A well-defined perimeter is only half the battle.

Agencies must also protect their most valuable data.

By Michael Biddick

W
informationweek.com/government

hen IT security is a focal point of the State of the Union address, as

it was in President Obamas February speech, government IT pros
had better take notice.
Foreign adversaries are seeking the ability to sabotage our power grid,
our financial institutions and our air traffic control systems, the president
warned. We cannot look back years from now and wonder why we did

@michaelbiddick

nothing in the face of real threats to our security and our economy.
Federal government data centers are at the center of this discussion. The systems and databases within those data centers house
everything from the personal information of U.S. citizens to law enforcement case records and classified intelligence.
Federal agencies have been shoring up their data center defenses

Copyright 2013 UBM LLC. Important Note: This PDF is provided solely as a reader service. It is not intended for reproduction or public distribution. For article
reprints, e-prints and permissions please contact: Wrights Reprints, 1-877-652-5295 / ubmreprints@wrightsreprints.com

March 2013 5

for years, but much more needs to be done.

Security experts report not only a growing
number of attacks, but also successful
breaches. Throwing money at the problem
isnt the answer, nor is it an option. The federal IT budget remains flat and sequestration, which went into effect March 1, triggered across-the-board cuts. Federal CIO
Steven VanRoekel, in a February interview
with InformationWeek Government, warned
that sequestration could cause agencies to
lose momentum in their efforts to improve
cybersecurity. Agency CIOs have to be smart
and selective in how they invest their limited
resources.
The problem is much bigger than it was three
or four years ago, says Omar Khawaja, head of
product marketing for data center operator
Verizon Terremark, which provides hosting and
cloud services to federal agencies. Youve got
more threats, more vulnerabilities and the assets are more critical than ever before.
Shortly after the State of the Union address,
Mandiant, a security vendor, released a report
that traced a Chinese hacker group, dubbed
APT1 and suspected of economic espionage
against at least 141 companies and government agencies over seven years, to a district
in residential Shanghai thats home to a unit
informationweek.com/government

Federal IT Security Incidents, Fiscal 2012

Improper usage

20%

Under investigation/other

38%
18%

Malicious code

7%
17%
Scans, probes, attempted access

Unauthorized access

Data: GAO analysis of 48,562 security incidents reported to US-CERT

of the Peoples Liberation Army. It was the

most detailed in a growing body of evidence
that the Chinese military may be involved in
probes of U.S. computer systems. The New York
Times, Google and Apple all reported security
breaches at about the same time.
Federal agencies are targets, too. In February,
the Department of Energy revealed that online attackers had penetrated its network and
obtained personal information on hundreds
of employees and contractors. The departments Joint Cybersecurity Coordination Center and federal law enforcement agencies are
investigating the incident. In a memo to em-

ployees, DOE recommended that they encrypt all files and emails that contain personal
information, including files stored on hard
drives or on the shared network.
The Department of Defense, even with its
U.S. Cyber Command operations, remains vulnerable as well. The Defense Science Board, a
civilian committee that provides scientific and
technical advice to the Pentagon, said in a report this month that the DOD isnt prepared
to defend against sophisticated international
cyber attacks. The report pointed to inherently insecure architectures, inadequate intelligence and the sheer limits of technology
March 2013 6

Gated entrance to Verizon Terremarks

Culpeper, Va., data center

in defending against emerging cyber threats.

It encourages the DODs CIO to work with the
military branches to create an enterprise security architecture that includes minimum
standards to ensure a reasonable level of defensibility and increase the probability that attacks are detected.
Robust data center security starts outside the
brick-and-mortar building. Verizon Terremark
serves federal customers from a 30-acre complex in northern Virginia thats protected by
12-foot beams, DOD-approved fences, blastproof walls and motion-sensor cameras. But its
informationweek.com/government

the systems, software and processes inside the

data centers used by government agencies
some owned and operated by contractors, others by the agencies themselves that are the
urgent focus of federal IT teams.
Threat Landscape
The number of cyber incidents reported by
federal agencies to the U.S. Computer Emergency Readiness Team rose from 41,776 in fiscal 2010 to 48,562 in fiscal 2012, a 16% increase over two years, according to a report
issued this month that was based on testi-

mony by Gregory Wilshusen, the Government

Accountability Offices director of information
security issues.
The incidents reported included scans,
probes, attempted access, unauthorized access, malicious code and improper usage.
Threats to systems supporting critical infrastructure and federal information systems are
evolving and growing, Wilshusen told Congress.
While cyber intrusions happen in many
ways, data center servers and applications
are prime targets. As agencies consolidate
servers and applications and pack more
data into them, they become more attractive.
Hackers look for and exploit any vulnerability they find, causing buffer overruns, releasing viruses, stealing data and interrupting
user access. Denial-of-service attacks prevent
access to applications, while virtualization attacks target server infrastructure weaknesses,
such as user authorizations that arent well
implemented. When hackers get through,
they can prevent access to applications and
data, or worse. The prospect of data theft is
what worries information assurance pros the
most.
Data center security isnt just a function of
March 2013 7

Previous

Next

Table of Contents

firewalls and intrusion-detection systems. Government employees fall victim to phishing attacks, inadvertent file sharing and malware-infected USB drives, or they simply lose their
iPhones and BlackBerrys. And as the State Department learned in the WikiLeaks case, agencies must take precautions to protect off-limits
documents and other data from employees
and other insiders who would sneak them
outside the firewall. In many cases, the same
centralized IT security systems and processes
that protect the data center play a role in detecting and responding to these soft spots.
The trend toward smart data centers, those
with automated cooling and power management, may be the next thing to worry about.
Malware can be used to access and harm automated systems through a back door in much
the same way that the Stuxnet virus infected
controllers at one of Irans nuclear power
plants.

Steps Of Risk
Management

1. Categorize the federal information system

based on a FIPS 199 impact analysis.

2. Select baseline security controls based on

system impact level.

3. Implement security controls; document the

design, development and implementation.

4. Assess the extent to which controls are well

implemented and producing desired results.

5. Authorize system operation based on

determination of risk to organization,
individuals and the nation, and that the risk
is acceptable.
6. Monitor security controls to determine
their effectiveness, any changes to the system
or environment, and compliance with policies,
regulations and standards.
Data: NIST SP 800-53, Risk Management Framework

Constant Attention
The Office of Management and Budget, the
National Institute of Standards and Technology and other federal departments with responsibility for government-wide IT security
continue to ratchet up the requirements.
In February, NIST released an updated catainformationweek.com/government

log of IT security regulations to include new

threats and allow for more flexibility and tailoring of regulations by agencies. The Federal
Information Security Management Act mandates that agencies apply the controls detailed in the document, as appropriate. This

latest revision addresses application security,

distributed systems, mobile and cloud computing, and developmental and operational
assurance, with controls for advanced persistent threats, supply chain risks and insider
threats.
The White Houses IT security strategy
hinges largely on continuous monitoring,
which, as it sounds, involves the use of new
software and security tools to keep an eye on
computer systems and networks in near real
time. According to a report issued earlier this
month by U.S. cybersecurity coordinator
Michael Daniel, 78.4% of the federal governments IT assets were being continuously
monitored in the first quarter of 2013. Thats
a slight decline since the fourth quarter of
2012, when implementation was measured at
79.5% of IT assets. The report attributes the
downward tick to adjustments in the measurement process. The goal is to reach 95% implementation in the coming fiscal year (fiscal
year 2014).
Theres no fast and easy way to roll out continuous monitoring across an agencys IT infrastructure. Data center managers must pull
together vulnerability- and network-scanning
tools and use software to link patterns from
those and other products to detect and preMarch 2013 8

vent attacks.
Software tools can help with these tasks.
They include SolarWinds monitoring software, ManageEngines OpManager, IBMs Internet Scanner, Lumetas IPsonar network discovery product and Ciscos Security Manager.
IBM Tivolis Continuous Data Protection for
Files, FalconStors Continuous Data Protector
and Ideras auditing products can track data
leaks and prevent other issues by limiting
users ability to transport data.
Security incident and event management
(SIEM) is also part of the answer. HewlettPackards ArcSight, EMCs RSA, Sensage, IBM
Q1 Labs and NitroSecurity offer products in
this category. Those SIEM systems collect
events from firewalls, intrusion-detection systems, access control and authentication systems, and switches and routers, and then correlate those events to identify security
violations. They log violations and can take action to prevent or limit impact.
Such capabilities help IT organizations comply with rules and regulations around storing
and analyzing log data, and they provide a
mechanism for investigating incidents after
the fact. Log storage and review are fundamental security practices accomplished with
tools such as LogRhythm, Splunk and WhatsUp
informationweek.com/government

Log Management. The differentiator in this

market is the ability to do impact analysis
across the life cycle of a threat.
The endgame is to give agencies the wherewithal to report on security violations and to
detect and prevent attacks. The next step is
knowing what to do when an attack is detected. IT teams must be able to switch hardware, network paths and servers rapidly. This
ability requires tight coupling of monitoring
software and application and network automation tools. Thats tough to do on a small
scale and helps make the case for consolidating data centers, where centralized management and security can be brought to bear.
Cloud Security
Two of the major areas of activity in the
data center virtualization and cloud computing introduce other trouble spots if
not done properly, according to security firm
Trend Micro. The threats include data-stealing malware, spam, phishing, Trojans, worms,
viruses, spyware and bots. As agencies modernize and virtualize their IT infrastructure,
they sometimes deploy the security software
intended for their physical servers. That
wont cut it. They must take additional preventive steps to guard against virtual ma-

chine attacks, mixed trust-level VMs, hyperjacking malware and other compromises.
Federal agencies are halfway into a five-year
plan to consolidate hundreds of data centers,
and that initiative is accelerating the pace of
virtualization and cloud adoption, highlighting the need for secure cloud data centers.
Private clouds in a well-managed data center have the potential to be more secure than
distributed systems. But because multiple organizations use shared hardware under this
model, theyre also bigger targets. For that
reason, the data center controls discussed
above continuous monitoring, event management, real-time response are just as important in cloud environments.
Public cloud services are a bigger concern
because, in some cases, theyre delivered from
data centers that have not previously been
vetted by security-minded federal agencies.
The Federal Risk and Authorization Management Program is meant to raise confidence in
cloud services by bringing a standard approach to security assessment and authorization. Started in December 2011, FedRAMP
only recently has begun assessing cloud
providers.
Those assessments include a close evaluation of the service providers data center facilMarch 2013 9

ities and practices. In fact, cloud providers

must satisfy nearly 300 security controls to
pass FedRAMP muster. (The Department of
Defense may institute even stricter controls.)
Once a cloud service provider gets the FedRAMP stamp of approval, other agencies will
be able to subscribe to that vendors services
with some assurance that the services, and the
data center from which theyre offered, have
met the governments rigorous requirements.
This approve once, use often approach
should yield time, staff and dollar savings.
Even so, FedRAMP doesnt cover every single
security requirement of ever y federal
agency. Some agencies will still need to certify and authorize agency-specific requirements not covered by FedRAMP.
New Approaches
As the number of threats, attacks and vulnerabilities rises, the challenge for federal IT
teams, says Verizon Terremarks Khawaja, is to
make security smaller.
A good place to begin is to identify the data
most in need of protecting, he says. The
process of data detection, identification and
classification makes it possible to focus on securing personally identifiable information and
valuable or sensitive information such as fiinformationweek.com/government

Steel mesh protects the servers and raised floors

in Verizons data center

nancial data. Apply analytics to security logs

and incidents to uncover evidence of suspicious activity that may be ongoing, what
Khawaja calls crime in motion.
Federal agencies should also move beyond standard firewalls to conduct deep
packet inspections using the latest technologies. The newest generation of data
center hardware from vendors such as Fortinet, Juniper Networks and Palo Alto Networks is better able to analyze network activity as it happens.
Also consider security-as-a-service for new
capabilities. For example, Mandiant Cloud
Alert is a subscription-based service that
monitors the health of an organizations net-

work, looking for active command and control activity between network IPs and suspect
domains. The service provides real-time notifications when computers attempt to connect to malicious networks, with details on
the malware involved, time stamps and destination hosts.
Ultimately, progress with data center security depends on a combination of new technologies and better business practices. With
so many threats coming from so many
sources, data center managers must focus
their resources and efforts on those actions
that stand to have the greatest impact.
Of course, sturdier walls physical and
virtual will only get you so far. Fresh
thinking is required, too. Says Khawaja: This
notion of getting smarter about security is
absolutely critical.
Michael Biddick is CEO of integrator Fusion PPT. Read more
stories by him at informationweek.com/michaelbiddick.
Write to us at iwletters@ubm.com.

March 2013 10