An annual survey of federal CISOs has found many delaying cloud computing initiatives, uncertain that they can provide the same level of security and prevent data leakage as they do in physical environments.
(ISC)2, the certification body best known for managing the CISSP certification, posed questions to 36 agency and bureau-level CISOs as part of its annual anonymous federal CISO survey. Of those surveyed, 72% said they do not yet use cloud computing because of uncertainties over being able to effectively secure cloud computing and apply current IT security policies or data leakage prevention.
"It's clear that the administration is trying to shrink the cost of IT and sees cloud as one way of accomplishing that objective, but as a group, federal CISOs are reluctant," said Lynn McNulty, a consultant at (ISC)2, who held senior security roles at the National Institute of Standards and Technology, the State Department and the Federal Aviation Administration. "They favor the use of cloud computing for very non-sensitive applications or data that doesn't have any sensitivity to it if it were lost."
CISOs who do use cloud computing services are applying role-based access controls and making architectural improvements to mitigate some of the risks. These early adopters could provide a blueprint for those reluctant to deploy cloud-based services, McNulty said.
Michael Markulec, chief operating officer at network security vendor Lumeta Inc., which has been involved in several federal projects, said the government has started by building out a private cloud. The Defense Information Systems Agency (DISA) uses a cloud-based architecture called the Rapid Access Computing Environment (RACE), which provides services to a number of different agencies.
"These infrastructure services are really analogous to the old frame relay networks where you have multiple users on the same network and it poses many of the same challenges," Markulec said in a recent interview. "It's about understanding what you have and making sure your access control lists and firewalls are doing what they're supposed to be doing."
Federal CISOs are embracing social media, with 62% indicating that social media tools, including peer-to-peer, blogs and forums, are used to support the agency's mission. Among the top threats that concern federal CISOs are exploitable software vulnerabilities (27%), followed by insiders (24%) and threats from foreign nation states (21%), McNulty said.
"CISOs have had a year to put the threat issue into perspective and come back with a balanced view of what they're confronting," McNulty said, adding that the 2009 survey found federal CISOs concerned about external threats. "It's authorized insiders and other factors that have to be considered a threat."
McNulty said website vulnerabilities and spearphishing attacks constantly worry federal security professionals. Software security has become a recurring theme at the federal level. The Department of Homeland Security has implemented a software assurance program to emphasize the need for people procuring software to pay attention to software coding errors.
Federal CISOs report Einstein progress, voice need for support
The survey found a greater level of satisfaction with the government's network security initiatives. However, those surveyed indicated a need to streamline the hiring process, eliminating the bureaucratic red tape that hinders the hiring of skilled security professionals.
"After the hiring process is started, it can take up to a year to bring a person onboard and by that time technologies and processes can change," McNulty said. "I think the government's got to be competitive and is going to have to shrink some of these timelines and do a better job competing with the private sector."
Only 10% of those surveyed were satisfied with HR and procurement operations, a longstanding problem that experts said results in many open positions.
McNulty said many government agencies are reviewing contractor positions and converting some of them into government jobs rather than federal contractor positions. The survey found that contractor conversions and new private sector hires will each make up about 30% of agencies' hires. The remainder will come from the Scholarship for Service program, which brings university graduates into federal security jobs.
"It's kind of natural to convert them to government employees, especially if the onsite contractors have become part of agency and department teams," McNulty said. "Given the economic uncertainties these days, particularly in the contractor force, the retirement benefits, health insurance and other factors make government employment a decent choice."
The Einstein program, which involves the deployment of intrusion detection and prevention systems across agencies, was seen as frustrating and too externally focused in the 2009 survey. But the 2010 survey found a turnaround, with nearly 75% of those surveyed indicating they were either somewhat satisfied or very satisfied with the program. A Government Accountability Office review of Einstein found implementation to be slow. The third phase of Einstein is being tested in a pilot program.
"I think initially they didn't feel like it fit their own specific agency's needs," McNulty said. "Part of the satisfaction this year is a much more transparent environment around cybersecurity initiatives from the Obama administration."
At RSA Conference 2010, White House cybersecurity coordinator Howard Schmidt announced the declassification of the Comprehensive National Cybersecurity Initiative (CNCI), giving the public access to a summary of the $40 billion classified cybersecurity plan. The increased transparency, combined with cross-agency communication, has helped reduce some of the frustration, McNulty said.