Three to watch in coming year

No one has to tell government IT managers that the challenges they face don't suddenly change when one year passes into the next.

Enterprise architecture, security and IT management were hot in 2004 and will continue to be in 2005.

But the tools and technologies used to deal with these challenges will mature, evolve or simply gain better acceptance. Among the 2005 technology trends, experts tell GCN that service-oriented architectures, network user authentication and managed IT services will be fertile ground for agencies in the coming year.

Service-oriented architecture

The emerging concept of a service-oriented architecture promises to fulfill one of the IT community's most enduring dreams: software reuse. Implement an SOA in your agency, and one group's programs could be easily reused elsewhere within your network.

Now, as Web services have matured and enterprise architecture initiatives are taking hold at agencies, experts see SOA use as inevitable.

'SOA is about finally realizing the benefit of software reuse, without the cost or pain of software reuse,' said Art Fritzson, vice president at Booz Allen Hamilton Inc. of McLean, Va.

Web services provide a common technical foundation for building an SOA, said Pradeep Nair, product marketing manager for asset management software provider MRO Software Inc. of Bedford, Mass. By submerging the fine-grained implementation details, an SOA frees managers to think about optimizing business processes.

'Instead of exposing your objects and having your end users understand the intricate details about how your methods and properties work, you provide a service layer at a business level,' Nair said.

In an SOA, a Web services application exposes its features and functionality to the outside world as reusable components.

For instance, MRO's Maximo logistics software could offer a service such as the ability to create a work order. To help users'and other machines'find these services, an agency sets up a central directory using the Universal Description, Discovery and Integration standard.

Not surprisingly, SOA is a close relative of enterprise architecture and stands to play a major role in streamlining agencies' IT.

As agency heads map lines of business under their EAs, they realize, in many cases, that they have excess capacity, said Mark Forman, former administrator for e-government and IT at the Office of Management and Budget. Applying SOA to EA lines of business can provide agencies with a map they can use to consolidate operations and share resources.

How does an agency start down the SOA path? The first step comes in the IT procurement process, before ever building a thing, said Fritzson. Agencies should ensure the software, hardware and systems they procure are compliant with open Web services standards. Such gear can be easily reappropriated for missions outside their intended function, Fritzson said.

Like any new technology, SOAs still have implementation issues. Billing is one. If one office provides a service heavily used by others, how does the office justify the cost of maintenance?

Forman sees the creation of 'IT services brokers' that keep track of what resources are being used by whom. 'There are models out there' to resolve this problem, he said.

'It's amazing we have gotten as far as we have, given the fact we reinvent software every time we need it,' Fritzson said. 'It feels like we're poised on an era where software reuse becomes a reality.'

'Joab Jackson

Password security

According to the CERT Coordination Center at Carnegie Mellon University, poor passwords account for up to 80 percent of network security problems. Still, this legacy authentication technique is so ingrained in IT infrastructures it is unlikely to disappear anytime soon.

'Passwords are here for a long time,' said Burt Kaliski, chief scientist for RSA Labs, a division of RSA Security Inc. of Bedford, Mass. But new twists are coming.

The problem with passwords is that the same factors that make them difficult to crack also make them difficult to remember without writing them down. And writing a password down is a no-no.

Passwords can be hashed for storage and salted with random numerical values to help foil hackers and dictionary attacks. But when passwords threaten to become too complex for a user to remember, a second factor for authentication can be added to raise the level of security.

America Online Inc. began offering a second factor for account protection in September with its PassCode premium service. The service uses RSA's SecurID token, which generates a new six-digit code every 60 seconds. An algorithm on the authenticating server generates the same sequence of codes. The current code is required along with the password to access protected accounts.

Recently, Entrust Inc. of Addison, Texas, launched what it calls IdentityGuard to do away with tokens. The system uses a random grid of alphanumeric characters that can be stored on a wallet-size card or in a downloaded file. When signing on to a protected account, the user is challenged with a set of coordinates from the grid. To gain access, the user must supply the characters that correspond to the coordinates, along with his regular password.

Other new technologies to improve password protection are still in development. RSA began work two years ago on its Nightingale system to eliminate a single point of compromise for stealing passwords. To foil hackers, it uses technology that mathematically splits passwords apart and stores the parts on separate servers.

The Institute of Electrical and Electronics Engineers is developing a standard for an encrypted-key exchange protocol, which Kaliski described as a hybrid between
public-key cryptography and password cryptography. Passwords are used to protect public keys, which are used to set up connections with protected resources. The math involved is not trivial. But if implemented correctly, the system could effectively authenticate both the user and the server.

The protocol won't replace plain passwords anytime soon, and it requires that both the server and the client are enabled for the new standard. But any improvement over current password authentication methods will help agencies live up to their security requirements.

'William Jackson

Managed network services

Call it outsourcing, call it seat management, call it what you will, but managed network services in government IT are finally coming on strong, from simply monitoring traffic to network security.

According to IT executives, managed services in the federal, state and local IT arena will continue to grow'and change'over the next few years. The issues driving their adoption this year will be security, performance-based contracts and the ever-present drive to improve government IT infrastructures.

'Most governments are keenly interested in becoming more efficient,' said Cheryl Janey, vice president of state and local enterprise solutions for Northrop Grumman Corp.'s IT unit in Herndon, Va. But traditional outsourcing may not be the best way to achieve this.

Governments might decide on 'some sort of hybrid approach'a mix of asset management, transactional management and managed services,' Janey said.

Minneapolis officials breathed a sigh of relief when they turned over the management of the city's IT operations to Unisys Corp.

Under the city's seven-year, $56 million managed services contract, the company handles all of Minneapolis' technology operations, overseeing about 2,700 PCs, more than 100 servers, the e-mail system, printers and peripherals.

Minneapolis decided on the managed services contract because 'IT wasn't a core competency of the city,' said Bill Beck, Minneapolis' deputy CIO and director of planning and program management for the city's Business Information Services Division.

The city no longer owns any computer equipment, Beck said. 'Unisys owns it all.'

Managed services contracts will continue to grow by double digits in the years ahead, but the 'megadeals are over,' said Phil Smith, vice president of solutions for Unisys' global infrastructure services sector. 'I believe there will be a lot more smaller deals. Unisys will handle the network and data center, and someone else will get the desktop work.'

Smith even expects an uptick in managed services contracts that cover IT security. Historically, this has been one area that governments were loath to surrender to an outside organization, but Smith sees that fear abating. 'As issues of identity theft become more alarming, security is going to be a huge issue over the next couple of years,' he said.

'Trudy Walsh

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above