[ISN] Homeland Security Department tackles enterprise architecture

From: InfoSec News (isnat_private)
Date: Thu Apr 03 2003 - 02:15:52 PST

    http://www.computerworld.com/securitytopics/security/story/0,10801,79963,00.html
    
    By DAN VERTON 
    APRIL 02, 2003
    Computerworld 
    
    WASHINGTON -- The U.S. Department of Homeland Security (DHS) plans to
    complete an initial inventory of its entire IT infrastructure by June
    -- a critical step toward the ultimate creation of a nationwide
    architecture for homeland security, said Steve Cooper, the
    department's CIO.
    
    The new department has already identified more than 2,500
    "mission-critical applications or automated solution sets" and more
    than 50,000 "items" that make up its IT infrastructure, said Cooper,
    speaking yesterday at the Secure E-Business Executive Summit in
    Arlington, Va. However, the process of taking an initial inventory is
    only 40% to 50% complete, he said.
    
    The DHS includes 22 formerly independent federal agencies, and the
    Office of Management and Budget began working on the Federal
    Enterprise Architecture Framework in February 2002. The goal is to
    leverage IT to simplify processes and unify work across agencies and
    throughout federal business processes.
    
    The challenge for homeland security, however, is to devise an
    architecture that is secure and aids rapid information-sharing and
    collaboration at all levels of government and the private sector.
    
    "The national enterprise architecture is not just federal," said
    Cooper. "We've reached out to state and local environments, and we are
    reaching out [to the private sector]. But we haven't figured out the
    optimal way to reach out to the private sector."
    
    The department has started an aggressive outreach effort that's being
    led by a series of independent task forces hoping to identify business
    processes common to the department's five directorates. Meanwhile, two
    separate task forces have been studying infrastructure and application
    security. And a third task force is studying security from a physical
    and business-process standpoint, he said.
    
    The challenge of creating a robust enterprise architecture that is
    both open and secure has been one of the key topics during the many
    town hall meetings held during the past year by the President's
    Critical Infrastructure Protection Board. The two goals "seem to be in
    conflict with each other, but I would submit that they are not," said
    Howard Schmidt, chairman-elect of the board.
    
    "We have to rethink the way we [create architectures]," said Schmidt.  
    "We used to look at what we can do with it, as opposed to what [an
    adversary] can do against it." In addition, he said, the introduction
    of new technologies is forcing officials to "redefine what it means to
    have a secure architecture.
    
    "Now, the end point, the handheld, the wireless phone are part of your
    architecture," said Schmidt. "And that architecture and the thought
    process has to change. When we start adopting IPv6 [Internet Protocol
    Version 6], and everything is connected and everything has an IP
    address, that's going to be a different architecture."
    
    "We'll never get away from needing multiple layers of defense," said
    Dan Mehan, CIO at the Federal Aviation Administration. The FAA has
    taken a first step toward making security a core component of its
    enterprise architecture by integrating its information systems
    security with the overall National Airspace System (NAS) architecture,
    said Mehan.
    
    "We're now looking at the administrative and mission-support areas and
    harmonizing those," said Mehan. The FAA has discovered, somewhat to
    its surprise, that by putting its IS security architecture on top of
    the NAS architecture -- and integrating the two -- it added
    constraints on the IS security architecture that would not have been
    there if the IS security architecture had been developed separately.
    
    "We're using the enterprise architecture work we're doing now to step
    back a little bit and see if perhaps we constrained the information
    systems security architecture inadvertently," he said.
    
    Van Hitch, CIO at the U.S. Department of Justice, questioned the
    appropriateness of "lumping" all business processes under one
    enterprise architecture umbrella. "What we're really dealing with is a
    whole classified element of critical infrastructure that has one set
    of risks" and various other open and public processes, he said.
    
    For now, however, the challenge for the DHS is to set up something
    that can help officials make critical decisions at a time of war, said
    Cooper. As a result, people should be prepared for the architecture to
    change over time.
    
    "At the same time that we have true operational capability that we
    have to sustain, we have to make sure that it works right now," he
    said. "We're fighting a war in Iraq and a war on terrorism, and there
    are absolutely real things that we have to do right now that we
    honestly don't have the luxury of fully architecting before we put
    solutions in place. We fully recognize that some of that will have to
    be reshaped or replaced somewhat down the road. We accept that."
    
    Cooper warned that the department wouldn't get it perfect the first
    time. "There's a huge difference between perfection and good enough,"  
    he said. "We have to be good enough to make decisions and move
    forward."
    
    
    
    


