Next in Government IT


  • Prem Jadhwani 3:07 pm on May 16, 2012

    Bridging the Gap between BYOD and Policy Enforcement 

    Best practices preach that security policies should be applied consistently across an entire distributed agency. However, the Bring Your Own Device (BYOD) trend is making this even more complicated than before, because not only are employees bringing a vast array of disparate wireless devices to work, they also want to connect from anywhere, with any device, and often look to access the cloud. Additionally, there is a continuing need for contractors requiring access to government network resources, as well as cross-department access and information sharing between various agencies. These demands put increasing pressure on government CIOs. This diversity also means the weakest link in security policy enforcement could exist almost anywhere in the agency infrastructure. Many CIOs are wondering how they can accommodate the exponential growth of new devices and applications on their agency network in real time, and how to secure, determine and manage who, what, when, where, how and how many users and devices access that network.

    So what technologies are available today for CIOs to bridge the gap and strike a good balance between the BYOD craze and uniform distributed policy enforcement and compliance management?

    CIOs permitting BYOD in their respective agencies should automate the process of registering and tracking mobile devices based on device type, user authentication and risk status. There are some unique solutions available in the marketplace today, such as Cisco Identity Services Engine (ISE), that enable self-registration of the device and eliminate the need for employees, contractors or guest users to deal with an IT Help Desk. Cisco ISE allows agencies to create and enforce security and access policies for the various endpoint devices connected to the agency network. You might recall that I attended the Cisco Summit a couple of weeks ago; their demonstration of this capability, which can quarantine an ‘unknown device’ until it has been properly assimilated into the environment according to policy or rules, was quite impressive. Today, if an agency doesn’t have that kind of discovery tool in its wireless network, it will either put the enterprise at risk by opening it up for usability, or rely on a manual procedure in which users meet with an on-site team to ‘allow’ this access. These procedures are very burdensome and truly not achievable considering the number of devices entering and leaving an agency daily.

    As part of the BYOD strategy, CIOs need to have a good handle on device management. Mobile Device Management (MDM) solutions like AirWatch or MobileIron let agencies assess devices for high-risk factors such as jail-breaking or the use of non-approved rogue applications like YouTube or Angry Birds. MDM solutions are very effective in managing the complete life cycle of a user’s handheld device, including device configuration, asset management, remote wipe and restore.

    What other management tools are already out there or are coming soon? Cisco Prime is a tool that not only provides end-to-end visibility for applications, services, users and devices across the network, but also allows administrators to correlate user identity with policy. The advancements from just a year or two ago are tremendous. Other leading vendors like Symantec have come out with many effective solutions for data loss prevention (DLP) and endpoint security for mobile devices. These solutions help prevent confidential information, such as sensitive PII data, from moving to or from mobile devices or unauthorized, non-approved storage locations, which we might use personally but which, in the enterprise, would be a huge breach of data security.

    There is no doubt that BYOD brings several benefits and cost savings to agencies. However, with all the benefits, there is also risk and vulnerability. Agency CIOs need to enforce strict policies and make sure compliance requirements are being met. The supporting policies have to be clearly spelled out, should be easy to understand, and should be automated and enforced by tools like those I mention above. Agencies need to bridge the gap and implement solutions for password protection, data encryption, 802.1X authentication using secure VPN, data leakage prevention, device monitoring, remote wipe, continuous monitoring and e-discovery. The devices are coming into the workplace, and this is unavoidable, but agencies can manage how they approach their use. As a CIO, you might not be ‘ahead’ of the influx of devices, but with the technologies available today it is possible to manage your security efficiently and cost effectively. Let me know your thoughts. Follow me on Twitter at GTSI_Architect.

  • jim sweeney 1:53 pm on May 9, 2012

    Will you be in the Cloud by New Year’s Day? 

    Recently, Rob Wolborsky, CTO for SPAWAR, was interviewed by Defense Systems magazine (read article: http://defensesystems.com/articles/2012/03/28/chief-view-rob-wolborsky-navy-data-center-consolidation.aspx?s=ds_160412). In the interview, Rob shared several somewhat startling facts:

    • There are over 120 data centers that support Navy and Marines, but there is no existing reliable measure of what each of those centers costs.
    • SPAWAR has put together ten working teams to undertake a substantial effort to understand what each center is costing them, and why, so they can determine how to consolidate appropriately.
    • They have completed just a third of the assessments so far. Based on what they’ve found, they estimate they can close nearly 60 (50%) of the data centers without decreasing services, with close to 20 closing in just the first year.

    The US Navy is a large organization and this program is a major undertaking. But it leads me to a couple of interesting questions which apply equally to an agency with just a handful of data centers. To be on track to take advantage of the Cloud by year-end 2012, you need to be able to answer yes to every question. Can you?

    • Do you know what each of your data centers costs you today? Further, do you have an understanding of the individual cost to run each application within each data center?
    • Are you nearly finished with consolidating and virtualizing the Operating Systems, System Images, Databases and the like that your data centers currently operate, in preparation for full-scale data center consolidation?
    • Have you identified the final list of which applications will move to the Cloud, to provide more cost-effective, available and reliable service now, and in preparation for moving your remaining data-center-based applications into the smallest serviceable footprint in the future?

    These are questions that each agency must be able to answer. Pete Tseronis has urged federal government agencies to come up with more than the required three Cloud candidates by the end of the year. But where do you start? I recommend starting with:

    • Find the data center that has the lowest operating costs (square foot x utilities x servers)
    • Profile your applications. Rank your applications based on criticality, usage (daily, monthly, and seasonal surge), need for redundancy, and the level of importance within your agency.
    • Structure a plan to address the required three (if not more) Cloud requirements.

    GTSI has an established methodology for migrating applications to the Cloud; we call it “GCAM” or the GTSI Cloud Assurance Model. The Model has seven discrete steps:

    1. Identify the costs to run a particular application as it is configured and running today, versus the cost to run that application in the Cloud
    2. Quantify the performance of that application as it is configured today
    3. Identify the policies, procedures and governance changes that will be required if this application is migrated to the Cloud
    4. Migrate the application
    5. Implement the policy, procedure and governance changes identified in (3) above
    6. Measure the performance to ensure it is better than (2) above
    7. Provide proof of the cost reduction goal as identified in (1) above

    This model can provide structure to simplify execution of such a large project, while helping to migrate applications to the Cloud successfully and demonstrate that success in real terms.

    I still maintain that while data center consolidation is an important component of an agency’s cost management strategy, it will not completely address the planned budget cuts on the horizon. Identifying applications that can move to the Cloud will be a necessary step to further reduce your server footprint. There may be some applications which cannot and should not be moved to the Cloud, but moving what you can will avoid greater hardships when budgets shrink in the coming years.

    As always, thanks for reading.

    Follow me on twitter at @GTSI_CTO

    Jim
