Cyber crime is the greatest threat to every company in the world.
~ Virginia Marie “Ginni” Rometty, Chairwoman, President, and CEO, IBM
All companies go through crises, but this kind of crisis is unique in the number of unknowns.
~ Brian Brink, Esq., Senior Litigation Counsel, Schnuck Markets, St. Louis, MO
Oracle America, Inc. - GAO Protest - DOD JEDI - Network Segmentation - Cybersecurity Keystone - Part III The Cloud War
THE CLOUD WAR
PART III [1][2]
Oracle Corp. has filed a formal protest against the Pentagon's $10 billion JEDI cloud contract in a bid to change the structure of the controversial project.
The complaint, reports of which emerged late Tuesday, focuses on the government's plans to award the deal to a single company. Oracle is pushing for JEDI to be revised so that the project will be split up among providers. Other cloud players including Microsoft Corp. have also come out against the winner-take-all format.
Notably absent from the list of the detractors is Amazon Web Services Inc., which is widely perceived as the front-runner for JEDI. This is what stands at the center of Oracle's push to change the deal.
The company has already scored one victory in its efforts to prevent AWS from nabbing the entire JEDI contract. A complaint filed by Oracle earlier this year led the Pentagon to cancel a $950 million cloud migration deal that had been awarded to AWS partner Rean Cloud LLC. Rean, which last month got acquired by Hitachi Ltd., was seen as too close to the cloud giant.
The DoD, meanwhile, continues to stand by JEDI's single-provider structure. It argues that bringing multiple providers into the fold would prolong bidding and increase management complexity, raising costs in the process.
[1] Part I – Oracle America, Inc. - GAO Protest - DOD JEDI - Network Segmentation Cybersecurity Keystone, August 8, 2018, may be viewed on LinkedIn SlideShare: https://www.slideshare.net/cliftonmhasegawa/oracle-americaiinc-gao-protest-dod-jedi-network-segmentation-cybersecurity-keystone
[2] Part II – Oracle America, Inc. - GAO Protest - DOD JEDI - Network Segmentation Cybersecurity Keystone, August 9, 2018, may be viewed on LinkedIn SlideShare: https://www.slideshare.net/cliftonmhasegawa/oracle-america-inc-gao-protest-dod-jedi-network-segmentation-cybersecurity-keystone-part-ii
But the Pentagon has also acknowledged the benefits of a multicloud approach, saying that it plans to use several different platforms as part of its broader technology roadmap.
[Emphasis Supplied, Citations Omitted]
ORACLE FORMALLY CHALLENGES THE PENTAGON’S CONTROVERSIAL $10B CLOUD CONTRACT
By Maria Deutscher. SiliconANGLE. August 8, 2018, accessed August 13, 2018
https://siliconangle.com/2018/08/08/oracle-formally-challenges-pentagons-controversial-10b-cloud-contract/
______________________
THE CLOUD WAR
When Amazon, Microsoft, and Google all released their quarterly earnings on Thursday [October 26, 2017], they did more than give onlookers an update on their particular businesses.
As the three major players in the cloud computing market, the companies provided a glimpse of the state of affairs in that ongoing battle.
The primary battleground in the cloud war is the cloud computing market, which was all but invented by AWS [Amazon Web Services]. Such services offer developers basically unlimited supercomputing power on a pay-as-you-go basis.
The bottom line is it's impossible to get a definitive assessment of the state of the cloud war, given the differences in how each of the three major players discloses and classifies its cloud revenue. Still, it's pretty clear AWS is dominating the biggest front in the war — cloud computing — and, at least in that area, its rivals are struggling to gain ground.
AMAZON'S $18 BILLION CLOUD BUSINESS CONTINUES TO CRUSH MICROSOFT AND GOOGLE
— HERE'S THE LATEST SCORECARD FOR THE CLOUD WAR
Matt Weinberger. BUSINESS INSIDER UK
October 27, 2017, accessed August 13, 2018
http://uk.businessinsider.com/amazon-web-services-is-battling-microsoft-azure-and-google-cloud-2017-10?r=US&IR=T
In the End, we will remember not the words of our enemies, but the silence of our friends.
Martin Luther King, Jr.
________________________________________________________
AMAZON WEB SERVICES (AWS)
WIKIPEDIA
Accessed August 13, 2018
https://en.m.wikipedia.org/wiki/Amazon_Web_Services
Amazon Web Services (AWS) is a subsidiary of Amazon.com that provides on-demand cloud computing platforms to individuals, companies and governments, on a paid subscription basis. The technology allows subscribers to have at their disposal a virtual cluster of computers, available all the time, through the Internet. AWS's version of virtual computers emulates most of the attributes of a real computer including hardware (CPU(s) & GPU(s) for processing, local/RAM memory, hard-disk/SSD storage); a choice of operating systems; networking; and pre-loaded application software such as web servers, databases, CRM, etc. Each AWS system also virtualizes its console I/O (keyboard, display, and mouse), allowing AWS subscribers to connect to their AWS system using a modern browser. The browser acts as a window into the virtual computer, letting subscribers log in, configure and use their virtual systems just as they would a real physical computer. They can choose to deploy their AWS systems to provide internet-based services for themselves and their customers.
The AWS technology is implemented at server farms throughout the world, and maintained by the Amazon subsidiary. Fees are based on a combination of usage, the hardware/OS/software/networking features chosen by the subscriber, required availability, redundancy, security, and service options. Subscribers can pay for a single virtual AWS computer, a dedicated physical computer, or clusters of either. As part of the subscription agreement, Amazon provides security for subscribers' systems. AWS operates from many global geographical regions including 6 in North America.
In 2017, AWS comprised more than 90 services spanning a wide range including computing, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools, and tools for the Internet of Things. The most popular include Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). Most services are not exposed directly to end users, but instead offer functionality through APIs for developers to use in their applications. Amazon Web Services' offerings are accessed over HTTP, using the REST architectural style and SOAP protocol.
Amazon markets AWS to subscribers as a way of obtaining large-scale computing capacity more quickly and cheaply than building an actual physical server farm. All services are billed based on usage, but each service measures usage in varying ways. As of 2017, AWS owns a dominant 34% of all cloud (IaaS, PaaS) while the next three competitors Microsoft, Google, and IBM have 11%, 8%, 6% respectively according to Synergy Group.
CUSTOMER BASE
➢ On March 14, 2006, Amazon said in a press release: “More than 150,000 developers have signed up to use Amazon Web Services since its inception.”
➢ In November 2012, AWS hosted its first customer event in Las Vegas.
➢ On May 13, 2013, AWS was awarded an Agency Authority to Operate (ATO) from the U.S. Department of Health and Human Services under the Federal Risk and Authorization Management Program.
➢ In October 2013, it was revealed that AWS was awarded a $600M contract with the CIA.
➢ During August 2014, AWS received Department of Defense-Wide provisional authorization for all U.S. Regions.
➢ During the 2015 re:Invent keynote, AWS disclosed that they have more than a million active customers every month in 190 countries, including nearly 2,000 government agencies, 5,000 education institutions and more than 17,500 nonprofits.
➢ On April 5, 2017, AWS and DXC Technology (formed from a merger of CSC and HPE) announced an expanded alliance to increase access of AWS features for enterprise clients in existing data centers.
➢ Notable customers include NASA, the Obama presidential campaign of 2012, Kempinski Hotels, and Netflix.
[Emphasis Supplied, Citations Omitted]
________________________________________________________
FEDS CAN ACHIEVE BETTER SECURITY
THROUGH NETWORK SEGMENTATION
MeriTalk
July 9, 2018, accessed August 13, 2018
https://www.meritalk.com/articles/feds-can-achieve-better-security-through-network-segmentation/
Keeping pace with growing cyber threats is an uphill battle for Federal agencies as network complexity increases and the boundaries of networks extend to systems and devices not always under the control of their IT organizations.
Most of today's government networks are built to allow devices to access resources on the network, including devices from branch offices and workers on remote PCs or laptop computers. If not appropriately configured and secured, these devices could open the door for adversaries to compromise other devices on the network.
“Most people would agree that the weakest point in any network environment are the endpoints, particularly, where a human user sits at a keyboard. Humans are the failure-prone component we can’t fix,” said Tom Gilbert, chief technology officer with Blue Ridge Networks, a cybersecurity company that provides autonomous security for interconnected systems.
Organizations often do not have any assurance about the state of remote devices accessing the network, whether they are riddled with malware or have adequate protection. So, even if an employee is logging on with strong authentication, an unmanaged endpoint can be the single weakest link in the entire system, Gilbert noted.
As cybersecurity attacks proliferate across corporate and government networks, network segmentation and access control are becoming standard approaches for addressing the vulnerabilities inherent in today's connected enterprise. It can be especially helpful for agencies with classified or sensitive data sitting on internal resources, but with connections through the network to uncontrolled endpoints.
Network segmentation is an approach advocated by the National Institute of Standards and Technology’s Cybersecurity Framework (CSF). It involves segmenting the network into smaller network systems and separating groups of systems and networks from each other. Isolating or filtering to limit access between network segments improves security and provides better access control. This method of hardening the wide area network (WAN) and local area network (LAN) is used by the Department of Defense and many government and commercial entities, according to Blue Ridge Networks.
However, network segmentation has had its downsides – it can be complex, costly, and difficult to manage at scale. In fact, network segmentation has traditionally been a complicated and disruptive architecture that has dissuaded many enterprises from adoption, Gilbert said.
To address these issues, Blue Ridge Networks has pioneered an approach and technology the company describes as Autonomous Network Segmentation (ANS). “ANS is a cryptographic approach to segmentation. Rather than monitoring packets based on known threats and pre-determined rules, as traditional security tools do, ANS stresses autonomous cryptographic proof over content dependence, using mandatory public key cryptography to automatically authenticate the identity of each networked system before any data is transferred,” according to the company.
What this means is that before a network packet is decrypted and forwarded to a user, it must provide cryptographic evidence that it originates from a trusted ANS appliance and known closed user group. Then, once it is verified and deployed, connected networks and products will not trust anything else, establishing cryptographically isolated network segments within an organization’s networking environment.
“The network segmentation addresses the need to minimize the potential for lateral attacks within a network. The whole point is our system allows that segmentation to occur all the way down to an endpoint,” Gilbert said. The ANS ecosystem is based on the Zero Trust methodology, which is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.
Blue Ridge Networks is working with the U.S. National Guard to allow service members to use their home PCs for computer-based training, reducing the time and expense it would take to travel long distances to a National Guard facility for the training. “We have a way of isolating access to the system using ANS that [helps] eliminate vulnerabilities and save people a tremendous amount of time and effort and unnecessary expense to keep up with their training,” Gilbert said.
Thinking Differently About Segmentation
Segmentation can be an effective security tool if done right, according to Brent Bilger, vice president of product management at Vidder, which offers a solution that provides trusted access control across internal, external, and cloud networks.
In a recent whitepaper, Segmentation for Security, Bilger advocates creating “a strong barrier between users and servers that can execute trust-aware policies for controlling access to applications.”
“Trust-aware means the access control system should act based on deep and extensive knowledge about the user, the device being used, its location, and the sanctity of the software on that device,” he continues.
“One might ask if I have such a powerful boundary between my user devices and my servers, do I need to do any traditional network segmentation at all? The answer is probably not in the corporate access network. But traditional network segmentation between servers in the data center can be a useful complement to add a layer of security in the data center,” Bilger writes.
However, not all network segmentation approaches are the same. Blue Ridge Networks recommends an autonomous approach that allows organizations to continue leveraging shared infrastructure to reap the cost benefits without leaving those systems wide open and susceptible to the risks that a shared infrastructure poses. When Federal agencies break up their massive networks into more controllable, segmented sections, security is increased and any successful breach will have its potential damage greatly minimized.
[Emphasis Supplied]
________________________________________________________
BLUE RIDGE NETWORKS
AUTONOMOUS NETWORK SEGMENTATION
https://www.blueridgenetworks.com/industries/government/
Government networks cannot and should not be compromised. If sensitive government data gets into the wrong hands, there's too much at stake.
Yet, keeping pace with growing cyber threats is an uphill battle as network complexity increases with the convergence of OT and IT and the increased adoption of the internet of things and bring your own device.
Our security algorithms have been FIPS [Federal Information Processing Standards] validated and we currently hold Army CoNs [Certificate Of Networthiness] for multiple products. In addition, our solutions have been cited as compensating controls for HIPAA [Health Insurance Portability and Accountability Act of 1996] and PCI compliance [Payment Card Industry Data Security Standard (PCI DSS)].
________________________________________________________
ARMY NETWORTHINESS PROGRAM (CERTIFICATE OF NETWORTHINESS)
https://www.atsc.army.mil/tadlp/implementation/confg/networthiness.asp
The Networthiness Certification Program manages the specific risks and impacts associated with the fielding of Information Systems (ISs) and supporting efforts, requires formal certification throughout the life cycle of all ISs that use the Information Technology (IT) infrastructure, and sustains the health of the Army Enterprise Infrastructure. Networthiness Certification is concerned with the identification, measurement, control, and minimization of security risks and impacts in IT systems to a level commensurate with the value of the assets protected.
________________________________________________________
We are not to judge thrift solely by the test of saving or spending.
If one spends what he should prudently save, that certainly is to be deplored.
But if one saves what he should prudently spend, that is not necessarily to be commended.
A wise balance between the two is the desired end.
Owen D. Young
American Industrialist, Businessman, Lawyer, Diplomat