Shawn McCarthy | IPv6 could be a boost for access control
Federal agencies are facing multiple enterprisewide transitions, including system consolidation, application virtualization, migration toward IPv6, multiple security upgrades and new identification systems. In this time of tight budgets and spending limits, they also are facing renewed scrutiny of proposed projects from the Office of Management and Budget.
In the midst of this chaotic situation, one important issue is in danger of being left on the back burner: enterprise security that takes into account configuration management and access control.
The Government Accountability Office issued at least two reports this spring (GAO-07-364 and GAO-07-256) stating that agencies should consider taking more of an enterprise approach to both access control and configuration management. It also found government agencies still significantly lagging in their implementation of agencywide controls that could address multiple security problems.
Why is this? Budgeted security spending for all civilian agencies is $2.3 billion for fiscal 2007, and Defense Department security spending is budgeted at $2.7 billion. But a closer look at this spending, outlined in agencies' Exhibit 53 reports, reveals a piecemeal approach often focusing on specific systems, individual projects and one-off solutions. This makes it more difficult (though not impossible) to build a fully integrated enterprise approach to security management.
Luckily, there is a strong catalyst at work, although agencies might not immediately recognize it.
That catalyst is the required migration to IPv6 of Internet backbone networks and, eventually, the majority of net-connected systems. Because IPv4 and IPv6 have different configuration settings, the time is ripe to take enterprise configuration management and security settings more seriously.
In anticipation of this transition toward enterprise security, agencies should consider the following measures.
- Stop investing in single-issue security fixes and take an enterprise risk management approach to all security investments.
- Build security considerations and investments into every new agency project. The security budget is not the only money available for targeting security issues under an enterprisewide security plan.
- Combine projects with a security focus to achieve enterprise operational efficiencies: network management, IPv6 upgrades and platform consolidation, for example.
- Use a risk evaluation and management approach to assign proper priority to enterprisewide security investments.
With these considerations in mind, configuration and security management could become more standardized and manageable across a typical enterprise.
Unfortunately, this is not the way most agencies tend to target their limited security budgets, so the frustrating piecemeal approach is likely to continue.

Shawn P. McCarthy is senior analyst and program manager at IDC Government Insights, in McLean, Va. E-mail him at email@example.com.