Web extra: Hot or not: Endpoint security gets a boost

IT execs tackle security and tech support in 2007, storage not so much

Agencies made significant progress or completed projects in 2007 to protect sensitive information stored on network endpoints, including mobile devices, said Karen Evans, the Office of Management and Budget's administrator for e-government and information technology.

What's hot: Endpoint security

In the wake of highly publicized data breaches at the Veterans Affairs Department involving mobile devices, OMB issued directives and agencies responded by encrypting laptop PCs, flash drives, and BlackBerrys and other personal digital assistants to make sure that data cannot be accessed if the devices are lost or stolen. VA was one of the first agencies to comply by applying full-disk encryption to tens of thousands of laptop PCs and later to other mobile devices. VA has also started implementing an enterprisewide security program that includes port monitoring of its network access points.


The Federal Trade Commission encrypted the hundreds of laptop PCs it owns. Like other agencies, it has fulfilled requirements for two-factor authentication for remote access, such as passwords and tokens, and a time-out function for mobile devices, said Marc Groman, FTC's chief privacy officer.


To accelerate the process to encrypt devices, OMB, the Defense Department and the General Services Administration awarded blanket purchase agreements in June under the SmartBuy governmentwide contracting vehicle. The goal is to make it easier, faster and less expensive for agencies to secure their devices. 


-- Mary Mosquera


What's not: Tracking data extracts
Unlike their fast response to endpoint security, agencies have not responded nearly as quickly to the OMB requirement to log and verify all sensitive, computer-readable data extracted from their systems. Under OMB's guidelines, agency officials must know where all their sensitive data resides, change their processes to manage it, and integrate technologies to collect and track it. 


"Depending on an agency's culture or knowledge of the sensitive data in their databases, the log-and-verify security requirement could represent a fundamental but necessary change to an agency's approach to collecting, disseminating and securing data," Evans said.


Agencies are unclear on what OMB means by data extracts and sensitive information, Groman said. Furthermore, the technology is expensive and brings implementation challenges.


"It's one thing to do this with data that is structured in a database where you can monitor queries," he said, "but what about other data outside of databases?" For example, it's impractical to follow up with every local and state law enforcement agency that received data to verify if it is still needed after 90 days, he added.


Agencies must also consider the information priorities and capabilities of those who own the data. "We find it helpful when it is a top-down approach, when the [chief information officer's] office gets involved," said Rick Wescott, public-sector vice president at ArcSight, which collects, manages, stores and analyzes enterprisewide data logs and correlates them to determine the security status.


-- Mary Mosquera


What's hot: IT Infrastructure Library
Like a fine wine bottled in Europe some 20 years ago and only now being appreciated, the IT Infrastructure Library (ITIL) has been earning rave reviews from many agency IT executives this year.


The British government developed ITIL's best practices framework for IT service management in the 1980s, but new guidance released this year with advice for public-sector organizations has resonated with agency executives struggling to manage increasingly complex IT systems while keeping operational expenses in check.


ITIL-inspired management-improvement schemes have cropped up across the public sector, from small-town and state governments to large federal agencies, including the Defense, Interior, Labor and Treasury departments. Government interest in ITIL has been growing steadily for the past few years, said Kirk Holmes, president of the National Capital Area Local Interest Group of the IT Service Management Forum, a professional association for ITIL practitioners.


New government audit requirements helped spark the recent interest, Holmes said. "The oversight aspect, like security audits, requires agencies to have controls over activities like configuration and change management," he said. "ITIL gives them a solution to these audit problems."


The release of ITIL Version 3 in 2007 also gave the technology a boost in government circles. Among the additions:



  • Return-on-investment calculations that focus on public-sector motivators, such as service quality, deliverables to constituents and charge-back models for IT services.

  • Guidelines that help small agencies adopt a more flexible approach to ITIL by allowing them to combine separate roles and responsibilities.


-- John Zyskowski


What's not: Smart storage management
It's the 800-pound gorilla in the closet that few but the bravest IT executives care to acknowledge: the explosive growth of e-mail messages, office documents, presentations, videos and all manner of so-called unstructured data.


Medium to large organizations expect their data holdings to swell by 57 percent on average in the coming year, and the lion's share of it will be unstructured data, according to a recent Gartner survey. So budgets to buy new storage capacity will increase by a similar factor to keep pace, right?


"Oh, God, no," said Steve Duplessie, founder and senior analyst at the Enterprise Strategy Group. New spending doesn't have to match data growth, and as everyone knows, the price for a gigabyte of storage is always falling. However, data is growing at a faster rate than prices are dropping, which means that most organizations are still losing ground, Duplessie said.


Pushan Rinnen, a research director at Gartner, said the solution lies in data- and storage-management tools that allow organizations to get more mileage out of the storage they already own -- for example, data deduplication, which opens up storage space by eliminating redundant data.


Unfortunately, many executives have opted for the quick fix of feeding the beast with new storage capacity, Duplessie said. The final bill for that approach has yet to be paid.


"'Just buy more' is completely the worst strategy, although the most popular one for the last 15 years," Duplessie said. "Having all this stuff creates an organizational nightmare. It has downstream effects on all your operational areas, such as backup, disaster recovery, sharing that content or finding new value from that data."


He expects the situation to change soon because of rising concerns about storage systems' energy consumption and increasingly difficult data-management and accessibility issues.


-- John Zyskowski