THE NEED FOR ‘KNOWN SOURCE’ IN IT

By Michael Wilks, Microsoft (Asia-Pacific) Regional Director of Public Safety and National Security.

In recent times, there have been numerous and successful cyber-attacks on established organisations and governments which have resulted in loss of data and reputation. These activities represent a concerted effort by motivated individuals to obtain or disrupt sensitive financial and geo-political information. Commercial enterprises have often been the focus for financial attacks. According to a recent OECD (Organisation for Economic Co-operation and Development) report on Cyber-warfare, large sections of national infrastructure of most OECD countries are no longer under direct government control but are now in private ownership. Hence, the commercial landscape is presently seen as a fundamental risk to confidential data, intellectual property and even state secrets.

POLARISING TRENDS

The focus of these new attack points may have far-reaching ramifications. There is an obvious and natural tension between access and security: providing more access to a system inherently makes that system less secure. Consequently, as global trends such as the consumerisation of ICT, outsourcing, international supply chain integration and Gov 2.0 advance, the need to embrace higher levels of security and to educate users becomes ever more urgent. Whilst improvements have been made to drive awareness and deliver secure ICT infrastructure, much remains to be done. There is no doubt that the proliferation of cyber-attacks has forced governments and industry to pause in the headlong race towards some of these global trends.

Given the interconnected online and social elements of the modern cyber society, a new and more radical approach is needed to combat the threat of infection and insurgency from potential terrorists, activists and hacker criminals. Ultimately the decision to implement any form of security should be based on a fully developed and agreed threat and risk analysis. In the case of cyber-security, this process is not easy, as the attackers often have the advantage of secrecy and surprise.

The country of Georgia knows all about this. Back in 2008, the prelude to ‘war’ included a DDoS attack, which was devised to pave the way for ground forces. It systematically crippled the country from the top. “It was devised to isolate Georgia from the rest of the world,” Georgia’s Vice Prime Minister Giorgi Baramidze told FutureGov at a Defence Summit held in Singapore last year. “Our country was almost shut down: the banking sector, government agencies, the ministry of defense, the ministry of interior, the president’s office, the ministry of justice, the judiciary and the transport system.”

Today, attackers and disrupters also enjoy the advantage of operating outside legal jurisdictions, flouting and ignoring data protection laws for political, criminal or socially disruptive ends. Defenders, however, are often restrained by legal constraints and social norms which can inhibit their ability to act. The challenge is to maintain the open and unfettered nature and democratic principles of the Internet and Open Government initiatives, whilst at the same time developing more robust and defendable networks and systems.

KNOWN SOURCE

Cyber-assaults can arrive through many attack vectors, and in the wake of these threats procuring software of Known Source has become of utmost concern as Chief Information Officers and Chief Security Officers evaluate and decide upon solutions that best meet their requirements. The Known Source concept is an extremely simple one which has resonance in a variety of circumstances. It basically prescribes obtaining the most Trusted, Secure and Manageable software.

Trusted Software

With so many different suppliers to choose from, it is critical to evaluate the origins of the code. For anyone contemplating the introduction of a software application or similar innovation, the key question which must be asked is, “Do I know the source of this new introduction to my device, network or IT infrastructure?” If you do not, how can you be sure that nothing harmful or malicious has been introduced to compromise the integrity of the application, or worse, to introduce hidden functionality which could have serious consequences?

A recent and high-profile example involves some vendors collecting and monitoring data on users of their products for commercial purposes, which has caused users to question the trust they place in those vendors’ software and services.

Similarly, Open Source licensing offers a great opportunity for software to be developed in a collaborative manner. Some Open Source projects have a good level of focus upon enterprise requirements, whilst others have components produced by communities or hobbyist developers. This often means that the code was not subject to the same levels of quality control as commercially developed products. There have been instances in the past where malware such as Trojan Horses and Root Kits have been inadvertently, or deliberately, inserted into Open Source projects. This is not to suggest all Open Source software is bad, per se, but with the escalation of cyber-warfare and cyber-attacks, being mindful of this risk has become an increasing concern.

Through Microsoft’s customer-centric approach and its adherence to standards of business conduct and privacy policies, Microsoft has consistently been distinguished by many third parties as one of the most trusted and ethical brands across all industries.

Secure Software

If the software is from a trusted source, then the degree of security becomes the next consideration. As outlined by the recognised security frameworks ISO/IEC 27001:2005 and ISO/IEC 27002:2005 criteria[i], to address security threats, comprehensive defence measures need to be applied to all layers of an IT infrastructure: physical, hardware, network, operating system, application and data. From the customer’s point of view, responsibility involves creating and adhering to an up-to-date and effective security plan which outlines the practices, processes and policies related to securing the IT environment. On the vendor side, customers expect that IT vendors’ products are consistently engineered to conform to rigorous security standards, that patches are issued rapidly when vulnerabilities are discovered, and that there is an easy and seamless method of distributing patches to customers.

While security is an industry-wide concern in which all software vendors continue to strive to provide better protection from malicious threats, Microsoft is now recognised as a leader in meeting the on-going challenges. Since embarking upon the Trustworthy Computing (TWC) initiative back in 2002, Microsoft has fundamentally changed the way in which it designs and develops products, to ensure that the software delivered to customers will withstand malicious attacks. Data from independent third-party security sources (e.g. the National Vulnerability Database[ii]) illustrate this point. When comparing the security of Microsoft’s products in terms of the number and severity of vulnerabilities, together with the time it takes for a patch to be made available, Microsoft is now, as a general rule, shown to have taken an industry-leading position in providing secure solutions across its range of products.

Manageable Software

Software could be from a trusted source and be secure, but if it is not easy to manage, then it may still leave the organisation or user open to cyber-attacks. Defective deployment configurations, a lack of on-going maintenance and audits, poor patch management and other management shortcomings can significantly increase the number of attack vectors.

For a long time now, Microsoft has been recognised as offering a common framework of management, identity and development tools to ensure secure and seamless integration between its products. In recent years, Microsoft has also been working with a broad range of vendors in the industry – including competitors – to ensure open connections, promote data portability and provide tools to manage data easily, efficiently and securely. Microsoft has also increased its investments and involvement in standards-setting organisations and working groups to enhance secure integration between industry software, including active participation in the creation of federated security standards such as OpenID and WS-Trust. Microsoft’s platforms and products are engineered to be familiar and easy to use and to support a broad choice of applications, with an emphasis on security, reliability and seamless integration – all at a low total cost of ownership.

Cloud services are increasingly becoming part of the platform discussion as a counter to cyber-attacks. On one hand, cloud infrastructures tend to concentrate data and resources, which can present an attractive target to attackers. On the other hand, through replication of systems and more robust and scalable operational security, cloud services can potentially achieve a level of protection that would ordinarily be beyond most smaller-scale enterprises’ ability to provide for themselves. Recent research from the US Secret Service has shown a dramatic increase, from 27 percent in 2009 to 63 percent in 2010, in the number of cyber-attacks on companies with 100 employees or less. These small companies often do not have the necessary technical skills to protect themselves. Microsoft provides Platform as a Service (PaaS) and Software as a Service (SaaS) cloud solutions that offer smaller companies the equivalent of best-in-class, constantly up-to-date secure infrastructure as a means of addressing these security threats.

THE JOURNEY CONTINUES

It is important to ground ourselves in the recognition that security is an industry-wide concern and on-going efforts are required by all stakeholders. The need to understand and be able to ensure security at all levels has never been greater, and the responsibility now extends beyond the traditional IT Security function which was previously so well-defined.

Known Source has been an important component of the recent discussions. To this end, Microsoft is committed to remaining a trusted brand for delivering secure on-premise and cloud software to meet the diverse and evolving needs of modern businesses, by providing a greater potential for secure environments through consistency of configuration, deployment and management. Returning to the Georgian example mentioned earlier, Georgia’s Vice Prime Minister also stated that only through its partnership with Microsoft did his country manage to get its IT systems up and running again. Such is the power of Known Source software which is backed by significant investments in product security, interoperability and standards.

3 Comments

On 14 November 2011 Mike wrote:

I am very disappointed that FutureGov has published this article without clearly labeling it as a blog, opinion piece, or even a paid advertorial, as it seems to descend to at some points.

I am a regular reader of the site, and I generally find it highly professional, interesting, informative, and unbiased in this important industry. However, in this instance, I, as both a former journalist and now someone involved in this industry, believe having a senior employee of Microsoft write a piece as if it were 'news' is not at all professional.

I have particular concern with comments the writer makes with regards to open source software (OSS). This is clearly the writer trying to sell Microsoft's products ahead of other companies, and yet he has been allowed to do so by FutureGov under the guise of this being a news article. Worse yet, his Microsoft-centric opinion naturally fails to give a proper account of the situation.

He states: “This often means that the code was not subject to the same levels of quality control as commercially developed products. There have been instances in the past where malware such as Trojan Horses and Root Kits have been inadvertently, or deliberately, inserted into Open Source projects. This is not to suggest all Open Source software is bad, per se, but with the escalation of cyber-warfare and cyber-attacks, being mindful of this risk has become an increasing concern.

Through Microsoft’s customer centric approach, adherence to standards of business conduct and privacy policies, Microsoft has consistently been distinguished by many third parties one of the most trusted and ethical brands across all industries.”

There are so many debatable points here, it is not appropriate to try and address them all. Suffice it to say, Microsoft has been far from exempt from security issues itself, and this attack on open source software is misinformed. It worries me as many e-government experts likely read this site for reliable information, and this is pure brand marketing.

Can I suggest listening to what Neelie Kroes, the European Commissioner for the Digital Agenda, says in this video blog: http://linkd…

Yes, this too is an opinion, but it's clearly labelled as that, and perhaps it's a slightly more open one given that she doesn't work for a company trying to sell these products.

I would like to see FutureGov further explore the OSS issue in a much more complete and unbiased manner. OSS is maligned by the Microsofts of this world (their CEO once called it 'cancer'), as it threatens to disrupt their vendor driven model, yet it arguably has many benefits over closed-source software. Many governments around the world are using highly successful OSS installations.

Please FutureGov, keep up your usual high standards by giving us a more balanced account of this important issue.


On 15 November 2011 Jianggan Li wrote:

Mike,

Thank you for getting in touch with us and sharing your concerns with some viewpoints in the article. We are also grateful for your continuous support of FutureGov.

The article is contributed by Microsoft, as indicated at the beginning of the body text. I do apologise for the confusion caused by the placement of this article.

This article was meant to be in the “spotlight” section of FutureGov. Nevertheless, our editorial assistant misplaced the story in the “news” section, where most of our stories are posted. We will ensure that things like this will not happen in the future.

The blog section only features opinion pieces written by FutureGov editors/journalists and occasionally by members of our government, education and healthcare communities.

Thank you for sharing your opinion on the issue and I think it will definitely be worthwhile to keep the debate going. If you have any other comment, suggestion or criticism, please feel free to leave a note on this web site or email me at jianggan.li@…

Best,
Jianggan Li
Editorial Director
FutureGov


On 16 November 2011 Mike wrote:

Jianggan,

Thank you for the prompt, personal response and explanation, it is great to see such an active, social approach.

I will make contact in the near future via email.

Best regards,
Mike

