Daily cloud architecture rebuilds could enhance security, NGA says
- By Mark Rockwell
The National Geospatial-Intelligence Agency wants to "reinvent security" by taking advantage of the cloud's flexibility.
By tearing down the agency's IT architecture and rebuilding it every day, hackers would confront a confusing operating environment and have limited time to enjoy launch attacks, according to Jason Hess, the NGA's chief of cloud security.
To get that flexibility, a drastic reduction in the time it takes to secure authority to operate certification for cloud services would be required. ATOs traditionally can take as long as six months; the goal is 24-hour turnaround.
So far, using software and DevOps development techniques, the NGA has managed to get ATOs within seven days, Hess said at the Cyber Resilience Summit on March 21.
NGA's "fast architecture churn," said Dr. Ron Ross, fellow at the National Institute of Standards and Technology, "is something to watch" in protecting networks and data in the coming years.
The NGA approach isn't for everyone, but speakers at the conference agreed that just installing technology at the edge of a network to ward off suspect traffic is obsolete.
"Cybersecurity is something you do, not something you buy," said Dale Meyerrose, a retired Air Force major general, who was also the first appointed CISO for the intelligence community.
"We lie about what we can do" with cybersecurity capabilities, he said. The federal government in general does not compare favorably to industry in detecting cyber intrusions on networks, and cybersecurity programs, with their response teams and other reactive elements, are too passive. "We need a hunt and destroy attitude," Meyerrose said, and an emphasis on integrating cybersecurity into agency missions rather than thinking of it as a separate effort.
At NIST, Ross is pushing an integrated approach. The standards agency's NIST's 800-160 security engineering guidebook that was issued last November urges organizations -- including federal agencies and commercial equipment and service providers -- to address security throughout their systems engineering processes rather than "bolting on" firewalls, encryption and monitoring systems to operating systems and applications after they are purchased.
New approaches must also be developed to get people to live and breathe cybersecurity as part of their agencies mission, the speakers said.
Mark Rockwell is a staff writer at FCW.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at firstname.lastname@example.org or follow him on Twitter at @MRockwell4.