Private sector can take lessons from federal network security projects

Ongoing network security initiatives at the federal level, including the Trusted Internet Connections program and the Einstein project, are helping provide a roadmap for the private sector, according to a network security expert. Michael Markulec, chief operating officer of network visualization vendor Lumeta Inc., said the initiatives will likely be used by companies that own network infrastructure at many of the nation's critical infrastructure facilities. In this wide-ranging interview, Markulec talks about whether deep packet inspection should be used to root out nefarious traffic, how cloud computing is changing the way companies approach network defenses, and whether credit card data can be truly protected using so-called end-to-end encryption. Markulec said good network security still comes down to a basic defense-in-depth approach.

"It is good basic blocking and tackling: Identify critical assets, deploy a defense-in-depth strategy, actively monitor your perimeter, and understand the insider threat."
Michael Markulec, Chief Operating Officer, Lumeta Inc.

You've been involved in network security projects at the federal level under the Trusted Internet Connections initiative. What is your take on the White House declassifying the executive summary of the Comprehensive National Cybersecurity Initiative?
It's good to see that they've declassified the CNCI, because if you're going to solve critical infrastructure kind of problems, 85% of critical infrastructure is in private hands, and we really need a partnership that we can all work on. Lumeta has clearances and we work with some of our clients on their classified networks, but you want to be able to bring the best and brightest to the table and I think the declassification of some of the security initiatives certainly does that.

On the TIC initiative specifically, the government is trying to drop the number of Internet access points it has to some manageable number. It's no different than what a lot of corporate organizations have done over the last several years. The government is unique in that they have offices all throughout the country. You can think of everything from the ranger station at the Grand Canyon to VA medical centers to military installations, and you can imagine the tens of thousands of Internet connections that are out there. The TIC initiative is an initiative to drop that number to bring it to some manageable number and then monitor those gateways to ensure they understand the traffic that is coming out as well as the traffic that is coming in to the government networks. I think a lot of agencies have made progress towards consolidation and we're now at the point where we're looking at those hard connections.

How intriguing is the Einstein System to you from what we know of it?
Einstein III is really to monitor these connections. They want to know what's flowing into and out of government networks. While the specific inner workings of Einstein have not been publicly announced, we can all assume that it's deep packet inspection at wire-line kind of speeds, looking at the actual content. So I think it's an important component of controlling access to government classified data.


In a privacy panel at the 2010 RSA Conference some of the experts talked about having the government mandate Internet service providers (ISPs) to conduct deep packet inspection and root out malware and other nefarious traffic. What are your thoughts on that?
The government certainly has the right to do it on their own networks. They manage and monitor their own networks. If you think about doing that at an ISP kind of level, you certainly get into privacy issues, but with the botnets we're seeing, the Trojans and worms and the general nuisance kind of stuff, in theory you would like your service providers to start to filter out that kind of malicious behavior. I understand the privacy concerns around them reading email, but I think there's clearly middle ground where you talk about things like denial-of-service (DoS) attacks; obviously service providers have tools to monitor that kind of traffic. Why not just take that traffic and flow it into a black hole so it doesn't affect the end user? I think we're really going to have to talk about it. We do it with other forms of communications and with other systems.

Let's talk about what many enterprises are doing with their network defenses. Has the way enterprises have gone about implementing network defenses changed over the last five or so years?
There's clearly a maturity curve. If you talk about government, financial services and pharmaceuticals, those guys are really out there fine tuning their systems. They've deployed a defense-in-depth strategy, they've got control of all the assets on their network, they control their ingress and egress points and they're really looking at fine tuning their systems. What I've seen over the last five years is more industries, more businesses moving along that curve to get to the point where the financial service firms are today. Even traditional businesses like manufacturing or petrochemical, about five or 10 years ago they really didn't have a concern about cybersecurity. But now that their control systems – the SCADA networks and power grids – are all becoming IP enabled, you see those organizations really moving forward, taking big leaps in their security posture. It is good basic blocking and tackling. Identify critical assets, deploy a defense-in-depth strategy, actively monitor your perimeter, and understand the insider threat. It's all stuff that the financial services arena and pharmaceuticals have been talking about for a decade. It's just now spread into the rest of the world. 

How is cloud computing changing the way companies approach their network defenses?
Being a network guy at heart, I can say we've had cloud computing for a long time. X.25 networks or frame relay networks were really cloud networks. They were public clouds that were shared by multiple users, and organizations like AT&T were providing storage and other kinds of services over that network. So, I don't tend to think of [cloud] as new; I think of it as renamed. But we face a couple of problems. As we look at the different layers of cloud computing, at a basic software-as-a-service kind of cloud, companies are concerned about application and data sharing. When you move to the platform-as-a-service level, you imagine hosting a large data center where they've got multiple clients logging in, and they face some physical connectivity issues – making sure that VLANs are set up properly, making sure that access control lists and firewalls are doing what they're supposed to be doing. And then when we're talking about cloud, I think we're ultimately talking about this infrastructure-as-a-service. Even in the federal government, the Defense Information Systems Agency (DISA) has its own cloud that's built inside of DISA to provide services to the different agencies. It's called rapid area computing environment (RACE). But these infrastructure-as-a-service offerings are really analogous to the old frame relay networks where you have multiple users on the same network – how do you separate the traffic? How do you make sure they're being tunneled properly? And it's really good old blocking and tackling. It's about understanding what you have and making sure that your access control lists and firewalls are doing what they're supposed to be doing.

The payment industry is grappling with the issue of protecting card holder data traveling through different networks. We hear a lot about end-to-end encryption of card data flowing through the network. Do you think that end-to-end encryption is possible?

End-to-end encryption is part of the solution. It's not a panacea. We just can't put everything on the Internet and expect end device to end device to encrypt for each other and transfer the data. Certainly you would want to protect the network that the secure connection is going over and even within that secure connection you would probably want to encrypt the data depending upon the level of security you would want. I think of this as defense-in-depth. Protect the data, whether it is at rest or in motion, protect the connection – that secure tunnel, and then protect the network as a whole. If you layer these defenses on, you've got a much better chance of ensuring that you get that secure transaction and nobody is hijacking that credit card information.
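Markulec's point about shared infrastructure above comes down to verifying that the access control lists actually keep one tenant's traffic away from another's, rather than trusting the intent behind each rule. The following is an added example, not code from the interview, from Lumeta or from any real device: it takes a constructed, hypothetical first-match ACL (format "permit|deny src dst [port]", implicit deny at the end) and two constructed tenant prefixes, and reports a concrete witness flow for every cross-tenant path the rule set permits. The first rule set orders a broad "management" exception ahead of the isolation denies, which is exactly the kind of ordering mistake that passes a visual review.

```python
"""Find cross-tenant flows that a first-match ACL actually permits.

Added example for illustration only. The ACL syntax, the tenant prefixes and
both rule sets are constructed here; they are not taken from the interview,
from Lumeta, or from any vendor's configuration language.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed tenant address space for a shared (multi-tenant) network.
TENANTS = {
    "alpha": ipaddress.ip_network("10.10.0.0/16"),
    "beta": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed rule set with an ordering mistake: the broad exception on the
# third line is matched before the isolation denies that follow it.
WEAK_ACL = [
    "permit 10.10.0.0/16 10.10.0.0/16",      # alpha talks to alpha
    "permit 10.20.0.0/16 10.20.0.0/16",      # beta talks to beta
    "permit 10.0.0.0/8 10.20.5.0/24 443",    # "management" exception, far too broad
    "deny 10.10.0.0/16 10.20.0.0/16",        # isolation rules, ordered too late
    "deny 10.20.0.0/16 10.10.0.0/16",
]

# Corrected rule set: isolation first, exception narrowed to the owning tenant.
FIXED_ACL = [
    "deny 10.10.0.0/16 10.20.0.0/16",
    "deny 10.20.0.0/16 10.10.0.0/16",
    "permit 10.10.0.0/16 10.10.0.0/16",
    "permit 10.20.0.0/16 10.20.0.0/16",
    "permit 10.20.0.0/16 10.20.5.0/24 443",
]


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]              # None matches any destination port


def _net(text: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text)


def parse_rule(line: str) -> Rule:
    """Parse the hypothetical '<permit|deny> <src> <dst> [port]' syntax."""
    parts = line.split()
    if len(parts) not in (3, 4) or parts[0] not in ("permit", "deny"):
        raise ValueError(f"bad rule: {line!r}")
    port = int(parts[3]) if len(parts) == 4 else None
    return Rule(parts[0], _net(parts[1]), _net(parts[2]), port)


def evaluate(rules: List[Rule], src, dst, port: int) -> str:
    """First match wins; anything that matches no rule is denied."""
    src, dst = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    for r in rules:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == port):
            return r.action
    return "deny"


def overlap(a: ipaddress.IPv4Network, b: ipaddress.IPv4Network):
    """Two CIDR blocks either nest or are disjoint; return the smaller if they nest."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def find_cross_tenant_permits(acl_lines: List[str], tenants) -> List[Tuple]:
    """Return (src_tenant, dst_tenant, rule_index, src_ip, dst_ip, port) witnesses.

    Sound but not complete: every finding is a flow the ACL really permits, but
    a deny that covers only the chosen witness addresses could hide a leak in
    another part of the same overlap.
    """
    rules = [parse_rule(line) for line in acl_lines]
    findings = []
    for sname, snet in tenants.items():
        for dname, dnet in tenants.items():
            if sname == dname:
                continue
            for i, r in enumerate(rules):
                if r.action != "permit":
                    continue
                s_ov, d_ov = overlap(r.src, snet), overlap(r.dst, dnet)
                if s_ov is None or d_ov is None:
                    continue
                # Witness: first address of each overlap, run through the full chain
                # so that an earlier deny is honoured.
                src_ip, dst_ip = s_ov[0], d_ov[0]
                port = r.dport if r.dport is not None else 0
                if evaluate(rules, src_ip, dst_ip, port) == "permit":
                    findings.append((sname, dname, i, str(src_ip), str(dst_ip), port))
    return findings


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("fixed", FIXED_ACL)):
        print(name, find_cross_tenant_permits(acl, TENANTS))
```

Run against the weak rule set, the checker reports that the third rule lets any alpha host reach beta's 10.20.5.0/24 on port 443, with a concrete source and destination address you can replay against the real device; the corrected rule set produces no findings. The check is deliberately conservative: it never reports a flow the chain would deny, but it only samples one address pair per overlapping rule, so it complements rather than replaces a full review of rule ordering.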
