IT AGENDA 2009
5 IT priorities for 2009
Info sharing, identity management, security, IPv6 are high on the list
WHAT’S ON THE AGENDA for agency information technology managers in 2009? Undoubtedly, the new administration will bring fresh challenges, but there is still unfinished business from 2008 that must be addressed.
Some initiatives are in the form of mandates — with deadlines — from Congress or the Office of Management and Budget. Others are technical matters that could help agencies carry out their missions more effectively.
Here is a short list of imperatives that will likely demand the attention of administrators and executives in 2009.
Domain Name System Security Extensions. DNSsec is a tough nut to crack — and IT administrators of the .gov top-level domain have until the end of the year to crack it. DNSsec helps ensure the integrity of Internet names and addresses by digitally signing requests and responses from servers. The technology must be enabled on .gov name servers this year. But doing it right will not be easy, said Paul Parisi, chief technology officer at DNSstuff. “The first couple of times you try it, it’s not going to work,” he said.
Encrypting data at rest. OMB told civilian agencies in 2006 that they should be encrypting sensitive data on all mobile devices within 45 days of OMB’s announcement. But more than a year later, only about 30 percent of laptop PCs and handheld devices had been protected. The Defense Department set a Dec. 31, 2008, deadline for encrypting all laptop PCs and removable media, but David Hollis, program manager for the governmentwide Data at Rest Tiger Team encryption effort, said DOD was not expected to meet that deadline. “There has been a lot of progress,” Hollis said. “That being said, there is still a long way to go.”
Information sharing. A failure to make meaningful connections among information in various intelligence reports has often been cited as a reason why the government was unable to prevent the 2001 terrorist attacks. But the federal Information Sharing Environment, which Congress mandated in 2004, remains a work in progress four years later. Overseen by a program manager in the Office of the Director of National Intelligence and supported by a council of senior representatives from 16 departments and agencies, ISE had a goal of June 2009 for completion. But the program is behind schedule. “There is no ‘school solution’ to the problem of information sharing,” wrote ISE program manager Thomas McNamara in a June letter to Eileen Larence, director of homeland security and justice issues at the Government Accountability Office. “One size does not fit all, and implementation plans must be flexible and dynamic to adjust to the unforeseen and the unintended.”
Identity management. The ability to identify a user and associate that identity with access privileges is necessary for effectively protecting and sharing data. The government has established a technical platform for that effort with its personal identity verification (PIV) and Common Access Card (CAC) programs, but the technology is the easiest part, said Gary Gordon, a senior scholar in identity management at the Indiana University School of Law. There are still issues of policy, process and education — as well as technology — to address, and a trusted environment is necessary for law enforcement agencies and the government to share data. “Government is looking for game-changing ideas to move forward in the next couple of years,” Gordon said.
And finally, an opportunity rather than a requirement:
Putting IPv6 to work. The deadline has passed, and government backbone networks are enabled for IPv6. How can you use the technology to get your job done? Think in terms of video, voice over IP (VOIP) and radio frequency identification (RFID) devices — that is, anything that benefits from multicasting, mobility, quality of service, peer-to-peer connections and an increase in endpoints. “The intent is to use IPv6 so that you can be expansive,” said David Rubal, regional manager for federal unified communications at Cisco Systems.
Our list is not comprehensive, but it covers a number of primary areas of concern administrators are likely to be dealing with in the coming year as they wrap up work from last year.
1. Enabling DNSsec
DNS is a critical element underlying the Internet. It translates plain-language domain names into IP addresses so requests and data can be routed. Unfortunately, it is vulnerable to attacks that can allow hackers to poison cached data on name servers or misdirect traffic by intercepting requests.
Vulnerabilities in some implementations of DNS software have been around for a while, but security researcher Dan Kaminsky’s discovery last summer of a flaw in the DNS protocols raised concerns about the system’s viability. The fix for the vulnerability adds more randomization to requests to make them harder to spoof. But it is only a stopgap measure, which prompted the federal government to implement DNSsec within the .gov domain. DNSsec uses digital certificates to sign requests and responses to ensure their trustworthiness.
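The request randomization described above, sketched as an added example that is not part of the original article: a resolver-side table that accepts a response only when the transaction ID and source port match the outstanding query. The class, function names, port pool and fixed pre-patch port are assumptions made for illustration.

```python
import math
import secrets

# Assumed pool of source ports a patched resolver may draw from.
PORT_POOL = range(1024, 65536)
FIXED_PORT = 53  # simplified stand-in for a predictable pre-patch source port


class PendingQueries:
    """Hypothetical resolver-side table of outstanding queries."""

    def __init__(self, randomize_port):
        self.randomize_port = randomize_port
        self.pending = {}

    def send(self, qname, server):
        txid = secrets.randbelow(1 << 16)  # 16-bit DNS transaction ID
        port = FIXED_PORT
        if self.randomize_port:
            port = PORT_POOL.start + secrets.randbelow(len(PORT_POOL))
        self.pending[(qname.lower(), server)] = (txid, port)
        return txid, port

    def accept(self, qname, server, txid, dst_port):
        """Accept a response only if both unpredictable fields match."""
        key = (qname.lower(), server)
        if self.pending.get(key) != (txid, dst_port):
            return False  # mismatched response is dropped, query stays open
        del self.pending[key]  # one answer per query
        return True


def guess_space_bits(randomize_port):
    """Bits of unpredictability an off-path sender has to match."""
    bits = 16.0
    if randomize_port:
        bits += math.log2(len(PORT_POOL))
    return bits


def blind_match_probability(responses, randomize_port):
    """Chance that one of `responses` distinct blind guesses is accepted."""
    return min(1.0, responses / 2 ** guess_space_bits(randomize_port))
```

Even at roughly 32 bits, this check filters on matching values rather than authenticating the data, which is why the article calls the fix a stopgap and why DNSsec adds signatures.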
In an August 2008 memo, OMB gave a deadline of January 2009 for deploying DNSsec on authoritative .gov root zone servers and gave agencies a deadline of December 2009 for deploying DNSsec on their information systems.
“It’s going to be bad,” Parisi said. “Unfortunately, DNSsec even without a deadline is very complex,” and most IT shops lack expertise with DNS because it typically requires little attention. “DNSsec, once it runs, will run fairly automatically. [But] getting it to run is not trivial.”
The industry needs to produce step-by-step deployment guides to help customers, Parisi said, adding, “We’re working on that.”
DNSsec typically requires using Version 9 of Berkeley Internet Name Domain (BIND), the most widely deployed DNS server. “Windows doesn’t really support DNSsec right now,” Parisi said.
Few organizations use Windows for outside DNS servers, but some experts fear that when administrators start looking at their DNS infrastructures, they will find more Windows servers in their enterprises than they expected.
One company has responded by building DNSsec into DNS servers. InfoWeapons’ SolidDNS comes as an appliance running BIND and includes support for IPv6, said Lawrence Hughes, chairman, founder and chief software architect at InfoWeapons.
“You can set up signing requirements when setting up the appliance,” Hughes said. “Check one box, the domain is signed. You’re done.” The task of managing digital certificates and signing keys is simplified by using the parent key to sign the root servers. “We have it set up to inherit the parent key, so only the root certificate is needed.”
If an organization cannot afford to replace its DNS servers, implementing DNSsec is likely to be stressful. But Parisi said he is confident agencies can meet the deadline. “It will be painful, but it will get done,” he said.
2. Encrypting data at rest on mobile devices
A number of high-profile data breaches prompted OMB to issue a memo in June 2006 reminding agencies of basic security practices that they should have already been using. The measures included encrypting “all data on mobile computers/devices which carry agency data unless the data is determined to be nonsensitive, in writing, by your deputy secretary or an individual he/she may designate in writing.”
Because agencies should have already been following the practices, OMB allowed a quick 45 days for compliance. DOD chimed in the following year, setting a deadline of Dec. 31, 2008, for similar encryption measures at its agencies.
The initial response wasn’t good. GAO reported in June that, “from July through September 2007, the major agencies collectively reported that they had not yet installed encryption technology to protect sensitive information on about 70 percent of their laptop computers and handheld devices.”
However, the Data at Rest Tiger Team, formed in 2006 to spur the use of encryption, helped set up 12 blanket purchase agreements through which agencies bought 1.4 million encryption licenses at sizable discounts from July 2007 through July 2008, Hollis said.
Given the progress being made, “I’m hoping in the next year or two we can put this away,” Hollis said.
The team’s primary achievement has been to reach a consensus on minimum requirements for data encryption products and award BPAs based on those requirements to 10 vendors for 12 products. The BPAs are co-branded under the DOD Enterprise Software Initiative and the General Services Administration’s SmartBuy program.
“For the most part, DOD is making progress,” Hollis said late in 2008. “There are some areas where we’re not going to make” the Dec. 31 deadline. For some ships at sea, compliance means a visit to port for a refitting of tactical systems, and waivers are being issued in those cases. Given the huge number of devices to be protected at military and civilian agencies, “it’s a very large monster to defeat,” he added.
3. Deploying the Information Sharing Environment
ISE was created under the Intelligence Reform and Terrorism Prevention Act of 2004 to help agencies that acquire, process and use information about potential threats use that information more effectively. Rather than specify technologies, the act describes the environment as “an approach that facilitates the sharing of terrorism and homeland security information, which may include any method determined necessary and appropriate.”
McNamara issued an implementation plan in November 2006 and continued to update it through March 2008. But a GAO study of ISE progress released in June faulted the program for not defining its scope, establishing desired results and milestones, and choosing metrics for measuring those results. GAO said officials had established broad goals and incorporated a number of federal, state and local information-sharing initiatives into the plan. However, officials are behind schedule for completing the 89 action items identified in the plan for deploying ISE by June 2009.
The issues that make information sharing a high-risk program are complex and more than technical, McNamara said. “The challenge lay in reconciling myriad policy, process and technology differences among multiple organizations tasked to perform a variety of disparate missions,” he said.
McNamara told GAO that ISE is a governmentwide transformational effort and evolutionary process and that there is no road map for that kind of work.
“We are pioneering, at least within the federal government, in building a true, extensive, governmentwide information-sharing environment,” he wrote. “No one, to my knowledge, has attempted this before. No one, to my knowledge, knows with certainty the correct path or sees a clear end state of the ISE. Indeed, there is no end state in the true meaning of that term, only a vision.”
GAO recommended that officials fully define the program’s scope and desired results and develop performance measures for improving information sharing.
4. Enhancing identity management
The government has made significant progress in creating a technology platform for identity management by deploying PIV cards in the civilian sector and CACs at DOD.
But putting the technology to use can be more difficult than creating it. To be effective, identity management must be integrated with business processes, applications, and front- and back-end systems for a multitude of missions.
Individuals can possess multiple identities or roles in an organization, and facilities, information systems and applications have different levels of risk and security. Those different needs are why multiple identity management and access control systems have evolved and why each user has so many passwords, personal identification numbers, tokens and other credentials.
The nonprofit Center for Applied Identity Management Research was created in Washington last year to identify gaps in identity management solutions and foster research to fill them.
“We are trying to determine what the key challenges are,” said Gordon, who is the center’s executive director. “Until we have a handle on that, it is difficult to answer the question of why identity management is so hard.”
The center will work on seemingly abstract problems, such as coming up with a common set of definitions for discussing identity management issues, but its goal is to produce quick, practical results. Officials expect to release a report early this year that will be a blueprint for multidisciplinary applied research and development.
Center members include academic institutions such as Indiana University and the University of Texas at Austin, companies such as IBM, and customers such as banks, the Secret Service and the U.S. Marshals Service.
Progress must come quickly to be practical because the technology, its uses and the threats are changing so quickly. But Gordon said the standardized, interoperable credentials the government developed for employees and contractors are a good first step.
“It gives them a common way of dealing with employees and vendors,” he said. “It becomes a logical way of organizing and developing trusted relationships.”
5. Exploring IPv6’s potential
We are still waiting for the killer app that will take advantage of IPv6 and make it a must-have technology. Some industry observers say we won’t have to wait long.
“What’s going to change this are applications like video,” Cisco’s Rubal said. IPv6 can simplify multicasting and give more people access to resources. “In an IPv6 setting, it is much more dynamic. I believe video will be the application that will shape and accelerate the use of IPv6.”
Mobility applications are also starting to bubble up, he added.
Hughes said voice over IP is the technology to watch. “VOIP will be one of the big ones,” he said. Session Initiation Protocol “on IPv6 can do away with a lot of the complexity and problems associated with VOIP.” SIP is an Internet Engineering Task Force standard for initiating an interactive user session that involves multimedia functions such as video, voice, chat, gaming and virtual reality.
Some VOIP equipment already incorporates IPv6. CounterPath’s eyeBeam softphone uses the new protocols, as does the open-source Asterisk IP private branch exchange server. InfoWeapons plans to release a dual-stack IPv4/6 PBX server early this year.
Also coming this year is the RFID3 standard for addressable devices, which will provide information on location and conditions using IPv6. The devices can be used for sensors and logistics, and IPv6’s expanded address space makes it feasible to use them in large numbers for public health, weather monitoring, materiel tracking and many other applications.
One of the keys to taking advantage of IPv6 is doing away with the restrictions imposed by the limited address space in Version 4. IPv4 has worked around its limited address space by using network address translation, which imposes limitations.
“NAT comes at a big cost,” Hughes said. “It turned the Internet into a one-way channel.”
However, Rubal said he expects that situation to begin changing as IPv6 is put into use. “We’re going to see the NAT curtain dropping somewhat in the next 12 months,” he said.