FedTech - Technology Solutions That Drive Government https://fedtechmagazine.com/rss.xml en How the Intelligence Community Will Make Use of Microsoft’s Azure https://fedtechmagazine.com/article/2018/06/how-intelligence-community-will-make-use-microsofts-azure <span>How the Intelligence Community Will Make Use of Microsoft’s Azure </span> <span><span lang="" about="/user/6191" typeof="schema:Person" property="schema:name" datatype="">phil.goldstein_6191</span></span> <span>Tue, 06/19/2018 - 12:00</span> <div><p>The intelligence community can always use <strong>more technological capabilities</strong> as it seeks to conduct espionage and ferret out national security threats.</p> <p>That’s a key reason why last month the IC struck an agreement with <a href="https://www.cdwg.com/content/cdwg/en/brand/microsoft.html" target="_blank">Microsoft</a> to use the software giant’s <a href="https://www.cdwg.com/content/cdwg/en/brand/microsoft/windows-10.html" target="_blank">Windows 10</a> platform and Cloud for Government, including <a href="https://www.cdwg.com/content/cdwg/en/brand/office365.html" target="_blank">Office 365</a> U.S. Government and <a href="https://www.cdwg.com/content/cdwg/en/brand/microsoftazure.html" target="_blank">Azure</a> Government. 
<a href="https://www.bloomberg.com/news/articles/2018-05-16/microsoft-wins-lucrative-cloud-deal-with-intelligence-community" target="_blank">As Bloomberg News reports</a>, “Microsoft’s new deal renews and expands a previous agreement” between the Office of the Director of National Intelligence (ODNI) and <a href="https://www.cdwg.com/content/cdwg/en/brand/dell-emc-interstitial.html" target="_blank">Dell</a>, which licenses Microsoft’s products to the federal government.</p> <p>In an interview <a href="https://federalnewsradio.com/ask-the-cio/2018/05/intelligence-community-brings-on-microsoft-as-key-piece-to-second-epoch-of-icite/" target="_blank">with Federal News Radio</a>, John Sherman, CIO in the ODNI, says that the agreement not only gives the nation’s 17 intelligence agencies<strong> access to cloud-based productivity services via Office 365 but cognitive computing capabilities in Azure</strong>. The cloud platform enables the IC to more rapidly adopt artificial intelligence, which has been <a href="https://fedtechmagazine.com/article/2017/10/why-intelligence-agencies-are-so-interested-ai">a key area of focus for the country’s spy agencies</a>.</p> <p>Under the agreement,<strong> each agency can choose whether and when to adopt Microsoft’s cloud</strong>, Dana Barnes, the vice president of Microsoft’s national security group, tells Bloomberg.</p> <h2>Microsoft Deal Helps Intelligence Community Adopt AI</h2> <p>Sherman has made clear that the intelligence community will not be locked into any one vendor and will continually go in search of new IT capabilities to fulfill its mission.</p> <p>“One of the things I’ve got clear guidance on is <strong>we will always be looking for new technologies, new industry capabilities on cloud computing</strong>,” Sherman tells Federal News Radio.</p> 
<p>“One of the priorities we have in the IC is to move to artificial intelligence and machine learning, and this cloud computing foundation is absolutely critical in getting us there,” he notes. The Microsoft platform is “complementary to the broader arrows in our quiver.”</p> <p>Indeed, Toni Townes-Whitley, Microsoft's corporate vice president of industry, <a href="https://blogs.microsoft.com/blog/2018/05/16/microsoft-dell-enter-into-transformative-agreement-with-the-us-intelligence-community-for-microsoft-cloud-services-for-government/" target="_blank">writes in a company blog post</a> that the deal “positions Microsoft to help the IC achieve its mission at home and around the world with a trusted cloud and modern workplace solution that keeps critical data secure, <strong>while delivering advanced capabilities including artificial intelligence, machine learning </strong><strong>and</strong><strong> large-scale data analysis</strong>.”</p> <p>Among the capabilities Townes-Whitley touts for Microsoft’s Cloud for Government platform are “the power of deep learning across applications, through Microsoft’s AI solutions such as <a href="https://azure.microsoft.com/en-us/services/cognitive-services/" target="_blank">Cognitive Services</a>.”</p> <p>Under the deal, the IC will have “access to Azure for some types of cognitive services” says Sherman. 
The inclusion of Microsoft along with other cloud services means that executives, operators and analysts within the IC will be able to analyze information and make decisions even faster.</p> <p>Sherman says that there are<strong> “some eye-watering things we are doing” on counterterrorism, as well as following state and nonstate actors</strong> “who mean to do this country harm.” The IC can now stay ahead of those threats more readily, he says, whereas two decades ago analysts like Sherman would be looking at satellite imagery and “would have to feed this into a very manual process.”</p> <p>“We are at a very different place now to have to stay ahead of the reams of data that come in from all the different intelligence collectors,” he says.</p> <h2>IC Also Aims for Cloud-Based Office Productivity</h2> <p>In addition to AI capabilities, the intelligence community is turning to Microsoft for <strong>more prosaic cloud-based office productivity tools</strong>.</p> <p>“After recent Windows iterations here, we were under the impression that there would not be any more [Office] offerings like they used to do,” Sherman tells Federal News Radio.</p> <p>“We are excited about what Microsoft products and services we can leverage, and O365 is a real coin of the realm capability that all 17 agencies need and this was almost a no-brainer for us to leverage it this way and have a software-as-a-service capability like this,” he says, referring to Office 365.</p> <p>With Office 365, IC employees “can stay productive from anywhere, using virtually any device, with <strong>a seamless platform experience and leading capabilities for mobility, teamwork, analytics, accessibility and AI-driven search</strong>,” Townes-Whitley notes.</p> <p>To ensure world-class security, Azure Government’s eight geographically distributed, highly available government-only data center regions host no commercial data, according to Townes-Whitley. Only U.S. 
federal, Defense Department, state and local governments and their partners have access to this dedicated instance of Azure, which is operated by screened U.S. persons.</p> </div> <div> <div class="field-author"> <div id="taxonomy-term-" class=""> <div class="author-photo"> <a href="/author/phil-goldstein"><img src="/sites/fedtechmagazine.com/files/styles/face_small/public/people/CoMfravQ_400x400.jpg?itok=W9IAwS8L" width="58" height="58" alt="Phil Goldstein" typeof="foaf:Image" /> </a> </div> <div class="author-info"> <span>by </span><a rel="author" href="/author/phil-goldstein"> <div>Phil Goldstein</div> </a> <a target="_blank" class="twitter" href="https://twitter.com/intent/follow?region=follow_link&amp;screen_name=philgoldstein&amp;tw_p=followbutton&amp;variant=2.0"><span>Twitter</span></a> </div> <div class="author-bio"> <p> <div><p>Phil Goldstein is a web editor for <em>FedTech</em> and <em>BizTech</em>. Besides keeping up with the latest in technology trends, he is also an avid lover of the New York Yankees, poetry, photography, traveling and escaping humidity.</p> </div> </p> </div> </div> </div> </div> Tue, 19 Jun 2018 16:00:22 +0000 phil.goldstein_6191 40991 at https://fedtechmagazine.com The End of the Common Access Card Could Be in Sight https://fedtechmagazine.com/article/2018/06/end-common-access-card-could-be-sight <span>The End of the Common Access Card Could Be in Sight</span> <span><span lang="" about="/user/6191" typeof="schema:Person" property="schema:name" datatype="">phil.goldstein_6191</span></span> <span>Mon, 06/18/2018 - 13:43</span> <div><p>The official start of summer is almost here, and so is the beginning of the end of the Common Access Card.</p> <p>The Defense Department <a href="https://fedtechmagazine.com/article/2016/12/dod-start-testing-secure-alternatives-common-access-cards-after-christmas">has long sought</a> to <a href="https://fedtechmagazine.com/article/2017/07/dod-tests-replacement-cac-card">move beyond</a> the <a 
href="https://fedtechmagazine.com/article/2018/01/dod-wants-transform-its-authentication-technology">CAC</a> to authenticate users’ identities, but now it’s getting serious about doing so. The Defense Information Systems Agency, the Pentagon’s IT services branch, <strong>plans to roll out the first CAC replacement prototypes this summer</strong>, according to top DISA officials.</p> <p>The shift, which will begin with the initial rollout of prototype authentication devices this summer, is part of a broader plan within DISA to deploy new ways to validate users’ identities through biometrics that <strong>go beyond the normal methods of authentication, and include a user’s gait, or manner of walking</strong>.</p> <p>DISA has been working to develop a suite of seven multifactor authentication tools. In <a href="https://www.youtube.com/watch?v=5-BuGc9TQc4" target="_blank">a video DISA posted in December</a>, the seven factors include GPS location, voice recognition, facial recognition, device orientation, trusted peripherals and trusted networks, as well as gait.</p> <p>“Prototype devices for establishing assured identity are being developed right now,” Vice Adm. Nancy Norton, DISA’s director, said at an AFCEA cybersecurity operations conference in Baltimore in May, <a href="https://fcw.com/articles/2018/05/15/cac-disa-replacement.aspx" target="_blank"><em>FCW</em> reports</a>. 
“The first few will arrive this summer to assist with determining the right test parameters,” <strong>with the agency planning to distribute 75 devices later this fall</strong>.</p> <h2>DISA Plans Overhaul of Authentication Tech</h2> <p><a href="http://www.cac.mil/common-access-card/" target="_blank">The CAC</a> is a “smart” card about the size of a credit card, and it’s the standard identification issued to active-duty uniformed service personnel, selected reserve, DOD civilian employees and eligible contractors, the DOD notes. It is also the principal card used to <strong>grant physical access to buildings and controlled spaces, and it gives users access to DOD computer networks and systems</strong>. Last year, <a href="https://fedtechmagazine.com/article/2017/07/dod-tests-replacement-cac-card">the DOD tested alternatives to the CAC</a>.</p> <p>However, the DOD wants to make authentication via biometrics easier for soldiers in the field. Identity management is becoming more critical as war fighters become more mobile. DISA wants to <strong>provide ways for officers and DOD officials to access classified and sensitive data on the go</strong>.</p> <p>At the AFCEA conference, Norton said DISA will deploy an additional prototype that will give DOD testers “a more convenient alternative to using a CAC for authentication, decryption, and signing operations in [a] Microsoft Windows PC environment,” according to <em>FCW</em>.</p> <p><a href="https://www.nextgov.com/emerging-tech/2018/05/pentagon-has-big-plan-solve-identity-verification-two-years/148263/" target="_blank">According to Nextgov</a>, the authentication pilot program is being developed by an unnamed private company with DISA funding. 
The technology, which will be embedded in smartphones, <strong>will use a variety of unique identifiers, such as the hand pressure and wrist tension when a user holds a smartphone and the user’s gait</strong>, Steve Wallace, technical director at DISA, tells Nextgov.</p> <p>The publication reports:</p> <blockquote><p>Organizations that use the tool can combine those identifiers to give the phone holder a “risk score,” Wallace said. If the risk score is low enough, the organization can presume the person is who she says she is and grant her access to sensitive files on the phone or on a connected computer or grant her access to a secure facility. If the score’s too high, she’ll be locked out.</p> </blockquote> <p>Wallace tells Nextgov the new tool will be able to continuously gather and verify encrypted identifying information.</p> <p>After the pilots this fall and after kinks have been worked out, Wallace says that the tool will be embedded inside smartphone chipsets, and <strong>smartphone makers that supply the DOD with equipment will need to update their phones to take advantage of it</strong>. Wallace tells Nextgov he expects the technology to be commercially available within a couple of years and that the capabilities will be available “in the vast majority of mobile devices.”</p> <p>It’s unclear how many smartphone makers or DOD organizations will use the tool, but<strong> it will be up to DOD components on whether they want to use it</strong>, Wallace tells Nextgov. DISA worked with some private-sector organizations, including in the financial sector, to gather data on whether the verification tool also meets their needs, according to Wallace. 
“We foresee it being used quite widely,” he says.</p> </div> <div> <div class="field-author"> <div id="taxonomy-term-" class=""> <div class="author-info"> <span>by </span><a rel="author" href="/author/phil-goldstein"> <div>Phil Goldstein</div> </a> </div> </div> </div> </div> Mon, 18 Jun 2018 17:43:14 +0000 phil.goldstein_6191 40986 at https://fedtechmagazine.com Review: NetApp AFF A700s Integrates Government Data Center and Cloud Storage https://fedtechmagazine.com/article/2018/06/review-netapp-aff-a700s-integrates-government-data-center-and-cloud-storage <span>Review: NetApp AFF A700s Integrates Government Data Center and Cloud Storage</span> <span><span lang="" about="/user/6191" typeof="schema:Person" property="schema:name" datatype="">phil.goldstein_6191</span></span> <span>Fri, 06/15/2018 - 09:55</span> <div><p>Small is relative when it comes to federal agencies — the Office of Management and Budget <a href="https://www.gao.gov/products/GAO-14-344" target="_blank">defines it as 6,000 workers or fewer</a> — but those agencies are often divided into even smaller components that still have big storage needs.</p> <p>Few vendors can deliver a storage system that can scale from a handful of users to thousands. 
Enter <a href="https://www.cdwg.com/product/NETAPP-AFF-A700S-HA-24X7.6TB-40GBE/4853105" target="_blank">the NetApp AFF A700s</a>, which <strong>retains the simplicity of a small system while scaling to a multinode cluster that can support thousands of users</strong>.</p> <p>The four-unit rackmount chassis accommodates dual controllers, 24 solid-state drives (SSDs) and eight PCIe expansion slots (for additional network ports), and can support 8-, 16- and 32-gigabit-per-second Fibre Channel, 40 Gigabit Ethernet, and <strong>both storage area network (SAN) and network-attached storage (NAS) functionality</strong>.</p> <p>Included ONTAP data management software makes it simple to start with one system and add as many as 24 in a cluster, then expand with cloud-based storage for cheaper replication targets and offsite fault tolerance or to support workloads that migrate from the data center to the cloud.</p> <p><a href="https://www.cdwg.com/content/cdwg/en/brand/netapp.html" target="_blank">NetApp</a> specifies as many <strong>as 7 million input/output operations per second </strong>(IOPS) and an effective capacity of up to 155 petabytes, with a maximum raw capacity of 39PB in NAS configuration, or 19.8PB raw and 77.8PB effective in SAN configuration. Of course, effective capacity depends on both compression and deduplication, which can boost results exponentially — up to five or six times raw capacity, depending on the type of data being stored.</p> <p>A single node can hit 600,000 IOPS, with an effective capacity of up to 13PB.</p> <p>Configuration of a single A700s is simple, and adding it to an existing cluster is<strong> straightforward, given </strong><strong>the large</strong><strong> number of options</strong>. The installation wizard makes the initial configuration easy for any administrator familiar with data storage concepts, even without NetApp training or support. 
Both are available online or over the phone.</p> <h2>Intuitive User Interface Makes Storage for Feds a Snap</h2> <p>Creating volumes and setting up replication was <strong>very intuitive, with a well-developed user interface</strong>. The same can be said about enabling compression and deduplication, and enabling SAN protocols over Fibre Channel or iSCSI, or NAS protocols using NFS or CIFS/SMB.</p> <p>A clustered system <strong>adds both resiliency and performance</strong>: The failure of any one node will not result in downtime, and performance increases with each node.</p> <p><img alt="NetApp AFF A700s product features" data-entity-type="" data-entity-uuid="" src="/sites/fedtechmagazine.com/files/Q0218-ST_PR-Harbaugh-NetApp_product.jpg" /></p> <h2>Enter Hybrid Storage That Scales for Agencies </h2> <p>The AFF A700s easily scales to 24 nodes to deliver fault-tolerant, high-performance and high-capacity storage that can be administered from a single dashboard.</p> <p>When demand calls for even more storage, <strong>the system adds cloud capacity from multiple vendors as well as </strong><strong>legacy</strong><strong> hard drive–based storage systems in the data center</strong>.</p> <p>ONTAP data management software can automatically move data between tiers to maximize performance for the most active data. (Data that hasn’t been used for a while can be moved to a less expensive storage tier.) The software also migrates data to keep it with the server instance that needs it.</p> <p>As workloads move from one virtual machine to another (on a server in the data center or in the cloud), keeping the data with the app becomes more complex. 
NetApp’s software simplifies that process, <strong>allowing a new snapshot of the existing data to be created for a new version of the app, or for the existing data to migrate from one storage volume to another</strong>.</p> <p>Within a system where an app may need to shift from one data center to another, such flexibility becomes even more important.</p> <h3 id="toc_0">NetApp AFF A700s Specifications</h3> <p><strong>Max Drives</strong>: 24 SSDs<br /><strong>Max Capacity</strong>: 39PB<br /><strong>Max IP Routes</strong>: 20,000 IPv4; 6,000 IPv6<br /><strong>Rackmount Size</strong>: 4U<br /><strong>Ports</strong>: 8 Fibre Channel, 12 40GbE, 24 10GbE, 8 SAS<br /><strong>Storage Networking</strong>: FC, iSCSI, NFS, CIFS/SMB</p> </div> <div> <div class="field-author"> <div id="taxonomy-term-" class=""> <div class="author-photo"> <a href="/author/logan-g-harbaugh"><img src="/sites/fedtechmagazine.com/files/styles/face_small/public/author/logan_harbaugh.jpg?itok=P-ASBGv_" width="58" height="58" alt="" typeof="foaf:Image" /> </a> </div> <div class="author-info"> <span>by </span><a rel="author" href="/author/logan-g-harbaugh"> <div>Logan G. Harbaugh</div> </a> </div> <div class="author-bio"> <p> <div><p>Logan G. Harbaugh is a longtime technology journalist with experience reviewing a wide range of IT products.</p> </div> </p> </div> </div> </div> </div> Fri, 15 Jun 2018 13:55:31 +0000 phil.goldstein_6191 40981 at https://fedtechmagazine.com Is Your Agency Ready for a Move to the Cloud? https://fedtechmagazine.com/article/2018/06/your-agency-ready-move-cloud <span>Is Your Agency Ready for a Move to the Cloud? 
</span> <span><span lang="" about="/user/6191" typeof="schema:Person" property="schema:name" datatype="">phil.goldstein_6191</span></span> <span>Thu, 06/14/2018 - 09:03</span> <div><p>The White House <a href="https://fedtechmagazine.com/article/2017/12/white-house-releases-final-it-modernization-report">has made it clear</a>: federal agencies must accelerate their adoption of commercial cloud solutions. Some agencies, like the Navy, are <a href="https://fedtechmagazine.com/article/2018/03/navy-plans-complete-massive-cloud-migration-2021">undertaking ambitious cloud migrations</a>. </p> <p>While many agencies have placed simple workloads in the cloud, some are resisting a more aggressive move. By placing more of their workloads in public, private and hybrid clouds, agencies can achieve benefits including flexibility, agility and cost savings — but only if they do so strategically. The first step is to<strong> assess the agency’s existing environment to set goals, identify potential stumbling blocks and determine which resources to move first</strong>.</p> <p>“Everybody’s ‘ready’ for the cloud, but the real question is,<strong> ‘How prepared are you?’</strong>” says <a href="https://www.forrester.com/Lauren-E.-Nelson" target="_blank">Lauren Nelson</a>, a principal analyst with Forrester. “What you find out about your organization during a preparedness assessment doesn’t change your ability to move, but it may affect your timeframe and require you to make additional investments.”</p> <h2>How to Recognize the Challenges for an Agency Cloud Migration </h2> <p>The considerations surrounding a move to the cloud can feel overwhelming: Which workloads should you start with? What workloads may prove difficult to migrate? 
<strong>Does the agency have the networking and data center capacity to support cloud resources?</strong> <strong>Should workloads move to a public, private or hybrid cloud?</strong></p> <p>The truth is that IT and agency leaders who are considering these challenges are already better positioned than many of their peers. While Nelson says organizations shouldn’t use horror stories as an excuse to drag their feet, many have made the mistake of starting “too big” — led by broad executive mandates, rather than a strategic focus on business goals.</p> <p>“People grab onto case studies and talk about moving their entire organizations to the cloud in 20 days,” Nelson says. “That’s where people get grandiose ideas and plans that are flawed from the start. Many exciting popular case studies include a good deal of marketing that strips out key limitations to seemingly grandiose plans.”</p> <p>Ivan Oprencak, director of product marketing for <a href="https://www.cdwg.com/content/cdwg/en/brand/vmware.html" target="_blank">VMware</a> Cloud, says that <strong>“pretty much all” of the customers he speaks with have incorporated public cloud somewhere in their IT strategies</strong>. “The differences lie in how much of their environment will be public cloud, which workloads make sense, and how far organizations are on their journey to execute their strategies,” Oprencak says. “Customers are still, for the most part, trying to figure that out.”</p> <p>Failures frequently occur, Oprencak says, when leaders make the mistake of thinking that<strong> the simplicity of cloud computing models will translate into simple migrations</strong>. “People often have a mindset of, ‘This is simple, and I can do it quickly,’” he says. “The reality is, that’s often not the case.” Oprencak cites the example of one organization that set out to migrate 400 workloads in 18 months, but only ended up completing five of those migrations. 
“Some workloads are easier to move than others,” he says.</p> <p>Tim Hanrahan, principal for <a href="https://www.cdw.com/content/cdw/en/solutions/cloud/cloud-experts.html" onclick="javascript:CdwTagMan.createElementPageTag(window.cdwTagManagementData.page_name, 'Rich Text|Cloud Overview | Cloud Computing, Storage &amp; Custom Solutions |');" title="Meet our Cloud Experts">Cloud Client Services at CDW</a>, says that some customers have told him they want to shift their entire data center to the public cloud, <strong>only to reveal that they haven’t even implemented virtualization</strong>. Further, many of their legacy applications are still running on operating systems not supported by major cloud providers. Rather than blindly pursuing this sort of “all-in” push, he says, organizations should examine how the cloud can help them <strong>drive efficiency given their existing environments, and then prepare accordingly</strong>.</p> <p>“It’s not about implementing cloud for the sake of implementing cloud,” Hanrahan says. “It’s about looking at the business strategy and finding where cloud fits.”</p> <h2>Get Started on Moving Your Agency to the Cloud </h2> <p>Agencies often begin their cloud journeys by <strong>experimenting with workloads that aren’t mission-critical</strong>, and that won’t hamper operations if performance or availability issues arise. <strong>Disaster recovery</strong> is one popular use case.</p> <p>However, in agencies that have made the cloud a significant part of their IT strategies, leaders may want to place more critical resources in the cloud earlier on, <strong>to quickly learn lessons about managing and maintaining applications in the cloud over time</strong>. In these instances, it is typically much easier to first build out new applications, rather than migrate existing resources.</p> <p>“A lot of disappointment comes from ‘lift and shift,’” says Oprencak. 
“<strong>When organizations design something from scratch for the cloud, it tends to be more successful.</strong>”</p> <p>Many agencies rely on a third-party partner to help them determine their organizational readiness and take their first steps toward the cloud. During such cloud engagements, consultants can assist organizations with integration plans, infrastructure reviews, planning analyses, financial modeling and validation for available cloud options.</p> <p>“You need <strong>tools to scan your environment.</strong> There’s a lot of data to collect and process to make educated decisions. Leveraging tools and experience from people who have actually gone that route accelerates and optimizes migration strategies,” says Nelson. “Migrating existing workloads is so intensive that I have very rarely seen anybody do it alone.”</p> <p><a href="https://www.cdwg.com/content/cdwg/en/solutions/cloud/overview.html" target="_blank">Learn more about</a> how CDW can help you select the right cloud provider and design the perfect solution for your agency.</p> </div> <div> <div class="field-author"> <div id="taxonomy-term-" class=""> <div class="author-photo"> </div> <div class="author-info"> <span>by </span><a rel="author" href="/author/fedtech-staff"> <div>FedTech Staff</div> </a> </div> <div class="author-bio"> <p></p> </div> </div> </div> </div> Thu, 14 Jun 2018 13:03:01 +0000 phil.goldstein_6191 40971 at https://fedtechmagazine.com Infrastructure that Adapts Can Boost Feds' Cybersecurity https://fedtechmagazine.com/article/2018/06/infrastructure-adapts-can-boost-feds-cybersecurity <span>Infrastructure that Adapts Can Boost Feds&#039; Cybersecurity </span> <span><span lang="" about="/user/6191" typeof="schema:Person" property="schema:name" datatype="">phil.goldstein_6191</span></span> <span>Wed, 06/13/2018 - 14:21</span> <div><p><a href="https://fedtechmagazine.com/article/2018/03/how-your-agency-should-think-about-legacy-system-modernization-perfcon">IT modernization</a> 
is the foundation upon which government security rests. The need for updated and properly integrated systems drives funding requests and agency spending. However, these initiatives may also<strong> introduce vulnerabilities by expanding network footprints and creating integration challenges </strong>among vendors and services. The advent of <a href="https://fedtechmagazine.com/article/2018/04/AFCEA-IoT-Technology-Summit-2018-IoT-Saves-Agencies-Time-Money-Manpower">the Internet of Things</a>, <a href="https://fedtechmagazine.com/article/2017/04/government-cloud-storage-its-uses-and-benefits">cloud storage</a> and other external services results in an increasingly blurred network perimeter, making it <a href="https://fedtechmagazine.com/article/2018/03/feds-need-iot-security-goes-beyond-perimeter">difficult to apply traditional perimeter-based security controls</a>.</p> <p>As government agencies increase their digital transformation and modernization efforts, they must choose <strong>multilayered security solutions that not only provide an effective defense against modern threats but also keep an eye toward the future</strong>. Agencies adopting a defense-in-depth approach to cybersecurity will find themselves well-positioned to combat these future threats.</p> <p>For example, an agency may wish to <a href="https://fedtechmagazine.com/article/2017/11/race-protect-feds-laptops-and-mobile-devices" target="_blank">harden its endpoints against external intruders</a> while making sure that routine patch management activities close security weaknesses within the network. At the same time, agency cybersecurity teams should monitor user behavior and other patterns of activity on the network, watching for anomalies and outliers that may indicate insider misuse or external attackers.</p> <p>Here is a rundown of the essential infrastructure elements that agencies can use to create an adaptive cybersecurity strategy. 
</p> <h2>The Basics Feds Need to Guard Against Sophisticated Threats</h2> <p><strong>Malware protection:</strong> As many security threats arrive via malware vectors, agency cybersecurity teams should ensure that they are taking proactive, detective and reactive steps to protect systems against malware-borne threats. These controls should include <strong>deploying frequently updated anti-virus protection on servers, endpoints and network gateways</strong>. Agencies should also consider the use of advanced botnet and malware detection tools that incorporate threat intelligence information and provide a robust defense against evolving threats.</p> <p><strong>User training: </strong>Cybersecurity starts and finishes with the user. No matter how robust an agency’s cybersecurity controls, a single mistake by an end user can undermine those efforts, providing attackers with access to sensitive information or granting them a foothold on internal agency networks. Combating these efforts <strong>requires regular security awareness training</strong> that helps users understand the threats facing the agency and their<strong> individual role in protecting the confidentiality, integrity </strong><strong>and</strong><strong> availability of government information and systems</strong>. These efforts should include a particular focus on phishing and spoofing attacks.</p> <p><strong>Network monitoring: </strong>Network activity is one of the most important sources of information for cybersecurity teams seeking to maintain situational awareness and identify active threats. Network monitoring activities fit into two major categories: <strong>passive and active</strong>. 
Passive network monitoring <strong>simply captures network</strong> traffic as it travels from point to point and monitors it for unusual activity. Active network monitoring <strong>actually manipulates network traffic</strong> by injecting test activity onto the network and observing its performance. This also plays an important role in network troubleshooting and performance monitoring.</p> <p><strong>Network access control: </strong>In addition to regularly monitoring network activity, agencies should consider the implementation of network access control technology that regulates devices allowed to connect to the network. NAC technology permits agencies to<strong> require user and/or device authentication prior to granting access to wired and wireless networks as well as VPN connections.</strong> NAC solutions also provide posture-checking capability, which verifies that a device is configured in compliance with the agency’s security policy before it is allowed on the network.</p> <h2>Feds Can Restrict Access to Agency Networks</h2> <p>Once the basic steps have been implemented, agencies must move to a second layer of security:</p> <p><strong>Endpoint protection: </strong>Once a device is permitted on the network, agency IT teams should ensure that it remains secure over time. Endpoint protection technologies extend beyond traditional anti-virus software to provide additional security tools, <strong>including automated patch management and application control</strong>. 
Patch management ensures that the operating systems and applications installed on devices receive current security patches; application control technology limits the software that may run on a device by either blocking prohibited software or only allowing preapproved software.</p> <p><strong>Next-generation firewalls: </strong>Agencies already use network firewalls to build perimeters between networks of differing security levels — in particular, separating an internal network from the public internet. Firewalls operate based on rules that allow administrators to define authorized traffic and block anything that doesn’t match those rules.</p> <p>Next-generation firewalls (NGFWs) enhance traditional firewall technology by providing administrators with additional flexibility. While traditional firewalls are limited to rules based on network characteristics, such as IP addresses and ports, <strong>NGFWs provide additional context</strong>, allowing administrators to create rules based upon <strong>the identity of the user, the nature of the application, the content of traffic and other characteristics</strong>.</p> <p><strong>Secure web gateways: </strong>Malicious websites are a significant source of security incidents. Users are tricked into visiting a malicious link and then either fall victim to password phishing attacks or have malware installed on their systems. Secure web gateways offer a solution to this problem by <strong>providing administrators with an opportunity to control the websites visited by network users</strong>. They act as a proxy, making requests to web servers on behalf of end users and perform filtering to remove malicious traffic and block access to known malicious sites, preventing users from accidentally harming agency security.</p> <p><strong>Data loss prevention: </strong>Agencies can restrict the flow of sensitive information outside of controlled environments through data loss prevention systems. 
These systems may reside as a hardware appliance that monitors network traffic, a software solution that resides on endpoints and monitors user activity or a cloud-based solution that filters email and web traffic. <strong>DLP technology identifies sensitive information using two primary techniques. </strong>The first, <strong>pattern recognition</strong>, understands the formatting of sensitive data elements such as Social Security or credit card numbers and watches for data matching those patterns. The second approach, <strong>watermarking</strong>, applies digital tags to sensitive files and then watches for those tags leaving the secure network in an unauthorized fashion.</p> <p><strong>Internet of Things security: </strong>Modern networks are becoming increasingly complex as agencies deploy Internet of Things solutions in support of smart office programs, smart city initiatives and public safety programs. These IoT solutions use a broad network of sensors that require the same monitoring and maintenance as any other networked device. They often contain embedded operating systems that require security patches;<strong> left unmaintained, these may serve as access points for intruders</strong>. Before deploying any IoT solution, agencies should ensure that they have <a href="https://fedtechmagazine.com/article/2018/03/will-there-be-government-standard-iot-security">appropriate security controls in place to segment IoT from other networked devices,</a> <strong>controlling access and maintaining a secure operating environment</strong>.</p> <h2>Analytics Tools Can Reveal Risks for Agencies</h2> <p>Today’s networks are growing complex enough that even the toughest defenses need backup:</p> <p><strong>Security analytics:</strong> The security infrastructures deployed by government agencies generate massive amounts of information. From anti-virus alerts on endpoints to intrusion alerts on the network, cybersecurity analysts must handle a deluge of information. 
<strong>Security information and event management solutions</strong> help manage this problem by receiving and aggregating information from a wide variety of security tools. They also use artificial intelligence and machine learning algorithms to correlate information received from different tools, watching for signs of compromise that might otherwise go unnoticed.</p> <p><strong>Security assessments and penetration testing: </strong>Even the most well-designed security infrastructure experiences issues. From accidentally created firewall rules to undetected software vulnerabilities, unexpected events can create sudden and significant cybersecurity risks. Agency cybersecurity teams should complement existing security controls <a href="https://www.cdwg.com/content/cdwg/en/solutions/cybersecurity/security-assessments.html" target="_blank">with a set of security assessment tools</a> designed to <strong>continuously evaluate the security of their infrastructure</strong>. Vulnerability management systems scan networked devices, searching for signs of vulnerabilities and tracking remediation efforts. Software testing tools watch for critical flaws in production code.</p> <p><strong>Penetration tests</strong> are the ultimate security assessment. During these tests, skilled cybersecurity professionals take on the role of an attacker and seek to break into a network using common hacking tools and techniques. 
If they gain access, they report back the vulnerabilities that they exploited, allowing agency cybersecurity teams to correct them and lower the risk of an actual attack.</p> <p><em>Learn how federal agencies can address the growing threats they face in the CDW white paper, “<a href="https://fedtechmagazine.com/resources/white-paper/managing-cyber-risks-public-sector-environment">Managing Cyber Risks in a Public Sector Environment.</a>”</em></p> </div> <div> <div class="field-author"> <div id="taxonomy-term-" class=""> <div class="author-photo"> </div> <div class="author-info"> <span>by </span><a rel="author" href="/author/fedtech-staff"> <div>FedTech Staff</div> </a> </div> <div class="author-bio"> <p></p> </div> </div> </div> </div> Wed, 13 Jun 2018 18:21:12 +0000 phil.goldstein_6191 40966 at https://fedtechmagazine.com Embrace Agile Development by Training Everyone at Once https://fedtechmagazine.com/article/2018/06/embrace-agile-development-training-everyone-once <span>Embrace Agile Development by Training Everyone at Once</span> <span><span lang="" about="/user/6191" typeof="schema:Person" property="schema:name" datatype="">phil.goldstein_6191</span></span> <span>Tue, 06/12/2018 - 09:00</span> <div><p>Many agencies are intrigued by <a href="https://fedtechmagazine.com/article/2018/06/usds-teams-cms-spur-it-modernization">the idea of an agile workplace</a>, one that would allow them to shift resources easily, break down silos between teams and departments and <a href="https://digital.gov/2016/01/04/how-agile-development-can-benefit-federal-projects/" target="_blank">deliver projects more efficiently.</a> But where to begin?</p> <p>One starting point should be <strong>a training event that involves all employees</strong>. 
In-house instruction allows the majority of the group that develops software, as well as those that have or manage requirements for software, to get in the same room at the same time and learn the concepts together.</p> <p>Most offices send only a few key leaders, or perhaps a couple of software developers, to agile training. <strong>This is ineffective. </strong>Those few individuals come back with radically different ideas that no one else in the office may understand or accept.</p> <h2>How to Get Employees to Buy into Agile Development </h2> <p>The adoption of agile, a very different method of work than the step-by-step waterfall most developers are used to, <strong>requires a broad understanding from multiple points of view throughout the organization</strong>. This won’t happen unless a large segment of the organization goes through instruction together — in particular, <strong>those who will be using agile in their daily work</strong>.</p> <p>Unlike online training, instruction provided to all employees at the same time can <strong>encourage on-the-spot discussion</strong>. They’ll be able to discuss more easily — with each other and with their instructor — the details associated with their office’s idiosyncrasies related to existing processes, users and current products. The process of change can begin immediately, at the same time as they’re learning the concepts.</p> <p>When only a limited number of staff are trained, employees may have a difficult time adopting the new methods, and the response to this failure to change is <strong>often blamed on the agile method itself</strong>. 
Comments such as, “We tried agile, but it never took off,” or “Bob and Jane had Scrum training, but nothing became of it; I guess it wasn’t important,” can also be seen as criticism of the perceived capabilities of individual employees.</p> <p>But the reality is that, in such cases, the method doesn’t have a chance of being adopted; those looking to transform their office aren’t taking into account <strong>the wide-reaching cultural, organizational and process changes that have to take place</strong>. A mass training event can help ensure that the push for change gains momentum within the workforce. And it allows leadership the opportunity to build understanding within their workforce, gives them the chance to consider how the method will change their work style — and lets them discuss these details with their coworkers during and after training.</p> <h2>Mass Training Events Give Workers a Voice in Transition to Agile </h2> <p>Mass training events allow everyone involved in software development to start a conversation on how they might want to change how they work, from overall workflow to the small details critical to a successful implementation. An agile workplace brings with it many small, necessary decisions that must be made, and it’s <strong>typically most efficient for these decisions to be made at the lowest level possible</strong>.</p> <p>Take the question, “What software should be used to manage and prioritize your office’s backlog?” This should be discussed among those leading the development teams, the developers and the stakeholders. Managers may have an opinion, but the available systems should be tested, and those who will be using them should be involved. This creates buy-in. <strong>People are more likely to adopt a particular change if they have a voice in it.</strong></p> <p>In-house mass training events create an opportunity for everyone to gain <strong>a more complete understanding of what the agile method means for the organization</strong>. 
They allow discussions to start regarding work roles, changes to existing processes and how the office may need to reorganize to facilitate teaming and effective feedback.</p> <p>Perhaps most important, a mass training event lets leaders spread the opportunity to lead change throughout the organization — enlisting many to help shape and drive the method to improve their software, reduce costs and improve overall service to their users.</p> </div> <div> <div class="field-author"> <div id="taxonomy-term-" class=""> <div class="author-photo"> <a href="/taxonomy/term/11351"><img src="/sites/fedtechmagazine.com/files/styles/face_small/public/people/brian-fox.jpg?itok=S4TLMWAf" width="58" height="58" alt="Brian Fox" typeof="foaf:Image" /> </a> </div> <div class="author-info"> <span>by </span><a rel="author" href="/taxonomy/term/11351"> <div>Brian Fox</div> </a> </div> <div class="author-bio"> <p> <div><p>Brian Fox is systems development branch chief at the U.S. Geological Survey’s National Geospatial Technical Operations Center.</p> </div> </p> </div> </div> </div> </div> Tue, 12 Jun 2018 13:00:00 +0000 phil.goldstein_6191 40961 at https://fedtechmagazine.com Agencies Can Hit the DMARC Target with These Simple Tips https://fedtechmagazine.com/article/2018/06/agencies-can-hit-dmarc-target-these-simple-tips <span>Agencies Can Hit the DMARC Target with These Simple Tips</span> <span><span lang="" about="/user/6191" typeof="schema:Person" property="schema:name" datatype="">phil.goldstein_6191</span></span> <span>Mon, 06/11/2018 - 09:33</span> <div><p>In October 2017, the Department of Homeland Security <a href="https://cyber.dhs.gov/bod/18-01/" target="_blank">mandated that federal agencies use</a> the <a href="https://dmarc.org/" target="_blank">Domain-Based Message Authentication, Reporting </a><a href="https://dmarc.org/" target="_blank">and</a><a href="https://dmarc.org/" target="_blank"> Conformance protocol</a>. 
DMARC enables email servers to <strong>determine whether an email is actually from the sender, then deletes forged emails or marks them as spam</strong>. Without it, anyone can send emails with a forged sender address, and recipients would be unaware of the forgery.</p> <p>Some DMARC requirements were due for adoption in January; others have an October deadline. <a href="https://www.fedscoop.com/month-later-agencies-still-lagging-vulnerable-move-dmarc/" target="_blank">Recent reports</a> indicate that many agencies are not yet using the protocol or <a href="https://www.globalcyberalliance.org/white-house-e-mail-domains-lack-basic-phishing-spoofing-security/" target="_blank">don’t have it configured correctly.</a> Here are some tips for how your agency can get up to speed with DMARC:</p> <h2>1. Do an Initial DMARC Deployment in Report-Only Mode</h2> <p>DMARC uses your existing servers, so deployment is usually not a burden. To support it, you will need to <strong>configure your email servers and possibly add a few features</strong>. You will also need to add records to your DNS servers. Each DMARC resource record specifies how the protocol should be configured for a particular domain.</p> <p>Each agency domain and subdomain should have its own record. For initial DMARC use, set the policy to “none” (p=none). DMARC will <strong>passively monitor all email activity and generate reports on what it observes without interfering with email delivery</strong>. See <a href="https://dmarc.org/overview/" target="_blank">dmarc.org/overview</a> for more details on how to configure DMARC resource records.</p> <h2>2. 
Verify the Accuracy of the DMARC Resource Records</h2> <p>Errors can have serious consequences, either by allowing forged emails to go unnoticed or by inadvertently preventing genuine messages (often from misconfigured email systems) from reaching their destinations. To verify records:</p> <ul><li><strong>Visually check</strong> every record for syntax errors, typos and other mistakes.</li> <li>Confirm that each domain and subdomain has a record. You may want to <strong>use scanners and other tools</strong> to help compile a list of domains and subdomains.</li> <li>Review the DMARC reports and <strong>confirm that they reflect the settings from the resource records</strong>.</li> </ul><h2>3. Gradually Change Policy Setting from “None” to “Quarantine”</h2> <p>As you gain confidence in the accuracy of your DMARC implementation, changing the settings to “quarantine” will change DMARC’s behavior, and it will <strong>begin to flag emails as spam if it suspects they have forged sender addresses</strong>. By making this change slowly, you can reduce the growing pains that come with any new security control implementation, such as responding to user complaints about incorrectly flagged emails.</p> <h2>4. Change Policy Setting from “Quarantine” to “Reject” by October </h2> <p>The “reject” setting is the final step. This setting causes DMARC to <strong>fully enforce the policies on the domains and subdomains, blocking emails with forged senders</strong>. 
At this point, your agency should be in compliance with DHS requirements.</p> </div> <div> <div class="field-author"> <div id="taxonomy-term-" class=""> <div class="author-photo"> <a href="/author/karen-scarfone"><img src="/sites/fedtechmagazine.com/files/styles/face_small/public/people/KarenScarfone.jpeg.jpg?itok=JzlESD2H" width="58" height="58" alt="" typeof="foaf:Image" /> </a> </div> <div class="author-info"> <span>by </span><a rel="author" href="/author/karen-scarfone"> <div>Karen Scarfone</div> </a> </div> <div class="author-bio"> <p> <div><p>Karen Scarfone is the principal consultant for Scarfone Cybersecurity. She previously worked as a senior computer scientist for the National Institute of Standards and Technology.</p> </div> </p> </div> </div> </div> </div> Mon, 11 Jun 2018 13:33:39 +0000 phil.goldstein_6191 40956 at https://fedtechmagazine.com How Government Can Prepare for the Multicloud Future https://fedtechmagazine.com/article/2018/06/how-government-can-prepare-multicloud-future <span>How Government Can Prepare for the Multicloud Future</span> <span><span lang="" about="/user/6191" typeof="schema:Person" property="schema:name" datatype="">phil.goldstein_6191</span></span> <span>Thu, 06/07/2018 - 11:33</span> <div><p>The Defense Department’s new <a href="https://fedtechmagazine.com/article/2018/03/dod-sheds-light-cloud-future-its-jedi-project">Joint Enterprise Defense Infrastructure (JEDI) contract</a>, which would move the DOD’s entire cloud ecosystem to a single public cloud provider, has <a href="https://www.fedscoop.com/jedi-cloud-rfp-delayed-dod-pentagon/" target="_blank">attracted significant attention in recent weeks</a>.</p> <p>At first glance, consolidating multiple clouds seems like a good idea that would streamline services. 
However, for an organization as large as the DOD, with tens of thousands of applications, millions of endpoint devices and an incredibly diverse and challenging operating environment, a single cloud is not a realistic path forward.</p> <p>Instead, government agencies should be investing in a <strong>multicloud strategy that leverages the strengths of both public and private clouds to achieve better security, flexibility and cost savings for the American taxpayer</strong>.</p> <p>According to the <a href="https://www.gsa.gov/cdnstatic/2017_Hybrid_Cloud_Almanac.pdf" target="_blank">General Services Administration</a>, today’s average cloud user operates as many as <strong>six different clouds</strong> that are distributed across multiple geographies and combine both public and private clouds.</p> <p>To successfully manage a multicloud environment like this, agencies need to have <strong>complete visibility of their network and they must react quickly to possible threats</strong>. One of the best ways to achieve this is by integrating automation tools throughout their multicloud environment.</p> <h2>Automation Allows Agencies to Secure Multiple Clouds</h2> <p>Automation helps implement high-level security policies that can be difficult to manually apply across an entire organization and multiple clouds. With automation, you can <strong>immediately update and deploy new security policies across a network</strong>, which would typically take a team of programmers weeks or months to do. Detailed security policies can be automatically generated and deployed across firewalls, switches and other components, whether they are managed in-house or through a cloud provider.</p> <p>Another way that automation can help is by <strong>improving response actions</strong>. 
Some government agencies have sensors that detect malware or denial of service attacks, but humans are still manually sharing these threat reports.</p> <p>Automating the process of detecting and responding to threats is essential to defeating sophisticated cyber adversaries. Information can be automatically fed into the appropriate systems to develop threat response actions.</p> <p>When a red flag emerges, the system can parse the data and<strong> automatically create and deploy the necessary countermeasures to combat the threat.</strong> Likewise, after the threat has been countered, automation can speed recovery actions such as deploying patches and even reinstalling an entire data center without human intervention.</p> <p><strong>Machine intelligence </strong>can be an essential tool in defending against malware attacks. Historical data can be used to predict and respond to impending attacks. The more data a system compiles over time, the more intelligent that system becomes and the better it gets at preventing an intrusion.</p> <p>Automation helps administrators <strong>analyze their files and applications for potential dangers, regardless of where that information resides</strong>. It also helps to isolate unknown malware and render security policies in real time to avoid potential damage.</p> <p>Further, automation will help to achieve better end-to-end security across the data center, campus, branch and the cloud. This lowers the risk of distributed denial of service attacks, allows for greater innovation, improves reliability and increases flexibility for agencies to quickly scale services up or down based on need.</p> <p>As the federal government slowly moves legacy systems to multiple clouds, agencies will need to adopt strategies that unify and secure these systems by integrating automation throughout their networks. 
Most government agencies are too big to operate a single homogeneous cloud capable of providing all the applications that an organization needs. Instead, they will need to operate <strong>a mosaic of public and even private clouds</strong>.</p> </div> <div> <div class="field-author"> <div id="taxonomy-term-" class=""> <div class="author-photo"> <a href="/author/david-mihelcic"><img src="/sites/fedtechmagazine.com/files/styles/face_small/public/people/D.MihelcicHeadshot%20%281%29%20%281%29.jpeg.jpg?itok=M1wYJMQI" width="58" height="58" alt="" typeof="foaf:Image" /> </a> </div> <div class="author-info"> <span>by </span><a rel="author" href="/author/david-mihelcic"> <div>David Mihelcic</div> </a> </div> <div class="author-bio"> <p> <div><p>David Mihelcic is the federal chief technology and strategy officer for Juniper Networks, supporting the company’s federal sales, engineering and operations teams. David joined Juniper Networks in February 2017 following 18 years with the Defense Information Systems Agency, where he retired as CTO, a position he held for more than 12 years.</p> </div> </p> </div> </div> </div> </div> Thu, 07 Jun 2018 15:33:38 +0000 phil.goldstein_6191 40941 at https://fedtechmagazine.com Managing Cyber Risks in a Public Sector Environment https://fedtechmagazine.com/resources/white-paper/managing-cyber-risks-public-sector-environment <span>Managing Cyber Risks in a Public Sector Environment </span> <div><p>In the wake of recent high-profile data breaches at the Office of Personnel Management, Indiana’s Medicaid program and other government entities, cybersecurity has moved to the top of the priority list for federal, state and local government agencies. The sense of urgency is building <strong>as agencies seek to avoid becoming the next cybersecurity headline</strong>.</p> <p>Government technology leaders know, however, that cybersecurity can quickly become an all-consuming effort that requires significant resources. 
The challenge is to <strong>develop and implement a cybersecurity strategy that protects the agency and its constituents from breaches, but does so within financial and logistical constraints</strong>. Governments need holistic, cost-effective IT solutions that adjust rapidly and repeatedly to a constantly changing threat environment. This approach builds a robust, defense-in-depth approach to security that remains resilient against future threats.</p> <p>Agencies build cybersecurity programs to protect the confidentiality, integrity and availability of information. Increasingly, however, they are also faced with evolving regulatory frameworks guiding the selection, design and deployment of cybersecurity controls. Download the white paper to learn more.</p> </div> <span><span lang="" about="/user/6191" typeof="schema:Person" property="schema:name" datatype="">phil.goldstein_6191</span></span> <span>Wed, 06/06/2018 - 12:10</span> <img src="/sites/fedtechmagazine.com/files/document_images/FedTech-Cyber-June6.jpg" width="1440" height="560" alt="Cybersecurity abstract image " typeof="foaf:Image" /> <div> <div>Document File</div> <div><span class="file file--mime-application-pdf file--application-pdf"><a href="https://fedtechmagazine.com/sites/fedtechmagazine.com/files/document_files/white-paper-managing-cyber-risks.pdf" type="application/pdf; length=1154314">white-paper-managing-cyber-risks.pdf</a></span> </div> </div> Wed, 06 Jun 2018 16:10:02 +0000 phil.goldstein_6191 40931 at https://fedtechmagazine.com Why Feds Face an Array of Cybersecurity Threats https://fedtechmagazine.com/article/2018/06/why-feds-face-array-cybersecurity-threats <span>Why Feds Face an Array of Cybersecurity Threats </span> <span><span lang="" about="/user/6191" typeof="schema:Person" property="schema:name" datatype="">phil.goldstein_6191</span></span> <span>Wed, 06/06/2018 - 11:32</span> <div><p>The federal government needs to take “bold” approaches to 
increasing the cybersecurity of agencies, according to a report the White House released last week, which found <strong>serious deficiencies in the government’s risk management abilities</strong>.</p> <p>In the “<a href="https://www.whitehouse.gov/wp-content/uploads/2018/05/Cybersecurity-Risk-Determination-Report-FINAL_May-2018-Release.pdf" target="_blank">Federal Cybersecurity Risk Determination Report and Action Plan</a>,” the Office of Management and Budget and Department of Homeland Security determined that <strong>71 of 96 agencies (74 percent) </strong>participating in a federal risk assessment process “have cybersecurity programs that are either at risk or high risk.” OMB and DHS also found that agencies are “not equipped to determine how threat actors seek to gain access to their information.”</p> <p>The report recommended specific actions agencies need to take to enhance their IT security posture:</p> <ol><li><strong>Increase cybersecurity threat awareness among </strong>agencies by implementing the Director of National Intelligence’s <a href="https://www.dni.gov/index.php/cyber-threat-framework" target="_blank">Cyber Threat Framework</a> to prioritize efforts and manage cybersecurity risks. </li> <li><strong>Standardize IT and cybersecurity capabilities</strong> to control costs and improve asset management.</li> <li><strong>Consolidate agency Security Operations Centers</strong> to improve incident detection and response capabilities.</li> <li>Drive accountability across agencies through <strong>improved governance processes, recurring risk assessments, and OMB’s engagements with agency leadership</strong>.</li> </ol><p>Clearly, there is a great deal for agencies to do. However, there has been some clear progress. 
<a href="https://fedtechmagazine.com/article/2017/10/elc-2017-new-era-approaches-dhss-cdm-cybersecurity-program">Recent investments</a> in cybersecurity by <a href="https://fedtechmagazine.com/article/2018/04/gitec-2018-cybersecurity-cant-be-an-afterthought-during-it-modernization">federal agencies</a> have been driven by the rapidly changing threat environment. Attackers are increasing their focus on government targets; technology environments are becoming more complex and prone to vulnerabilities; and <strong>attack tools are becoming more sophisticated and difficult to detect</strong>.</p> <p>Agencies manage most modern threats with a holistic, enterprise approach to cybersecurity, but legacy technology and slow adoption of modern IT solutions — some because of funding and acquisition considerations — complicate the effort to secure data and systems. Malware, advanced persistent threats, the Internet of Things and legacy technology are just some of the dangers agencies must protect against.</p> <h2>Malware Remains a Threat to Federal Agencies </h2> <p>Malicious software, or malware, is perhaps the oldest cybersecurity threat, with viruses and worms tracing their roots back to the 1980s. The authors of malware keep pace with improvements in security technologies, and in an ongoing cat-and-mouse game, go to great lengths to keep a foothold in upgraded operating systems and applications by developing stealthier and more effective malware.</p> <p>Some malware authors focus on <strong>compromising numerous systems, regardless of their owner or purpose</strong>. 
For example, <a href="https://www.fortinet.com/blog/threat-research/the-growing-trend-of-coin-miner-javascript-infection.html" target="_blank">CoinMiner</a> malware infects systems via malicious code embedded in online advertising and then uses the purloined computing capacity to mine bitcoin or other cryptocurrencies. Similarly, the <a href="https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless" target="_blank">Kovter Trojan</a> infects systems via malicious email attachments and then generates advertising revenue via click fraud schemes. These unfocused malware attacks are a nuisance to agency IT staff who must rebuild infected systems.</p> <p>Other malware, however, has more focused purposes and can be dangerous on government computer systems. <a href="https://krebsonsecurity.com/tag/nanocore-rat/" target="_blank">NanoCore</a>, for example, is a remote access Trojan that allows hackers to gain complete control of infected systems, where they can then either <strong>steal sensitive information or use the system as a jumping-off point for attacks on the rest of the network</strong>.</p> <p><strong>Ransomware</strong> is a specific type of malware that poses a significant threat. After ransomware infects a target system, it uses strong cryptography to encrypt the contents with a secret key. If the victim wishes to decrypt the information and regain access, he or she must pay a ransom to the attacker. 
Recent ransomware outbreaks, such as <a href="https://fedtechmagazine.com/article/2017/10/when-wannacry-ransomware-attack-struck-feds-were-ready">WannaCry</a> and <a href="https://fedtechmagazine.com/article/2017/06/dhs-promises-coordinated-response-petyanyetya-ransomware-attack">Petya</a>, found victims at all levels of government, ranging from Britain’s National Health Service to local law enforcement agencies across the United States.</p> <h2>Agencies Are Targets for Sophisticated Attackers </h2> <p>Government agencies are often the targets of extremely talented attackers and <strong>well-funded attacks known as advanced persistent threats</strong>. These attackers, typically sponsored by nation-states, are quite patient and focus on very specific targets. Once they gain access, they operate with stealthy techniques, placing a high priority on avoiding detection. During <a href="https://fedtechmagazine.com/article/2016/01/nsa-chief-warns-more-hacks-those-hit-opm">the 2015 Office of Personnel Management breach</a>, attackers believed to be associated with the Chinese government operated within the agency’s network undetected for more than a year, <strong>stealing massive quantities of sensitive personnel information</strong>.</p> <p>In 2018, <a href="https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary" target="_blank">the U.S. government accused Iran’s Mabna Institute</a> of conducting a four-year-long attack in at least 20 countries against hundreds of universities and dozens of government agencies, including the <a href="https://www.dol.gov/" target="_blank">U.S. 
Labor Department</a>, the <a href="https://www.ferc.gov/" target="_blank">Federal Energy Regulatory Commission</a> and the states of Hawaii and Indiana.</p> <p><a href="https://www.dni.gov/files/documents/ICA_2017_01.pdf" target="_blank">The intelligence community believes</a> that during the 2016 U.S. election cycle, APT attackers associated with the Russian government gained access to computer servers belonging to the Democratic National Committee and used the information gained to discredit the Hillary Clinton presidential campaign. Researchers also believe that Russian operatives successfully targeted and scanned voting systems used by many states.</p> <h2>Legacy Federal IT Poses a Security Risk </h2> <p>One often-overlooked threat to cybersecurity comes <a href="https://fedtechmagazine.com/article/2018/03/how-your-agency-should-think-about-legacy-system-modernization-perfcon">in the form of legacy systems</a>, which were designed to operate in <a href="https://fedtechmagazine.com/article/2018/03/tony-scott-agency-cios-need-get-away-1970s-tech">a completely different threat and technical environment</a>. Their <strong>lack of modern cybersecurity controls provides hackers with an easy path into government networks</strong>. Agency technology staff should search all systems for outdated hardware and software that may require upgrading or replacement.</p> <p>As agencies seek to replace legacy technology, they also often undertake digital transformation initiatives that upgrade and enhance technologies. 
Recent examples of these initiatives include the <a href="https://statetechmagazine.com/article/2017/09/dispatch-centers-upgrade-911-systems-face-cyberthreats">Next Generation 911</a> and <a href="https://statetechmagazine.com/article/2018/03/att-gets-go-ahead-begin-firstnet-network-build-out">FirstNet programs</a>, which are designed to enhance public safety communications efforts nationwide.</p> <div class="sidebar_wide"> <h3>Why Insider Threats Also Pose a Problem for Feds</h3> <p>While cybersecurity teams often focus on the ominous threats posed by external and foreign attackers, <a href="https://fedtechmagazine.com/article/2016/04/commerce-state-departments-take-steps-combat-insider-security-threats">risk often comes from within</a>. Employees with legitimate access to agency systems <strong>may misuse that access for financial gain, to satisfy their own curiosity or to engage in industrial or foreign espionage</strong>.</p> <p>In 2017, three employees from the inspector general’s office at the Department of Homeland Security <a href="https://www.nytimes.com/2017/11/28/us/politics/homeland-security-personal-data-software-stolen.html" target="_blank">were accused of stealing an agency computer system</a> containing personal information on more than 246,000 DHS employees. 
Their motivation was not identity theft; instead, they were searching for test data they could use to develop their own version of an agency case management system, which they could market to other government agencies.</p> </div> <p><em>Learn how federal agencies can address the growing threats they face in the CDW white paper, “<a href="https://fedtechmagazine.com/resources/white-paper/managing-cyber-risks-public-sector-environment">Managing Cyber Risks in a Public Sector Environment.</a>”</em></p> </div> <div> <div class="field-author"> <div id="taxonomy-term-" class=""> <div class="author-info"> <span>by </span><a rel="author" href="/author/fedtech-staff"> <div>FedTech Staff</div> </a> </div> </div> </div> </div> Wed, 06 Jun 2018 15:32:40 +0000 phil.goldstein_6191 40936 at https://fedtechmagazine.com