Sramana Mitra: Let’s talk about information security as it applies to the government and from the perspective of the cloud. What are the key drivers? What is the government’s level of concern about cyber crimes, and what are the drivers in that situation?
Joseph Beal: We focus a lot [on] APT, which is advanced persistent threat. Are such threats the nation states that are trying to get in and pull our information out? Are they the hacktivists who are trying to make a name for themselves or just trying to penetrate systems? Are they criminally driven, financially backed cyber criminals who have the ability to pull the information for their own financial gain?
From the security standpoint, the challenge is that as you move systems to the cloud, whether it be a public, hybrid, or private cloud, you want to make sure you have the same level of security you have when you’re able to manage those systems. I’ve talked about this over and over again – the philosophy has changed. Even as the government or a network manager in the government, as they move their most critical systems or applications, there’s a 50/50 chance they feel they may have lost something in that transition.
You can touch and feel your systems, turn them on, turn them off, know that you’re responsible for ensuring that they’re updated and patched. Then, when you move them to the cloud, you’re relying on someone else to both provide that function and understand what your data is. You’ve now moved from the role of being a network or service provider and network manager to being a data owner. Now the questions that are most important to you are, where’s my data? Where does it reside? Is it encrypted at rest? Is it encrypted in transit? That’s a major philosophy change we have right now in moving people into the cloud.
There have been a lot of steps to assist with this change. There’s FedRAMP, which sets basic requirements on how the government’s going to move forward with securing the cloud. There are controls. The National Institute of Standards and Technology (NIST) has put out multiple documents; NIST 800-series special publications (SP) such as 800-53 A and 800-53 Rev 4 talk about how we manage the controls and how we implement and assess those controls for the government. If there are vendors out there that are trying to work with the government, one of the important points to understand is that [there is] a lot of guidance and a lot of mandates, especially coming from this. If such vendors come into the government and offer their silver bullet, as they call it, and if they can sell it to the point where they say it addresses every security control that an agency must abide by per NIST, or even create a matrix [to show] that their new solution or application meets them, that’s going to open a lot of doors for the people who are trying to step into the government or start to do work with the government.
All too often, we sell a product and say it does all these great things, but why is it important to the government? The government commercializes a little differently because there are a lot of things that are profit driven, and the government’s not a profit center. If you look at different ways to sell aspects of your services or applications, the best way to do so is to look at the guidelines by which the government must abide per NIST, or even create a matrix [to show] that their new solution or application meets [security/control]; that’s going to open a lot of doors for the people who are trying to step into the government or start to do work with the government. On the security side, NIST 4300 A, if you can map what your application, service, or product does, you can start to show how you provide value-add for the government.
Right now they have an ROI, but it’s not necessarily financially driven. Their concern is, how do I provide services for the people we need to provide services for, who are the taxpayers?