Tip

NSA best practices for data security

Richard W. Walker, Contributor

As they move toward a continuous monitoring model, federal security managers will still have to show compliance with government security mandates and regulations. But more fully integrating security into everyday information technology management will help ensure both compliance and systems security, according to federal security experts. And automating the gathering of data from everyday IT operations is at the heart of it.


Inside the NSA's trusted computing strategy

In this interview from the second annual NSA Trusted Computing Conference in Orlando, the NSA's Tony Sager discusses why the concepts of trusted computing are of foremost importance to the NSA and how they’re being put to work to solve the network and endpoint integrity problems faced by the public and private sector alike.
 

“The future has to be this--the vast majority of the data that’s created should flow as a byproduct under IT management, not as separate data,” said Tony Sager, chief operating officer for the Information Assurance Directorate at the National Security Agency. “People dream up a [Federal Information Systems Management Act], [or] this oversight and that compliance, and then say, ‘You must give me a report.’ There’s been no other way to do it. We treat it as a separate thing. That’s just crazy.”

What Sager called proactive “network hygiene” will go a long way toward managing 80 to 90 percent of security issues.

“Here’s one of the great unspoken secrets of this business: the vast majority of the problems have a known solution,” he said in a discussion on NSA best practices for data security. “Believe me, a well-run network is a hard target.”

The key to better network hygiene and stronger security will be automation. “The goal is to demonstrate compliance with data generated off of IT,” Sager said. “We’ve got to automate a lot more of this stuff so we put the precious few humans we have to work on really hard problems—not patching, configurations, that kind of stuff.”

Initiatives such as Common Weakness Enumeration (CWE), a software-community project sponsored by Mitre Corp. and designed to encourage industry to create security tools, will help drive security automation. The goal of CWE is to create an online catalogue of software weaknesses and vulnerabilities, to better understand flaws in software and to create automated tools that can be employed to identify, fix and prevent those flaws.

“There are 46,600 vulnerabilities, but root causes are fewer than a thousand,” said Joe Jarzombek, director of software assurance at the Department of Homeland Security. “We [need to] attack the root cause. You still have to do all the patches because you’ve got all this legacy stuff. But simply patching for known vulnerabilities that were discovered by somebody else is just reactive,” he added. “You have to go after the root cause of common weaknesses. There are tools and services that [can do that]. Otherwise, you’re always trying to play catch up.”

Here are a couple of points to keep in mind:

  • Security and astute IT management go hand in hand. “Changing this notion of security to something not that we create up front and lock forever but to something that we measure and manage is a really important conceptual change and is the underlying theme behind continuous monitoring,” Sager said.
  • Compliance and policy are still important. “It’s not that compliance isn’t important,” Sager said. “It’s really important. Oversight and policy -- these things matter but they’ve been misaligned with technology. If policy says…‘protect this information because it is really important’ but it doesn’t recognize the technology paths to get there, then we’ll never get there.”

This was first published in November 2011
