NGA looks to ‘reinvent security’ with fast-churn cloud architecture
The National Geospatial-Intelligence Agency wants the flexibility to tear down its cloud architecture and rebuild it every day so that would-be attackers confront a confusing operating environment.
To better protect the nation’s intelligence networks, the National Geospatial-Intelligence Agency is moving most of its IT operations to the cloud and looking to "reinvent security" in the process.
Jason Hess, the NGA's chief of cloud security, wants to take advantage of cloud’s flexibility to tear down the agency's IT architecture and rebuild it every day so that would-be attackers will confront a confusing operating environment and enjoy limited time-on-target.
That flexibility, of course, would require a drastic reduction in the time it takes to secure an authority to operate (ATO) for cloud services. ATOs traditionally can take as long as six months; the goal is a 24-hour turnaround.
So far, using DevOps-style software development techniques, the NGA has managed to get ATOs within seven days, Hess said at the Cyber Resilience Summit on March 21.
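The churn idea above has a practical limit worth seeing concretely: rebuilding every host daily wipes whatever an attacker planted on a host, but anything planted in the build source (base image, infrastructure code, pipeline) is reproduced on every new host, so churn can actually deploy a supply-chain compromise faster. The following is an added toy model, not NGA's code; the fleet, event schedule and "webshell"/"poisoned-image" tags are constructed for illustration.

```python
"""Toy model of "fast architecture churn": a fleet rebuilt from its build
source on a fixed cadence, and the effect on an attacker's time on target.
Constructed example, not code from NGA or the article."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Instance:
    host_id: str
    boot_credential: str                      # issued at boot, dies with the host
    footholds: set = field(default_factory=set)


@dataclass
class Environment:
    size: int
    build_source_footholds: set = field(default_factory=set)  # image/IaC/pipeline
    instances: list = field(default_factory=list)
    generation: int = 0

    def rebuild(self):
        """Tear the fleet down and rebuild it from the build source.
        New host identities and credentials; only what sits in the build
        source survives, because it is copied into every new host."""
        self.generation += 1
        self.instances = [
            Instance(f"g{self.generation}-h{i}", secrets.token_hex(8),
                     set(self.build_source_footholds))
            for i in range(self.size)
        ]

    def live_footholds(self):
        out = set()
        for inst in self.instances:
            out |= inst.footholds
        return out


def simulate(size, days, rebuild_every, events):
    """Run `days` daily ticks, rebuilding every `rebuild_every` days.
    events maps day -> list of ("host", index, tag) or ("source", tag).
    Returns {tag: number of days that foothold was live in the fleet}."""
    env = Environment(size)
    env.rebuild()
    dwell = {}
    for day in range(days):
        if day > 0 and day % rebuild_every == 0:
            env.rebuild()
        for ev in events.get(day, []):
            if ev[0] == "host":
                env.instances[ev[1]].footholds.add(ev[2])   # e.g. a webshell on one host
            else:
                env.build_source_footholds.add(ev[1])        # e.g. a poisoned base image
        for tag in env.live_footholds():
            dwell[tag] = dwell.get(tag, 0) + 1
    return dwell


# Constructed attack timeline: host-level foothold on day 2,
# build-source (supply-chain) foothold on day 5.
EVENTS = {2: [("host", 0, "webshell")], 5: [("source", "poisoned-image")]}

if __name__ == "__main__":
    print("daily rebuild:  ", simulate(3, 10, 1, EVENTS))
    print("monthly rebuild:", simulate(3, 10, 30, EVENTS))
```

With daily rebuilds the webshell lives one day and the poisoned image lands on every host the next morning; with a 30-day cadence the webshell lives for the rest of the run and the poisoned image never reaches the fleet within the window. The rebuild cadence bounds time-on-target only for footholds below the build source; the build source itself still needs integrity controls (signed images, reviewed infrastructure code, a protected pipeline).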
NGA's "fast architecture churn," said Dr. Ron Ross, fellow at the National Institute of Standards and Technology, "is something to watch" in protecting networks and data in the coming years.
The NGA approach isn't for everyone, but speakers at the conference agreed that simply installing technology at the network edge to ward off suspect traffic is obsolete.
"Cybersecurity is something you do, not something you buy," said Dale Meyerrose, a retired Air Force major general, who was also the first appointed CISO for the intelligence community.
"We lie about what we can do" with cybersecurity capabilities, he said. The federal government in general does not compare favorably to industry in detecting cyber intrusions on networks, and cybersecurity programs, with their response teams and other reactive elements, are too passive. "We need a hunt and destroy attitude," Meyerrose said, and an emphasis on integrating cybersecurity into agency missions rather than thinking of it as a separate effort.
At NIST, Ross is pushing an integrated approach. NIST's Special Publication 800-160 security engineering guide, issued last November, urges organizations -- including federal agencies and commercial equipment and service providers -- to address security throughout the systems engineering process rather than "bolting on" firewalls, encryption and monitoring to operating systems and applications after they are purchased.
New approaches must also be developed to get people to live and breathe cybersecurity as part of their agency's mission, the speakers said.
"I don't want my whole office to be made up of cybersecurity PhDs," said Commerce Department acting CIO Rod Turk, but "I can't present to the CFO on why I need a cyber program" if no one on the staff can explain, in a business case, how the program translates into its impact on budget and the overall agency mission.
Turk added that more innovative approaches to encouraging cybersecurity best practices are better done without embarrassing employees.
"I'd rather an anti-phishing campaign be 'here's what you look for'" in phishing emails, he said. "It's not a 'gotcha' thing. I want them to be thinking about it. Information is far more important than embarrassing them."
Turk also briefs agency employees weeks ahead of international trips to countries that are notorious for phishing, explaining how and when they could expect to be phished. "That happens like clockwork 30 days ahead of a trip," he said.