Federal IT Initiatives - BDPA Conference Executive Panel

Executive panel discussion at the 2010 BDPA Technology Conference on "Federal IT Initiatives".

Panel members: John James (US Navy), Bob Whitkop (US Navy), Tony McMahon (IRS) and Dr. Anthony Junior (US Navy)

Speaker notes:
  • Deliver web services – reduce deployment time for new web services by at least 25%
  • Reduce O&M costs / increase capacity – 15% increase in capacity
  • Transform IT procurement – lower active category managed spend by at least 10%
  • Effectively address risk management – ensure IT is not a barrier to business continuity
  • Complete industry standard web platform – reduce platform cost by at least 30% in first year
  • Simplify governance – increase capacity of internal processes by at least 30%
  • Pilot and launch new end user technologies – at least one meaningful pilot per year
  • Improve end user support – improve resolution time by 10%
  • Complete CADE2 – improve the use of data to drive decision making across the agency
  • Radically rationalize application portfolio – reduce on-going application maintenance costs by at least 25%
  • Provide standardized services – 25% lower TCO for deployed solutions (e.g., storage)
  • Build internal capability – networks, operations, architecture, cybersecurity, planning
  • Utilize cost and performance data transparency throughout IT – have linked, cascading metrics from CTO to first line managers
  • Partner with the business to more effectively plan demand – drive top down coordination across projects and investments to align and team against all initiatives
  • *Dark cloud: Study finds security risks in virtualization
    By Kathleen Hickey, Mar 18, 2010
    http://fcw.com/articles/2010/03/18/dark-cloud-security.aspx

    Government IT upgrade projects may soon have a new wrench thrown into the works. According to recent research from Gartner, 60 percent of virtual servers are less secure than the ones they replace. The situation is slated to continue through the end of 2015, when the number of insecure virtual servers is expected to drop to 30 percent.

    "Virtualization is not inherently insecure," said Neil MacDonald, Gartner fellow and vice president. "However, most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants."

    Numerous state, local and federal agencies have moved or are moving to virtual servers, including the state of California and the Energy Department. While Gartner estimated that only 18 percent of enterprise data center workloads had been virtualized at the end of 2009, that number is expected to grow to more than 50 percent by the close of 2012.

    One of the major causes of this issue is a lack of involvement of the IT security team in the architecture and planning stages of development, Gartner said. About 40 percent of the surveyed organizations had not brought security professionals into the projects.

    Another risk is that the virtualization layer could compromise all hosted workloads, with hackers already targeting this layer, Gartner said. Gartner recommends keeping the layer "as thin as possible, while hardening the configuration to unauthorized changes." Organizations should not rely on host-based security controls, the report states.

    Other risks include a lack of visibility and controls on internal virtual networks, which are not visible to network-based security protection devices, such as network-based intrusion prevention systems, and consolidations of workloads of different trust levels on the same physical server without adequate separation. There is also the potential for inadequate administrative access controls and administrative tools for the hypervisor/virtual machine manager layer. Finally, a potential loss of separation of duties for network and security controls could lead to inadvertently allowing users to gain access to data that exceeds their normal privilege levels.

    To address these risks, Gartner recommended treating the virtual network as similar to a physical one, with the same kind of monitoring and separation of workloads and the same team handling both. Additionally, organizations should isolate virtual desktop workloads from the rest of the physical data center and restrict access to the virtualization layer.
  • **Social media opens new door to cyberattacks, panel says
    Malware is now No. 1 cybersecurity threat, according to survey
    By David Hubler, Mar 24, 2010
    http://washingtontechnology.com/articles/2010/03/24/social-media-cyber-attacks.aspx

    E-mail attachments are no longer the attack of choice of computer hackers and other individuals intent on gaining access to government and industry systems, security experts said today. As increasing numbers of people adopt social media, those sites are becoming the new attack portal of choice and malware is now the No. 1 threat, panelists said at the FOSE 2010 trade show in Washington, D.C.

    Two or three years ago, the No. 1 vector for viruses was through e-mail, primarily attachments. But today those attacks account for "the low end of single digits," said Bob Hansmann, senior product marketing manager at Blue Coat Systems. "The vast majority of attacks actually come through the Web, and yet it is amazing how few people actually scan their http or https, their secure connections to Web mail," he said.

    A recent survey found that the number of people who have accounts at social networking sites, such as Facebook and MySpace, is 10 percent greater than the number of people who have e-mail accounts, Hansmann added. "That's where all this malware is coming from," he said. "People have to start looking beyond e-mail and do something at the gateway. You can't trust the desktop."

    The top three IT security issues today are malware, inappropriate employee activity or network use, and issues related to remote Web access, said Andy Lausch, vice president of CDW Government, citing a recent CDW-G survey.

    "The potential for incidents grew dramatically over the past year," Hansmann said. "We saw the number of malware [incidents] double. Phishing attacks went up 600 percent in 2009." "We're just seeing more attacks so we are seeing more incidents," he said, adding that although Web 2.0 is not a new technology, it has changed the way people use the Internet. "A lot of users don't know how to protect themselves," he said. He called for more education and increased spending for the new kinds of defenses that are needed, such as better URL filtering.

    There's a cybersecurity tools gap, said Stan Oien, manager of security practices at CDW-G. Government agencies "fully need to figure out where their gaps are," he said. "Start with an assessment. Try to get an assessment of the environment. That will give you a baseline, and in that way, you can kind of build your plan moving forward." "All too often I see a lot of customers and a lot of agencies that actually don't even know where their gaps are," Oien added. "Threats are going to be changing. They're ever-evolving and becoming much more complex."

    The panelists suggested that agencies and contractors consider cloud computing as one way to reduce the number of cyberattacks.
Slides:

1. EXECUTIVE PANEL SERIES
   "From the Classroom to the Boardroom"

2. FEDERAL IT INITIATIVES
   Panelists:
   John James – Director, National Security Personnel System Transition Office, OSD
   Tony McMahon – Director, Enterprise Computing Center, IRS
   Robert Whitkop – Executive Director, Navy's Next Generation Enterprise Network Special Programs Office
   Dr. Anthony Junior – Director, Navy's Historically Black Colleges and Universities/Minority Institutions (HBCU/MI), Office of Naval Research
   Moderator:
   Wayne Hicks – Executive Director, BDPA Education and Technology Foundation

3. John James
   FEDERAL IT INITIATIVES
   Director, National Security Personnel System Transition Office, Office of the Secretary of Defense

4. Tony McMahon
   Director, Enterprise Computing Center, Internal Revenue Service
   FEDERAL IT INITIATIVES

5. BDPA 2010 National Conference Executive Panel Discussions
   Federal IT Initiatives: What's Next? Are you ready?
   Tony McMahon
   7/19/2010

6. The IRS Importance
   The IRS collected $2,345,337,177 of revenue for the Federal Government for the year 2009. This amount constitutes roughly 96% of the total Federal Revenue.
   The approximate percentage breakdown of Federal Revenue is as follows:
   Taxes collected via the IRS:
   • Individual – 45%
   • Payroll – 36%
   • Corporate – 12%
   • Excise – 3%
   The remaining 4% of Federal Revenue is derived from Federal Reserve, Customs, and miscellaneous fees and fines.

7. Real Estate & Infrastructure Footprint
   • Enterprise Computing Centers:
     • Martinsburg – 134,789 square ft of ADP space
     • Memphis – 96,012 square ft of ADP space
     • Detroit – 49,168 square ft of ADP space
   • Remote Locations:
     • CONUS – servers in all states except Wyoming, Delaware, and Hawaii
     • OCONUS – Beijing, London, Frankfurt, Paris
   Infrastructure – Current Snapshot
   Tier I:
   • Unisys: 2 physical Dorado 280s
     • MTB partitioned into Prod (ITIF), MADS, TEST, DR
     • MEM partitioned into PROD (BTIF, ZTIF), SAT, FIT, DR
   • IBM:
     • MTB z9s – 4; z10s – 1 permanent, 1 loaner (CADE2)
     • MEM z9s – 1
   Tier II:
   • 6000+ Wintel
   • 1000+ Unix
   • 100+ Linux

8. The IRS Journey to World Class
   Aggressive 3 year program geared toward the completion of:
   Wave 1 (0-18 months)
   • Delivery of improved web services
   • Reduce O&M costs / increase capacity
   • Transformation of IT procurement processes
   • Disaster Recovery / Risk Management review
   Wave 2 (12-36 months)
   • Complete industry standard web platform (irs.gov, RUP/EUP)
   • CMMI/ITIL
   • Migration to data centric environment (CADE2)
   • Simplify governance and re-balance the organization towards IT "doers" vs. "managers"
   • Pilot and launch new end user technologies to improve productivity
   • Improve end user support effectiveness
   Wave 3 (24-54 months)
   • CADE2 finalization / begin retirement of legacy apps
   • Radically rationalize Applications Development and Maintenance
   • Standardized services

9. Treasury & IRS Involvement in Congressional and Presidential Driven Initiatives
   • Consolidation of Federal Data Centers
   • Hiring Incentives to Restore Employment (HIRE) Act
   • Health Care Reform

10. Sources
    IRS Statistics of Income: http://www.irs.gov/taxstats/index.html
    Congressional Budget Office: http://www.cbo.gov/
    Office of Management & Budget: http://www.whitehouse.gov/omb/
    HIRE Act: http://www.irs.gov/newsroom/article/0,,id=220326,00.html

11. Robert "Bob" Whitkop
    FEDERAL IT INITIATIVES
    Executive Director, Naval Next Generation Enterprise Network (NGEN) Special Programs Office

12. Technology in Motion: The changing shapes of the Cloud
    BDPA Symposium, Philadelphia
    Network Centricity 2020
    Bob Whitkop, Exec Director, NGEN SPO
    (202) 213-7858

13. We have the Network!
    Transparent transport
    Secure Network
    Wired
    Wireless (3G / 4G)
    WiFi
    Bandwidth, bandwidth, bandwidth...
    Policies, Standards, Spectrum
    IPv4 / IPv6
    Access – where controlled?
    PII
    It changes and grows
    Etc...

14. It's the Data, 'Stupid'...
    Where does the data come from?
    Cloud – My Cloud / Your Cloud
    Internet – Everybody's Cloud
    Private data stores
    RF over IP / SCADA
    VoIP
    Social networking
    Safe?
    Virtualized!
    COOP

15. How does the Data get there?
    VLAN / VPN from private networks
    Open source Internet data
    Other data owners' databases
    Streaming video
    Compressed?

16. Secure at the Door
    Now that you have found the data...
    Do you let it in?
    Do you secure it in transit?
    Data at rest
    Can you use it?
    Certificates?
    Ports and protocols
    VM
    How does IPv6 play? / When?

17. Applications
    Are they optimized?
    Are they web-based?
    NIST approved? Common Criteria? FIPS 140-2?
    Will they run in your environment?
    Standard format
    Standard displays
    CM issues
    SaaS
    App development and certification
    CMMI – if not, what?
    Transition of software
    Data Centers – how many, where, and why?
    Latency
    Access
    Capacity
    Ownership

18. Greening IT
    Power
    Electricity
    Consumption
    Display
    Monitors
    Virtual
    Circuitry
    Lead
    Boards and wires and frames
    Boxes
    Plastics for a million years

19. Managing as an Enterprise
    What is an Enterprise? How are decisions made?
    Where does Enterprise stop and uniqueness begin?
    How do you cost out services on the network? LCM...
    Enterprise – Integrated – Federated – Associated
    How do you certify the seams?
    Datacenters...
    IV&V?

20. Team Vision
    Understand the requirements
    Understand the 'missions'
    Technology insertion strategy
    Speed to capability
    Build security in the design
    Thinking to the future
    Questions?
    Bob Whitkop
    robert.whitkop@navy.mil
    (202) 213-7858

21. Enterprise ITSM
    Required to ensure consistent and affordable solutions supporting the Warfighter/Business
    Challenges
    • Paradigm shift from Infrastructure/Application to Services Management (Things → Outcomes)
    • RACI designation – single bellybutton to reach across organizations
    • Merging ITSM processes into daily procedures
    • Controlling processes versus controlling services
    Recommendations
    • Leadership engagement and understanding
    • Enterprise training for all personnel
    • Focus process development on "pain points"
    • Adopt a single framework BUT adapt it to your organization

22. Data Centers morph into the Network!
    Data Center Virtualization
    • Growing from 18% of data center workloads in 2009 to over 50% in 2012, per Gartner
    • Effective security practices must be baked in from inception of a well strategized Virtual Data Center (VDC) deployment!
    • Per Gartner: 60% of virtual servers employed in this new rapid growth are more vulnerable than the original server deployment
    • "One of the major causes of this issue is a lack of involvement of the IT security team in the architecture and planning stages of development," Gartner said. About 40% of the surveyed organizations had not brought security professionals into the projects. (Dark cloud: Study finds security risks in virtualization*)
    Risk factors to consider:
    • A vulnerable virtualization layer will compromise the hosted applications ... focus proven security controls in the VDC configuration process and procedures upfront
    • Network management visibility and processes that fail to make internal virtual networks transparent to proven security protection tools and protocols ... what can I see and when
    • Fusing of trust levels on the same physical server without adequate separation ... remain vigilant about data mining and Semantic Web 2.0 techniques that allow sensitive network intelligence to be "manufactured" that could spill into unprotected channels

23. Web 2.0: Window to Virtual Data Centers
    The email with attachment is no longer the attack vector on networked data centers:
    "The vast majority of attacks actually come through the Web, and yet it is amazing how few people actually scan their http or https, their secure connections to Web mail," said Bob Hansmann, Blue Coat Systems (Social media opens new door to cyberattacks, panel says**)
    Facebook and MySpace accounts exceed email user accounts by 10% and growing
    The Web 2.0 culture of exponential information sharing trends among uninformed users is inviting malicious attacks into the VDC due to this lax security awareness:
    "The top three IT security issues today are malware, inappropriate employee activity or network use, and issues related to remote Web access," said Andy Lausch, vice president of CDW Government, citing a recent CDW-G survey.**
    The new Web 2.0 behaviors are evolving faster than VDC gaps can be analyzed:
    "All too often I see a lot of customers and a lot of agencies that actually don't even know where their gaps are... Threats are going to be changing. They're ever-evolving and becoming much more complex," said Stan Oien, a security manager at CDW-G**
    Modeling and simulation of Semantic Web 2.0 behavior patterns will allow more aggressive analysis and mitigation of VDC vulnerability gaps

24. Dr. Anthony Junior
    FEDERAL IT INITIATIVES
    Director, Navy Historically Black Colleges and Universities/Minority Institutions (HBCU/MI) Program Office

25. FEDERAL IT INITIATIVES
    Panelists and moderator (repeat of slide 2): Tony McMahon, Robert Whitkop, John James, Dr. Anthony Junior; Moderator: Wayne Hicks

26. EXECUTIVE PANEL SERIES
    "From the Classroom to the Boardroom"