GSA / modernization

Report to the President on IT Modernization
https://itmodernization.cio.gov

Comment from email: CA Technologies: comments on ATC's Federal IT Modernization draft report #68

Open konklone opened 6 years ago

konklone commented 6 years ago

Please accept the attached comments from CA Technologies in response to the American Technology Council’s draft report to the President on Federal IT Modernization.

We very much appreciate the opportunity to weigh in on the ATC’s ongoing efforts in this space and look forward to continuing to work together on next steps. Please do not hesitate to reach out to myself or Brendan Peter, CA’s head of Global Government Relations (cc’d), whenever we might assist.

Many thanks again,
Rebecca

Rebecca Oliver
Director, Global Government Relations
CA Technologies

Attachment: ATC RFC 092017.pdf

konklone commented 6 years ago

[Inlining a best-effort version of the attached comment below. If there were links in the original, they are not maintained in the below version. Download the original attachment in the issue above to see the original comment.]


TO: Members of The American Technology Council

FROM: CA Technologies

RE: Comments on the Report to the President on Federal IT Modernization

DATE: September 20, 2017

Until recently, the primary application of digital technology has been to support business rather than to actively drive business or organizational strategy. But the convergence of the Internet, mobile devices, and pervasive connectivity has fundamentally changed how organizations look at digital technology. Any organization can now engage directly with their customers/citizens anytime and anywhere through Internet-connected applications and social media — and vice versa. Enterprises both large and small are exploring how new digital technologies can help them transform existing business models, drive new growth, garner trust and loyalty through improved services, and stay ahead of current and emerging trends that can help run their organizations more efficiently and effectively.

At CA Technologies, we call this development “the Application Economy,” which requires organizations to rethink the role of software in their strategy and consider their business a software business in order to realize its full potential. Applications are enabling organizations and governments to provide services in new ways that reduce costs, enhance efficiencies, and improve outcomes, and software has become the principal means through which they deliver these new services. Whatever your business model, your organization must know how to efficiently design, develop, and operationalize the software that is critical to your digital offering.

As a global leader in software solutions that enable our customers to plan, develop, manage and secure applications and enterprise environments across distributed, cloud, mobile and mainframe platforms, CA Technologies helps organizations to focus on delivering innovation to their customers and citizens through effective and secure use of data.

CA Technologies stands ready to partner with the American Technology Council (ATC) to leverage the best practices that our global customer base has embraced to utilize technology as a true driver of innovation rather than a mere support instrument for organizational objectives. In addition to these comments, please note we will be sending along a more comprehensive paper containing further recommendations related to government transformation in the coming weeks, both of which we look forward to discussing further with the ATC.

The ATC’s engagement and collaboration with industry, combined with forward-leaning policies supporting modernization like the MGT Act that was included in the Senate’s National Defense Authorization Act this week, is a vitally important effort in properly utilizing federal IT to best serve the American citizenry.

What major attributes, if any, are missing from the targeted vision?

We applaud the ATC for its deference to the use of agile methodology and development practices to aid the federal government in more rapidly leveraging American innovation. Going forward, agencies should be utilizing agile principles at all levels of the organization, including procurement, recruiting, reporting, and in systems development and modernization. Agile development methods can help prevent waste from occurring in federal IT, such as building duplicative or unnecessary software modules. Currently, federal agencies have difficulty gaining central visibility into projects as they use disparate systems and inefficient processes to track and report on progress. Management decisions are often misaligned with agency missions and projects are often delayed. Leading private sector entities have adopted agile practices, which allow for iterative development and feedback loops, resulting in stronger outcomes for stakeholders and taxpayers. In short, Agile is not simply a software development methodology but rather, an overarching business model.

In the draft report, we were also pleased to see importance placed upon implementing contemporary application development methodologies like DevOps (combining development and operations practices), which are increasing the speed and precision with which software is produced and deployed. By redefining culture and leveraging advanced automation to facilitate DevOps, today’s practitioners are rapidly translating ideas into breakthrough applications.

It should be noted that improving the availability of essential data that lies at the center of DevOps and digital transformation must leverage Application Programming Interfaces (APIs), which manage the connections between applications, data and devices, enabling organizations to open their backend data and functionality for reuse in new application services. Organizations and governments that leverage open APIs can realize significant data-driven value creation.

It is imperative, however, that powerful technology solutions like APIs be built on user trust to deliver on their potential, thereby making security, including protecting personal information, a critical component. If businesses, governments, and consumers do not trust that their information is secure, then this will negatively affect the growth of the application economy and the trust they have in government systems and networks. The best way to foster this trust is through the adoption of efficient and globally harmonized standards that respect the free flow of information and encourage economic growth. The key is for organizations to build well-documented, consumer-friendly, comprehensive APIs with interactive built-in access control and security. This will enable a broader developer ecosystem to flourish and add value to data sets.

What could be further addressed in the report is how agencies can enable secure DevOps by seamlessly integrating security into development processes to ensure secure code is synonymous with quality code. As the public and private sectors look to create efficiencies through automation and modernization, they must build security into their systems on the front end of the development phase, and abandon the model of bolting security on afterwards. Implementing security by design will significantly reduce opportunities for attackers to exploit.

CA Technologies utilizes a secure software development lifecycle process to minimize vulnerabilities in its software. Secure software development processes utilize a combination of tools, practices and procedures, including education, threat modeling, architectural risk assessment, and code scanning and analysis, to develop more secure and resilient software.

The ATC should also consider implementing real-time code scanning technologies that can help developers better secure web, mobile, and third-party applications across the software development lifecycle. Code scanning solutions seamlessly integrate application security into software development, thus helping to eliminate vulnerabilities during the lowest-cost point in the development/deployment chain. Ultimately, the data economy is dependent on trust in the technology products and services, which enable its growth. Building security into the development of data economy products and services provides a strong foundation for this trust.

The report also mentions multi-factor authentication in terms of strengthening security, but we’d also encourage the ATC to place equal importance on risk-based authentication. CA Technologies recommends that any government or policy guidance focused on prevention and mitigation of automated and distributed attacks recognize the wider information security ecosystem, including identity, application and transaction security. Along these lines, the guidance should more specifically incorporate authentication and access management best practices, including authentication of devices and access management for privileged users.

Risk-based authentication has the benefit of not only facilitating the authentication of the identity but, because of the context that is provided under risk-based models, can also facilitate the recognition of the identity. This means that when there is a better understanding of the context around the identity, such as through geo-location data or purchasing behavior, the system may recognize the identity, determine that traditional authentication is unnecessary, and allow access. Conversely, if the system detects anomalies, such as logging in from a foreign country in the middle of the night after having a few failed passwords, then this is a very high-risk operation and access will be denied absent additional authentication steps.

Lastly, CA Technologies would also recommend that the ATC address the steps agencies should take when a bad actor does get beyond the network security perimeter. How can they identify exactly what was compromised and who is responsible?

Identity and Access Management (IAM) has always been about establishing, managing, and understanding the relationships between resources and those that need to access and interact with those resources. This serves as the basis for logical security, independent of the physical location of where the resource resides or where the subject that is interacting with these resources resides. IAM determines the policies by which appropriate access is defined, which requires an understanding of both the subject and the resource as well as the context through which they can and should interact. IAM also provides the opportunity for greater understanding of the subject, enabling organizations and governments to provide better quality and more tailored services.

The overall user experience has become more important in the application economy because customers won’t tolerate a poor experience for long; “Frictionless Security” becomes the business imperative for most organizations. However, the value of a quality user experience is not based solely on increased user satisfaction. Security interfaces that are inconvenient and cumbersome often force users into work-arounds, many of which end up violating security policy, even unwittingly. In short, users need a convenient, intuitive experience that will enable them to easily conform to established security policy, rather than forcing them into violating them in order to get their jobs done.

Furthermore, API management software authenticates devices and data and is fundamental to securing the Internet of Things (IoT), a key application of the data economy. API management software also secures and protects the APIs themselves from threats, and ensures authorized access to the APIs by the approved apps and individuals.

API management technologies integrate standards-based security for Mobile and IoT using SCIM, OAuth, OpenID Connect and PKI to orchestrate a secure context between clients and server side. Automated client registration and secure channel creation requires no specific implementation of security protocols by the app developer, but results in an end-to-end protocol and data-level security posture. These solutions can be configured to provide end-to-end security between the client and secure data (including dynamic secure data storage on mobile clients), as well as protecting against many web-based threats and OWASP vulnerabilities.

Are there any missing or extraneous tasks in the plan for implementing network modernization and consolidation?

One of the biggest challenges that businesses face is how to manage a framework that consists of legacy solutions and open solutions—across data centers and the cloud. Further, any new solution must integrate with corporate reporting/analytics/BI tools inside the enterprise.

We would therefore request that the ATC clarify its recommendations regarding existing legacy systems in the federal government. A comprehensive overhaul of legacy systems would not only be expensive, but would likely cause major disruption to security. A safer, more cost-effective, and all around feasible solution would be to secure existing legacy systems via APIs, which provide protocol bridging across legacy and new systems and translate between legacy and new apps and data.

Are there any missing or extraneous tasks in the plan for implementing shared services to enable future network architectures?

If decision-making power is taken away from actual business users, organizations risk stifling innovation and security capabilities more generally. Oftentimes migration to a shared services model can also create issues around security during the implementation process.

An example of this is the CDM program. While CDM is a good program, the low speed of overall deployment has exposed a number of agencies while they ‘wait’ for a particular phase to be awarded and then deployed. This means that those agencies have potential security vulnerabilities while they wait for this shared service to come their way. Another aspect is the fact that security is moving from just being an overlay, to something that needs to be part of the overall development process. As we mentioned above, business owners are defining requirements, and they need to be able to integrate security at the earliest stages of development, not after the fact.

CA Technologies appreciates that the ATC has solicited public comments on this first draft of its federal IT reform strategy. We look forward to continuing to work with you as you move reforms forward.
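The risk-based authentication model described in the comment above (scoring a login from context such as geo-location, time of day and recent failed passwords, then allowing it, requiring a step-up factor, or denying it) as an added, runnable illustration. This is example code written for this page, not CA Technologies' product or anything from the draft report; the signal weights, thresholds, user profile and sample login attempts are all constructed assumptions.

```python
"""Risk-based authentication scoring (added example; not CA's product).

Each login attempt is scored from contextual signals. A low score is allowed
through with no extra friction, a medium score requires an additional
authentication factor, and a high score is refused. Weights and thresholds are
constructed for the example and would be tuned from real telemetry.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # context matches the known identity; no extra step
    STEP_UP = "step_up"    # require an additional authentication factor
    DENY = "deny"          # refuse the attempt and raise an alert


@dataclass(frozen=True)
class UserProfile:
    """What the system has learned about an identity over time (constructed)."""
    user: str
    home_country: str
    usual_hours: range            # hours (0-23, user's local time) normally active
    known_devices: frozenset      # device identifiers seen before


@dataclass(frozen=True)
class LoginContext:
    """Signals observed on one login attempt (constructed sample data)."""
    country: str
    local_hour: int               # 0-23
    recent_failures: int          # failed password attempts in the recent window
    device_id: str


# Assumed weights: one strong anomaly alone reaches STEP_UP, several reach DENY.
WEIGHT_FOREIGN_COUNTRY = 40
WEIGHT_OFF_HOURS = 20
WEIGHT_PER_FAILURE = 10
MAX_COUNTED_FAILURES = 5          # cap so a burst of failures cannot overflow the score
WEIGHT_UNKNOWN_DEVICE = 25

STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 80


def risk_signals(profile: UserProfile, ctx: LoginContext) -> dict:
    """Return each triggered signal with its weight, so every decision is explainable."""
    signals = {}
    if ctx.country != profile.home_country:
        signals["foreign_country"] = WEIGHT_FOREIGN_COUNTRY
    if ctx.local_hour not in profile.usual_hours:
        signals["off_hours"] = WEIGHT_OFF_HOURS
    if ctx.recent_failures > 0:
        counted = min(ctx.recent_failures, MAX_COUNTED_FAILURES)
        signals["recent_failures"] = counted * WEIGHT_PER_FAILURE
    if ctx.device_id not in profile.known_devices:
        signals["unknown_device"] = WEIGHT_UNKNOWN_DEVICE
    return signals


def risk_score(profile: UserProfile, ctx: LoginContext) -> int:
    return sum(risk_signals(profile, ctx).values())


def decide(score: int) -> Decision:
    if score >= DENY_THRESHOLD:
        return Decision.DENY
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP
    return Decision.ALLOW


def evaluate_login(profile: UserProfile, ctx: LoginContext) -> tuple:
    """Score one attempt and return (decision, score, triggered signals)."""
    signals = risk_signals(profile, ctx)
    score = sum(signals.values())
    return decide(score), score, signals


# Constructed profile and login attempts used for the demonstration.
ALICE = UserProfile("alice", "US", range(7, 20), frozenset({"laptop-01", "phone-01"}))

ATTEMPTS = {
    "routine":   LoginContext("US", 9, 0, "laptop-01"),    # everything familiar
    "new_phone": LoginContext("US", 10, 0, "phone-02"),    # one weak signal only
    "travel":    LoginContext("FR", 11, 0, "laptop-01"),   # abroad on a known device
    "anomalous": LoginContext("JP", 3, 3, "unknown-xyz"),  # abroad, night, failures, new device
}

if __name__ == "__main__":
    for name, ctx in ATTEMPTS.items():
        decision, score, signals = evaluate_login(ALICE, ctx)
        print(f"{name:10s} score={score:3d} {decision.value:8s} {signals}")
```

The point of returning the triggered signals alongside the score is that a step-up or denial can be shown to the analyst (and logged) with the reasons behind it; a single weak signal such as a new phone still passes without friction, which is the "frictionless" outcome the comment argues for, while the stacked anomalies in the last attempt are refused outright.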