An Interview with Oracle’s Director of Cybersecurity Strategy: Part 1 - NIST, FICAM, Federal & SLED

Paul Laurent, Oracle’s Director of Cybersecurity Strategy, Public Sector, was one of our speakers at the GovDefenders Cybersecurity Virtual Event – you can watch his video here: Extending Secure and Interoperable Government Services. He has graciously returned to talk to us about public sector cybersecurity for National Cybersecurity Awareness Month. The following Q&A is part one of a three-part series in which we discuss NIST, FICAM, and the Federal and SLED sectors.


DLT: NIST and their security guidelines have become the standard at the Federal level. Can those standards work at the SLED (State, Local, and Education) level, too?

Laurent: I think the answer is, “We’re about to find out.”

Over the last several years we’ve seen a large shift in the security requirements underlying participation in Federal programs, receiving grants, and requesting regulated data.  A high-level simplification would be to say that a lot of Federal dollars, data, and services are conditioned on having the proper security controls in place.  I would expect that trend to grow.  We may be entering a period where most, if not all, Federal programs and funds are tied to adopting and maintaining some portion of the NIST Risk Management Framework.

But the real question is how to make it work on the state and local level. Working in the state & local arena, nearly every security practitioner I know has a working knowledge of the NIST Special Publication 800-53 controls, and for good reason. On some level, 800-53 already dictates capabilities and controls for departments and agencies handling health data, federal tax information, criminal justice records, etc. That constitutes a tremendous portion of state and local data. I would also contend that NIST publishes the best, and easily the most relevant, security standards for the public sector.

But when it comes to adopting NIST standards, many organizations “miss the forest for the trees.” That is, they focus on the controls before they address the larger process NIST lays out in the Risk Management Framework. Embracing the process is the best way to ensure simplicity and that the framework scales to handle various levels of information sensitivity, from the completely innocuous to our most sensitive data.

If you don’t start at the process (starting with SP 800-37, the Guide for Applying the Risk Management Framework and SP 800-39, Managing Information Security Risk) and instead jump right into the SP 800-53 security controls (a 457-page document that scales all the way up to secure the most sensitive government systems around), it’s easy for state and local organizations to feel a sense of “requirements overload” and fight adoption.

Starting with the framework is a giant leap in simplifying the process and helping with adoption.  It’s a framework that accounts for both “best practices” and “appropriate practices” for your organization.

DLT: Along those same lines, and a little more general, what can state governments learn from FICAM and what the Federal government is doing with their own cybersecurity?

Laurent: The FICAM framework is another great example of a “one size fits many” and “best practices/appropriate practices” framework.

I see a few major takeaways states are gleaning from it.  For one, how to make the same set of standards work for (often wildly) different organizations.  FICAM scales for IT shops of different sizes and capabilities, but without being crippled by complexity.  The standards that underpin FICAM allow for a common set of core federation operations, but security measures are tweaked and adjusted based on the risk of the systems being accessed or exposed.

Another key takeaway is how FICAM and federation are the foundation of building shared services. As budgets get tighter in states, this idea of architecting IT for extension and reuse through shared services continues to gain traction and momentum. With that trend, ICAM and federation are getting a lot more attention. States are also seeing the charter and policy challenges in digesting a framework like FICAM. In the Federal space, there’s much more authority for aligning budget, agenda, policy, and standards. Congress can say, “By act of law, you will perform some new technology function. We’ve tasked a department or agency with overseeing the development of technology standards and protocols, and we’re allocating some additional amount of budget to you for procuring technology and hiring staff to make this happen.”

Traditionally, in the state arena, that level of coordination has been a tremendous hurdle, both in regards to legislative charters and budgets. With new financial constraints and the focus on leveraging shared services, we’ve made great progress toward realizing ICAM projects without requiring the proverbial “Act of Congress.” Some of it is the result of action by state legislatures (often in the form of IT reorganization), but where that may be impractical or slow to advance, many states and state agencies are beginning to see that voluntary coordination and adherence to standards or a framework like FICAM/SICAM is the best, and sometimes only, way to bring those plans to reality.

As for cybersecurity, the Federal space has had to make adjustments to account for new cyberthreats, most notably Advanced Persistent Threats, or APTs. APTs bring a whole host of new capabilities to bear in their cyberintrusions: they are stealthy, coordinated, and persistent, and go to great lengths to evade or defeat security controls. They may also leverage “zero-day” vulnerabilities, and will take steps to cover their tracks. Because of the sophistication of these attacks and the growing complexity of our systems, security is shifting from a focus on perimeter controls and preventing attacks to detecting attacks & mitigating them (i.e. “continuous monitoring and controls”).

What continuous monitoring brings to the table is the notion of “baselining.”  Part of the rationale in combating threats that are both “advanced” and “persistent” is that on a long enough timeline, an APT with resources will eventually breach security.  With baselining and continuous monitoring, you have a better chance of detecting the intrusion, realizing its scope, and mitigating its effects.

After all, if an organization hasn’t invested the time and resources to know what “normal” looks like for them, how will they know what an attack looks like?
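The baselining idea above, shown as an added example that is not part of the interview or of any Oracle product: a learning period of constructed login records establishes, per user, which source addresses and which hours are “normal”, and a later monitored window is checked against that baseline. The log format, user names, addresses and the two deviation rules (unseen source, login outside the learned hour window) are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed log format (assumption, not from the page): one successful login per line.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=ok$")

# Learning period: what "normal" looked like (constructed sample data).
BASELINE_LOGS = [
    "2024-10-01T08:15:00 user=alice src=10.0.0.5 result=ok",
    "2024-10-01T17:40:00 user=alice src=10.0.0.5 result=ok",
    "2024-10-02T09:05:00 user=alice src=10.0.0.6 result=ok",
    "2024-10-01T09:30:00 user=bob src=10.0.0.7 result=ok",
    "2024-10-02T16:10:00 user=bob src=10.0.0.7 result=ok",
]

# Monitored period: events to compare against the baseline (constructed sample data).
MONITORED_LOGS = [
    "2024-10-03T10:00:00 user=alice src=10.0.0.5 result=ok",   # fits the baseline
    "2024-10-03T03:12:00 user=alice src=10.0.0.5 result=ok",   # known host, unusual hour
    "2024-10-03T11:00:00 user=bob src=203.0.113.9 result=ok",  # usual hour, unseen source
    "2024-10-03T12:00:00 user=carol src=10.0.0.8 result=ok",   # user never seen before
]

def parse(line):
    """Extract hour-of-day, user and source from one line; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"hour": int(m["ts"][11:13]), "user": m["user"], "src": m["src"]}

def build_baseline(lines):
    """Per user: the set of source addresses and the hour window observed while learning."""
    seen = defaultdict(lambda: {"srcs": set(), "hours": []})
    for rec in filter(None, map(parse, lines)):
        seen[rec["user"]]["srcs"].add(rec["src"])
        seen[rec["user"]]["hours"].append(rec["hour"])
    return {u: {"srcs": s["srcs"], "lo": min(s["hours"]), "hi": max(s["hours"])}
            for u, s in seen.items()}

def find_deviations(baseline, lines):
    """Return (line, [reasons]) for every monitored event that departs from the baseline."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        b = baseline.get(rec["user"])
        reasons = []
        if b is None:
            reasons.append("no baseline for user")          # nothing to compare against
        else:
            if rec["src"] not in b["srcs"]:
                reasons.append("unseen source " + rec["src"])
            if not b["lo"] <= rec["hour"] <= b["hi"]:
                reasons.append("outside hour window %02d-%02d" % (b["lo"], b["hi"]))
        if reasons:
            findings.append((line, reasons))
    return findings
```

Only three of the four monitored events are flagged; the login that matches the learned hosts and hours passes, which is the point of knowing “normal” first.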


You can read part two (Citizen Privacy & Identity-as-a-Service) of our interview here and part three (Private Sector & Foreign Cybersecurity & the Future) here.