Showing posts with label Information Security. Show all posts

April 27, 2019

Top Secret Tinseltown

So this is a city with a lot of secrets. 

I'm not talking about just the run-of-the-mill, non-disclosure agreement (NDA).

This is Top Secret Tinseltown!

And even the stuff that comes out in the news--whether it's clandestine transfers of $1.7 billion to the Ayatollahs in Iran or the Uranium One deal with the Russians, there are plenty of dirty little games going on. 

What was hilarious is when we saw this huge industrial shredding truck in the parking lot:


Paper Shredding * Electronic Destruction * Medical Waste Disposal

And there was a line of cars waiting to get rid of their little secrets.

I kid you not when I say that on a Saturday morning, there were at least 25 cars in line to dispose of their "stuff."

Now who do you know in what city that waits 25 cars deep in line for an industrial shredder on a Saturday morning?

And the cars are pulling up, the trunks are popping open, and boxes and boxes of paper and electronic files are being handed over. 

Gee, I hope the Russians or Chinese aren't getting into the shredding business...and inside the truck isn't a large shredder but a bunch of analysts waiting for you to hand it all over. ;-)

(Source Photo: Andy Blumenthal) 

July 25, 2018

In the Know Or Dark

So here is one way that some people can (try to) manipulate you--positively or negatively. 

They can help either to keep you "in the know" or "in the dark."

As we all know by now, information is power!

When you're in the know--you are a trusted agent and a valuable resource; you have more dots and more connections between the dots to make; you are able to analyze what's happening and make better decisions going forward; you can lead with knowledge, wisdom, and hopefully understanding. People come to you for advice, guidance, and because you are a true asset to the team, your superiors, and the organization. 

When you're in the dark--you are untrusted and unvalued, you may actually be seen as the enemy who needs to be marginalized, put out or taken out! You are kept out of meetings, uninformed or misinformed, and so you become more and more intellectually worthless. Further, others are implicitly or explicitly told that you are poisonous and not to get caught up in the pending slaughter.  A colleague of mine put it this way: "Don't get between a man and his firing squad."   

So with others, there can be information alliances as well as information warfare. 

To a great extent, you are responsible for keeping yourself in the know. You need to build relationships, bridges, and networks. You need to read, observe, and talk to lots of people. You need time to digest and analyze what you learn.  And you must build your information store so that it is ready and actionable. 

But to another extent, there are others--superiors, competitors, bullies, abusers--who just might seek to keep you in the dark and bring you down. Not everyone is your friend...some may be just the opposite. (Wouldn't it be nice, if we all were just friends!) But showing you the intellectual ass of the group is a powerful nut that once superimposed as an image, cannot be easily distilled. There is plenty of groupthink to go around. And taking out a perceived enemy diffuses their power to everyone else.  What a lousy coup by some nasty f*ckers!

Why some friend and others foe you--who the heck knows. Perhaps some is chemistry; some is tit for tat; some is personal bias and bigotry; and some just the crapshoot of fate. 

In the end, keep doing your part to enhance your value, your friendships, and your integrity. The rest, you have to be vigilant about and realize not everyone wants the lights kept on. ;-)

(Source Photo: Andy Blumenthal)

November 15, 2016

Why Can't We Keep Our Secrets

Well after the now notorious email scandal and other information security mishaps galore, this advertisement in Washington, DC is really quite the rage. 
"Keeps classified data classified."

As parents tell their children about keeping private things private:
"If you can't keep it a secret, then how do you expect the other kids to keep it to themselves?"

There are lots of secrets in DC, but there are also a lot of big mouths, security negligence, and even corruption. 

This gives our adversaries the opportunities they need to get our country's vital information. 

We work too hard to develop the best intellectual property for national security and our economy as well as the critical policies for advancing human rights and democracy around the world to let it just be easy fodder for others to help themselves to. 

Technology won't solve the gap in certain big mouths and sloppy Joes around town. 

Only vigilant, smart people can protect the nation's vital information that is the fuel for our success and survival. ;-)

(Source Photo: Andy Blumenthal)

May 28, 2016

The Federal Island of Insanity

So a colleague at work was supposed to get something done. 

Well it didn't happen, and someone else got left holding the bag--not really very fair.  

To make matters worse, the guy sort of unapologetically and clouded pops in my door and says to me, "What are we doing here?"

Taken aback and not sure what this guy is talking about, I say "Excuse me?"

He looks up into space for a moment, and turns back toward me and repeats emphatically, "I mean, like what are we e-v-e-n doing here?"

Getting more than a little frustrated at this point, I ask quizzically and with some sarcasm, "You mean on planet Earth?"

Again, turning and looking oddly away and then back my way, he says, "In this building!"

I must've been looking at him at this point like is he on drugs, and I say, "Well, there are important laws that we're fulfilling here (implicitly referring to FOIA, Records Act, Privacy Act, E.O. 13526, etc.)."

Unbelievably, he continues, now shaking his head, "Well that's what I mean...why we need that?"

Having too much work to play out whatever this toxic game was any longer, I'm like, "[if you don't believe in transparency and safeguarding/security of information,] Maybe you should write your Congressman," [smile!] and with that went back to the million and one serious work things I still had waiting for attention.

In retrospect, I can't help but think that incredibly, there are people coming to work here in D.C. that either don't know why they are there in the first place (but should know!) or don't believe in the mission or meaning of what they are doing.  

In the private sector, I certainly don't think this conversation would've even gone on as long as it did...the consequences there seeming more pronounced, abrupt, and in a definite way connected with reality. 

With more than 16 years into the Federal sector, I still can't believe a lot of what goes on--both good and hopeful, and bad and more than a little disappointing. ;-)

(Source Photo: Danielle Blumenthal)

June 1, 2015

Snapchat, Eat Your Heart Out

As so many of you app users know, Snapchat allows you to send texts, drawings, photos, and videos, but with privacy, knowing they will disappear in a few seconds.

Disappearing messages is certainly not a new idea--in spycraft or for kids. 

Remember the disappearing ink (or maybe you've forgotten because it disappeared)?

Well, this is a photo of disappearing-disappearing ink!

Someone apparently stole the disappearing ink right out of the packaging in the store--it has truly disappeared. ;-)

(Source Photo: Rebecca Blumenthal)

February 23, 2015

Keep 'Em Clean

My friend's mother used to say to always make sure to wear clean underpants in case you end up at the doctor or in the hospital. 

I guess that's some good advice.

In that context, I thought this was a funny post on Facebook about how passwords are like underpants:

"Change them often, keep them private, and never share them with anyone."

Maybe you could add to this list as follows:

- Make them difficult to guess at. 

- Don't use the same one for every occasion.

- Never put them out there in a conspicuous way. 

- And require that you change them at least every 90 days. ;-)

(Source Photo: Facebook)

February 2, 2013

A SCIF Can Be Yours


A SCIF can be yours...if the wallpaper is right.

According to PC Magazine, a SCIF (Sensitive Compartmented Information Facility) is a secure area where classified information can be discussed and handled. A SCIF is built to prevent information from leaking, being intercepted and compromised. 


Now, your business or home office can have its own SCIF-type protection without the use of more expensive Faraday cage electromagnetic mesh (e.g. chain-link) conductive shielding or Japanese anti-Wi-Fi paint that blocks all frequencies.

BusinessWeek (31 January 2013) reports on a new wallpaper called MetaPaper that blocks Wi-Fi signals and helps "improve data security and network speeds."

The Wi-Fi shielding wallpaper is developed by the French pulp and paper institute, Centre Technique du Papier (CTP). 

MetaPaper is a snowflake pattern wallpaper "printed in conductive metallic ink" that "blocks Wi-Fi signals, while still allowing FM radio and emergency frequencies to pass through."

Its filtering is 99% effective (which may not be good enough for handling state secrets, but could be terrific for safeguarding most information) and sells for $12 per square meter. 

Aside from information security, additional benefits of MetaPaper are to protect people's health in terms of attenuating electromagnetic waves that cause genetic damage and cancer as well as socially to create quiet space, Wi-Fi free zones, such as in hospitals and movie theaters. 

Here is a link to a presentation on MetaPaper's development and benefits. ;-)


May 5, 2012

Understanding Risk Management

Information Security, like all security, needs to be managed on a risk management basis.  

This is a fundamental principle that was previously advocated for the Department of Homeland Security by the former Secretary Michael Chertoff.  

The basic premise is that we have limited resources to cover ever changing and expanding risks, and that therefore, we must put our security resources to the greatest risks first.

Daniel Ryan and Julie Ryan (1995) came up with a simple formula for determining risks, as follows:

Risk = [(Threats x Vulnerabilities) / Countermeasures] x Impact

Where:

- Threats = those who wish to do you harm.

- Vulnerabilities = inherent weaknesses or design flaws.

- Countermeasures = the things you do to protect against the dangers imposed.

[Together, threats and vulnerabilities, offset by any countermeasures, is the probability or likelihood of a potential (negative) event occurring.]

- Impacts = the damage or potential loss that would be done.

Of course, in a perfect world, we would like to reduce risk to zero and be completely secure, but in the real world, the cost of achieving total risk avoidance is cost prohibitive. 

For example, with information systems, the only way to hypothetically eliminate all risk is by disconnecting (and turning off) all your computing resources, thereby isolating yourself from any and all threats. But as we know, this is counterproductive, since there is a positive correlation between connectivity and productivity. When connectivity goes down, so does productivity.

Thus, in the absence of being able to completely eliminate risk, we are left with managing risk and particularly with securing critical infrastructure protection (CIP) through the prioritization of the highest security risks and securing these, going down that list until we exhaust our available resources to issue countermeasures with.
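The prioritization described above can be sketched in a few lines. This is an added example, not code from the original post: the 1-5 rating scales, the floor of 1 for Countermeasures (the formula divides by it), the cost and gain fields, and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    threats: float           # assumed 1-5 rating: those who wish to do harm
    vulnerabilities: float   # assumed 1-5 rating: inherent weaknesses
    countermeasures: float   # assumed rating >= 1, where 1 means "none in place"
    impact: float            # estimated loss in $ thousands if the event occurs
    mitigation_cost: int     # $ thousands to fund the next countermeasure
    mitigation_gain: float   # rating points that countermeasure would add


def risk(asset):
    """Risk = [(Threats x Vulnerabilities) / Countermeasures] x Impact."""
    if asset.countermeasures < 1:
        # The formula divides by Countermeasures, so zero has to be ruled out;
        # this example treats a rating of 1 as the floor.
        raise ValueError(f"{asset.name}: countermeasures rating must be >= 1")
    likelihood = asset.threats * asset.vulnerabilities / asset.countermeasures
    return likelihood * asset.impact


def prioritize(assets):
    """Return the assets ordered from highest to lowest risk."""
    return sorted(assets, key=risk, reverse=True)


def allocate(assets, budget):
    """Go down the prioritized list, funding each countermeasure that still fits.

    Returns (names funded, budget left over, assets with updated ratings).
    An item that does not fit is skipped so cheaper items below it can be funded.
    """
    funded, after = [], []
    remaining = budget
    for asset in prioritize(assets):
        if asset.mitigation_cost <= remaining:
            remaining -= asset.mitigation_cost
            funded.append(asset.name)
            asset = replace(
                asset,
                countermeasures=asset.countermeasures + asset.mitigation_gain,
            )
        after.append(asset)
    return funded, remaining, after


def total_risk(assets):
    return sum(risk(a) for a in assets)


# Constructed sample inventory; every name and number here is made up.
INVENTORY = [
    Asset("public web portal", 5, 4, 2, 300, 40, 2),
    Asset("HR records database", 3, 3, 1, 800, 60, 2),
    Asset("internal wiki", 2, 4, 2, 50, 10, 1),
    Asset("email gateway", 4, 3, 3, 400, 50, 1),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.name:22s} risk = {risk(a):8.1f}")
    funded, left, after = allocate(INVENTORY, budget=120)
    print("funded:", funded, "| budget left:", left)
    print(f"total risk before: {total_risk(INVENTORY):.1f}")
    print(f"total risk after:  {total_risk(after):.1f}")
```

Note that the residual risk never reaches zero however the budget is spent, which is the point the post makes about managing rather than eliminating risk.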

In a sense, being unable to "get rid of risk" or fully secure ourselves from anything bad happening to us is a philosophically imperfect answer and leaves me feeling unsatisfied--in other words, what good is security if we can't ever really have it anyway?

I guess the ultimate risk we all face is the risk of our own mortality. In response all we can do is accept our limitations and take action on the rest.

(Source Photo: here with attribution to martinluff)


May 4, 2012

Leadership Cloud or Flood Coming?

I came across two very interesting and concerning studies on cloud computing--one from last year and the other from last month.

Here is a white paper by London-based Context Information Security (March 2011)

Context rented space from various cloud providers and tested their security. 

Overall, it found that the cloud providers failed in 41% of the tests and that tests were prohibited in another 34% of the cases --leaving a pass rate of just 25%!

The major security issue was a failure to securely separate client nodes, resulting in the ability to "view data held on other service users' disk and to extract data including usernames and passwords, client data, and database contents."

The study found that "at least some of the unease felt about securing the Cloud is justified."

Context recommends that clients moving to the cloud should:

1) Encrypt--"Use encryption on hard disks and network traffic between nodes."

2) Firewall--"All networks that a node has access to...should be treated as hostile and should be protected by host-based firewalls."

3) Harden--"Default nodes provisioned by the Cloud providers should not be trusted as being secure; clients should security harden these nodes themselves."

I found another interesting post on "dirty disks" by Context (24 April 2012), which describes another cloud vulnerability that results in remnant client data being left behind, which then becomes vulnerable to others harvesting and exploiting this information.

In response to ongoing fears about the cloud, some are choosing to have separate air-gapped machines, even caged off, at their cloud providers' facilities in order to physically separate their infrastructure and data--but if this is their way to currently secure the data, then is this really even cloud or maybe we should more accurately call it a faux cloud? 

While Cloud Computing may hold tremendous cost-saving potential and efficiencies, we need to tread carefully, as the skies are not yet all clear from a security perspective with the cloud. 

Clouds can lead the way--like for the Israelites traveling with G-d through the desert for 40 years or they can bring terrible destruction like when it rained for 40 days and nights in the Great Flood in the time of Noah. 

The question for us is are we traveling on the cloud computing road to the promised land or is there a great destruction that awaits in a still immature and insecure cloud computing playing field? 

(Source Photo: here with attribution to freefotouk)



March 20, 2011

Fixing The Information Flow

So check this out--H2Glow has an LED faucet light that is temperature sensitive and turns blue for cold water and red for hot.

When I saw this, I thought this would be a great metaphor for managing the information flow from our organizations--where we could quickly and simply see whether the information flowing was sharable and for public consumption ("blue") or whether something was private and proprietary ("red").

The Economist, 24 February 2011, in an article called "The Leaky Corporation" writes: "Digital information is easy not only to store, but also to leak. Companies must decide what they really need to keep secret, and how best to do so."

Like a faucet that gushes water, our organizations are releasing information--some with intent (where we are in control) and much without (due to spillage and pilferage).

In the age of WikiLeaks, computer hackers, criminals, terrorists, and hostile nation states, as well as the insider threat, information is leaking out uncontrollably from our organizations and this puts our vital competitive information, national secrets, and personal privacy information at risk (i.e. health, financial, identity, and so on).

Of course, we want the proverbial blue light to go on and information to be shared appropriately for collaboration and transparency, but at the same time, we need to know that the light will turn red and the information will stop, when information is justifiably private and needs to be kept that way.

Being an open and progressive society doesn't mean that there is only cold water and one color--blue. But rather, that we can discern the difference between cold and hot, blue and red, and turn the faucet on and off, accordingly.

Information is proliferating rapidly, and according to IDC, a market research firm, the "digital universe" is expected to "increase to 35 zettabytes by 2020."--a zettabyte is 1 trillion gigabytes or the equivalent of 250 billion DVDs.

Therefore, the necessity of filtering all this digitally available information for inside use and outside consumption is going to become more and more critical.

According to The Economist article, we will need to employ the latest techniques and automation tools in:

- Enterprise Content Management--to "keep tabs on digital content, classify it, and define who has access to it."

- Data Loss Prevention--using "software that sits at the edge of a firm's network and inspects the outgoing data traffic."

- Network Forensics--"keep an eye on everything in a corporate network and thus...detect a leaker."

Of course, as the Cisco chief security officer says: "technology can't solve the problem, just lower the probability of accidents."

In the end, we need to make sure people understand the vulnerability and the dangers of sharing the "red" information.

We can focus our employees on protecting the most critical information elements of the organization by using a risk management approach, so that information with the high probability of a leak and with the greatest possible negative impact to the organization is filtered and protected the most.

The leaky faucet is a broken faucet and in this case we are all the plumbers.


July 12, 2009

Information Management Framework

The Information Management Framework (IMF) provides a holistic view of the categories and components of effective information architecture.

These categories include the following:

Information-sharing--Enable information sharing by ensuring that information is visible, accessible, understandable, and interoperable throughout the enterprise and with external partners.

Efficiency--Improve mission efficiency by ensuring that information is requirements-based, non-duplicative, timely, and trusted.

Quality--Promote information quality, making certain that information provided to users is valid, consistent, and comprehensive.

Compliance--Achieve compliance with legislation and policy providing for privacy, freedom of information, and records management.

Security-- Protect information assets and ensure their confidentiality, integrity, and availability.

All areas of the framework must be managed as part of effective information architecture.


June 7, 2009

Digital Object Architecture and Internet 2.0

There is an interesting interview in Government Executive, 18 May 2009, with Robert Kahn, one of the founders of the Internet.

In this interview Mr. Kahn introduces a vision for an Internet 2.0 (my term) based on Digital Object Architecture (DOA) where the architecture focus is not on the efficiency of moving information around on the network (or information packet transport i.e. TCP/IP), but rather on the broader notion of information management and on the architecture of the information itself.

The article states: Mr Kahn “still harbors a vision for how the Internet could be used to manage information, not just move packets of information” from place to place.

In DOA, “the key element of the architecture is the ‘digital element’ or structured information that incorporates a unique identifier and which can be parsed by any machine that knows how digital objects are structured. So I can take a digital object and store it on this machine, move it somewhere else, or preserve it for a long time.”

I liked the comparison to electronic files:

“A digital object doesn’t become a digital object any more than a file becomes a file if it doesn’t have the equivalent of a name and an ability to access it.”

Here are some of the key elements of DOA:

  • Handles—these are like file names; they are the digital object identifiers that are unique to each and enable each to be distinctly stored, found, transported, accessed and so forth. The handle record specifies things like where the object is stored, authentication information, terms and conditions for use, and/or “some sense of what you might do with the object.”
  • Resolution system —this is the ‘handle system’ that “gives your computer the handle record for that identifier almost immediately.”
  • Repository—“where digital objects may be deposited and from which they may be accessed later on.” Unlike traditional database systems, you don't need to know a lot of the details about it to get in or find what you're looking for.
  • Security at object layer—In DOA, the security “protection occurs at the object level rather than protecting the identifier or by providing only a password at the boundary.”

The overall distinguishing factor of DOA from the current Internet is that in the current Internet environment, you “have to know exactly where to look for certain information” and that’s why search engines are so critical to indexing the information out there and being able to find it. In contrast, in DOA, information is tagged when it is stored in the repository and given all the information up front about “how do you want to characterize it” and who can manage it, transport it, access it, and so on.

To me, in DOA (or Internet 2.0) the information itself provides for the intelligent use of it as opposed to in the regular Internet, the infrastructure (transport) and search features must provide for its usability.

As I am thinking about this, an analogy comes to mind. Some people with medical conditions wear special information bracelets that identify their unique medical conditions and this aids in the speed and possibly the accuracy of the medical treatment they receive—i.e. better medical management.  This is like the tagging of information in DOA where the information itself wears a metaphorical bracelet identifying it and what to do with it thereby yielding faster and better information management.

Currently, we sort of retrofit data about our information into tags called metadata, but instead here we have the notion of creating the information itself with the metadata almost as part of the genetic makeup of the information itself.

Information with “handles” built in as a part of the information creation and capture process would be superior information for sharing, collaboration, and ultimately more user-centric for people. 

In my humble opinion, DOA has some teeth and is certainly not "Dead On Arrival."



February 25, 2009

Security Architecture Q&A

Recently, I was interviewed on the subject of Security Architecture and was given permission to share the Q&A:

In general, what kinds of information security issues does an organization face?

The overarching information security issue in any organization is one of communication, collaboration and the need for transparency vs. the need to protect information from being compromised. Information security is about more than just "stopping leaks." It is also about making sure that people don't intercept, interject or otherwise manipulate agency information for their own ends.

A related issue has to do with protecting the agency's critical IT infrastructure from physical or cyber attack. It's the age-old conflict: If you lock it down completely, then you're protecting it, but you also can't use it. And if you open yourself up altogether, then obviously it won't be long before somebody takes aim.

Finally, the largest threat to an organization's information is clearly from insiders, who have the "keys to the kingdom." And so one must pay great attention to not only the qualifications, but also the background, of the employees and contractors entrusted with access to IT systems. Additionally we must institute checks and balances so that each person is accountable and is overseen.

How do leaders demonstrate security leadership?

Leadership in the area of security is demonstrated in a variety of ways. Obviously the primary method for demonstrating the importance of this function is to formalize it and establish a chief information security officer with the resources and tools at his or her disposal to get the job done.

But security leadership also means building an awareness of risk (and countermeasures) into everything we do: education, awareness, planning, designing, developing, testing, scanning and monitoring.

When new applications or services are being planned and rolled out, does security have a seat at the table?

I can't imagine any organization these days that doesn't consider security in planning and rolling out new applications or services. The real question is, does the organization have a formal process in place to provide certification and accreditation for IT systems? By law, federal agencies are required to do this.

Would you say that information security is generally tightly integrated into organizational culture?

I think that a security mindset and culture predominate in professions where security is paramount, such as law enforcement, defense and intelligence, for obvious reasons.

But the larger question is, how would other organizations make the transition to a culture of greater information security? And this is actually a really important question in today's age of transparency, social networking, Web 2.0, etc., where so much information is freely flowing in all directions. One approach that I have adopted as a culture-changing mechanism is to treat key initiatives as products to be marketed to a target audience. The IT security professional needs to be a master communicator as well as a technical expert, so that employees not only grudgingly comply with necessary measures, but are actively engaged with, and support, their implementation.

At the end of the day, the organization's information security is only as strong as its weakest link. So security has to be as deeply ingrained into the culture and day-to-day operations as possible.

Is information security an inhibitor to new initiatives?

Information security is one of many requirements that new initiatives must meet. And of course there will always be people who see compliance as an inhibitor. But the reality is that security compliance is an enabler for initiatives to achieve their goals. So the key for IT security professionals is to keep educating and supporting their stakeholders on what they need to do to achieve success and security at the same time.



May 9, 2008

IPv6 and Enterprise Architecture

Internet Protocol version 6 (IPv6) is a network layer for packet-switched internetworks. It is designated as the successor of IPv4, the current version of the Internet Protocol, for general use on the Internet. The main change brought by IPv6 is a much larger address space that allows greater flexibility in assigning addresses. The extended address length eliminates the need to use network address translation to avoid address exhaustion, and also simplifies aspects of address assignment and renumbering when changing providers. (Wikipedia)

IPv6 is an important architecture change.

Government Executive Magazine, May 2008, reports that “IPv6 upgrades are critical as space available for Internet addresses dwindles.”

Why are we running out of IP addresses on version 4?

“IPv4 uses 32-bit addresses and can support 4.3 billion devices with individual addresses on the Internet. With the world’s population estimated to be 6.5 billion—and with many people possessing multiple electronic devices such as PCs, cell phones, and iPods—there simply will not be enough IPv4 addresses to meet the demand, let alone support the anticipated influx of new Internet users from developing countries. Also on the horizon are newfangled IP-enabled devices and appliances that will drive up the number of IP addresses per person.”

How does IPv6 solve this problem?

“IPv6 uses 128-bit addresses and can support a virtually limitless number of globally addressable devices (The actual number is 2 to the 128th power).”

How is the conversion going?

The Office of Management and Budget (OMB) has mandated that “By June 30, all federal agencies must prove that they have upgraded their networks’ connections, or backbones, to be capable of carrying IPv6 data traffic.”

Note: “All leading routers can support IPv6.”

A senior vice president for Quest said that “Every North American business and government needs to make the conversion.”

What other benefits does IPv6 offer?

Other benefits include: “built in security, network management enhancements such as auto-configuration and improved support for mobile networks. But in the decade since IPv6 was created, many of the extra features have been added to IPv4. So, the real motivator…is that it offers unlimited IP address space.”

“The most savings, however, will come from the new applications and services that IPv6 will provide.”

The Department of Defense “needs IPv6 to make its vision of netcentric warfare (the ability to tie together networks and sensors to deliver a stream of integrated real-time data to the battlefield and commanders) a reality…with IPv6, ‘everything can be addressable from a soldier to a sensor to an aircraft to a tank…we could have a sensor network with hundreds of thousands of nodes.”

IPv6 is important, but what other network initiatives underway is it competing with?

  • The Trusted Internet Connections (TIC) initiative—aims to “reduce the number of external connectivity points that workers use to gain access to the internet.”
  • Networx—“a telecommunications contract that agencies are supposed to use to select a new carrier by September.”

On the Federal side, what needs to be architected next for IPv6?

“Federal IT managers should begin reserving IPv6 address space, developing an addressing plan, and creating a migration strategy that includes extensive product testing and evaluation. So far 37 agencies have requested IPv6 address space from the American Registry for Internet Numbers.”



May 6, 2008

Information Management and Enterprise Architecture

Information management is the key to any enterprise architecture.

Information is the nexus between the business and technical components of the EA:

  • On one hand, we have the performance requirements and the business processes to achieve those.
  • On the other hand, we have systems and technologies.
  • In between is the information.

Information is required by the business to perform its functions and activities and it is served up by the systems and technologies that capture, process, transmit, store, and retrieve it for use by the business. (The information perspective is sandwiched in between the business and the services/technology perspectives.)

Recently, I synthesized a best practice for information management. This involves key values, goals for these, and underlying objectives. The values and objectives include the following:

  1. Sharing –making information visible, understandable, and accessible.
  2. Quality—information needs to be valid, consistent, and comprehensive.
  3. Efficiency—information should be requirement-based (mission-driven), non-duplicative, timely, and delivered in a financially sound way.
  4. Security—information must be assured in terms of confidentiality, integrity, and availability.
  5. Compliance—information has to comply with requirements for privacy, Freedom of Information Act (FOIA), and records management.

The importance of information management to enterprise architecture was recently addressed in DM Review Magazine, May 2008. The magazine reports that in developing an architecture, you need to focus on the information requirements and managing these first and foremost!

“You need to first understand and agree on the information architecture that your business needs. Then determine the data you need, the condition of that data and what you need to do to cleanse, conform, and transform that data into business transformation.”

Only after you fully understand your information requirements do you move on to develop technology solutions.

“Next, determine what technologies (not products) are required by the information and data architectures. Finally, almost as an afterthought, evaluate and select products.” [I don’t agree with the distinction between technologies and products, but I do agree that you first need your information requirements.]

Remember, business drives technology—and this is done through information requirements—rather than doing technology for technology’s sake.

“Let me also suggest …Do not chase the latest and greatest if your incumbent products can get the job done.”

In enterprise architecture, the customer/end-user is king and the information requirements are their edicts.



April 18, 2008

10 Obstacles to Enterprise Architecture

Here is an interesting list of 10 obstacles to the enterprise architecture from a colleague and friend, Andy Wasser, Associate Dean, Carnegie Mellon University School of Information Systems Management:

  1. Lack of Senior Management [Commitment] Support
  2. Inability to obtain necessary resources (funds, personnel, time)
  3. Business partner alienation
  4. Internal IT conflicts and turf issues (no centralized authority)
  5. Lack of credibility of the EA team
  6. Inexperience with enterprise architecture planning or inexperience with the organization
  7. Entrenched IT team [operational focus versus strategic]
  8. Focus on EAP methodologies and tools [rather than on outputs and outcomes]
  9. Uncertain payback and ROI
  10. Disharmony between sharing data vs. protecting data

This is a good list for the chief enterprise architect to work with and develop strategies for addressing these. If I may, here are some thoughts on overcoming them:

1-4,7,9: Obtain senior management commitment/support, resources, and business/IT partnership by articulating a powerful vision for the EA; identifying the benefits (and mandates); preparing an EA program assessment, including lessons learned and what you need to do to make things “right”; developing an EA program plan with milestones that shows you have a clear way ahead; and providing program metrics that show how you intend to evaluate and demonstrate progress and value for the business/IT.

5,6,8: Build credibility for EA planning, governance, and organizational awareness by hiring the best and the brightest and then training, training, training; getting out of the ivory tower and working hand-in-hand with business partners; building information products and governance services that are useful and usable to the organization (no shelfware!); using a three-tier metamodel (profiles, models, and inventories) to provide information at multiple levels of detail, which makes it valuable and actionable for everyone from the analyst to the chief executive officer; and looking for opportunities (those that value EA and want to participate) and building incrementally (“one success at a time”).

10: Harmonize information sharing and security by developing an information governance board (that includes the chief information security officer) to vet information sharing and security issues; establishing data stewards to manage day-to-day issues including metadata development, information exchange package descriptions, discovery, accessibility, and security; creating a culture that values and promotes information sharing, but also protects information from inappropriate access and modification.



April 2, 2008

Hacker Camps and Enterprise Architecture

One of the perspectives of the enterprise architecture is Security. It details how we secure the business and technology of the organization. It includes managerial, operational, and technical controls. From an information security view, we seek confidentiality, integrity, availability, and privacy of information.

Who are we protecting the enterprise from in terms of our information security? From hackers of course!

How do we protect ourselves from hackers? By teaching our security professionals the tricks of the trade—teach them how to hack!

The Wall Street Journal, 1 April 2008, reports that “Hacker Camps Train Network Defenders: Sessions Teach IT Pros to Use Tools of the Online Criminal Trade.”

“In such sessions, which cost about $3,800, IT pros typically spend a week playing firsthand with the latest underground computer tools. By the end of the week, participants are trained as ‘ethical hackers’ and can take a certification test backed by the International Council of Electronic Commerce Consultants.”

“Overall more than 11,000 people have received the ‘ethical hacker’ certificate since 2003; nearly 500 places world-wide offer the training.”

Why do we need to teach these hacking tools to IT security professionals?

They need to understand what they’re up against so they can more effectively plan how to protect against the adversary. Know thy enemy!

How large is the IT security issue?

“The average large U.S. business was attacked 150,000 times in 2007…the average business considered 1,700 of these attacks as sophisticated enough to possibly cause a data breach. In addition, the number of unique computer viruses and other pieces of malicious software that hackers tried to install on computers and IT networks doubled to 500,000 last year from 2006…[and it’s expected] to double again in 2008.”

It’s great that we are advancing the training of our information security champions and defenders, but what about those who take the course, but are really there to learn hacking for the sake of hacking? How many of the 11,000 ‘ethical hackers’ that have been trained are really ethical and how many are using their newfound knowledge for more nefarious ends?

From an enterprise architecture standpoint, we need to ensure that we are not giving away the keys of the kingdom to anyone, including our own IT security staff—through hacker training. Also, we need to be careful not to rely on any one individual to maintain the security order of things. We need to plan our security using a system of checks and balances, just like the Constitution lays out for the governance of the nation, so that even the chief information security officer (CISO) is accountable and has close oversight. Finally, we need to institute multiple layers of defense to work as best we can to thwart even the determined hackers out there.

February 12, 2008

Information Integrity and Enterprise Architecture

We are in an information economy, and now more than ever businesses need information to conduct their functions, processes, activities, and tasks.

To effectively conduct our business, the information needs to be relevant and reliable. The information should be current, accurate, complete, understandable, and available.

Information integrity is essential for enabling better decision-making, improving effectiveness, and reducing risk and uncertainty.

However, according to DMReview, 8 February 2008, “information within the [corporate] data warehouse continues to be inaccurate, incomplete, and often inconsistent with its sources. As a result, data warehouses experience low confidence and acceptance by users and consumers of downstream reports.”

“The Data Warehousing Institute estimates that companies lose more than $600 million every year due to bad information.”

What are some of the challenges to information integrity?

  1. “Complex environments, [in which organizations] constantly generate, use, store, and exchange information and materials with customers, partners, and suppliers.”
  2. “Accelerating change in the business environment [and] changing needs of business users”
  3. “Increasing complexity of source systems and technology”
  4. Expanding array of regulations and compliance requirements

“Change and complexity introduce information integrity risk. Accelerating change accelerates information integrity risk. Compliance makes information integrity an imperative rather than an option.”

What are the particular challenges with data warehouses?

  1. Questionable input information—“Several source systems feed a data warehouse. Data may come from internal and external systems, in multiple formats, from multiple platforms.”
  2. Lack of downstream reconciliation—“As information traverses through the source systems to a data warehouse, various intermediate processes such as transformations may degrade the integrity of the data. The problem becomes more acute when the data warehouse feeds other downstream applications.”
  3. Inadequate internal controls—these include controls over data input, processing, and output, as well as policies and procedures for change management, separation of duties, security, and continuity of operations planning.
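The downstream reconciliation control described in item 2 can be shown in a few lines. The following is an added example, not code from DM Review or from any product named in this post; the row layout, the trim and upper-case transform, and the sample records are all constructed for illustration.

```python
import hashlib
from decimal import Decimal

# Constructed sample data: rows as extracted from a source system ...
SOURCE_ROWS = [
    {"id": "1001", "customer": "Acme Corp ", "amount": "250.00"},
    {"id": "1002", "customer": "Globex", "amount": "99.95"},
    {"id": "1003", "customer": "Initech", "amount": "1200.10"},
    {"id": "1004", "customer": "Umbrella", "amount": "45.00"},
]
# ... and the same feed as it landed in the warehouse after a transform step.
# 1003 was altered in transit, 1004 was dropped, 9999 has no source record.
WAREHOUSE_ROWS = [
    {"id": "1001", "customer": "ACME CORP", "amount": "250.00"},
    {"id": "1002", "customer": "GLOBEX", "amount": "99.95"},
    {"id": "1003", "customer": "INITECH", "amount": "1200.01"},
    {"id": "9999", "customer": "UNKNOWN", "amount": "10.00"},
]


def canonical(row):
    """Apply the documented transform (trim, upper-case, two decimals) to a row
    so that expected formatting changes do not register as integrity failures."""
    amount = Decimal(row["amount"]).quantize(Decimal("0.01"))
    return (row["id"], row["customer"].strip().upper(), str(amount))


def fingerprint(row):
    """SHA-256 over the canonical form; equal fingerprints mean equal content."""
    return hashlib.sha256("|".join(canonical(row)).encode("utf-8")).hexdigest()


def control_total(rows):
    """Sum of the amount column, the classic batch control total."""
    return sum(Decimal(r["amount"]) for r in rows)


def reconcile(source, warehouse):
    """Compare a source extract with what the warehouse holds for the same feed."""
    src = {r["id"]: r for r in source}
    dwh = {r["id"]: r for r in warehouse}
    missing = sorted(src.keys() - dwh.keys())      # in source, never loaded
    unexpected = sorted(dwh.keys() - src.keys())   # loaded, no source record
    altered = sorted(k for k in src.keys() & dwh.keys()
                     if fingerprint(src[k]) != fingerprint(dwh[k]))
    return {
        "source_count": len(source),
        "warehouse_count": len(warehouse),
        "source_total": control_total(source),
        "warehouse_total": control_total(warehouse),
        "missing": missing,
        "unexpected": unexpected,
        "altered": altered,
        "ok": not (missing or unexpected or altered),
    }


if __name__ == "__main__":
    for key, value in reconcile(SOURCE_ROWS, WAREHOUSE_ROWS).items():
        print(f"{key}: {value}")
```

In this sample both sides hold four rows, so a row-count check alone would pass; the control totals and per-record fingerprints are what expose the dropped, altered, and unexpected records.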

From an enterprise architecture perspective, information integrity is the linchpin between the business’s information requirements and the technology solutions that serve up the information to the business. If the information is no good, then what good are the technology solutions that provide the information to the business? In other words, garbage in, garbage out (GIGO)!

As enterprise architects, we need to work with the business and IT staffs to ensure that data captured is current, accurate, and complete; that it is entered into the system correctly and processed accurately; and that outputs are distributed on a need-to-know basis or as required for information sharing purposes, and are protected from unauthorized changes.

Using business, data, and systems models to decompose the processes, the information required for those, and the systems that serve them up helps to identify possible information integrity issues and aids in designing processes that enable quality information throughput.

Additionally, security needs to be architected into the systems from the beginning of their lifecycle and not as an afterthought. Information confidentiality, integrity, availability, and privacy are essential for an information secure enterprise and for information quality for mission/business performance.



January 13, 2008

Fire Sale Attack and Enterprise Architecture

Fire Sale─“Matt Farrell (Justin Long), a character in the movie Live Free or Die Hard, used this term to describe the plot by Thomas Gabriel (Timothy Olyphant) to systematically shut down the United States computer infrastructure. The plan crashes the stock market, communications and utilities infrastructure, crippling America's economy and causing nation-wide chaos. The term was coined because of the phrase "everything must go" meaning all of the world's technology based off of a computer system, virtually everything.” (Wikipedia)

The New York Times, 4 June 2007, in an article titled “When Computers Attack,” describes how governments are preparing for the worst in terms of cyber attacks.

“Anyone who follows technology or military affairs has heard the predictions for more than a decade. Cyberwar is coming. Although the long-announced, long-awaited computer-based conflict has yet to occur, the forecast grows more ominous with every telling: an onslaught is brought by a warring nation, backed by its brains and computing resources; banks and other businesses in the enemy states are destroyed; governments grind to a halt; telephones disconnect.”

What systems are at risk?

At risk are all computers that connect “to the Internet through the industrial remote-control technologies known as Scada systems, for Supervisory Control and Data Acquisition. The technology allows remote monitoring and control of operations like manufacturing production lines and civil works projects like dams. So security experts envision terrorists at a keyboard remotely shutting down factory floors or opening a dam’s floodgates to devastate cities downstream.”

But how bad would a cyberwar really be — especially when compared with the blood-and-guts genuine article? And is there really a chance it would happen at all? Whatever the answer, governments are readying themselves for the Big One.

For example, “China, security experts believe, has long probed United States networks. According to a 2007 Defense Department annual report to Congress, China’s military has invested heavily in electronic countermeasures and defenses against attack, and concepts like ‘computer network attack, computer network defense and computer network exploitation.’”

What are we doing?

The United States is arming up, as well. Robert Elder, commander of the Air Force Cyberspace Command, told reporters in Washington at a recent breakfast that his newly formed command, which defends military data, communications and control networks, is learning how to disable an opponent’s computer networks and crash its databases.

How serious is the threat of cyber attack?

“An all-out cyberconflict ‘could have huge impacts,’ said Danny McPherson, an expert with Arbor Networks. Hacking into industrial control systems, he said, could be ‘a very real threat.’”

Is our nation’s architecture prepared to secure our enterprises and this country from a fire sale-type or other cyber terrorism attacks? Here are some actions that have been taken based on a CRS Report for Congress on “Computer Attacks and Cyber Terrorism” (17 October 2003):

  • In 2002, The Federal Information Management Security Act (FISMA) was enacted giving the office of OMB responsibility for coordinating information security and standards developed by civilian federal agencies.
  • In 2003, The National Strategy to Secure Cyberspace was published by the administration to encourage the private sector to improve computer security for critical infrastructure.
  • DHS has established the National Cyber Security Division (NCSD) to oversee the Cyber Security National Tracking and Response Center to conduct analysis of threats and vulnerabilities, issue alerts and warnings, improve information sharing, and respond to major cyber security incidents.
  • The Cyber Warning and Information Network (CWIN) is an early warning system for cyber attacks.
  • In 2003, a new Terrorist Threat Integration Center (TTIC) was established to monitor and analyze threat information (composed of CIA, FBI, DOD, DHS, and Department of State officials).

Additionally, “The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation's Internet infrastructure, US-CERT (http://www.us-cert.gov/) coordinates defense against and responses to cyber attacks across the nation.”

According to the CRS Report for Congress, in July 2002, the U.S. Naval War College hosted a three-day, seminar-style war game called ‘Digital Pearl Harbor’; 79% of participants believed that a strategic cyber attack was likely within 2 years.

While the dreaded cyber attack did not occur as feared by the war game participants, the scenario of a devastating cyber attack remains a real possibility that we must be prepared to confront and defeat.

As in the movie Live Free or Die Hard, a major cyber attack on this country could quickly bring us to our knees, if successful. We have become a nation born and bred on computers and automation. I challenge you to think of many things that you do that do not in some way involve these. We have formed a day-to-day dependency on all things computers, as individuals and as a nation.

In our enterprise architecture, we must continue to focus on comprehensive security frameworks for our organizations that address technical, managerial, and operational security areas. While the Federal Enterprise Architecture treats Security as a cross-cutting area, I believe that Security should be its own perspective (even though it crosses all domains), so that it can be given focus as an area that each and every agency and organization addresses. We must do more than create alert, warning, and reporting capabilities. We need both “computer vaccines” that can quickly cure and rid us of the encroachment of a cyber attack, as well as hunter-killer offensive capabilities that can paralyze any warring nation or terrorist organization that would dare to attack us.

I remember hearing a saying that once something is created, it is bound to eventually be used. So it was with the atomic bomb. So it will be with cyber warfare, and we must be prepared to defend this nation.


December 11, 2007

Information Security and Enterprise Architecture

Information security is generally considered a cross-cutting area of enterprise architecture. However, based on its importance to the overall architecture, I treat information security as its own perspective (similar to performance, business, information, services, and technology).

According to the Wall Street Journal (WSJ), 11 December 2007, professional hackers are getting smarter and more sophisticated in their attacks and this requires new IT tools to protect the enterprise. Here are some of the suggestions:

  1. Email scams—“hackers have responded to improved filtering software and a savvier population by aiming their attacks at specific individuals, using publicly available information to craft a message designed to dupe a particular person or group of people.” In response, organizations are installing antivirus and antimalware software from multiple vendors to increase the chance that an attack that gets by one security software product will be stopped by one of the others. These products can be obtained from vendors like Sophos, Sybari, Microsoft, Symantec, and McAfee.
  2. Key loggers—“one common form of malware is a key logger, which captures the user names and passwords that an unsuspecting computer user types, and then sends these to a hacker.” However, software from Biopassword Inc. can thwart this by recording employees’ typing rhythms, so that even a hacker who knows a username and password is denied access if he types too fast or too slow.
  3. Patrolling the network—hackers who get past the firewall often have free rein to roam once inside the network. However, ConSentry Networks Inc. has a product that imposes controls on where a user can go on the network, so even someone with a valid login will be prevented from snooping around the network or accessing information from an unapproved location.
  4. Policing the police—one of the biggest threats to an enterprise is from the insiders, employees who have access to the systems and information. Software from Application Security Inc., however, monitors access, changes, repeated failed logins, and suspicious activity and notifies the designated security officer.
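The typing-rhythm check described in item 2 can be sketched as follows. This is an added example, not Biopassword's algorithm and not code from the WSJ article; the scoring method (mean deviation from the enrolled rhythm, scaled by its spread), the threshold, and all timing values are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Constructed enrollment data: intervals in milliseconds between successive
# key presses, captured while the legitimate user typed the same password
# four times (six characters, so five intervals per sample).
ENROLLMENT = [
    [120, 95, 180, 110, 140],
    [125, 90, 175, 115, 150],
    [118, 100, 190, 105, 145],
    [130, 92, 185, 112, 138],
]


def build_profile(samples, min_std=5.0):
    """Return (mean, std) for each inter-key interval across the samples.

    min_std floors the spread so that a user who happened to be very
    consistent during enrollment is not locked out by normal jitter.
    """
    if len(samples) < 2:
        raise ValueError("need at least two enrollment samples")
    columns = list(zip(*samples))
    return [(mean(col), max(stdev(col), min_std)) for col in columns]


def rhythm_score(profile, attempt):
    """Average distance of the attempt from the profile, in standard deviations."""
    if len(attempt) != len(profile):
        raise ValueError("attempt has a different number of intervals")
    return mean(abs(t - mu) / sd for t, (mu, sd) in zip(attempt, profile))


def verify(password_ok, profile, attempt, threshold=2.0):
    """Second factor: the password must match AND the rhythm must be plausible.

    threshold is an assumed tuning value; a lower value rejects more
    impostors but also more genuine logins.
    """
    if not password_ok:
        return False
    return rhythm_score(profile, attempt) <= threshold


if __name__ == "__main__":
    profile = build_profile(ENROLLMENT)
    attempts = {
        "genuine user": [122, 96, 183, 108, 142],
        "too fast (replayed or pasted)": [40, 35, 45, 38, 42],
        "too slow (reading from a note)": [300, 280, 400, 310, 350],
    }
    for label, timing in attempts.items():
        score = rhythm_score(profile, timing)
        print(f"{label}: score={score:.2f} accepted={verify(True, profile, timing)}")
```

A correct password with the wrong rhythm is rejected in both directions, which is the "too fast or too slow" behavior the article describes.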

From a user-centric EA standpoint, information security is paramount to protect the enterprise, its mission execution, its employees, and stakeholders. As the WSJ points out, “breaches of corporate computer security have reached epidemic proportions. So far this year more than 270 organizations have lost sensitive information like customer credit-card or employee social security numbers—and those are just the ones that have disclosed such incidents publicly.” EA must help the chief information security officer to identify these enterprise security threats and select appropriate countermeasures to implement.

