May 08 2008

Time for Security

Having already consolidated its own Internet access points, DOD has experience that other agencies can draw on to meet the Trusted Internet Connection (TIC) mandate.

The move to fewer Internet gateways clearly unnerves agencies: When the Office of Management and Budget asked agencies to provide a list of the gateways they wanted to keep, they identified more than 1,900 in all — roughly 1,850 more than OMB wants agencies to use governmentwide.

As a starting point, OMB estimates the government maintains about 4,000 Internet gateways, says Karen Evans, administrator for e-government and IT. Agencies can keep a gateway if they can justify a unique need.

Essentially, OMB based the Trusted Internet Connection plan on the Defense Department’s successful consolidation of Internet gateways. DOD now runs all traffic through 15 to 19 gateways, says Defense Deputy CIO David Wennergren.

Making the shift engenders a classic turf battle, he says: the control freaks in the agencies won’t want to cede their gateway jurisdictions. It’s the job of IT to help program managers understand the benefits of moving to fewer gateways, which include better security and fewer management concerns, Wennergren says. Plus, “there’s no reason that anyone has to take a performance hit when you consolidate your Internet access points.”

Here are pointers Wennergren offers, drawn from DOD’s consolidation effort:

  • Develop a process that’s repeatable. The number of gateways that an agency needs will fluctuate, so define the rules for when to set one up and when to shutter one.
  • Institute a standard enforcement process for gateway governance so that IT can monitor what managers need from their Internet gateways to achieve their mission goals.
  • Create a demilitarized zone (DMZ), a segment where both trusted and untrusted connections can terminate. The DMZ will let you keep outside users out of your production networks — “crucial in the Web-based world.”
  • Keep the total number of gateways at fewer than two dozen. “With more than a couple dozen, you can’t afford to monitor and you can’t get the job done.”
  • Make sure you have agency buy-in. Because gateway needs will change and this effort demands governance, “the agency chief has to care about this, and they have to care more than one time.”
  • Consider partnering with other agencies to create classification and log-review organizations because it’s fairly expensive to do this research and to review mass volumes of traffic.
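The DMZ pointer above is the one architectural item in the list, so here is an added illustration of it as a consolidated-gateway firewall ruleset. This is example configuration written for this page, not DOD’s or any agency’s actual ruleset; the interface names (eth0 = Internet, eth1 = DMZ, eth2 = production), the address ranges and the host addresses are all assumed for illustration. The point it shows is that the only path from the Internet into production runs through a host in the DMZ, and even that host is allowed a single, named flow into the production network; everything else falls to the default drop and is logged for whoever does the log review.

```nft
#!/usr/sbin/nft -f
# Hypothetical three-zone gateway (added example, not an agency's real configuration).
# Assumed layout:
#   eth0  Internet (untrusted)
#   eth1  DMZ        10.10.0.0/24  (10.10.0.10 = public web server, 10.10.0.20 = outbound proxy)
#   eth2  Production 10.20.0.0/16  (10.20.5.20 = application database)
flush ruleset

table inet gateway {
    chain forward {
        # Default policy: drop anything not explicitly permitted below.
        type filter hook forward priority 0; policy drop;

        # Replies to permitted connections may flow back in either direction.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published web service, nothing else.
        iifname "eth0" oifname "eth1" ip daddr 10.10.0.10 tcp dport { 80, 443 } accept

        # DMZ -> production: one named flow, from the web host to the database port.
        # No other DMZ host and no other production destination is reachable.
        iifname "eth1" oifname "eth2" ip saddr 10.10.0.10 ip daddr 10.20.5.20 tcp dport 5432 accept

        # Production users reach the Internet only through the DMZ proxy,
        # and only the proxy is allowed to open outbound web connections.
        iifname "eth2" oifname "eth1" ip daddr 10.10.0.20 tcp dport 3128 accept
        iifname "eth1" oifname "eth0" ip saddr 10.10.0.20 tcp dport { 80, 443 } accept

        # Everything else, including any direct Internet -> production attempt,
        # is logged and then dropped by the chain policy.
        log prefix "gw-drop: " counter
    }
}
```

Note that there is deliberately no rule with `iifname "eth0" oifname "eth2"`: an Internet-sourced packet addressed to the production range never matches an accept and is dropped. Adding a second published service means adding one more explicit line in the Internet-to-DMZ section, which is the repeatable, reviewable process the earlier pointers call for; the drop log is what a shared log-review group would consume.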