The Department of Energy’s CIO office built an EA toolset to ensure aging servers and software assets don’t become enterprise vulnerabilities.
Dismissed as little more than “shelfware” over the years, enterprise architecture is now getting a fresh look as an approach for addressing specific IT problems, including enhancing agency cybersecurity defenses.
Enterprise architecture, or EA, emerged in the government sector in the 1990s after the Clinger-Cohen Act tasked agency chief information officers with establishing IT architectures in order to improve the alignment between an agency’s IT plans and business practices.
Since then, EA has to compete for management attention with other trends for instituting enterprise efficiency, most recently DevOps and agile development practices that stress collaboration between software and IT development. EA has also had to accommodate an increasingly dynamic IT environment in which cloud-based computing resources can be summoned on the fly.
Against this backdrop, however, some agencies are taking EA in novel directions.
The Department of Energy’s CIO office, for example, has built a tool that enlists EA in the agency’s cybersecurity cause. The Enterprise Architecture Roadmap Solution (EARS) aims to help identify IT assets nearing end-of-life so aging servers and unsupported software don’t become vulnerabilities. An IT security incident in 2013 helped solidify that particular use case.
“We had a cybersecurity breach last year and one of the weak points was ... out-of-date software,” noted Rick Lauderdale, chief enterprise architect of the Department of Energy.
An old copy of ColdFusion had become the point-of-entry for an attack, a discovery that inspired Energy to develop a better record of information it was collecting on its IT assets, he added.
Tools like EARS represent a shift in thinking among agencies, according to government IT watchers.
Brian Fogg, chief technology officer at NCI Inc., an IT services provider, said agencies are cleansing and enriching asset data so they can make better enterprise IT decisions, part of an effort to frame EA within a broader agency asset data discussion.
“Our clients in DOD tend to use it that way and are driving decisions around security and vulnerability management and threat identification,” Fogg said.
EARS in the making
To create the EARS tool, Energy integrated software it already had in place with additional off-the-shelf technology. The department had been using BigFix, which scours Energy’s network to collect data on hardware and software assets, as an asset discovery tool. Energy was also using Troux Technologies’ EA management tool.
The agency began using the applications to explore data on its IT assets. Lauderdale said 30 percent of that data was analyzed to get an estimate of how much of Energy’s hardware and software inventory was hitting end-of-life status.
In doing so, the department discovered problems with its inventory information. For example, merger and acquisition activity among IT companies meant that the same hardware and software products would sometimes appear under different names.
To enhance its asset identification, Energy added products from BDNA to the mix, including BDNA’s Technopedia and Normalize products. Technopedia offers a categorized repository of hardware and software, which gave Energy an enterprisewide standard for IT asset terminology. BDNA Normalize then takes the data from BigFix and normalizes it against the Technopedia standards.
BDNA works with IT vendors to prevent data describing EA from becoming stale. That approach improves the reliability of information on end-of-life assets. “They keep up with the life cycle information … every day, and they update the data structure,” Lauderdale said.
In the next step, the Troux Platform pulls the fully normalized asset information from BDNA, combines it with other contextual business/IT information and provides analytics and visualizations that help identify areas of excessive risk and cost, according to Ted Reynolds, Troux’s vice president of public sector.
Troux generates reports that highlight IT assets with a color-coded lifecycle status – red for assets that are in trouble and ripe for removal, and yellow for assets that are heading for end-of-life, he said.
Agencies looking to apply EA to problems such as IT security need to focus first on preventing their IT asset data from becoming stale. “It begins there,” Fogg said, noting the necessity for a strong commitment to keep the data around the EA up to date.
“The less it is current, the less it is applicable to the enterprise,” he said.
Agencies also need tools to make EA more responsive to IT management challenges. Lauderdale said BDNA and Troux provide a foundation for an EA solution, noting that an agency could include BigFix or another IT asset information products as part of the overall package.
Government agencies hoping to follow Energy’s path will also need some glue code to make the various tools work together. To that end, Energy’s integration code is available free of charge to agencies. “They don’t have to reinvent the wheel,” Lauderdale said.