8 Principles for Securing DevOps

Although still in its infancy in the public sector, the shift to DevOps methodologies is starting to catch on with many government agencies, including the U.S. Citizenship and Immigration Services, the EPA, and the Nuclear Regulatory Commission.

As you may know, with DevOps, IT tasks and application deployments that would normally take months or years now take weeks.

But Rome wasn’t built in a day.

DHS Designates New Protections for U.S. Election Infrastructure

On the same day that U.S. intelligence agencies issued an unclassified report stating that Russian state-sponsored influence campaigns sought to “undermine public faith in the U.S. democratic process…” using a blend of covert activity (such as cyber operations) and overt efforts (state-funded media, paid trolls, etc.), the Department of Homeland Security took steps to protect the bedrock of our voting system: the nation’s election infrastructure.

No More F.U.D. (Fear, Uncertainty, Doubt) about Cyber Threats

I’m fed up. Better yet, I’m “F.U.D.-ed” up. In every cybersecurity conference, in every threat report, in every blog and every bit of cybersecurity marketing literature I see one tiresome theme: “The bad guys are after us! It’s getting worse every day! How will we fix it? Can we fix it? There’s no magic bullet! The cyber sky is falling, run for your cyber life!” In other words, an unrelenting stream of Fear, Uncertainty, and Doubt.

Privacy vs. Security

The AFCEA Global Intelligence Forum was scheduled for this June, but given the ongoing debate in Congress on the conference topic and the FY13 budget uncertainties, the event has been postponed. Nevertheless, they have proposed some interesting questions:

• What does it mean to be a citizen of the information nation?
• Who are the protectors of that nation, and what is the appropriate balance between personal privacy and public security?
• Is the choice between security and privacy a false one? Can technology itself enable safe and secure citizenship?
• Who should determine the ethics of information technology, and how? How does the next generation – the generation of cyber “citizens” – view the issue of privacy and security?

It is easy to believe that there are more questions than answers, but that is not a particularly useful ground to stand on for analysis. Let’s explore these questions.

Cloud and Continuous Monitoring

Continuous monitoring involves assessing an agency’s information security posture based on changes to risk resulting from new threats or newly discovered vulnerabilities. The National Institute of Standards and Technology’s (NIST) Guide for Applying the Risk Management Framework to Federal Information Systems (Special Publication 800-37, Revision 1) specifies continuous monitoring as one of the six steps of the Risk Management Framework. As agencies begin looking at cloud initiatives, the challenge is implementing a continuous monitoring program that reduces risk and ensures compliance with NIST and other relevant guidance in an environment of decreased control. The solution begins with knowing where compliance ends and risk begins.

Government Cloud Pushback

A recent New York Times article spells out the issues around federal cloud computing adoption, explaining that “such high praise for new Internet technologies may be common in Silicon Valley, but it is rare in the federal government, where concerns about security are paramount.” Agencies are notably concerned about losing responsibility for managing and securing data, as well as about the possibility of cloud outages. However, some agencies have fewer concerns about security breaches, and they have been busy moving user accounts and email services to the cloud. For example, the Agriculture Department has already moved about 46,000 employee accounts and is in the process of adding another 120,000. NASA has also made the migration by launching its own internal Nebula cloud computing platform, which provides a range of services powerful enough to manage all of NASA’s large-scale scientific data sets.

Risk as a Calculation

The problem is that we don’t typically have a disciplined methodology for arriving at a plan of action. Consider the following: you have to know what loss you are trying to avoid. Sounds simple? I assure you that most money is spent protecting assets without any regard to the loss they represent. Remember, it’s not the laptop computer that you are protecting per se; it is the monetary value of some aspect of that asset. It could be the replacement cost of the asset. Do you think that would change your view of what was needed as a control? Of course! The replacement value of the computer is only a factor if you physically lose the computer or it is broken through physical damage. Anti-theft devices, padded carrying cases, and security awareness training for employees are all possibilities, but if the cost of these measures exceeds the cost of the computer, then I’m guessing you wouldn’t be likely to apply them. You may apply some but not all, and the choice would depend on an analysis of which measures would produce the greater reduction in expected loss relative to their cost.