GCN : April 2013
CYBEREYE
BY WILLIAM JACKSON

THE PUBLIC CLOUD CAN IMPROVE SECURITY BY MAKING IT SIMPLER TO MANAGE RISK

Managing risk in a network requires knowing your assets and prioritizing defenses, says the National Institute of Standards and Technology's Ron Ross. Complexity is the enemy, and moving to the cloud can help simplify.

"You can reduce the complexity of your infrastructure by 5 to 40 percent by moving to the public cloud," said Ross. "Without reducing that complexity, we're going to be doing what technicians call thrashing --- a lot of activity with few results."

Ross, who is NIST's Federal Information Security Management Act implementation lead, made his comments in a discussion on risk management at last month's RSA Conference in San Francisco.

The potential security benefits of the cloud included not only off-loading assets and processes, but also the opportunity to automate the task of monitoring IT systems. Meeting requirements for continuous monitoring of government systems cannot be done manually, said John Streufert, director of network resilience at the Homeland Security Department.

"Use computers for what can be automated," freeing up humans for those things that can't, Streufert said.

With that in mind, DHS is planning to offer continuous monitoring for agencies as a vendor service. The offering is intended to improve automation, ensure consistency and take advantage of the economies of scale in a governmentwide service hosted by a service provider.

DHS issued a request for quotes in December under its Continuous Diagnostics and Mitigation program, also known as Continuous Monitoring as a Service. It is seeking a blanket purchase agreement from a contractor under the General Services Administration's Schedule 70, which includes a wide variety of IT products and services, including cloud services and security services. The BPA would have a base period of one year with four one-year options, with an expected value of $6 billion over all five years.

It would include sensors for monitoring and a central dashboard for authorizing changes and fixes, as well as consulting services. The agreement would include hardware and software asset management capabilities, configuration and vulnerability management, management of access controls and identity management, monitoring of user activity, as well as incident planning and response. Although it is intended for use primarily for civilian .gov networks, DHS expects it also will be used by Defense Department networks in the .mil domain.

The cloud is not a panacea, the speakers warned. "Not all cloud providers are the same," said Justin Somaini, former CISO at Yahoo and Symantec. The best provide good security, but it is up to the user to review security.

This task is eased somewhat by FedRAMP, the Federal Risk and Authorization Management Program, which provides governmentwide provisional authority for agencies to operate on cloud systems. FedRAMP ensures service providers have met baseline security controls for low, moderate and high impact systems, establishing a basic level of trust. But it still is up to the agency to ensure that the controls meet its needs and sign-off on operations.

Effective risk management means that agencies must decide what operations and functions can be safely moved to the cloud. This is a matter of comfort as well as technology, and Ross advised that agencies begin by moving low-impact activities that require the minimum level of security and consider other activities as they get more information about the process.

WHAT TRENDS HAVE THE GREATEST IMPACT ON YOUR AGENCY'S ABILITY TO ACHIEVE SECURITY?

A show-floor survey of 150 security officials conducted by the security company F5 at the RSA Conference held last month in San Francisco highlighted the evolution of the threat landscape in their top concerns. The increasingly distributed, virtualized and politicized IT environment presents challenges many are not yet equipped to deal with.
--- William Jackson

Virtualization: 73%
Increasingly complex threats: 72%
BYOD: 66%
Changing motives, from hacking to espionage: 62%
The shift from data centers to cloud-based infrastructures: 61%
The shift from client-server to Web-based applications: 60%