>Fixing The Information Flow

>

Faucet

So check this out–H2Glow has an LED faucet light that it temperature sensitive and turns blue for cold water and red for hot.

When I saw this, I thought this would be a great metaphor for managing the information flow from our organizations–where we could quickly and simply see whether the information flowing was sharable and for public consumption (“blue”) or whether something was private and proprietary (“red”).

The Economist, 24 February 2011, in an article called “The Leaky Corporation” writes: “Digital information is easy not only to store, but also to leak. Companies must decide what they really need to keep secret, and how best to do so.”

Like a faucet that gushes water, our organizations are releasing information–some with intent (where we are in control) and much without (due is spillage and pilferage).

In the age of WikiLeaks, computer hackers, criminals, terrorists, and hostile nation states, as well as the insider threat, information is leaking out uncontrollably from our organizations and this puts our vital competitive information, national secrets, and personal privacy information at risk (i.e. health, financial, identity, and so on).

Of course, we want the proverbial blue light to go on and information to be shared appropriately for collaboration and transparency, but at the same time, we need to know that the light will turn red and the information will stop, when information is justifiably private and needs to be kept that way.

Being an open and progressive society, doesn’t mean that that there is only cold water and one color–blue. But rather, that we can discern the difference between cold and hot, blue and red, and turn the faucet on and off, accordingly.

Information is proliferating rapidly, and according to IDC, a market research firm, the “digital universe” is expected to “increase to 35 zettabytes by 2020.”–a zettabyte is 1 trillion gigabytes or the equivalent of 250 billion DVDs.

Therefore, the necessity of filtering all this digitally available information for inside use and outside consumption is going to become more and more critical.

According to The Economist article, we will need to employ the latest techniques and automation tools in:

Enterprise Content Management–to “keep tabs on digital content, classify it, and define who has access to it.”
Data Loss Prevention–using “software that sits at the edge of a firm’s network and inspects the outgoing data traffic.”
Network Forensics–“keep an eye on everything in the a corporate network and thus…detect a leaker.”

Of course, as the Ciso chief security officer says: “technology can’t solve the problem, just lower the probability of accidents.

In the end, we need to make sure people understand the vulnerability and the dangers of sharing the “red” information.

We can focus our employees on protecting the most critical information elements of the organization by a using a risk management approach, so that information with the high probability of a leak and with the greatest possible negative impact to the organization is filtered and protected the most.

The leaky faucet is a broken faucet and in this case we are all the plumbers.

>Information Management Framework

>The Information Management Framework (IMF) provides a holistic view of the categories and components of effective information architecture.

These categories include the following:

Information-sharing–Enable information sharing by ensuring that information is visible, accessible, understandable, and interoperable throughout the enterprise and with external partners.

Efficiency–Improve mission efficiency by ensuring that information is requirements-based, non-duplicative, timely, and trusted.

Quality–Promote information quality, making certain that information provided to users is valid, consistent, and comprehensive.

Compliance–Achieve compliance with legislation and policy providing for privacy, freedom of information, and records management.

Security— Protect information assets and ensure their confidentiality, integrity, and availability.

All areas of the framework must be managed as part of effective information architecture.

>Security Architecture Q&A

>

Recently, I was interviewed on the subject of Security Architecture and was given permission to share the Q&A:

In general, what kinds of information security issues does an organization face?

The overarching information security issue in any organization is one of communication, collaboration and the need for transparency vs. the need to protect information from being compromised. Information security is about more than just “stopping leaks.” It is also about making sure that people don’t intercept, interject or otherwise manipulate agency information for their own ends.

A related issue has to do with protecting the agency’s critical IT infrastructure from physical or cyber attack. It’s the age-old conflict: If you lock it down completely, then you’re protecting it, but you also can’t use it. And if you open yourself up altogether, then obviously it won’t be long before somebody takes aim.

Finally, the largest threat to an organization’s information is clearly from insiders, who have the “keys to the kingdom.” And so one must pay great attention to not only the qualifications, but also the background, of the employees and contractors entrusted with access to IT systems. Additionally we must institute checks and balances so that each person is accountable and is overseen.

How do leaders demonstrate security leadership?

Leadership in the area of security is demonstrated in a variety of ways. Obviously the primary method for demonstrating the importance of this function is to formalize it and establish a chief information security officer with the resources and tools at his or her disposal to get the job done.

But security leadership also means building an awareness of risk (and countermeasures) into everything we do: education, awareness, planning, designing, developing, testing, scanning and monitoring.

When new applications or services are being planned and rolled out, does security have a seat at the table?

I can’t imagine any organization these days that doesn’t consider security in planning and rolling out new applications or services. The real question is, does the organization have a formal process in place to provide certification and accreditation for IT systems? By law, federal agencies are required to do this.

Would you say that information security is generally tightly integrated into organizational culture?

I think that a security mindset and culture predominate in professions where security is paramount, such as law enforcement, defense and intelligence, for obvious reasons.

But the larger question is, how would other organizations make the transition to a culture of greater information security? And this is actually a really important question in today’s age of transparency, social networking, Web 2.0, etc., where so much information is freely flowing in all directions. One approach that I have adopted as a culture-changing mechanism is to treat key initiatives as products to be marketed to a target audience. The IT security professional needs to be a master communicator as well as a technical expert, so that employees not only grudgingly comply with necessary measures, but are actively engaged with, and support, their implementation.

At the end of the day, the organization’s information security is only as strong as its weakest link. So security has to be as deeply ingrained into the culture and day-to-day operations as possible.

Is information security an inhibitor to new initiatives?

Information security is one of many requirements that new initiatives must meet. And of course there will always be people who see compliance as an inhibitor. But the reality is that security compliance is an enabler for initiatives to achieve their goals. So the key for IT security professionals is to keep educating and supporting their stakeholders on what they need to do to achieve success and security at the same time.

>IPv6 and Enterprise Architecture

>

Internet Protocol version 6 (IPv6) is a network layer for packet-switched internetworks. It is designated as the successor of IPv4, the current version of the Internet Protocol, for general use on the Internet. The main change brought by IPv6 is a much larger address space that allows greater flexibility in assigning addresses. The extended address length eliminates the need to use network address translation to avoid address exhaustion, and also simplifies aspects of address assignment and renumbering when changing providers. (Wikipedia)

IPv6 is an important architecture change.

Government Executive Magazine, May 2008, reports that “Ipv6 upgrades are critical as space available for Internet addresses dwindles.”

Why are we running out of IP addresses on version 4?

IPv4 uses 32-bit addresses and can support 4.3 billion devices with individual addresses on the Internet. With the world’s population estimated to be 6.5 billion—and with many people possessing multiple electronic devices such as PCs, cell phones, and iPods—there simply wil not be enough IPv4 addresses to meet the demand, let alone support the anticipated influx of new Internet users from developing countries. Also on the horizon are newfangled IP-enabled devices and appliances that will drive up the number of IP addresses per person.”

How does IPv6 solve this problem?

“IPv6 used 128-bit addresses and can support a virtually limitless number of globally addressable devices (The actual number is 2 to the 128th power).”

How is the conversion going?

The office of Management and Budget (OMB) has mandated that “By June 30, all federal agencies must prove that they have upgraded their networks’ connections, or backbones, to be capable of carrying IPv6 data traffic.”

Note: “All leading routers can support IPv6.”

A senior vice president for Quest said that “Every North American business and government needs to make the conversion.”

What other benefits does IPv6 offer?

Other benefits include:“built in security, network management enhancements such as auto-configuration and improved support for mobile networks. But in the decade since IPv6 was created, many of the extra features have been added to IPv4. So, the real motivator…is that it offers unlimited IP address space.”

The most savings, however, will come from the new applications and services that IPv6 will provide.”

The Department of Defense “needs IPv6 to make its vision of netcentric warfare (the ability to tie together networks and sensors to deliver a stream of integrated real-time data to the battlefield and commanders) a reality…with IPv6, ‘everything can be addressable from a soldier to a sensor to an aircraft to a tank…we could have a sensor network with hundreds of thousands of nodes.”

IPv6 is important, but what other network initiatives underway is it competing with?

  • The Trusted Internet Connections (TIC) initiative—aims to “reduce the number of external connectivity points that workers use to gain access to the internet.”
  • Networx—“a telecommunications contract that agencies are supposed to use to select a new carrier by September.”

On the Federal side, what needs to be architected next for IPv6?

“Federal IT managers should begin reserving IPv6 address space, developing an addressing plan, and creating a migration strategy that includes extensive product testing and evaluation. So far 37 agencies have requested IPv6 adress space from the American Registry for Internet Numbers.”

>Information Management and Enterprise Architecture

>

Information management is the key to any enterprise architecture.

Information is the nexus between the business and technical components of the EA:

  • On one hand, we have the performance requirements and the business processes to achieve those.
  • On the other hand, we have systems and technologies.
  • In between is the information.

Information is required by the business to perform its functions and activities and it is served up by the systems and technologies that capture, process, transmit, store, and retrieve it for use by the business. (The information perspective is sandwiched in between the business and the services/technology perspectives.)

Recently, I synthesized a best practice for information management. This involves key values, goals for these, and underlying objectives. The values and objectives include the following:

  1. Sharing –making information visible, understandable, and accessible.
  2. Quality—information needs to be valid, consistent, and comprehensive.
  3. Efficiency—information should be requirement-based (mission-driven), non-duplicative, timely, and delivered in a financially sound way.
  4. Security—information must be assured in terms of confidentiality, integrity, and availability.
  5. Compliance—information has to comply with requirements for privacy, Freedom of Information Act (FOIA), and records management.

The importance of information management to enterprise architecture was recently addressed in DM Review Magazine, May 2008. The magazine reports that in developing an architecture, you need to focus on the information requirements and managing these first and foremost!

“You need to first understand and agree on the information architecture that your business needs. Then determine the data you need, the condition of that data and what you need to do to cleanse, conform, and transform that data into business transformation.”

Only after you fully understand your information requirements, do you move on to develop technology solutions.

“Next, determine what technologies (not products) are required by the information and data architectures. Finally, almost as an afterthought, evaluate and select products.” [I don’t agree with the distinction between technologies and products, but I do agree that you first need your information requirements.]

Remember, business drives technology—and this is done through information requirements—rather than doing technology for technology’s sake.

“Let me also suggest …Do not chase the latest and greatest if your incumbent products can get the job done.”

In enterprise architecture, the customer/end-user is king and the information requirements are their edicts.

>10 Obstacles to Enterprise Architecture

>

Here is an interesting list of 10 obstacles to the enterprise architecture from a colleague and friend, Andy Wasser, Associate Dean, Carnegie Mellon University School of Information Systems Management:

  1. Lack of Senior Management [Commitment] Support
  2. Inability to obtain necessary resources (funds, personnel, time)
  3. Business partner alienation
  4. Internal IT conflicts and turf issues (no centralized authority)
  5. Lack of credibility of the EA team
  6. Inexperience with enterprise architecture planning or inexperience with the organization
  7. Entrenched IT team [operational focus versus strategic]
  8. Focus on EAP methodologies and tools [rather than on outputs and outcomes]
  9. Uncertain payback and ROI
  10. Disharmony between sharing data vs. protecting data

This is a good list for the chief enterprise architect to work with and develop strategies for addressing these. If I may, here are some thoughts on overcoming them:

1-4,7,9: Obtain Senior management commitment/support, resources, and business/IT partnership by articulating a powerful vision for the EA; identify the benefits (and mandates); preparing an EA program assessment, including lessons learned and what you need to do to make things “right”; developing an EA program plan with milestones that shows you have a clear way ahead. Providing program metrics of how you intend to evaluate and demonstrate progress and value for the business/IT.

5,6,8: Build credibility for EA planning, governance, and organizational awareness by hiring the best and the brightest and train, train, train; getting out of the ivory tower and working hand-in-hand in concert with business partners; building information products and governance services that are useful and usable to the organization (no shelfware!); using a three-tier metamodel (profiles, models, and inventories) to provide information in multiple levels of details that makes it valuable and actionable from everyone from the analyst to the chief executive officer; looking for opportunities (those that value EA and want to participate) and build incrementally (“one success at a time”).

10: Harmonize information sharing and security by developing an information governance board (that includes the chief information security officer) to vet information sharing and security issues; establishing data stewards to manage day-to-day issues including metadata development, information exchange package descriptions, discovery, accessibility, and security; creating a culture that values and promotes information sharing, but also protects information from inappropriate access and modification.

>Hacker Camps and Enterprise Architecture

>

One of the perspectives of the enterprise architecture is Security. It details how we secure the business and technology of the organization. It includes managerial, operational, and technical controls. From an information security view, we seek confidentiality, integrity, availability, and privacy of information.

Who are we protecting the enterprise from in terms of our information security? From hackers of course!

How do we protect ourselves from hackers? By teaching our security professionals the tricks of the trade—teach them how to hack!

The Wall Street Journal, 1 April 2008, reports that “Hacker Camps Train Network Defenders: Sessions Teach IT Pros to Use Tools of the Online Criminal Trade.”

“In such sessions, which cost about $3,800, IT pros typically spend a week playing firsthand with the latest underground computer tools. By the end of the week, participants are trained as ‘ethical hackers’ and can take a certification test backed by the International Council of Electronic Commerce Consultants.”

Overall more than 11,000 people have received the ‘ethical hacker’ certificate since 2003; nearly 500 places world-wide offer the training.”

Why do we need to teach these hacking tools to IT security professionals?

They need to understand what they’re up against so they can more effectively plan how to protect against the adversary. Know thy enemy!

How large is the IT security issue?

The average large U.S. business was attacked 150,000 times in 2007…the average business considered 1,700 of these attacks as sophisticated enough to possibly cause a data breach. In addition, the number of unique computer viruses and other pieces of malicious software that hackers tried to install on computers and IT networks doubled to 500,000 last year from 2006…[and it’s expected] to double again in 2008.”

It’s great that we are advancing the training of our information security champions and defenders, but what about those who take the course, but are really there to learn hacking for the sake of hacking? How many of the 11,000 ‘ethical hackers’ that have been trained are really ethical and how many are using their newfound knowledge for more nefarious ends?

From an enterprise architecture standpoint, we need to ensure that we are not giving away the keys of the kingdom to anyone, including our own IT security staff—through hacker training. Also, we need to be careful not to rely on any one individual to maintain the security order of things. We need to plan our security using a system of checks and balances, just like the constitution lays out for the governance of the nation, so that even the chief information security officer (CISO) is accountable and has close oversight. Finally, we need to institute multiple layers of defense to work best we can to thwart even the determined hackers out there.

>Information Integrity and Enterprise Architecture

>

We are in an information economy and now more than ever business needs information to conduct their functions, processes, activities, and tasks.

To effectively conduct our business, the information needs to be relevant and reliable. The information should be current, accurate, complete, understandable, and available.

Information integrity is essential for enabling better decision-making, improving effectiveness, and reducing risk and uncertainty.

However, according to DMReview, 8 February 2008, “information within the [corporate] data warehouse continues to be inaccurate, incomplete, and often inconsistent with its sources. As a result, data warehouses experience low confidence and acceptance by users and consumers of downstream reports.”

“The Data Warehousing Institute estimates that companies lose more than $600 million every year due to bad information.”

What are some of the challenges to information integrity?

  1. Complex environments, [in which organizations] constantly generate, use, store, and exchange information and materials with customers, partners, and suppliers.”
  2. Accelerating change in the business environment [and] changing needs of business users”
  3. “Increasing complexity of source systems and technology
  4. Expanding array of regulations and compliance requirements

“Change and complexity introduce information integrity risk. Accelerating change accelerates information integrity risk. Compliance makes information integrity an imperative rather than an option.”

What are the particular challenges with data warehouses?

  1. Questionable input information—“Several source systems feed a data warehouse. Data may come from internal and external systems, in multiple formats, from multiple platforms.”
  2. Lack of downstream reconciliation—“As information traverses through the source systems to a data warehouse, various intermediate processes such as transformations may degrade the integrity of the data. The problem becomes more acute when the data warehouse feeds other downstream applications.”
  3. Inadequate internal controls—these include controls over data input, processing, and output, as well as policies and procedures for change management, separation of duties, security, and continuity of operations planning.

From an enterprise architecture perspective, information integrity is the linchpin between the businesses information requirements and the technology solutions that serves up the information to the business. If the information is no good, then what good are the technology solutions that provide the information to the business? In other words, garbage in, garbage out (GIGO)!

As enterprise architects, we need to work with the business and IT staffs to ensure that data captured is current, accurate, and complete, that it is entered into the system correctly, processed accurately, and that outputs are distributed on a need to know basis or as required for information sharing purposes, and is protected from unauthorized changes.

Using business, data, and systems models to decompose the processes, the information required for those, and the systems that serve them up helps to identity possible information integrity issues and aids in designing processes that enable quality information throughput.

Additionally, security needs to be architected into the systems from the beginning of their lifecycle and not as an afterthought. Information confidentiality, integrity, availability, and privacy are essential for an information secure enterprise and for information quality for mission/business performance.

>Fire Sale Attack and Enterprise Architecture

>

Fire Sale─“Matt Farrell (Justin Long), a character in the movie Live Free or Die Hard, used this term to describe the plot by Thomas Gabriel (Timothy Olyphant) to systematically shut down the United States computer infrastructure. The plan crashes the stock market, communications and utilities infrastructure, crippling America’s economy and causing nation-wide chaos. The term was coined because of the phrase “everything must go” meaning all of the world’s technology based off of a computer system, virtually everything.” (Wikipedia)

The New York Times, 4 June 2007, in an article titled, “When Computers Attacks,” states how governments are preparing for the worst in terms of cyber attacks.

Anyone who follows technology or military affairs has heard the predictions for more than a decade. Cyberwar is coming. Although the long-announced, long-awaited computer-based conflict has yet to occur, the forecast grows more ominous with every telling: an onslaught is brought by a warring nation, backed by its brains and computing resources; banks and other businesses in the enemy states are destroyed; governments grind to a halt; telephones disconnect.”

What systems are at risk?

All computers are at risk that connect “to the Internet through the industrial remote-control technologies known as Scada systems, for Supervisory Control and Data Acquisition. The technology allows remote monitoring and control of operations like manufacturing production lines and civil works projects like dams. So security experts envision terrorists at a keyboard remotely shutting down factory floors or opening a dam’s floodgates to devastate cities downstream.

But how bad would a cyberwar really be — especially when compared with the blood-and-guts genuine article? And is there really a chance it would happen at all? Whatever the answer, governments are readying themselves for the Big One.

For example, “China, security experts believe, has long probed United States networks.Congress, China’s military has invested heavily in electronic countermeasures and defenses against attack, and concepts like “computer network attack, computer network defense and computer network exploitation.” According to a 2007 Defense Department annual report to

What are we doing?

The United States is arming up, as well. Robert Elder, commander of the Air Force Cyberspace Command, told reporters in Washington at a recent breakfast that his newly formed command, which defends military data, communications and control networks, is learning how to disable an opponent’s computer networks and crash its databases.

How serious is the threat of cyber attack?

An all-out cyberconflict could ‘could have huge impacts,’ said Danny McPherson, an expert with Arbor Networks. Hacking into industrial control systems, he said, could be ‘a very real threat.’”

Is our nation’s architecture prepared to secure our enterprises and this country from a fire sale-type or other cyber terrorism attacks? Here are some actions that have been taken based on a CRS Report for Congress on “Computer Attacks and Cyber Terrorism” (17 October 2003)

  • In 2002, The Federal Information Management Security Act (FISMA) was enacted giving the office of OMB responsibility for coordinating information security and standards developed by civilian federal agencies.
  • In 2003, The National Strategy to Secure Cyberspace was published by the administration to encourage the private sector to improve computer security for critical infrastructure.
  • DHS has established the National Cyber Security Division (NSCD) to oversee the Cyber Security National Tracking and Response Center to conduct analysis of threats and vulnerabilities, issue alerts and warnings, improve information sharing, and respond to major cyber security incidents.
  • The Cyber Warning and Information Network (CWIN) is an early warning system for cyber attacks.
  • In 2003, there was established a new Terrorist Threat Integration Center (TTIC) to monitor and analyze threat information (composed of CIA, FBI, DOD, DHS, and Department of State officials)

Additionally, “The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERThttp://www.us-cert.gov/) coordinates defense against and responses to cyber attacks across the nation.

According to the CRS Report For Congress, in July 2002, The U.S. Naval War College hosted a three day seminar style war game called ‘Digital Pearl Harbor;” 79% of participants believed that a strategic cyber attack was likely within 2 years.

While the dreaded cyber attack did not occur as feared by the war game participants, the scenario of a devastating cyber attack remain a real possibility that we must be prepared to confront and defeat.

As in the movie Live Free or Die Hard, a major cyber attack on this country could quickly bring us to our knees, if successful. We have become a nation born and bred on computers and automation. I challenge you to think of many things that you do that does not in some way involve these. We have formed a day-to-day dependency on all things computers, as individuals and as a nation.

In our enterprise architecture, we must continue to focus on comprehensive security frameworks for our organizations that address technical, managerial, and operational security areas. While the Federal Enterprise Architecture treats Security as a cross-cutting area, I believe that Security should be its own perspective (even though it crosses all domains), so that it can be given focus as an area that each and every agency and organization addresses. We must do more than create alerts, warning, and reporting capabilities. We need both “computer vaccines” that can quickly cure and rid us from the encroachment of a cyber attack, as well as hunter-killer offensive capabilities that can paralyze any warring nation or terrorist organization that would dare to attack us.

I remember hearing a saying that once something is created, it is bound to eventually be used. So it was with the atomic bomb. So it will be with cyber warfare, and we must be prepared to defend this nation.