Changes to FISMA

Last month the Obama administration announced new standards for agency reporting under FISMA as part of an effort to get agencies to shift from paper-based reports to real-time monitoring of systems. Vivek Kundra, the Federal Chief Information Officer, was interviewed by Federal News Radio in the post "OMB outlines shift on FISMA." Vivek expressed the vision that "What we need to do, when it comes to information security, is shift to a model across the federal government, with a focus that is much more of a real-time basis. And you'll see forthcoming, in terms of the FISMA reporting guidance, more centered on continuous performance monitoring and Cyberscope."

Ben Bain is reporting in the article, "NASA's new FISMA approach and what it means for you" that NASA’s Deputy Chief Information Officer for IT Security Jerry Davis is developing a new program for the security authorization process based on continuous monitoring, automated tools and reducing paperwork. NASA hopes to have it in place for fiscal 2011. “Security is still going to be done. Certification and accreditation will still be done, but the way we do it is going to change significantly and the frequency of it will change,” he said. “Instead of every three years, you’re really going to be doing it, in a sense, on like a weekly or monthly basis, you’re always going to be looking at those controls and adjusting them for changes."

Alan Paller, director of research at the SANS Institute is quoted on how the new approach will help to correct flaws in the original FISMA legislation, "It's a move toward being able to know the status of every machine at every minute. So that when something bad is coming at you, you know where you can target and where you can't so you can act quickly. It's a complete change from what we've had before. This started during the Clinton Administration, and it was the Senate that created it in the bill called GISRA, and then it became FISMA. It was an error made by people who didn't understand the threat, and the error was that you can manage fast-moving attacks with slow moving paper."

Joe Faraone, aka Vlad the Impaler, in his post "Machines Don’t Cause Risk, People Do!" warns that "continuous, repeatable security processes followed by knowledgeable, responsible practitioners are what government needs. But you cannot develop these processes without starting from a larger, enterprise view." Joe writes "Desiring to know everything about everything may seem to some to be a worthy goal, but may be beyond many organization’s budgets. *Everything* is a point in time snapshot, no matter how many snapshots you take or how frequently you take them. Continuous, repeatable security processes followed by knowledgeable, responsible practitioners are what government needs. But you cannot develop these processes without starting from a larger, enterprise view. Successful organizations follow this–dare I say it–axiom whether discussing security governance, or system administration."

Open Government and the Cloud

Effective security approaches being beyond many organization's budget might just be at the heart of the matter. Recall that Vivek Kundra statement that he sees two overarching trends now happening in computing:

1. The increasing use of mobile devices and the app ecosystems they support.
2. There's cloud computing, which can cut IT costs and drastically improve access to information.

With that in mind, it is not surprising that Nick Eaton reports in his post, "Obama's CIO ready to bring government tech up to speed" that the first two major tech initiative launched by the Obama administration consist of:

1. Data.gov, which is a depository for open government datasets that people can access to create applications, do scientific research and more. It launched with 47 datasets and it now includes more than 169,000. Since its launch in May 2009, New York, San Fransisco, Seattle and other local governments have launched similar services. Vivek has stated, that a big difference between public-sector and private-sector technology is that the commercial world is focused on front-end customer needs, whereas government IT is usually focused on the back end. Kundra wants to change that by creating accessible user interfaces to online government services, and as a result make "government cool again."
2. Apps.gov, which is hosted by the U.S. General Services Administration. It's a clearinghouse for hundreds of cloud-computing applications, both free and not, from mostly private vendors.

Cloud computing can be a solution that allow for continuous monitoring and a unified risk based approach across government agencies, all while reducing costs. A major stumbling block is achieving agencies compliance issues in respect to cloud vendors.

GSA Reissues RFQ

The GSA released the RFQ on its E-Buy mid-May asking for bids from IaaS providers on cloud storage services, virtual machines and cloud web hosting. Fed Cloud Blog interviewed Dave McClure, GSA’s Associate Administrator of Citizen Services and Communications, concerning the RFQ and the new contract. Dave discussed several of the differences:

We’re raising the security level to the moderate level. I think that’s where the public sector in general is headed — greater security in these cloud provisioning agreements. So, we’ve raised this up to the moderate level. I think that’s a significant improvement and difference from the prior RFQ. We also are making it much easier and clearer to map the industry offerings to the contract line items in this BPA instrument that we’re using. There was some confusion about whether specific services and prices for some of the industry offerings — how they’ve mapped to the contract line items in this BPA. We’ve gone back and actually cleaned that up and had conversations with industry on how that mapping process can work very effectively. So I think that will also create a much better instrument than what we had before. The third big difference is that things that are awarded off of this instrument will be candidates that will go into the FedRAMP centralized CNA approval process. I think that will make a difference, as well — knowing that your product or service will actually go through one CNA and then be usable across the entire government.

FedRAMP

This month FedRAMP was officially announced. Peter Mell, FedRAMP Program Manager, discusses the program in his presentation from last month. Peter explains FedRAMP is a government-wide initiative to provide joint authorizations and continuous security monitoring services. It provides a unified government-wide risk management and it will allow agencies to leverage FedRAMP authorizations (when applicable).

FedRAMP’s initial focus is on cloud computing with the program working with cloud vendors (currently Microsoft and Google are in pilot mode) to evaluate their overall security environment in relation to government security controls. The controls will be based on the new NIST security framework. There still will be some gaps between civilian, DoD and Intel agencies, so moving to cloud will still require some security work. The goal of FedRAMP is to create a unified risk management process that:

• increases security through focus assessment.
• eliminates duplication of effort and associated cost savings.
• enables rapid acquisition by leveraging pre-authorized solutions.
• provide agency vetted transparent security requirements and authorization packages.
• facilitates multi-agency use of shared systems.
• ensure integration with government-wide security efforts.

Peter states, "An advantage of this program is that [vendors] primary work with one security assessment and authorization body, or one risk management program, and they don't have to independently meet all of the security requirements of the many, many different agencies." In an interview with Eric Chabrow, Mell goes on to state, "Agencies, by leveraging FedRAMP authorization, will save a lot of money and enable rapid acquisition, but they're still in control. They get to choose whether or not they leverage it. They can choose if they want to do additional work to assure systems meet the security needs of their agency."

Mell believes the primary hurdle in securing the government adaption of cloud computing is the lack of government-wide authorization capabilities. Mell states:

Currently, with each federal agency independently doing risk management with these large outsourced systems in cloud computing you have got duplication of effort, but you have got incompatible policies being levied because the Federal Information Security Management Act is all about a framework by which agencies communicate or enforce their policies on a system. So you get 40 agencies together, enforcing their policies on a single system and the interception of those policies is likely not draftable. Likely, they will disagree on the finer points of server configuration, for example, and it just won't be possible and that is a source of great frustration for cloud vendors. It also means that acquisition is very slow, the lengthy compliance processes and then there is inconsistent application of these government-wide security programs.

To solve that, and I think this is common sense, I don't think we are doing anything unexpected or unusual here, it's certainly new, that the proposed solution is found within FedRAMP – the Federal Risk and Authorization Management Program. The idea is to create a government-wide, risk management program that has to be optionally used by the agencies. It provides joint authorization services and continuous monitoring services and again, I will stress that it is optional.

FedRAMP would perform assessment and authorization of these very large systems, these government-wide authorization then can be optionally leveraged by agencies so that they can adopt these services with a minimal of additional security effort required. FedRAMP would perform security, based on an agreed upon government-wide security baseline that agencies can leverage. That is what I mean by most of the work will be done because that baseline will have been assessed and authorized.

Agencies do have unique missions and risk tolerances and security needs, and so agencies are always welcome to do incremental additional security testing, require additional security controls to be implemented and so forth. But again, the idea is to complete the bulk of the work for the agencies; do it once and do it well and thereby reduce an enormous amount of duplication of effort and enable rapid acquisition by federal agencies, eliminate that concern of security requirements not being compatible when multiple agencies levied them on a particular resource pool cloud system. And lastly, ensure consistent application of federal government-wide security programs. The Trusted Internet Connection program or there is ITM, there is Einstein, and the list goes on

As to the question of authorization, Mell explains, "this fits perfectly within existing law, OMB policy, and even NIST security guidance. What we did do is in the new NIST risk management framework, in particular the NIST Special Publication 800-37, we added an Appendix s.6. That appendix talks about this notion of joint authorization being performed by the joint authorization board and then this concept of leveraged authorization where the agencies are leveraging the outcome of this joint authorization. We put the sort of foundational underpinnings of FedRAMP into the new NIST management framework. And by the way, FedRAMP is designed to follow that NIST risk management framework and focus a lot on that continuous monitoring aspect."

There are real issues that need to be worked out as FedRAMP develops. For example, Michael Smith in his post, “NIST Cloud Conference Recap” shares his personal experience with a certifier that said, “we don’t recognize common controls so even though you’re just a simple web application you have to justify every control even if it’s provided to you as infrastructure.” Michael goes on to list several pieces that he has not seen FedRAMP addressed yet (follow the link and read his blog). I will add two more:

1. Vendor Lock in: if a cloud provider is authorized at some point but later stops meeting the security controls causing authorization to be revoked, how do agencies switch cloud providers without cost and/or loss of service?
2. Contamination Containment: when classified material leaks into the cloud, how is that dealt with? It does happen. Current requirements are to have the drives pulled and destroyed. That is not possible under current cloud configuration where the data is spread over thousands of drives.

So, everything is not rainbows and unicorns. It never is in security. There are real challenges to be faced. It is great that a discussion is taking place and folks are working hard at addressing these issues.

Federal Cloud Adoption

This past week, a new Federal CIO Council report, "The State of Public Sector Cloud Computing" was released. The executive summary states, "As we move to the cloud, we must be vigilant in our efforts to ensure that the standards are in place for a cloud computing environment that provides for security of government information, protects the privacy of our citizens, and safeguards our national security interests. This report provides details regarding the National Institute of Standards and Technology’s efforts to facilitate and lead the development of standards for security, interoperability, and portability." Kevin Jackson in his post, "Vivek Kundra – State of Public Sector Cloud Computing" describes how the report "not only details Federal budget guidance issued to agencies to foster the adoption of cloud computing, but it also describes 30 illustrative case studies at the Federal, state and local government level."

Deniece Peterson in the post, "Security, Standards and Budget Initiatives to Spark Cloud Computing Adoption" discusses the NIST forum and workshop she attended (slides are available). Deniece describe the the morning session as including a panel of industry representatives from Intel, Microsoft, the Cloud Security Alliance, Amazon.com and the Center for Democracy and Technology. The panelists' wish list consisted of:

• Keep going with FedRAMP (security certification effort), but don't stop there.
• Develop standards in collaboration with both industry and international stakeholders
• Recognize that interoperability needs can vary case by case; no one size fits all
• Don't stifle innovation by setting standards too quickly; focus on building the framework
• ID management, access control and cryptographic key management are the main security issues surround cloud computing and can have a serious impact on scalability
• Push vendors to be more transparent about their security controls
• Traditional notions based on physical boundaries will need to change
• SLAs must include meaningful metrics for performance and security

"We want to be pragmatic, but aggressive," Kundra told the Washington crowd, noting that the government's consolidation of federal data centers and several other "game-changing approaches" will further fuel the move to the cloud. Andrew R Hickey in his article, "Federal CIO Says Cloud Standards Needed For Government Adoption" describes how NIST has also started the Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC) initiative that will validate and communicate interim specifications to agencies in the areas of security, interoperability and data portability. "We're not trying to write cloud computing standards, but are trying to do some testing on reasonable system interfaces or specifications of systems and make the test results available so people can see something is absolutely possible because the the test results show it," NIST senior computing scientist Lee Badger said. NIST will also launch a publicly accessible Web portal to facilitate collaborative development of standards to support cloud computing requirements, Dawn Leaf, NIST senior executive for cloud computing, told attendees. Leaf expects the portal to be available sometime before the end of 2010. Currently, business use cases are now available on the CIO Web site.

Alex Howard reports that recovery.gov would be moving to Amazon's cloud. Earl Devaney, chairman of the recovery board, stated this move represents one of the "first bricks in the foundation that we're laying" throughout the federal government, in terms of cloud computing. Vivek would direct us to "look at the Department of Interior: The CIO is considering moving 80,000 emails to the cloud. Look at the investments made at GSA or a recent RFI [Request for Information] around email. Across federal government, you're seeing a number of agencies putting in a plan." J. Nicholas Hoover reports in his article "Gov 2.0: Google Readies Government Cloud" that customers Google already has for Google Apps are the city of Los Angeles and Lawrence Berkeley National Laboratory. In the federal sector, more than 100 federal agencies are already customers of Google's other products, including Google Earth, Google Maps, and Google Enterprise Search. Google Enterprise president, Dave Girouard reports "we have a lot of state and local interest, and, increasingly, with FISMA certification arriving soon, think we have an opportunity with the federal sector." Girouard said that in addressing the federal government's unique cybersecurity demands, the majority of Google's work thus far has centered around documenting, clarifying, and explaining Google's security rather than re-inventing or changing its security posture.

Final Thoughts

Mary Engelbreit, famous children's book illustrator, once wrote "If you don't like something change it; if you can't change it, change the way you think about it." Is the government making real challenges? If so, are these the kind of changes necessary to make cloud computing a reality in federal departments?

Lori MacVittie in her post, “Can the Cloud survive regulation?” points out that “we are just beginning to see the impact of what sharing and ‘international’ really means: an increasingly complex web of requirements and regulations. That may very well make the cloud a battle-zone unsuitable for any organizational use until the conflicts between security, regulations, reliability, and privacy are addressed.” Lori also considers that we might just “see the rise of regulated clouds; clouds within clouds specifically designed to meet the demanding needs of the myriad governmental and industry-specific privacy and data protection regulations. Regulated clouds set aside – at a premium of course – for those users and organizations who require a broader set of solutions to remain compliant even in the cloud.”

In the post “Cloud: Security Doesn’t Matter (Or, In Cloud, Nobody Can Hear You Scream)” Chris Hoff offers the opinion, “the only thing that will budge the needle on this issue is how agile those who craft the regulatory guidelines are or how you can clearly demonstrate why your compensating controls mitigate the risk of the provider of service if they cannot.” Chris goes on to state, “We need the regulators and examiners to keep pace with technology — as painful as that might be in the short term — to guarantee our success in the long term.” Chris also recommends organizations “manage compliance, don’t let it manage you.” Novell has done a very funny short video based on the blog (along with other entertaining short videos you will want to check out):

I do not agree with everything that is going on in government. I believe solutions will be found through trained security professionals. Security tools can be empowering but are not the end all solution. A monkey with a computer, even if it is a high performance computer, is no William Shakespeare. Adding more monkeys will not make any difference; it just creates a zoo. I do believe in the possibilities created with change, especially when you find yourself in a place where things are not working. You build upon the knowledge of your people utilizing what does work.

What gives me greatest hope is that the federal government seems to be listening to experts like Chris, Deniece, Joe, Lori, Michael, etc. and making a solid effort to create an environment where it can foster the adoption of cloud computing. These are not just cosmetic changes focused on how we think about computing, but real changes in how we will operate. For those who like the challenges brought on by change, it is an exciting time to be in security.

Related Posts:

• OMB Says Bring on the Clouds: Frightening or Funny?
• Standardization and Interoperability in Security
• Modeling Security into the Clouds
• Recent Cloud Postings
• Provenance and Trust

Miller goes on to report that OMB will require “agencies launch a series of cloud computing pilots across the government in 2010 using the E-Government Fund.” In 2013, Miller reports, agencies must provide OMB “a complete alternatives analysis for mixed life cycle projects where agencies are spending new money-known as development, modernization and enhancement-and steady state or operations and maintenance funding for how they could move to cloud computing.”

Miller quotes a former government official as saying, “They are not saying use it, but are pushing us to look at it and do an analysis of alternatives and make a decision based on our business needs. They are pushing us to look at it, yet giving us the ability to decide whether it makes sense.”

How well does your organization understand cloud computing? How will security be handled? What can you do to prepare? During this time of tight budgets, maybe you do not have the funds and/or time to attend conferences and training events. Fortunately, presentations are being posted regularly to the web, allowing you to keep informed on technological challenges. For example, the ZISC Workshop on Security in Virtualized Environments and Cloud Computing, held September 10-11th in Zurich, recently posted all their presentations:

Following NIST’s involvement in an area like cloud computing can help you judge the direction the government is heading. Tim Grance presented at the 5th Annual IT Security Automation Conference and Expo Presentations and the presentations have been made available. Grance presented on the Security Content Automation Protocol (SCAP) (see my previous post “Standardization and Interoperability in Security” for additional information on SCAP). A cloud computing track consisting only of slides (no video) was also posted. If lack of video does not concern you, the following conferences have posted slides on cloud security:

• CCSW 2009: The ACM Cloud Computing Security Workshop, held November 13th, 2009 in Chicago.
• Digital Government Institute’s Cloud Computing 2010: Focus on Operational Efficiency and Security, held December 9, 2009.
• Cloud Interoperability Roadmaps Session held in Long Beach, CA on December 10, 2009.

If you prefer to listen and do not need to see slides, Tim Grance can be heard on Dana Gardner’s BriefingsDirect podcast, “Panel Discussion: Is Cloud Computing More or Less Secure than On-Premises IT?.” The discussion includes a panel of all stars from the cloud security community, including Glenn Brunette, distinguished engineer and chief security architect at Sun Microsystems and founding member of the Cloud Security Alliance (CSA); Doug Howard, chief strategy officer of Perimeter eSecurity and president of USA.NET; Christofer Hoff, technical adviser at CSA and director of Cloud and Virtualization Solutions at Cisco Systems; and Dr. Richard Reiner, CEO of Enomaly. The podcast was recorded at the Open Group’s 23rd Enterprise Architecture Practitioners Conference in Toronto on July 20-22, 1009, along with:

• Jericho Forum Aims to Guide Enterprises Through Risk Mitigation Landscape for Cloud Adoption where Dana interviews Steve Whitlock, a member of the Jericho Board of Management.
• Cloud and Security Join Boundaryless Information as Top-of-Mind Issues for The Open Group where Dana talked with Allen Brown, president and CEO of The Open Group.
• XDAS Standard Aims to Empower IT Audit Trails from Across Complex Events where Dana talks with Ian Dobson, director of the Security Forum for The Open Group, as well as Joël Winteregg, CEO and co-founder of NetGuardians. XDAS is an open-source standard that is hopefully going to help in compliance and regulatory issues and in the automation of heterogeneous environments.
• New Era Enterprise Architects Need Sweeping Skills to Straddle the IT-Business Alignment Chasm where Dana is joined by James de Raeve, vice president of certification at The Open Group; Len Fehskens, vice president, Skills and Capabilities at The Open Group; David Foote, CEO and co-founder, as well as chief research officer, at Foote Partners, and Jason Uppal, chief architect at QRS.
• Cloud Pushes Enterprise Architects’ Scope Beyond IT into Business Process Optimization Role where Dana is joined by Tim Westbrock, managing director of EAdirections; Sandy Kemsley, an independent IT analyst and architect; and John Gotze, international president for the Association of Enterprise Architects.

For more video presentations on the cloud security, awhile back I posted “CERT, CERIAS, the Academy, and Google Video: Training Online.” Two other sources include the SecurityTube and O’Reilly Webcasts. Below are a few examples of the presentations available:

• The Belgian Beer Lovers Guide to Cloud Security (Brucon 2009) Tutorial by Craig Balding at Brucon 2009: In this presentation Craig covers why talking about “cloud” is akin to walking into a Belgian bar and asking for “beer”; the common cloud architectures and their implications for you – the security dude; what the beer brewing Trappist Monks can teach us about cloud security; attacking clouds (aka getting free beer); and dealing with the hangover: cloud incident response & forensics.
• Evolution of Security (Fsecure) Tutorial by F-Secure: an animated series on the various threats out there on the Internet and also talks about their state of the art AV (self promotion) They also talk about “cloud security” and how the next generation AV will be in the cloud and not isolated.
• Cloud Security and Privacy by Tim Mather, Subra Kumaraswamy, Shahed Latif: discusses cloud computing’s SPI delivery model, and its impact on various aspects of enterprise information security (e.g., infrastructure, data, identity and access management, security management), privacy, and compliance. Security-as-a-Service and the impact of cloud computing on corporate IT is also discussed.
• Architecting Applications for the Cloud by Jorge Noa: This presentation analyzes aspects of the Amazon EC2 IaaS cloud environment that differ from a traditional data center and introduces general best practices for ensuring data privacy, storage persistence, and reliable DBMS backup.
• Cloud Computing: The Next Frontier for Open Source by Bernard Golden: discusses how the trends of open source and cloud computing reinforce one another, and why cloud computing is a significant driver of enterprise open source adoption.
• Getting Started with Amazon Web Services by Cloud Security Deep Dive by Subra Kumaraswamy, Shahed Latif, Tim Mather: will take a deep dive into cloud security issues and focus on three specific aspects: (1) data security; (2) identity management in the cloud, and; (3) governance in the cloud (in the context of managing a cloud service provider with respect to security obligations). Each of these three topics will be covered in a 30 minute segment that will include a presentation and Q&A with the audience.
• Cloudburst (Hacking 3D and Breaking Out of VMware) Blackhat 2009 by Kostya Kortchinsky: VMware products include implement a lot of functionality, and as such have a decent chance to include some bugs. CLOUDBURST is the combination of 3 of those found in the virtualized video device (more specifically the 3D code). Combined, these allow a user in a Guest to execute code on the Host. Since the virtualized device code is the same for all the branches of the products, this impacts Workstation, as well as Fusion or ESX. Immunity, Inc. will present the various vulnerabilities and the techniques used to exploit the bug reliably, even on platforms with ASLR or DEP such as Vista SP1. Once exploited, Immunity will demonstrate how to establish MOSDEF between the Host and Guest.
• Virtualization: Resource Coupling and Security across the Stack by Dennis Moreau, Configuresoft: The session briefly addressed extension to the cloud and utility computing infrastructures to address how to use configuration and behavioral information to address the increased complexity of security, compliance and risk assessment in virtualized environments.

Other BruCON Security Conference (held September 18-19, 2009) videos are available at their vimeo channel. O’Reilly maintains on YouTube an O’Reilly Media Channel along with an area to sign up for future webcasts. Blackhat DC 2009 video, audio, whitepapers, and slides are also available. Content is ever changing, so keep checking the sites.

Remember that Vivek Kundra, Chief Information Officer (CIO) of the United States of America, outlined as his team’s priorities:

1. Innovation
2. Lowering the cost of Government
3. Transparency
4. Engaging Citizens
5. Ensuring a safe computing environment

In response, FedScoop! started hosting one event each quarter around these pillars. On October 14 at the Newseum, they did their first event bringing together executives in the White House and federal CIO’s, CTO’s, and decision-makers to talk about lowering the cost of government with technology. Check out the video of the Cyber Security Panel. Since one of the topics was cloud computing, FedScoop! scheduled a follow-up event. On December 9th, 2009, they hosted and posted the “Cloud Computing Shoot Out.”

FederalNewsRadio has posted a three part video series on secure cloud computing. The panelists include Jim Flyzik, President of the Flyzik Group; Henry Sienkiewicz, Technical Program Director, Computer Services, Defense Information Systems Agency; Ronald Bechtold, Army Architecture Integration Center at Headquarters, Department of the Army, Chief Information Office/G6; Curt Aubley, Chief Technology Officer CTO Operations & Next Generation Solutions, Lockheed Martin Information Systems & Global Services; Dale Wickizer, Chief Technology Officer-Public Sector, NetApp, Inc.; and Aileen Black, Vice President of Public Sector VMware Inc.

CNET’s editor of Webware, Rafe Needleman and senir writer Stephen Shankland talked with Christofer Hoff on the Reporters’ Roundtable podcast about the “Dangers of Cloud Computing.” Chris also presented at Microsoft’s BlueHat, “Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure.” Any presentation with such a great title must be watched. There is a short interview with Chris from Bluehat.

One of my favorite stories of Abraham Lincoln involved the McCormick-Manny case of 1855 where Lincoln was one of Manny’s lawyers. Lincoln basically was pushed aside and humiliated. After the trial, he told Ralph Emerson, a young lawyer who was present at the trial, “I am going home. I am going home to study law.” Emerson asked, “Mr. Lincoln, you stand at the head of the bar in Illinois now! What are you talking about?” Lincoln replied, “Ah, yes, I do occupy a good position there, and I think that I can get along with the way things are done there now. But these college-trained men, who have devoted their whole lives to study, are coming West, don’t you see? And they study their cases as we never do. They have got as far as Cincinnati now. They will soon be in Illinois.” Emerson stated Lincoln turned to him, his countenance suddenly assuming that look of strong determination which those who knew him best sometimes saw upon his face, and said, “I am going home to study law! I am as good as any of them, and when they get out to Illinois, I will be ready for them.”

Change is coming. If you try just to get along, the future will overwhelm you. While we do not live in a world of unlimited funds for conferences and training, people are sharing a wealth of information. Take advantage of it and get ready for whatever might be heading your way.

The Security Content Automation Protocol (SCAP) is an attempt to help defenders by providing a collection of XML schemas/standards that allow technical security information to be exchanged between tools. For example, SCAP can help organizations looking for a way to respond appropriately to new vulnerabilities and threats by helping prioritize, allowing the most significant ones to be addressed sooner. It can also benefit those looking to provide interoperability across system security tools. There is even an effort to “encouraging the use of SCAP as a de-facto standard across the ICT industry for deploying trusted cloud computing services.”

Background

To help understand what exactly SCAP is, let us turn to the U.S. National Institute of Standards and Technology (NIST) Special Publications (SP) 800-117, “DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP):”

SCAP comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues. SCAP can be used for maintain the security of enterprise systems, such as automatically verifying the installation of patches, checking systems security configuration settings, and examining systems for signs of compromise.

NIST this month is looking for public comments on the first public draft of SP 800-126, “The Technical Specification for the Security Content Automation Protocol (SCAP).” Back in May, NIST released the draft for SP 800-117.

SCAP components consists of:

• Common Configuration Enumeration (CCE): provide unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.
• Common Platform Enumeration (CPE): a structured naming scheme for information technology systems, platforms, and packages.
• Common Vulnerability Enumeration (CVE): a dictionary of publicly known information security vulnerabilities and exposures.
• Common Vulnerability Scoring System (CVSS): a vulnerability scoring system designed to provide an open and standardized method of rating IT vulnerabilities. NIST has even provided a calculator for creating CVSS vulnerability severity scores.
• eXtensible Checklist Configuration Description Format (XCCDF): a specification language for writing security checklists, benchmarks, and related kinds of documents. NIST has released the NIST Interagency Report 7275 Revision 3 “Specification for Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4.”
• Open Vulnerability Assessment Language (OVAL): an information security community standard to promote open and publicaly available security content, and to standardize the transfer of this information across security tools and services.

The National Checklist Program (NCP), outlined in NIST SP 800-70, is the repository for SCAP-expressed checklists. The checklists provide detailed low level guidance on setting the security configuration of operating systems and applications.

In June, MITRE hosted the Security Automation Developer Days conference, which focused on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP). MITRE has made the minutes available, which includes discussion on NIST SP 800-126. Michael Smith has provided some great highlights from the conference in his post, “Security Automation Developers Conference Slides.” The problem with Michael is that it is difficult not to quote his whole blog, which is bad web etiquette. Please follow the link for some real insight concerning the slides. You can also view below Michael’s presentation, “Security Content Automation Protocol and Web Application Security:”

Back in September 2008, NIST sponsored the Fourth Annual Security Automation Conference. The Presentations are available. Ian Charters attended and posted his thoughts, “NIST and SCAP; Busting a cap on intruders Part 1.” The 5th Annual IT Security Automation Conference will be held October 26-30th, 2009 at the Baltimore Convention Center.

Make sure to check out below the OWASP video talk from SnowFROC 2009 by Ed Bellis (from Orbits) on vulnerability management titled “Doing more with less? Automate or die.”

Ed’s has also written an article for CSO Online, “How SCAP Brought Sanity to Vulnerability Management.”

Possible Problems

Some may argue that SCAP is overly complicated and people are better off relying solely on their vendor’s products and reports. That assumes that a single vendor product is sufficient to meet tomorrow’s security needs. Some organizations buy into the platform simplification model where basically they purchase a single vendor line of products in order to avoid interoperability problems. The problems is that one vendor frequently only does a few things well. The agility of the organization to adapt to changes in the security world becomes dependent solely on that single vendor. After investing so much into that one vendor, organizations find that they are completely locked in. Probably that is not the best position to be in when facing a very volatile IT environment.

Consider the below list where NIST outlines areas SCAP validation will cover (Source: NIST Interagency Report 7511 “Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements (DRAFT)):”

• FDCC Scanner: the capability to audit and assess a target system to determine its compliance with the FDCC requirements.
• Authenticated Configuration Scanner: the capability to audit and assess a target system to determine its compliance with a defined set of configuration requirements using target system logon privileges.
• Authenticated Vulnerability and Patch Scanner: the capability to scan a target system to locate and identify the presence of known vulnerabilities and evaluate the software patch status to determine compliance with a defined patch policy using target system logon privileges.
• Unauthenticated Vulnerability Scanner: the capability of determining the presence of known vulnerabilities by evaluating the target system over the network.
• Intrusion Detection and Prevention System (IDPS): the capability to monitor a system or network for unauthorized or malicious activities. An intrusion prevention system actively protects the target system or network against these activities.
• Vulnerability Remediation: the capability to install patches on a target system in compliance with a defined patching policy.
• Misconfiguration Remediation: the capability to alter the configuration of a target system to bring it into compliance with a defined set of configuration recommendations.
• Asset Scanner: the capability to actively discover, audit, and assess asset characteristics including: installed and licensed products; location within the world, a network or enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers.
• Asset Database: the capability to store and report on asset characteristics including: installed and licensed products; location within the world, a network or enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers.
• Vulnerability Database: a catalog of security-related software flaws labeled with CVEs where applicable. This data is made accessible to users through a search capability or data feed and contains descriptions of software flaws, references to additional information (e.g., links to patches or vulnerability advisories), and impact scores. The user-to-database interaction is provided independent of any scans, intrusion detection, or reporting activities. Thus, a product that only scans to find vulnerabilities and then stores the results in a database does not meet the requirements for an SCAP vulnerability database (such a product would map to a different SCAP capability). A product that presents the user general knowledge about vulnerabilities, independent of a particular environment, would meet the definition of an SCAP vulnerability database.
• Misconfiguration Database: a catalog of security-related configuration issues labeled with CCEs where applicable. This data is made accessible to users through a search capability or data feed and contains descriptions of configuration issues and references to additional information (e.g., configuration guidance, mandates, or other advisories). The user-to-database interaction is provided independent of any configuration scans or intrusion detection activities. Thus, a product that only scans to find misconfigurations and then stores the results in a database does not meet the requirements for an SCAP misconfiguration database (such a product would map to a different SCAP capability). A product that presents the user general knowledge about security-related configuration issues, independent of a particular environment, would meet the definition of an SCAP vulnerability database.
• Malware Tool: the capability to identify and report on the presence of viruses, worms, Trojan horses, spyware, or other malware on a target system.

It is difficult to imagine a single security product that is capable of doing all the above services well. There is a need to be able to share information between various systems performing these functions.

Game Changing Technology

Considering past statements by Aneesh Chopra, the first Chief Technology Officer of the United States, does not SCAP sound like an area that will be getting additional support by the U.S. government? ZDnet has posted a very interesting podcast of Chopra talking at the Computer History Museum. Chopra wrote a few months back:

If confirmed, I would emphasize a research program on “game-changing” ideas in cybersecurity, to find new ideas that might transform the nation’s information infrastructure to be more secure and simpler to understand and use. The goal is to make it “easy to do the right thing, hard to do the wrong things and easy to recover when the wrong thing happens anyway.”

Tim O’Reilly, one of the most insightful person around in respect to IT, wrote back in April “Why Aneesh Chopra is a Great Choice for Federal CTO.” Tim’s points out items that Chopra has accomplished in Virginia:

1. the first officially-approved open source textbook in the country, the Physics Flexbook;
2. integrating iTunes U with Virginia’s state education assessment framework;
3. the Learning Apps Development Challenge, a competition for the best iPhone and iPod Touch applications for middle-school math teaching;
4. a Ning-based social network to connect clinicians working in small health care offices in remote locations;
5. a state-funded “venture capital fund” to allow government agencies to try out risky but promising new approaches to delivering their services or improving their productivity;
6. a lightweight approval and testing process that allows the government to try out new technologies before making a full, expensive commitment.

Back in April 2007, Chopra was behind Virginia’s 95 agencies opening up their databases to the Google search engine, in order to make them widely accessible to the public. Chopra at that time stated the top priority of the state’s strategic plan for information technology, which was adopted last year, is increased access to government information. A great thing to do, provided security is insuring only the information you want is being accessed in the manner intended.

John Dvorak offers a different opinion of Chopra in his post “Special Report: Is US Chief Information Officer (CIO) Vivek Kundra a Phony?” Dvorak states, “It would be logical to assume that Kundra managed to get his buddy Chopra the CTO job despite the fact that Chopra’s technology background is essentially nil.” Whether O’Reilly or Dvorak is correct, Chopra needs to start reading the Guerilla CISO for great insight into security solutions. Michael outlines a plan on fixing government patch and vulnerability management through SCAP in the post, “Federated Vulnerability Management.” Here are a few of the ideas discussed in the post:

• Every IT asset reports into a patch management system of some sort. Group the assets allowing for identification of who is responsible when something has a problem.
• Do periodic network scanning.
• The orchestrator will correlate network scans with patch management status and gives a ticketing/alert/whatever where unmanaged devices are identified.
• The NVD feed is pushed down to the agencies/departments which are sent out as vulnerability alerts along with the checks to see if systems are vulnerable.
• Hardening guides are pushed from the agencies/departments in SCAP form and audit information is pulled of IT assets. Differences are automatically entered into a workflow and reporting system.

Imagine the additional possibilities when intrusion detection/prevention systems, patch remediation, asset scanner, and malware tools start sharing information.

SCAP and the Cloud

Aneesh Chopra should also read Christofer Hoff’s rational Survivability blog. In Hoff’s post, “Extending the Concept: A Security API for Cloud Stacks“, he considers building on the capabilities of SCAP to embed a “standardized and open API layer into each IaaS, PaaS and SaaS offering (see the API blocks in the diagram below) to provide not only a standardized way of scanning for network vulnerabilities, but also configuration management, asset management, patch remediation, compliance, etc.” Hoff goes on to write, “Further (HT to @davidoberry who reminded me about my posts on the topic) we could use TCG IF-MAP as a comms. protocol for telemetry.”

Hoff is another person who is difficult to quote without including his complete post. He makes the point that you gain “automated audit and security management capability for the customer/consumer and a a streamlined, cost effective, and responsive way of automating the validation of said controls in relation to compliance, SLA and legal requirements for service providers.” By doing so, Hoff points out, you are “not reinventing the wheel and we have lots of technology and standardized solutions we can already use to engineer into the stack.”

Update: Hoff pointed out (see comments area) some of the excellent work done by Iron Frog (Ben) in not only his post “Some thoughts for addressing the Assurance component of A6,” but also his series of post “Can we do the Security Stack API RESTfully? (parts 1, 2, 3, 4, and 5).”

Peter Mell, who recently changed positions at NIST from the SCAP validation program manager to the leader of the agency’s Cloud computing project, will likely agree with Hoff’s points. Expect NIST efforts in the Cloud to take SCAP into consideration.

Final Thoughts

As Michael Smith points out, in the Cloud one faces the same problems as a managed service provider, mainly how to allow the auditing of systems and the underlying infrastructure. An API could allow a managed services environment making security tasks much easier to customers. To quote Michael Smith, “we have in SCAP is Common Platform Enumeration (CPE) which allows you to specify the hardware and software (ie, how the infrastructure that you don’t know about is built) and eXtensible Configuration Checklist Description (XCCDF) which specifies the audit/compliance checks. Package them together and you have a way of describing what the infrastructure looks like and the technical auditing standard to go along with it.” Sounds like some game changing ideas that could transform the nation’s information infrastructure, helping it be more secure. I hope you are listening, Aneesh Chopra.

Take a look at the Cloud framework in the Jericho Forum’s paper “Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration“:

Now compare that to the table Hoff developed in his post, “The Vagaries Of Cloudcabulary: Why Public, Private, Internal & External Definitions Don’t Work…”

Notice the similarities in how both organize the multi-dimensional elements of Cloud Computing. The Jericho Forum has released a short video titled “Securely Collaborating in the Clouds:”

While I do not have any video of Hoff, he has made available the slides in his post “The Frogs Who Desired a King: A Virtualization & Cloud Computing Fable [Slides].”

Forrester analyst James Staten interviewed more than 30 companies and concluded that cloud computing has been “wildly popular” with small businesses but large companies have been skeptical. Forrester has posted the report, “Is Cloud Computing Ready For The Enterprise?” Staten blogged about his report in the post “Are Fabrics Web 3.0?.” Larry Dignan sums up some of the notable benefits in his post, “Cloud computing hasn’t gone Fortune 500 yet, but it’s coming” as:

• Deployment speed. One big hang-up for enterprises is figuring out how to procure and provision infrastructure to support a new application. In other words, you can develop an application in two weeks, but wait six weeks to procure and then install the servers that support it. Toss in capacity planning and the time to market expands more.
• Costs. To acquire those additional servers to support a new app requires budget. Staten notes you can’t just run out and buy a server anymore.
• Businesses want fast prototypes. Corporations can deliver faster prototypes by using cloud computing services. Simply put, it makes sense to use cloud computing as a testbed for projects that don’t have a fully-baked business case. For instance, research and development projects, low priority business applications and collaboration services are all good candidates for the cloud.

Dana Gardner in his post, “Cloud computing for enterprises, work it through your head” discusses a Hiperware white paper” that “goes on to detail several enterprise computing use-case scenarios that show how cloud computing architectures and methodologies, if enterprise developers can exploit them, will rapidly advance cost-benefits.” Gardner goes on to argue that “the new neat trick will be managing how the clouds and SOAs relate and interact. And that spells more integration as a service, and more federated policy management and enforcement as a service. It’s a whole new abstraction for middleware.”

Now everything is for from perfect in the cloud world. A few things holding cloud computing back:

Take Me Back

First, in case you are not familiar with cloud computing, below is a general overview:

A few months back I did the post “Provenance and Trust” where I examined how provenance and trust relates to the relatively new IT architectures, such as cloud computing. I was recently asked to provide a few links to help people understand the concept of cloud computing. I thought I would share the information.

Let’s us return back to Larry Dignan, and a few industry leaders, at Web 2.0 Expo doing a great job discussing what they think cloud computing is:

Tim Mather, Chief Security Strategist for RSA Conference, makes the point in relation to IT architecture:

First, computing resources needed for scientific purposes are often huge, and yet infrequently used. What company wants to maintain enormous computing capabilities only to have such used infrequently? That’s simply not cost efficient. So effectively ‘renting’ computing capabilities (e.g., from Amazon’s Elastic Computing Cloud – EC2) can be much more cost efficient. (Of course, this is the same usage model employed by national supercomputer centers for years – timesharing.)

The IEEE Computer Society has posted their featured article, “What’s Hot for 2009?” Cloud computing holds the first sport. According to IDC:

The current economic meltdown coincides with the availability of rapidly maturing cloud-based services that are offered by a wide range of vendors. New mode of acquiring and delivering services promises the valuable benefit of low up-front costs combined with usage-based pricing are now available. These benefits alone will ensure that this new model will be considered as a viable alternative to traditional delivery models and as a result, IDC forecasts that the use of cloud-based services will increase in 2009 despite, and because of, the economic conditions. IDC also predicts rationalization and consolidation among the cloud vendors, with struggling vendors having strong vertical offerings being acquired by larger, more diversified players.

A Rose By Any Other Name

Taking a moment to look over at other service focused technologies, this month Anne Thomas Manes, a Research Director with the Burton Group asserted in her post “SOA is Dead; Long Live Services.” Manes stirred up the SOA marketplace when she wrote, “SOA met its demise on January 1, 2009, when it was wiped out by the catastrophic impact of the economic recession. SOA is survived by its offspring: mashups, BPM, SaaS, Cloud Computing, and all other architectural approaches that depend on “services.” Manes’ real point, to quote her is that “we should not be talking about an architectural concept that has no universally accepted definition and an indefensible value proposition. Instead we should be talking about concrete things (like services) and concrete architectural practices (like application portfolio management) that deliver real value to the business.”

David Linthicum, on his podcast, “Anne Thomas Manes and I talk about the ‘SOA is dead’ thing,” discuss her post. A most entertaining show.

Private Clouds

Linthicum also had the very interesting post, “Will SOAs morph into private clouds?” Private clouds address the need some organization shave to keep their resources within the company while moving to a more sharable computing infrastructure. Basically, private clouds work in the same way as public cloud services, but are run by the enterprises. Linthicum makes the statement, “as I look at the emerging patterns of use, I see a lot of crossover from SOA, and that’s not a bad thing.” Linthicum in his post, “It’s all architecture!” makes the point “SOA is an architectural pattern, and cloud computing is an instance of an architecture, private or not. It’s all architecture, nothing really changes other than where and how we deploy services, processes, and information management. Not much of a shift, but we do have new technology to play with, and sometimes that can be distracting.” Anne Thomas Manes identifies common patterns tp private clouds:

• shareable resources
• the ability to reuse storage, database, transactional, and business process management services
• they typically have governance frameworks surrounding them

Growing the Pie

Mikael Ricknäs has posted the article, “Battle brewing over next-generation private clouds,” where he suggests that “Enterprises could make their datacenters more efficient by turning them into private computing clouds — but the biggest winners could be companies like EMC, Cisco Systems, and Sun Microsystems, which stand to gain a larger share of datacenter spending.” Ricknas points that these large companies “will also use this as an opportunity to lock customers into their own solutions, Butler said. The message is that tying yourself to only one vendor will help you achieve the full benefits of a private cloud, according to Butler.”

Dana Gardner in his post, “Services consumers and developers must now mount pressure for cloud computing neutrality” argues that “we should also be concerned about any cloud provider exerting too much influence or setting de facto standards early on that diminish the cloud services market as a whole.” Gardner points out that the cloud computing “pie needs to grow first, and the market leaders can seek domination in some way later when the playing filed is established and perhaps somewhat level.” He suggest “making savvy choices that favor data portability, and recognizing that APIs that carry over from one hosting provider to another make for good market drivers that entice more consumers that can exercise more choice.”

Stephen O’Grady, industry analyst and founder of redmonk, in his post “Cloud Interop: The Wrap Up” discusses how he “collected some of the best and brightest in the cloud computing industry yesterday to look at what I consider to be a crucial question for the future of the industry: how do we protect customers from being locked in to platforms over which they have little or no control?” Their conclusion: you don’t. O’Grady goes on to explain, “As with any technology – cloud or on-prem – a certain degree of lock-in is borderline inevitable. Open source, as was discussed yesterday, can help, but it is no panacea. Protecting your technical investments, both now and in future, is and will remain more aspirational than achievable end.”

Security Concerns

Jon Brodkin in the Network World article, “Gartner: Seven cloud-computing security risks,” list the seven security issues Gartner identified that customers should raise with vendors before selecting a cloud vendor:

• Privileged user access
• Regulatory compliance
• Data location
• Data segregation
• Recovery
• Investigative support.
• Long-term viabilit

Thomas Bittman brought up the important matter of privacy in his post, “Virtual Cloud Privacy is Gray.” Bittman points out that variations of isolation in a cloud computing architecture. When it comes to vendors, one has to be very careful about what is
truly “private” and what is truly “shared”

The World Summit of Cloud Computing has posted videos for the two day summit. Craig Balding presentation on cloud computing and security, titled “Cloud Computing: The Need for a Security Conversation.” Balding explains his main point in his post, “IGT2008 World Cloud Computing Summit Videos Now Online” as:

We are venturing into the great unknown with layers of offerings, greater trust transitivity and new (and old) technologies meshed together in ways we frankly don’t understand. We need to progress the dialogue beyond crying out that the ‘Cloud is insecure’ or just saying ‘the biggest Cloud issue is security’ and get into the nitty gritty details. But my argument is we can only do that if the providers engage in that conversation. It’s one of the reasons I encourage Cloud providers to reach out and talk security – most large enterprises have responsibilities that mean they cannot treat the Cloud as a black box.

There was also a security panel discussion hosted by Sam Bercovici, Professor Barton P. Miller and Alexis Richardson, and Balding.

Jon Greaves, CTO of Carpathia, has made available the first chapter of their book titled “The Datacenter of the Future.” The chapter describes the evolution of security and privacy as we’ve progressed from issues such as the Morris worm of 1988 to today’s “it’s in the cloud” attitude. There are some very good insights in the chapter which explain how the past evolution of technology will influence the types of offerings ISPs and hosting companies will provide in the next decade. Ron Gula, Tenable Network Securities’ Chief Technology Officer, explains that he “answer specific questions on how cloud computing can impact our security posture, what sort of functions should/could be outsourced and how organizations can minimize their operating costs with virtual systems.”

Rich Mogull and Chris Hoff on the Network Security Podcast got into a discussion on cloud security recently. Specifically, their focus was on programming “our web applications to run on top of a cloud infrastructure, not dedicated resources in a colo or a ‘traditional’ virtual server.” A basic overview of their thoughts:

• Secure development (somewhat) breaks
• Static and dynamic analysis tools (mostly) break
• Vulnerability assessment and penetration testing… mostly don’t break
• Web application firewalls really break
• Application and Database Activity Monitoring break

Hoff in his post, “Hoff’s Upcoming VirtSec/CloudSec Presentations in 2009,” discusses how he is working on three major VirtSec/CloudSec presentations for 2009:

• Frogs-Cover The Frogs Who Desired a King
• Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure
• Mozart’s “The Marriage of Figaro”: Complexity & Insecurity Of the Cloud

I mention these presentations to get you interested in visiting Hoff’s site. Hoff regularly posts on cloud computing and security.

There was a panel discussion on “Security and Risk in the Cloud” from the “Computing in the Cloud” workshop put together by the Center for Information Technology Policy at Princeton University:

On January 14, 2009, the State of the Net conference was held in DC. The audio from the session “Policy Issues Facing Cloud Computing” has been released. David Schellhase, Salesforce.com acted as moderator with the superstar panel of Susie Adams, Chief Technical Advisor Microsoft, Alan Davidson, Google, and Jim Dempsey, Center for Democracy and Technology.

Final Thoughts

In this post, I tried to address a few of the basic concepts behind cloud computing along with a few important issues and finish with some thoughts involving security. Cloud computing will bring with it advantages and disadvantages, especially in the world of security. This post has not even scratched the surface. In a two thousand word post, all I can do is to try and get you interested in the subject and then show you the way to a wealth of additional information. Like Dorthy and the yellow brick road, follow the links. They will take you to the experts that have been working with issues involving the cloud for quite awhile now.

Trust Me, I’m from the Government

When bloggers fail to gain a level of trust through linking back to original sources, you should not trust a word that is said. Anyone can write a blog for a multitude of reasons. Why should you trust these anonymous people? Why should you trust me? How exactly are you handling valuable information that you encounter in a blog whose source you may not know or be able to trust?

In the world of blogging, consider George Siemens’ distinction between collective intelligence and connective intelligence. Collective intelligence is “a form of intelligence that emerges from the collaboration and competition of many individuals”. George defines connective intelligence as “individual creation of information, ideas, and concepts which are then shared with others, connected, and re-created and extended based on the interaction.” George goes on to state, “simply, collective means blending together. Connective means connecting while retaining the original (though others may build on it in their own spaces).” Put another way, “the collective presents a melting pot of ideas. The connective represents a mosaic of ideas.” Collective, provided there are enough people telling the truth and setting the record straight, will wash out incorrect information. Connective by retaining the original thought, and source, provides a degree of provenance and trust.

Concepts and Terminologies

The issue of provenance and trust is something security has been grappling with since the beginning. Some folks may be unfamiliar with the term “provenance.” The National Science Foundation defined provenance as:

Provenance refers to the knowledge that enables a piece of data be interpreted correctly. It is the essential ingredient that ensures that users of data (for whom the data may or may not have been originally intended) understand the background of the data. This includes elements such as, who (person) or what (process) created the data, where it came from, how it was transformed, the assumptions made in generating it, and the processes used to modify it.

Tim Mather, Chief Security Strategist for RSA Conference, posted “More on Data Integrity” where he explains, “For the vast majority of data, whether structured or unstructured, data lineage is sufficient. For scientific data, however, provenance is often required. For example, exactly how were the testing results of that new drug compound derived?” Tim goes on to make the point:

By now, after four years of SOx (for many companies in the United States), practitioners have a good understanding of data lineage – tracing relevant financial data through various applications within scope of the audit within the enterprise (or through 3rdparties’ SAS 70 Type II audits where required). This includes getting answers to such questions as where did the data originate? Where was it processed, stored, etc.? However, for other uses of data, “simple” data lineage is not good enough Some data requires further knowledge of its provenance (e.g., scientific data)

Scientific Research

It is interesting to take a brief look at some of the work being done in the scientific community where reliably reproducible results should be of paramount importance. Massive experiments are being carried out using computer systems with thousands of processors producing enormous amounts of data. This data needs to be captured, transported, stored, accessed, visualized and interpreted to extract knowledge. Jon Udell has written a post, “Trident: A workflow system for doing data-intensive science with reproducible results,” which discusses Trident. Trident is a “system for authoring, running, and tracking the provenance of scientific workflows — that is, sequences of computational steps that bridge the gap between the data produced by the Neptune sensor array and the COVE visualization system.” Roger Barga, a principal architect with Microsoft’s Technical Computing Initiative, describes Trident’s provenance capabilities as:

Think about it in terms of art. For a given piece of art, we’re able to establish through authorities that it’s original, where it came from, and who’s had their hands on it through its lifetime. Provenance for a workflow result is the same thing. Minimally we want to be able to establish trust in a result. If you think about how that happens, it often starts by considering who wrote the workflow. So with Trident you can click on a result and interrogate the history of the workflow: who wrote it, who reviewed it, who revised it, when it first entered the system.

We do versioning as well, so you can look at an old result and know that it was created by an old version of the workflow. And then have the ability to run the new version on the old dataset to see if it makes a difference.

We capture execution provenance so you know exactly how your result was created. We capture provenance on the workflows themselves so you know who created them, and who’s touched them.

You might be thinking about creating a community, where you click on a workflow and can say: “OK, I trust that post-doc.

In the area of networks, Wenchao Zhou , Eric Cronin, and Boon Thau Loo wrote the paper “Provenance-aware Secure Networks.” The paper examines network accountability and forensic analysis as a means of “performing network diagnostics, identifying malicious nodes, enforcing trust management policies, and imposing diverse billing over the Internet.” The paper:

1. Shows how network accountability and forensic analysis can be posed generally as data provenance computations and queries over distributed streams.
2. Proposes a taxonomy of data provenance along multiple axes, and show that they map naturally to different use cases in networks.
3. Suggests techniques to efficiently compute and store network provenance, and provide an initial performance evaluation on the P2 declarative networking system with modifications to support authenticated communication and provenance.

New Architectures

Let us examine how provenance and trust relates to the relatively new IT architectures, such as cloud computing. Just for a little background, and because I really like the video, below are a few IT leaders at Web 2.0 Expo providing a great job discussing what they think cloud computing is:

Tim makes the point in relation to IT architecture:

First, computing resources needed for scientific purposes are often huge, and yet infrequently used. What company wants to maintain enormous computing capabilities only to have such used infrequently? That’s simply not cost efficient. So effectively ‘renting’ computing capabilities (e.g., from Amazon’s Elastic Computing Cloud – EC2) can be much more cost efficient. (Of course, this is the same usage model employed by national supercomputer centers for years – timesharing.)

The article “Data provenance in SOA: security, reliability, and integrity” adds some additional insight into provenance and security. The article states, “consider data provenance, which concerns security, reliability, and integrity of data as they are being routed in the system…In an SOA system, however, one also needs to consider origins and routes of data and their impact, i.e., data provenance.” Consider that SOA is just an architect where basically you operate similar to a distributed computing system. In the end, it is all about the data, making the same points applicable to a distributed environment.

Returning to the issue of trust. There are multiple factors that may affect the data trustworthiness. The whole Internet is grappling with this idea and how to assigns trust scores to both data and data providers. Such trust scores represent key information based on which data users may decide whether to use the data and for what purposes. The paper, “An Approach to Evaluate Data Trustworthiness Based on Data Provenance” proposes a “data provenance trust model which takes into account various factors that may affect the trustworthiness and, based on these factors, assigns trust scores to both data and data providers. Such trust scores represent key information based on which data users may decide whether to use the data and for what purposes.”

In the article, “On Homeland Security and the Semantic Web: A Provenance and Trust Aware Inference Framework” a different approach that attempts to discover and evaluates semantic associations of information provided by many different sources. The paper describes, “how trust and provenance can be represented/obtained in the Semantic Web and then be used to evaluate trustworthiness of discovered semantic association and to make discovery process effective and efficient.”

Final Thoughts

In this post we have discussed the ideas of provenance and trust. Everything old is new again. New IT architectures were related to these basic ideas to demonstrate that no matter how cutting edge the IT ideas might be, everything gets back to the basic concept of trust. One cannot trust any information unless one know who or what created the data, where it came from, how it was transformed, what assumptions were made in generating it, and what processes were used to modify it.

Walter Dykas, senior researcher at the Oak Ridge National Laboratory (ORNL), recently said to me:

Security comes down to protecting your infrastructure. To do so, you must:

1. Enforce access rights at the lowest level possible.
2. Secure the trust infrastructure.
3. Implement assurance verification.

You can never have (1) without (2). If you have (2), (1) will follow. Finally, (3) is just watching the watchers. ‘Trust infrastructure’ is broad enough to cover technology and people. For example, an organization must have infrastructure for trusted communications and authorization, which again infers technology and people.

The The Open Group’s Jericho Forum agrees with Walter (see June’s Security Roundtable podcast for a good discussion on the group). The Jericho Forum argues that traditional network boundaries are disappearing in favor of complex online interrelationships that require more innovative security approaches. Deb Radcliff in her article “Information AND network protection: Finding the right mix“, explains how the group “advocates assigning priorities to data, focusing on the most critical areas, and applying secure communications and encryption around these classified resources.” Steven Bellovin, professor of computer science at Columbia University and co-creator of the Usenet online discussion system, summed it up in this way, “We need to think about the problem in a different way because what we’re doing [with perimeter protections] isn’t working. What we need is a more data-centric architecture with strong protections around the important data because security holes in the perimeter are inevitable.”

It is like my dear old dad would say, “You are not going to win any games if you don’t have the fundamentals down.” Of course he was talking about football, but the same rules apply to IT. Ori Brafman and Rom Brafman, authors of “Sway: The Irresistible Pull of Irrational Behavior” spoke at the Churchill Club with basically the same message. People due to fear and other motives move away from what they know are the fundamentals with disastrous results. ZDNet has posted this very interesting discussion.

One needs to keep focused on the fundamentals of protecting one’s infrastructure. Otherwise any attempts to implement the latest architectures and technologies is doomed to failure. In today’s world we are all interconnected and regrettably folks can be quite hostile. The Native Americans after Columbus’ landing learned this lesson the hard way. With that said, have a great Columbus and Native Americans’ Day.