orndorff says.&lt;/p&gt;
&lt;p&gt;While the device’s management interface affords the Defense Department greater visibility into the network, DISA has elected to integrate the same information into existing logging and analysis capabilities. Orndorff notes that this enables the agency to cross-correlate and analyze the firewall data with other computer network defense data.&lt;/p&gt;
&lt;p&gt;Another benefit is application control. Orndorff says NGFWs are application-aware and support development of custom signatures. The Defense Department plans to use this capability to prioritize applications to ensure that mission-critical interactions with the Internet are maintained during periods of high traffic volume.&lt;/p&gt;
&lt;div class="callout_right"&gt;
&lt;h3&gt;77%&lt;/h3&gt;
&lt;p&gt;Percentage of security professionals who believe that staff access to social media increases the likelihood of an advanced persistent threat or other sophisticated malware attack on the organization&lt;/p&gt;
&lt;p class="cite"&gt;&lt;strong&gt;SOURCE: &lt;/strong&gt;“A Prudent Approach to Next-Generation Firewalls” (Enterprise Strategy Group, January 2013)&lt;/p&gt;
&lt;/div&gt;
&lt;p&gt;John Grady, a research manager for IDC’s security products group, says IT managers such as Orndorff opt for multifunction devices because they offer enhanced capabilities.&lt;/p&gt;
&lt;p&gt;“I see this as the gradual evolution of the UTM,” Grady says. “The latest devices offer better integration between technologies, as well as application control and the ability for systems administrators to set very granular policies for users or groups of users.”&lt;/p&gt;
&lt;h3&gt;Extra Insight&lt;/h3&gt;
&lt;p&gt;The Department of Interior relies on NGFWs at each of its five Trusted Internet Connection gateways to provide visibility into the application layer.&lt;/p&gt;
&lt;p&gt;Because of the complexity of the agency’s network and the diverse needs of its nine technical agencies, the Interior Department isn’t quite ready to replace traditional security devices with NGFWs for primary security, says Larry Ruffin, the agency’s chief information security officer.&lt;/p&gt;
&lt;p&gt;The devices work well to offer supplemental capability, however. “For example, the BitTorrent protocol would be difficult to identify and control using traditional firewalls and security devices,” Ruffin explains. “However, BitTorrent can easily be identified and controlled using the next-generation firewalls.”&lt;/p&gt;
&lt;p&gt;Moving forward, Ruffin says replacing the traditional security environment with NGFWs will require a complete change of mindset. “The difficulty is not learning the devices themselves, but to change the way that traditional security professionals think,” he adds.&lt;/p&gt;
&lt;div class="sidebar_wide"&gt;
&lt;h3&gt;3 Elements of a Next-Gen Security Architecture&lt;/h3&gt;
&lt;p&gt;Jon Oltsik, a senior principal analyst for the Enterprise Strategy Group, advises organizations to adopt a broad, next-generation security architecture of tightly integrated network services that can be applied throughout the network.&lt;/p&gt;
&lt;p&gt;Next-generation network security includes these elements:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Central management.&lt;/strong&gt; A major aspect of next-generation security is the ability to centrally manage security policies, service orchestration/provisioning, monitoring and reporting.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Distributed policy enforcement.&lt;/strong&gt; This capability expedites network security service provisioning throughout the network. For example, a systems administrator can deploy a firewall service at the network perimeter, in the data center, at remote offices or within a physical server hosting multiple virtual servers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Any network security service in any form factor.&lt;/strong&gt; Next-generation network security can be applied in any type of device or set of services, including fixed-function, multifunction or virtual appliances, or cloud-based managed services.&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;</description>
     <category domain="http://www.fedtechmagazine.com/security/encryption">Encryption</category>
 <category domain="http://www.fedtechmagazine.com/security/firewalls">Firewalls</category>
 <category domain="http://www.fedtechmagazine.com/security/intrusion-detection-ids-intrusion-prevention-ips">Intrusion Detection (IDS) / Intrusion Prevention (IPS)</category>
 <category domain="http://www.fedtechmagazine.com/security/threat-prevention">Threat Prevention</category>
 <category domain="http://www.fedtechmagazine.com/security/unified-threat-management-utm">Unified Threat Management (UTM)</category>
 <category domain="http://www.fedtechmagazine.com/taxonomy/term/2090">Defense Information Systems Agency</category>
 <category domain="http://www.fedtechmagazine.com/taxonomy/term/2349">Interior Department</category>
 <category domain="http://www.fedtechmagazine.com/taxonomy/term/424">Tech Trends</category>
 <category domain="http://www.fedtechmagazine.com/case-studies">Case Studies</category>
 <pubDate>Thu, 16 May 2013 04:00:00 +0000</pubDate>
 <dc:creator>Steve Zurier</dc:creator>
 <guid isPermaLink="false">8850 at http://www.fedtechmagazine.com</guid>
  <feedburner:origLink>http://www.fedtechmagazine.com/article/2013/05/next-generation-firewalls-simplify-security-agencies</feedburner:origLink></item>
  <item>
    <title>How to Secure Optimized Networks</title>
    <link>http://feedproxy.google.com/~r/FedTech/~3/wPbE7lBgg-c/how-secure-optimized-networks</link>
    <description>&lt;p&gt;A long-simmering feud between network and security managers is heating up over visibility and performance.&lt;/p&gt;
&lt;p&gt;Network managers strive to deploy &lt;a href="http://www.cdw.com/content/solutions/wireless-infrastructure.aspx" target="_blank" title="wide area networking technology"&gt;fast and resilient WANs&lt;/a&gt; for distributed organizations. The problem is that some of the best tools available to optimize networks, such as compression, protocol optimization, load balancing and dynamic routing, can wreak havoc with proxies, data loss prevention (DLP), intrusion prevention systems (IPS) and firewalls.&lt;/p&gt;
&lt;p&gt;To keep networks and data as secure as possible, consider these four tips:&lt;/p&gt;
&lt;h3&gt;1. Order functions correctly.&lt;/h3&gt;
&lt;p&gt;In most networks, firewalling and VPN should be at the outer edge, while IPS and DLP should occur as close to users and servers as possible. WAN optimization goes between the two. Thus, user traffic should hit the IPS or DLP system first, then pass through optimization, before finally traversing the firewall and moving out onto the WAN or Internet.&lt;/p&gt;
&lt;p&gt;The same is true of a server: Traffic should go from the server to any security devices, then optimization, load balancing and acceleration, and finally hit the firewalls.&lt;/p&gt;
&lt;p&gt;Mixing up that order will cause gaps. For example, unified threat management (UTM) firewalls have IPS built in, but an IPS cannot properly function on traffic that has been compressed. This means that optimized networks will not get the best results from IPS functions in a UTM firewall; they need dedicated IPS devices that can see traffic before it’s encrypted and optimized.&lt;/p&gt;
&lt;p&gt;IPS manufacturers prefer this location anyway because the IPS can give the best results when it sees network traffic as if it were an end system (such as a PC, notebook or server), reducing the effects of load balancing, network fragmentation and reordering.&lt;/p&gt;
&lt;h3&gt;2. Try not to do things twice — or three times.&lt;/h3&gt;
&lt;p&gt;Optimization devices must decrypt traffic in order to compress and cache it, which calls for man-in-the-middle decryption of all SSL/TLS traffic on the WAN. The same is true of next-generation firewalls, which need to decrypt traffic to identify application layer information and apply controls. And IPS solutions have the same problem — without decrypted traffic, they cannot be fully effective. Decrypting and re-encrypting twice or even three times will slow traffic down and cause problems.&lt;/p&gt;
&lt;p&gt;Network and security managers who plan to use devices that require man-in-the-middle decryption should deploy products that can work together. This can limit product selection options, but it’s better to work out interoperability early rather than having to start over.&lt;/p&gt;
&lt;h3&gt;3. Identify key monitoring and control points.&lt;/h3&gt;
&lt;p&gt;For highly optimized networks, it’s better to have multiple smaller IPS devices instead of one enormous centralized device that is partially blinded by encryption. When traffic flows through multiple IPS devices, security managers should be sure to write rules so that traffic is only scanned once at the most appropriate place. This improves performance and efficacy while reducing false positives.&lt;/p&gt;
&lt;p&gt;For example, many application managers have used sophisticated application delivery controllers to load balance, increase reliability and scalability, and optimize application delivery. In most cases, these devices can also perform SSL/TLS offloads, handle encryption on the outside and pass unencrypted traffic to the application, speeding server performance as well. The short path between the application delivery controller and the servers is the perfect place to put IPS and DLP functionality.&lt;/p&gt;
&lt;h3&gt;4. Closely watch dynamic routing.&lt;/h3&gt;
&lt;p&gt;When building optimized networks, look out for the effects of dynamic routing. Network managers build networks to keep packets flowing, but this can cause both short-term and long-term asymmetric traffic flows. From a networking point of view, that’s fine, but from a security point of view, it can be a problem. Any good firewall will block asymmetric traffic by default, making the firewall responsible for network outages.&lt;/p&gt;
&lt;p&gt;Security managers can work around this issue in several ways. Most firewalls will allow asymmetric traffic if they’re specifically configured to do so. They should not do this out of the box — that’s a sign of a broken firewall — but manufacturers have recognized this problem and usually have an option to allow asymmetric flows. A better option is to be aware of the potential for asymmetric flows.&lt;/p&gt;
&lt;p&gt;Network and security staff should work together during design and upgrade planning to watch out for these potential problems. That should make it easier to place firewalls and firewall clusters so that any asymmetry is invisible to the firewalls. The same advice applies to optimization devices, which cannot do their job properly if traffic flows aren’t symmetric.&lt;/p&gt;</description>
     <category domain="http://www.fedtechmagazine.com/networking/network-optimization">Network Optimization</category>
 <category domain="http://www.fedtechmagazine.com/taxonomy/term/425">Tech Tips</category>
 <category domain="http://www.fedtechmagazine.com/tactical-advice">Tactical Advice</category>
 <pubDate>Tue, 14 May 2013 04:00:00 +0000</pubDate>
 <dc:creator>Joel Snyder</dc:creator>
 <guid isPermaLink="false">8848 at http://www.fedtechmagazine.com</guid>
  <feedburner:origLink>http://www.fedtechmagazine.com/article/2013/05/how-secure-optimized-networks</feedburner:origLink></item>
  <item>
    <title>Moving to the Cloud? Here Are Three Tips for Reworking Your Network</title>
    <link>http://feedproxy.google.com/~r/FedTech/~3/OeeNL_e04bQ/moving-cloud-here-are-three-tips-reworking-your-network</link>
    <description>&lt;p&gt;As organizations have begun to move applications to the cloud, network managers are relieved that they no longer have to worry about them. Moving apps to the cloud, however, requires rethinking some things at the network layer.&lt;/p&gt;
&lt;h3&gt;Bandwidth Management&lt;/h3&gt;
&lt;p&gt;One usual side effect of cloud computing is an increased requirement for Internet bandwidth and reliability. Network managers should keep service-level agreement (SLA) metrics, such as bandwidth, latency and availability, in mind when they upgrade Internet connections. Adding those metrics to a contract may be difficult for most ISPs.&lt;/p&gt;
&lt;p&gt;No matter whether the SLA is part of the contract, the networking team should be evaluating these metrics and self-reporting how well the Internet connections are holding up as applications move outside the building.&lt;/p&gt;
&lt;h3&gt;Encryption Increase&lt;/h3&gt;
&lt;p&gt;Many network and security managers have been able to apply security controls, such as data loss prevention, intrusion prevention, URL filtering and application layer controls, because traffic in the LAN may not have been encrypted. When applications move to the cloud, though, encryption is a clear requirement. Security managers will have to figure out how to do their job, typically using tools such as next-generation firewalls (which can handle SSL decryption), as encryption usage skyrockets.&lt;/p&gt;
&lt;h3&gt;Access Controls and Authentication&lt;/h3&gt;
&lt;p&gt;When all of an organization’s network traffic resided on a LAN, network and security managers could be sloppy about access control policies by depending on known IP addresses to define permissions within the network. When applications move to the cloud, these controls must be reconsidered, because IP addresses should not be used across the Internet to define security permissions.&lt;/p&gt;
&lt;p&gt;Network and security teams should look at network access control to re-establish access control policies based on a user’s identity and group affiliations. Cloud-based applications also must be online and integrated with the organization’s authentication and authorization system, such as Windows Active Directory.&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="http://www.fedtechmagazine.com/sites/default/files/optimizing-the-network.pdf"&gt;network optimization in our free white paper&lt;/a&gt;.&lt;/p&gt;</description>
     <category domain="http://www.fedtechmagazine.com/networking/bandwidth-management">Bandwidth Management</category>
 <category domain="http://www.fedtechmagazine.com/infrastructure-optimization/cloud-computing">Cloud Computing</category>
 <category domain="http://www.fedtechmagazine.com/tactical-advice">Tactical Advice</category>
 <pubDate>Mon, 13 May 2013 12:00:00 +0000</pubDate>
 <dc:creator />
 <guid isPermaLink="false">8838 at http://www.fedtechmagazine.com</guid>
  <feedburner:origLink>http://www.fedtechmagazine.com/article/2013/05/moving-cloud-here-are-three-tips-reworking-your-network</feedburner:origLink></item>
  <item>
    <title>The Future of U.S. Financial Regulation</title>
    <link>http://feedproxy.google.com/~r/FedTech/~3/M6x5esTZvdM/future-us-financial-regulation</link>
    <description>&lt;p&gt;U.S. financial institutions have long been recognized as early adopters of technology in order to increase efficiency, better understand their own risks, and gain a competitive advantage over their peers both in the United States and internationally. Before the financial crisis, however, many firms did not have integrated data systems, so that information was often segregated by division, by office and, in some cases, even by individual trader. Consequently, many firms lacked a cohesive picture of their financial positions, risks and exposures.&lt;/p&gt;
&lt;p&gt;As many of today’s financial services firms have come to learn, big data systems can be used to analyze and publicize large, complex data sets. These systems can accommodate massive amounts of data, conduct deep and thorough analysis, and work with both firms’ and regulators’ systems. At the New York Stock Exchange’s Euronext, for example, daily data volumes are up 200 percent year-over-year, which led the NYSE to implement a fine-grained analytics system to measure latency across all transactions on a daily basis. By implementing new technology, the exchange now has better intelligence, more rapidly and at lower cost. Firms throughout the financial sector have seen similar results.&lt;/p&gt;
&lt;p&gt;What has worked well in the private sector is now being adopted in the public sector. In 2010, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act, which included a number of provisions aimed at creating more transparent and stable financial markets. For example, Dodd-Frank includes measures designed to increase regulators’ understanding of financial markets by requiring financial institutions to improve their data collection and reporting and by giving regulatory agencies significant latitude in the types and amounts of data they collect from firms.&lt;/p&gt;
&lt;p&gt;The impact of the massive regulatory overhaul has been felt throughout the financial industry, from transaction types and the nature of financial advice to the authorities of regulatory agencies. One of the central guiding principles of the overhaul was the need for more information. Regulators are using this information to provide a real-time view of bank performance and market conditions and improve their oversight of the financial system. Four federal financial regulatory organizations are at the heart of this effort: the Federal Reserve Board, the Securities and Exchange Commission (SEC), the Office of Financial Research (OFR) and the Consumer Financial Protection Bureau (CFPB).&lt;/p&gt;
&lt;h2&gt;&lt;strong&gt;The Need for Better Data&lt;/strong&gt;&lt;/h2&gt;
&lt;p&gt;Following the 2008 crisis, the Federal Reserve Board recognized its need for more detailed data on mortgage and credit markets and launched the Risk Assessment, Data Analysis and Research Group. RADAR was part of an effort to help the Fed acquire and centralize a broad array of U.S. consumer credit data — credit cards, auto loans, student loans and mortgages — and make the information more broadly available to Fed staff and, in some cases, the public. Since its launch in mid-2010, RADAR has helped the Fed produce timely reports and research papers and has produced meaningful insights that inform monetary policy and bank supervision and regulation, as well as macroprudential supervision. While the data warehouse is mainly used for bank surveillance purposes, it has also proven useful in the Fed’s community development initiative.&lt;/p&gt;
&lt;p&gt;In 2011, the Federal Reserve Bank of New York began work on a Sentiment Analysis and Social Media Monitoring Solution that enabled the bank to monitor discussions across Facebook, Twitter, blogs, YouTube, web forums and other media. The project recognized “a need for the FRBNY Communications Group to be timely and proactively aware of the reactions and opinions expressed by the general public as it relates to the Federal Reserve and its actions on a variety of subjects,” as the bank stated in a request for proposals. In essence, the Federal Reserve wanted to know what people were saying about the economy and to better understand how consumer confidence was trending.&lt;/p&gt;
&lt;p&gt;With social media, a real-time opportunity exists to monitor local, national and even global consumer psychology. Consumers are said to be 70 percent of the economy, so listening to what they are saying — and what they are spending their money on — is important. As a result of its experience during the financial crisis, the Federal Reserve has stated that it is committed to “improving the responsiveness and flexibility of its business intelligence tools for analysis and decision-making,” and numerous business intelligence initiatives are underway.&lt;/p&gt;
&lt;h2&gt;&lt;strong&gt;A Clearer View&lt;/strong&gt;&lt;/h2&gt;
&lt;p&gt;The SEC is similarly beefing up its business intelligence efforts and is seeking to leverage the digital process by employing data analytics and increasing the use of dashboards across the organization. For example, the SEC recently procured an analytics tool that collects real-time trade data from the exchanges and hosts their entire repository of historical market data logs on a Virtual Private Cloud (VPC). The VPC is dedicated to the SEC for a secure environment where its users are able to access, analyze and create complex models.&lt;/p&gt;
&lt;p&gt;The SEC is also planning to develop and deliver a system that allows four of its divisions to track the creation, modification and cancellation of orders in real time. The system is intended to allow the SEC to collect, store, aggregate, monitor, query, manipulate and analyze trades, and quotes and orders on stocks and options, as disseminated by national securities exchanges, over-the-counter markets and alternative trading systems. The SEC analysts within the newly created Office of Analytics and Research will be looking for patterns of disruptive activity and nefarious trading practices, intentional or accidental.&lt;/p&gt;
&lt;p&gt;The SEC’s Electronic Data Gathering Analysis and Retrieval (EDGAR) system, which electronically receives, processes and disseminates more than 500,000 financial statements every year, has also been going through an upgrade. Using interactive data, an investor can pull out specific information and compare it to information from other companies, performance in past years and industry averages. At the SEC, interactive data can provide investors faster access to the information they want in a form that's easily used and can help companies prepare information more quickly and accurately. As more companies embrace interactive data, sophisticated analysis tools that are now used by financial professionals could become available to the average investor.&lt;/p&gt;
&lt;h2&gt;&lt;strong&gt;Reducing Risk&lt;/strong&gt;&lt;/h2&gt;
&lt;p&gt;In the years leading up to the financial crisis, policymakers and investors lacked sufficient data to anticipate emerging threats to financial stability or assess how shocks to one financial firm could impact the whole system. Accordingly, Dodd-Frank established the Office of Financial Research (OFR) within the Treasury Department to improve the quality of financial data available to policymakers and facilitate more robust and sophisticated analysis of the financial system.&lt;/p&gt;
&lt;p&gt;OFR is empowered to collect “all data necessary” from financial companies, including banks and private equity firms. OFR’s mandate includes providing critical information and analytical tools to anticipate and respond to future emerging vulnerabilities; making it easier to aggregate and organize data; and maximizing data efficiency and security.&lt;/p&gt;
&lt;p&gt;OFR operates a data center to standardize, validate and maintain the data necessary to help regulators identify vulnerabilities in the system as a whole. It also runs a Research and Analysis Center to conduct, coordinate and sponsor research to support and improve regulation of financial firms and markets. These data and analytical capabilities are intended to help policymakers and regulators, including the newly created Financial Stability Oversight Council (FSOC), as well as to promote financial stability and enhance market discipline.&lt;/p&gt;
&lt;p&gt;The OFR has already begun to support the FSOC and its member agencies by providing analyses and data-related services. For example, the OFR is providing FSOC with data and analysis related to the designation of nonbank financial companies for consolidated supervision by the Federal Reserve Board. The OFR is also actively working with the FSOC to develop and maintain an initial “dashboard” of metrics and indicators related to financial stability.&lt;/p&gt;
&lt;p&gt;In December 2012, OFR and FSOC hosted a conference titled “The Macroprudential Toolkit: Measurement and Analysis.” The conference brought together thought leaders from the financial regulatory community, academia, public interest groups and the financial services industry to discuss issues related to data, technology and analytical approaches for assessing, monitoring and mitigating threats to financial stability. The OFR is also promoting stronger data-related standards to improve the quality and scope of financial data, which in turn should help regulators and market participants mitigate risks to the financial system. Such standards will also help firms link and aggregate information more easily and allow them to use the same basic data for reporting to regulators and for managing their businesses, providing important efficiencies and cost savings.&lt;/p&gt;
&lt;h2&gt;&lt;strong&gt;21st Century Tools&lt;/strong&gt;&lt;/h2&gt;
&lt;p&gt;The basic idea underlying the OFR’s mandate is that better data and analysis can support the design of stronger financial shock absorbers and guardrails to reduce the risk of crises. They can also support earlier warning and effective responses to reduce the effects of crises when they occur, and help draw lessons for the future, which fits with the CFPB’s mission. Elizabeth Warren, former special adviser for the CFPB and now a U.S. senator representing Massachusetts, proposed that “a 21st-century agency should use 21st-century tools” and promised that the CFPB would employ innovative technologies to advance its goals. As the first federal “start-up agency” in a generation, the CFPB has already begun several large-scale data collection efforts on topics ranging from credit cards to mortgages to student loans.&lt;/p&gt;
&lt;p&gt;Since opening its doors in July 2011, the CFPB has launched numerous consumer complaint databases and plans to collect data from large and small financial firms and rely on “crowdsourcing” — using technology to gain input from large groups of people — to inform its oversight efforts. As part of its Project Catalyst, the CFPB now makes consumer credit card complaint information available to the public through the bureau’s Consumer Complaint Database. In addition, the CFPB is able to identify patterns of deceptive and unfair sales and billing practices that have been reported by consumers. The agency can then use its crowd-sourced big-data analytics to alert credit and debit cardholders to similar charges on their cards and help them resolve the problem.&lt;/p&gt;
&lt;p&gt;This treasure trove of data also allows the CFPB to observe trends in consumer complaints and resolution and act on them. For example, “credit card protection” is so far the 12th-most prevalent type of complaint overall, accounting for 3.6 percent of all complaints filed. Based on this data, the CFPB found that at every stage of the consumer experience — from advertising to enrollment to payment to collection — several companies had violated consumer financial laws. The agency brought actions against those companies for deceptive marketing practices.&lt;/p&gt;
&lt;p&gt;On the bright side, those same companies can leverage the CFPB’s consumer complaint database to see where they stand in relation to competitors. And other companies can monitor the database in order to identify compliance issues and take action to avoid similar penalties, which could help them to retain customers, strengthen relationships and avoid fines.&lt;/p&gt;
&lt;p&gt;The CFPB has also set up a Social Networks and Citizens Engagement System that, according to the CFPB, “will enable the CFPB to interact with the public in effective and meaningful ways, encourage the wide ranging sharing of consumer financial information and the strengthening of an online community of consumers, and ensure that critical information about the agency and key consumer finance issues is distributed.” According to Sen. Warren, “real-time data collection will be essential, both for the agency to serve as an effective cop on the beat, and for giving third parties a chance to glean insights from the data quickly enough to be useful.”&lt;/p&gt;
&lt;p&gt;Going forward, federal financial regulators must continue to leverage new and emerging technologies that will enable them to better aggregate and understand the amazing wealth of financial and market information that is available today. As our financial system becomes increasingly complex, data aggregation and storage challenges will only continue to grow. In order to fulfill their oversight, supervision and enforcement responsibilities effectively, regulators must rapidly adopt new technologies so that we can identify problems in the economy sooner rather than later — thereby helping to forestall the next financial crisis.&lt;/p&gt;</description>
     <category domain="http://www.fedtechmagazine.com/infrastructure-optimization/data-center-optimization">Data Center Optimization</category>
 <category domain="http://www.fedtechmagazine.com/taxonomy/term/442">Opinions</category>
 <category domain="http://www.fedtechmagazine.com/agencies/treasury-department">Treasury Department</category>
 <category domain="http://www.fedtechmagazine.com/tactical-advice">Tactical Advice</category>
 <pubDate>Fri, 10 May 2013 17:51:33 +0000</pubDate>
 <dc:creator>J.C. Boggs</dc:creator>
 <guid isPermaLink="false">8847 at http://www.fedtechmagazine.com</guid>
  <feedburner:origLink>http://www.fedtechmagazine.com/article/2013/05/future-us-financial-regulation</feedburner:origLink></item>
  <item>
    <title>Automatic or Manual: An Explanation of Two Types of Remote Wiping</title>
    <link>http://feedproxy.google.com/~r/FedTech/~3/0KlrFDHHWGs/automatic-or-manual-explanation-two-types-remote-wiping</link>
    <description>&lt;p&gt;No matter how careful users are with their mobile devices, accidents happen. Devices will be lost, stolen or otherwise unaccounted for. And these devices may contain sensitive information belonging to the organization, which must be safeguarded from any parties that gain access to the devices.&lt;/p&gt;
&lt;p&gt;One helpful feature for safeguarding devices is remote locking. By authorization of an administrator, enterprise MDM software can issue a command to immediately lock a managed mobile device — preventing access until the necessary credentials (such as passwords, biometrics or cryptographic tokens) have been presented. This feature is helpful if a device was unlocked or in an unknown state when lost or stolen because implementing a device lockdown can prevent any further access to applications or data.&lt;/p&gt;
&lt;p&gt;Another helpful feature for safeguarding devices is remote wiping. &lt;strong&gt;Remote wipes take two forms.&lt;/strong&gt;&lt;/p&gt;
&lt;div style="float: right; width: 200px; margin-top: 10px; margin-left: 10px; margin-bottom: 10px; border: 1px solid #CCC; padding: 15px; line-height: 200%;"&gt;&lt;strong&gt;&lt;span style="font-size: 50px; color: #d8221e;"&gt;33% &lt;/span&gt;&lt;/strong&gt;&lt;br /&gt; &lt;span style="line-height: 100%;"&gt;&lt;/span&gt;
&lt;p&gt;The percentage of organizations that have implemented an MDM solution.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;SOURCE:&lt;/strong&gt; Survey Employees to Target Mobility Improvements, Forrester, April 2012&lt;/p&gt;
&lt;/div&gt;
&lt;p&gt;The first, an &lt;strong&gt;administrator-issued command through enterprise MDM software&lt;/strong&gt;, transmits to a lost or stolen device and causes it to destroy its organization-issued data and applications — securely wiping that portion of the device so that no information can be recovered from it.&lt;/p&gt;
&lt;p&gt;The second involves&lt;strong&gt; configuring a device&lt;/strong&gt; so that after a certain number of consecutive failed authentication attempts, the device will securely wipe itself.&lt;/p&gt;
&lt;p&gt;Both forms of remote wiping achieve similar results, but &lt;strong&gt;the first form requires a device to be reported to the organization as lost or stolen&lt;/strong&gt;, while &lt;strong&gt;the second automatically works&lt;/strong&gt; if someone tries repeatedly to log on to a device that isn’t their own. Unfortunately, the second form wipes the entire device, not just the organizational content. Plus, if the owner of the device simply fails to authenticate several times in a row, he or she can trigger this type of wipe accidentally.&lt;/p&gt;
&lt;p&gt;But if a device is lost or stolen and ends up in the wrong hands, a person may be delighted to have a remote wipe destroy their personal banking information, social networking credentials and other sensitive information on the phone as well. Given this possibility, remote wiping may need to be considered on a case-by-case basis.&lt;/p&gt;
&lt;p&gt;Learn more about &lt;a href="http://www.fedtechmagazine.com/sites/default/files/byod-security-g.pdf"&gt;remote wiping and mobile security in our BYOD Security reference guide&lt;/a&gt;.&lt;/p&gt;</description>
     <category domain="http://www.fedtechmagazine.com/security/data-loss-prevention-dlp">Data Loss Prevention (DLP)</category>
 <category domain="http://www.fedtechmagazine.com/mobile-wireless/smartphones">Smartphones</category>
 <category domain="http://www.fedtechmagazine.com/tactical-advice">Tactical Advice</category>
 <pubDate>Wed, 08 May 2013 12:00:00 +0000</pubDate>
 <dc:creator>FedTech Staff</dc:creator>
 <guid isPermaLink="false">8837 at http://www.fedtechmagazine.com</guid>
  <feedburner:origLink>http://www.fedtechmagazine.com/article/2013/05/automatic-or-manual-explanation-two-types-remote-wiping</feedburner:origLink></item>
  <item>
    <title>What IT Managers Should Know About Asymmetric and Elliptic Curve Cryptography</title>
    <link>http://feedproxy.google.com/~r/FedTech/~3/tSr_Vm-gn0s/what-it-managers-should-know-about-asymmetric-and-elliptic-curve-cryptography</link>
    <description>&lt;p&gt;Although encryption is the primary goal, many encryption systems depend on a combination of tools to accomplish other tasks. Public-key cryptography is one of those tools. Although public-key cryptography is rarely used for encryption of long strings of data because of its fairly slow performance, public keys are used heavily for signing messages (authentication and integrity checking) as well as encrypting short strings (such as session keys).&lt;/p&gt;
&lt;p&gt;One algorithm is heavily used in public-key cryptography: Rivest-Shamir-Adleman (RSA), the original public-key cryptography algorithm from 1978. The Digital Signature Algorithm, or DSA, based on a 1984 algorithm developed by Egyptian cryptographer Taher Elgamal and used only for signing, not encrypting, is also widely available.&lt;/p&gt;
&lt;div style="float:left; width: 300px;  margin-right: 15px; margin-bottom:5px; margin-left:-100px; border: 1px solid #CCC; padding:15px; line-height: 150%;"&gt;
&lt;p&gt;&lt;img src="http://www.fedtechmagazine.com/sites/default/files/resize/uploads/encryption-best-practices-300x517.png" width="300" height="517" /&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;p&gt;When network managers have a choice between the two, typically RSA is more widely supported — mainly because it can be more widely applied.&lt;/p&gt;
&lt;p&gt;One important consideration for security-conscious managers is key size. RSA keys should be chosen based on the sensitivity of the information being protected and the expected lifetime of the sensitivity. Key sizes of 512 bits are now considered insecure — one was “broken” in 1999 in seven months.&lt;/p&gt;
&lt;p&gt;RSA (the company), through its RSA Laboratories, suggests that organizations select key sizes of 1,024 bits (considered about equal to an 80-bit symmetric encryption key) for ordinary enterprise use and 2,048 bits (similar in strength to a 112-bit symmetric encryption key) for extremely valuable data, such as certification authority root keys.&lt;/p&gt;
&lt;p&gt;For information that must be protected for more than 20 years, the U.S. National Institute of Standards and Technology recommends a 3,072-bit RSA key, which is roughly equivalent in strength to a 128-bit symmetric encryption key.&lt;/p&gt;
&lt;p&gt;An even more important area of attention when using RSA is key lifecycle. Most RSA (and DSA) keys are used many times over their lifetime; for instance, when incorporated into digital certificates. Enterprise security managers should strictly require that keys be replaced every few years. A maximum of three years is considered good practice.&lt;/p&gt;
&lt;h3&gt;What Is Elliptic Curve Cryptography?&lt;/h3&gt;
&lt;p&gt;When an organization doesn’t control the infrastructure, there’s a huge question to answer: Will the organization’s cloud service provider safeguard its data? Or is it up to the entity to do that?&lt;/p&gt;
&lt;p&gt;It’s critical to alleviate this concern through encryption use. Any cloud application, whether private, public or hybrid, must use an encrypted VPN for all communication. Encrypting data in transit solves some problems and is a clear requirement for any cloud-based application. But encrypting data in transit doesn’t help secure data at rest.&lt;/p&gt;
&lt;p&gt;Cloud applications have two significant risks that encryption can help mitigate. One risk is familiar: An application could have holes or bugs that let an unauthorized party view sensitive data. The other risk, more specific to cloud service providers, is that the infrastructure might not be secure.&lt;/p&gt;
&lt;p&gt;Encrypting data in the app protects against both types of risk but may not be desirable. For example, cloud-based email, such as an outsourced Microsoft Exchange service, will easily support Secure/Multipurpose Internet Mail Extensions to encrypt sensitive mail on the server. But S/MIME presents a different set of problems, including interference with archiving and search, long-term key storage issues, and generally weak support in popular mobile and web-based email clients.&lt;/p&gt;
&lt;p&gt;Learn more about &lt;a href="http://www.fedtechmagazine.com/sites/default/files/enterprise-encryption-white-paper.pdf"&gt;enterprise encryption in our free white paper&lt;/a&gt;.&lt;/p&gt;</description>
     <category domain="http://www.fedtechmagazine.com/security/encryption">Encryption</category>
 <category domain="http://www.fedtechmagazine.com/tactical-advice">Tactical Advice</category>
 <pubDate>Mon, 06 May 2013 12:00:00 +0000</pubDate>
 <dc:creator>FedTech Staff</dc:creator>
 <guid isPermaLink="false">8836 at http://www.fedtechmagazine.com</guid>
  <feedburner:origLink>http://www.fedtechmagazine.com/article/2013/05/what-it-managers-should-know-about-asymmetric-and-elliptic-curve-cryptography</feedburner:origLink></item>
  <item>
    <title>The Factors Behind Public-Cloud Adoption</title>
    <link>http://feedproxy.google.com/~r/FedTech/~3/oUmSzjgDPLE/factors-behind-public-cloud-adoption-0</link>
    <description>&lt;div style="float: right; margin-left: 15px; margin-bottom: 10px; width: 400px; padding: 5px 5px 5px 5px; color: #ececec; background-color: #333333;"&gt;&lt;img src="http://www.fedtechmagazine.com/sites/default/files/uploads/mendes-timmes073-400.jpg" width="400" height="600" /&gt;&lt;br /&gt; &lt;span style="color: #939393; font-size: 10px;"&gt;Credit: Jonathan Timmes&lt;/span&gt;&lt;br /&gt;
&lt;p style="font-size: 18px;"&gt;The public cloud presents a cost-effective way for small agencies to overhaul their IT infrastructures, says André Mendes, Director of the Office of Technology, Services and Innovation for the Broadcasting Board of Governors.&lt;/p&gt;
&lt;/div&gt;
&lt;p&gt;Migrating an agency’s IT services to the cloud is rarely an easy decision — unless an agency is facing what the Broadcasting Board of Governors faced three years ago.&lt;/p&gt;
&lt;p&gt;“From an IT standpoint, it was an anachronistic, backwards, 1990s environment,” says André Mendes, director of the Office of Technology, Services and Innovation, who joined the agency in 2010. “Totally insular and unsustainable.”&lt;/p&gt;
&lt;p&gt;Among its dinosaurs was a legacy email system that couldn’t communicate with the agency’s deployment of BlackBerry mobile devices. The BBG’s patchwork solution at the time? To forward email from its antiquated servers to an email service, from which BlackBerry users would download their messages via standard Post Office Protocol.&lt;/p&gt;
&lt;p&gt;But rather than rip and replace its email servers, Mendes oversaw the BBG’s migration of email and other applications to Microsoft Office 365, a multitenant public-cloud service. “For smaller government agencies that have been unable to keep up with advances in information technology, the public cloud presents a cost-effective way to overhaul their infrastructures,” he says.&lt;/p&gt;
&lt;p&gt;According to analysts, the majority of services that federal agencies port to the cloud — at least in the short term — are ported to private clouds, in part because of a need to ensure information security while improving data center efficiency. But as public-cloud services such as Office 365 prove themselves trustworthy, they’re attracting users who see the public cloud as an opportunity to accomplish numerous objectives.&lt;/p&gt;
&lt;p&gt;The BBG is responsible for U.S. government and government-sponsored international broadcast networks, including Voice of America and Radio Free Europe/Radio Liberty. For Mendes, the objectives were to modernize the agency’s infrastructure while introducing a means of ensuring continuity of operations.&lt;/p&gt;
&lt;p&gt;“When we started this, we did not have a credible disaster recovery solution,” Mendes says. “By moving services to the cloud, we don’t have to worry about them from a disaster recovery standpoint, and they’re available to people over tablets, phones — you name it. Plus, if I don’t have to put a new server here [at BBG headquarters], a redundant server, a backup server and a disaster recovery server, then I’m making my life much simpler.”&lt;/p&gt;
&lt;p&gt;The BBG contracted for 3,000 seat licenses of Office 365. It moved email services to the cloud over a year ago and has since begun introducing other Office 365 cloud services, including SharePoint Online and Lync Online voicemail and unified communications. Mendes says the agency is also moving to Microsoft Dynamics Customer Relationship Management Online, which it will use in conjunction with Office 365.&lt;/p&gt;
&lt;p&gt;The upside? Again, no new servers. In fact, Mendes says he’s already retired 200 servers, which is good because the BBG is in no position to operate a large IT staff to maintain them. “We’re moving as aggressively as we can to the cloud because in this era of tight budgets, with every person who retires, we’re not hiring at the same level,” he says.&lt;/p&gt;
&lt;h3&gt;COOP Considerations&lt;/h3&gt;
&lt;p&gt;The Federal Maritime Commission, an independent agency that regulates the U.S. international ocean transportation system, is going through a similar transition to a public-cloud suite that’s been authorized by the General Services Administration for federal use. Like the BBG, the FMC was motivated primarily by infrastructure and COOP issues rather than cost.&lt;/p&gt;
&lt;p&gt;“An agency’s size can determine whether or not it sees a real cost savings from moving to the cloud,” says FMC Director of IT Brian Parker. “If you’re small enough, you can make the argument that cost isn’t the primary driver. Access to and availability of agency data are also high-priority considerations.”&lt;/p&gt;
&lt;div style="width: 250px; padding: 10px; border-top: 8px solid black; border-bottom: 8px solid black; float: left; margin: 10px 10px 10px 0; font-size: 20px; line-height: 110%;"&gt;
&lt;p&gt;"By moving services to the cloud, we don’t have to worry about them from a disaster recovery standpoint."&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 15px; color: #bdb7b9;"&gt;&lt;em&gt; André Mendes, BBG&lt;/em&gt;&lt;/span&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;p&gt;Last year, the Washington, D.C., area experienced multiple weather-related power outages. “We’re a small agency with a small budget,” Parker explains. “There weren’t a lot of funds for full backup sites and disaster recovery. When power went out to our headquarters for a few days, we were without almost all IT services.”&lt;/p&gt;
&lt;p&gt;The agency therefore made the decision to move its 130 users to the public cloud — beginning, as many agencies do, with email.&lt;/p&gt;
&lt;p&gt;“I hesitate to say email is the easiest because it depends on what an agency uses email for and how it ties to their back-end systems,” explains Shawn McCarthy, research director at IDC Government Insights. “That said, for most users, email is one of the easiest systems to move. And for the most part, people are happy. Are they as happy as they were with an email server down the hall? No, but to get that other 5 percent of happiness, it’s probably not worth spending three times more.”&lt;/p&gt;
&lt;p&gt;For its part, the FMC is paying approximately $6 per month, per user, for its public-cloud services, which also include office productivity, chat and voice applications. The IT staff continues to use its legacy Active Directory to manage network accounts, which then synchronizes with the cloud-based systems via a server plug-in.&lt;/p&gt;
&lt;p&gt;“That provides a degree of comfort to my IT staff by keeping them in an environment they’re familiar with for general account management and network access,” Parker says.&lt;/p&gt;
&lt;p&gt;Although some agencies may not see dramatic cost savings from the public cloud, others do. “On every one of our cloud initiatives, we’re saving significant money or avoiding significant cost,” says Joseph Klimavicz, CIO of the National Oceanic and Atmospheric Administration. NOAA has 25,000 public-cloud email licenses, under a three-year, $11.5 million contract that Klimavicz says will probably end up costing less.&lt;/p&gt;
&lt;p&gt;The agency also runs emergency notification and Voice over IP systems in the public cloud. It licenses 3,000 seats of help desk software as a service, as well as 2,500 seats of Fiberlink’s MaaS360 mobile device management.&lt;/p&gt;
&lt;p&gt;Although not all of NOAA’s cloud initiatives are of the public variety, Klimavicz says, “We want to try and go to the public cloud when we can because that’s where the greatest economies of scale are.”&lt;/p&gt;
&lt;h3&gt;Security and SLAs&lt;/h3&gt;
&lt;div style="float: right; width: 230px; margin-top: 10px; margin-left: 10px; margin-bottom: 10px; border: 1px solid #CCC; padding: 15px; line-height: 200%;"&gt;&lt;strong&gt;&lt;span style="font-size: 50px; color: #d8221e;"&gt;80+ &lt;/span&gt;&lt;/strong&gt;&lt;br /&gt; &lt;span style="line-height: 100%;"&gt;&lt;/span&gt;
&lt;p&gt;The number of cloud companies or services under review by FedRAMP, as of February&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;SOURCE:&lt;/strong&gt; General Services Administration&lt;/p&gt;
&lt;/div&gt;
&lt;p&gt;For every federal agency that migrates services to a public cloud, security is a primary concern. The fact that neither the BBG nor the FMC handles classified information gave them the confidence to move forward. Still, both agencies, as well as NOAA, needed to ensure that their cloud solutions met the requirements of the Federal Information Security Management Act. The BBG became the first agency to accredit Microsoft Office 365 under FISMA. The provider now maintains FISMA documentation that potential government customers can review as they consider cloud services.&lt;/p&gt;
&lt;p&gt;Klimavicz says that, as important as security is, an acceptable service-level agreement is also crucial. “The terms-of-service agreements need to be negotiated up front, before you do the award,” he says. “In all these solutions, you need to spend appropriate time getting your agency-specific concerns addressed before you sign a contract. The government cannot accept some terms-of-service clauses — many are related to privacy — so we just need to work through those early.”&lt;/p&gt;
&lt;p&gt;Mendes says the BBG’s SLA with Microsoft calls for 99.9 percent availability, “which is better than anything I could do here, especially when it comes to disaster recovery.”&lt;/p&gt;
&lt;p&gt;He recommends that agencies exploring their public-cloud options look at what agencies before them have done.&lt;/p&gt;
&lt;p&gt;“We knew Office 365 had certifications and that an agency larger than ours had already migrated,” he says. “We used the Wendy’s model for market evaluation. You basically find a McDonald’s and put your restaurant on the other side of the street. You know McDonald’s spent the money to evaluate the market, and if it’s good enough for them, it’s good enough for me.”&lt;/p&gt;
&lt;div class="sidebar_wide"&gt;
&lt;h3&gt;FedRAMP and FISMA&lt;/h3&gt;
&lt;p&gt;As of March 1, only two cloud service providers have received authorization by the Federal Risk and Authorization Management Program (FedRAMP), which authorizes providers for use governmentwide. Neither is named Microsoft — yet Microsoft public-cloud services are increasingly used by federal agencies.&lt;/p&gt;
&lt;p&gt;That’s not to say that Microsoft Office 365 hasn’t gone through strict evaluations in accordance with the Federal Information Security Management Act. Individual agencies have evaluated cloud services for FISMA compliance and authorized their use. The Broadcasting Board of Governors went through the process for Microsoft Office 365.&lt;/p&gt;
&lt;p&gt;Still, Microsoft must also take its cloud services through the FedRAMP process to earn formal Authority to Operate. FedRAMP launched the process last year.&lt;/p&gt;
&lt;p&gt;“FedRAMP is still getting its legs,” says Greg Wilshusen, director of information security issues at the Government Accountability Office. Wilshusen says the GAO has been assigned by the Senate Committee on Homeland Security and Governmental Affairs to investigate the implementation of FedRAMP later this year. “How are they doing? We don’t know yet. Security control over personnel is a big part of FedRAMP.”&lt;/p&gt;
&lt;p&gt;Other questions regarding agencies and cloud services may only be answered over time. Wilshusen wonders, for example, “Will all this be as cost-efficient as advertised?”&lt;/p&gt;
&lt;/div&gt;</description>
     <category domain="http://www.fedtechmagazine.com/taxonomy/term/1957">Feature</category>
 <category domain="http://www.fedtechmagazine.com/infrastructure-optimization/cloud-computing">Cloud Computing</category>
 <category domain="http://www.fedtechmagazine.com/taxonomy/term/2441">Broadcasting Board of Governors</category>
 <category domain="http://www.fedtechmagazine.com/taxonomy/term/2269">Federal Maritime Commission</category>
 <category domain="http://www.fedtechmagazine.com/taxonomy/term/2085">National Oceanic and Atmospheric Administration</category>
 <category domain="http://www.fedtechmagazine.com/taxonomy/term/455">Microsoft</category>
 <category domain="http://www.fedtechmagazine.com/case-studies">Case Studies</category>
 <pubDate>Thu, 02 May 2013 15:27:00 +0000</pubDate>
 <dc:creator>Brad Grimes</dc:creator>
 <guid isPermaLink="false">8844 at http://www.fedtechmagazine.com</guid>
  <feedburner:origLink>http://www.fedtechmagazine.com/article/2013/05/factors-behind-public-cloud-adoption-0</feedburner:origLink></item>
  </channel>
</rss>
