Getting the Basics Right - Interview with Jerry Davis, NASA deputy chief information officer for IT security.
Jerry Davis, the deputy chief information security officer at the National Aeronautics and Space Administration, says he has created what he calls a "managed environment," in which the agency can identify the steps that must be taken to secure new devices such as the iPhone.
"I like to think of myself as more as a 'yes' guy, rather than a 'no' guy," Davis says, in an interview with GovInfoSecurity.com (transcript of interview below). "Chief information security officers are typically known as kind of the 'no' people. I try to run an organization that is parallel with what we are doing in the offices of chief information officers, which is enabling our customer and our client. We try to be a solutions-oriented environment."
In the interview, Davis also addresses the role the space agency's cybersecurity organization plays in the consolidation of NASA's IT infrastructure. "Security doesn't function on its own in silos," Davis says. He also discusses the need for NASA to attract more highly skilled IT security practitioners, especially those with forensic experience.
Davis was interviewed by Eric Chabrow, GovInfoSecurity.com's managing editor.
ERIC CHABROW: What are the major IT security challenges that NASA faces, and how are you addressing that?
JERRY DAVIS: Some of our major challenges we have to do are some of the newer things that you see today. No. 1, you have issues where consumer devices, what we call consumerism, and bringing things like iPhones into the environment, devices that are primarily made for the consumer. The end users, our clients and customers, like to use them to conduct business, and they don't always have the best security configurations for those devices.
The next thing would have to be our Internet presence. NASA has a very large Internet presence, a lot of web applications out there. Web attacks are one of the number one things that we deal with on a daily basis.
In dealing with some of these new things, like cloud computing, virtualization, where our data is located, moving into that environment is one of the other challenges that we're dealing with.
The first things we have done around consumer devices is, we have decided to move those things into a pilot environment, so that when we have new and emerging technology that has come into the environment, we allow people to use them. But we push those into a managed environment, so that way we can better kind of understand what the security parameters or the gap security that these devices have, and we can run a risk management exercise around that, so we can understand what the gaps in security are, and what are the things that we need to put into place, the controls we need to put into place so we can bring those devices into the environment, or not bring those into the environment. Those are part of the risk management process that we are dealing with.
When it comes to things like web applications and attacks around web applications or web presence, we are starting some new applications around application level security, software assurance and things of that nature, to understand what our web footprint looks like, and then how we manage software for that, to reach across the web, how we manage that software and what are the security controls that need to be in that software before we roll it out into the environment. That's a new program that we are just starting and it seems to be working out fairly well at this point, but we are, again, in the early planning stages of that, and putting up a framework around that.
CHABROW: It sounds as if, and correct me if I'm wrong, that you like the idea of new technologies, and you would like to adopt them if they can be done.
DAVIS: I like to think of myself as more as a "yes" guy, rather than a "no" guy. Chief information security officers are typically known as kind of the "no" people. I try to run an organization that is parallel with what we are doing in the offices of chief information officers, which is enabling our customer and our client. We try to be a solutions-oriented environment. You talk about things like cloud computing, you talk about things like iPhones, or smart phones. They're here already. You're already a little bit behind the curve, in trying to deal with them, the end users are already using them. Why can't they use something in the environment that they use at home on a day to day basis. I look at my job as trying to continue to enable that. We used to use the term "enablement" in security, enabling the business, as, kind of a buzz word.
I look at it more as something that we really try to do in being solutions oriented. I spend a great deal of my time looking for solutions. And we see things like remote access and telework. How do I bring in thousands and thousands of unmanaged computers - so this will be something at someone's house - how do I allow them access into the environment without jeopardizing the posture of my environment? Early on, we see where the trends are going, and we start looking for solutions immediately. There are times when there are no solutions out there, so we may hold something in abeyance for some time. I spend a great deal of my time, and I know my staff does as well, really pushing a lot for solutions. So, I am forever talking to a number of vendors out in the community, I bring them in, and we talk at length about different solutions, and kind of the vision of where I'm trying to go in managing different devices and new technology.
CHABROW: What's the most innovative thing you feel NASA is doing to secure IT?
DAVIS: Maybe it's not so innovative. I think, in practicality, when you think about it conceptually, that's consolidating our infrastructure and moving things to a more centralized, managed environment.
You hear a lot of organizations, a lot of federal agencies, a lot of commercial practices, are all trying to have, to some degree, a consolidated and centralized IT operation. Security is something I look at that it doesn't function on its own, by itself, in a silo. Gaps in security happen as a result of something that has gone wrong in IT management.
And, one of the things we are doing at NASA, what I believe some of the more innovative things we are doing, are around consolidation and centralizing the IT. For instance, we are consolidating our Active Directory, which is usually important for us for better management of security, around users' access to different objects and things of that nature, accountability and then authentication. That is something that was a monumental activity for us that has been going on for the last couple of years, but we are making headway in it. We are already starting to see some of the benefits of doing things like that, and doing other initiatives like IP address management, and understanding what we have, because if you don't really understand what you have in your environment, it's very tough to protect it. Big, enterprise initiatives, like IP address management, consolidating things like e-mail, and Active Directory, all have profound impacts on security. Managing better IT in that regard helps us better to manage security, as well.
One of the other big security activities was setting up our consolidated security operations center. For years, NASA had had largely a fragmented and decentralized security operations activity and incident management activity. We've spent the last year, or year and a half, or so, consolidating security operations functions, and monitoring intrusion detection systems and installing log aggregation tools across NASA, not just in one center, center by center, but across NASA. We are now able to get better visibility from one location. We are working toward seeing all the way down into the different NASA centers, where we couldn't do that before, and that helps us to detect things better, and enables our response a little bit better. But, that is one of the more innovative things we have done in the last year, year and a half, or so, and it's taken a lot of work, and there's a lot of challenges, but we've overcome, probably about 80 percent of those, and we're kind of in the home stretch now, the next six months, of wrapping up that activity. And it will be the first time that NASA had an end to end view of its posture, from here, all the way out to Russia.
CHABROW: What are your challenges regarding recruiting, maintaining and training IT security workforce?
DAVIS: Our first challenge is getting good IT folks. Then, the second part, after getting good IT folks, is (to assure) they have a strong background in security. One of the issues we have today - when you look at it from a government perspective, when you talk about job series - is how they categorize jobs, the number for IT Specialist is 2210, that's the job series. Today we tend to wrap security into that job series of 2210. In my estimation, and I think if you talk to some of my colleagues around the federal government, that it's about time that security has its own job series. It's becoming a very specialized profession, and there's just not enough people in the profession today. You kind of rob and steal from other agencies because the profession is in distress, there's just not enough IT professionals.
The training side, once we have them, training is not a problem. We give them the training that they need. The problem is just the resources. There just are not enough IT security specialists out there. I think that the colleges and universities are doing a heck of a job in putting together the information assurance programs, the National Security Agency Center of Excellence-type programs, but they're still not coming out fast enough. And we need them to come out fast enough, and we need some very particular skill sets.
A number of years ago, computer forensics was not a skill set that was widely known, and it was very, very specialized. Today, I am finding that your average IT security specialist, when they come in the door, we desperately need them to have a forensics background. It's a matter of resources, but the training side of it, we're doing fairly well, but again, when you don't have anybody to train, that's kind of a problem. We're looking to try to get more and more people out of the colleges and universities, or wherever they may be, that have a strong IT background and a strong security background, to go along with that, to add to our security cadre.
CHABROW: A couple of points: One, you say the first thing you need is good IT people. Does that mean you feel IT employees, even if their job is not security, should have to be aware of and be working on security? Second, you talk about a need for people. Are there shortages of IT security personnel at NASA? Can you hire people now? How much of a shortage is there? Third, you talk about forensics. Why forensics?
DAVIS: There is definitely, I think, a shortage in good IT people, as well. One of your core competencies - even (for) an IT specialist - is security. When we talk about folks, like system administrators, you've got to look up the definition of a system administrator, and you look into their roles and responsibilities, and security is a huge role and responsibility for system administrators. You need those types of IT folks who understand their roles and responsibilities as it pertains to security, and as they understand things like networks.
One of the key things that we look for, that we would like to have, are folks who are just well-rounded, and understand the basics and roles and responsibilities of their jobs as IT professionals. One of those roles and responsibilities that we looked at is security. NASA is hiring almost all the time, not necessarily where I am, in headquarters, we don't want to overload all the specialists and people that have the high skill set at headquarters. We want those people to be out at the centers, where the real work is taking place, and where I like to say, "where the smart people work," out at the NASA centers. Those centers are hiring, from time to time. It just depends on what the condition of the environment is like, and how many slots they have available, and things of that nature.
The centers do need more security professionals, because the work is voluminous, and there is just not enough folks to handle that. Some centers have been picking up folks here and there, but it's just a matter of how many slots they have available at their centers, and what their headcounts are and things like that. There are some limitations to being able to hire up in staff up in those areas.
As it pertains to forensics, you get a lot of attacks these days that are related to malware, or things like viruses, Trojan horses, spyware, worms, and things like that. A good forensics person can help you go in and kind of break down malware and tell you how it works. And my understanding of how it works and you get a better understanding of what you need to do to secure your system. Forensics professionals can also tell you about things about your system, or applications that you didn't know, for instance, when you have zero day attacks. A forensics person will be able to tell you that, "Hey, you know, this is a vulnerability that's not known out in the public, and here is how we need to deal with that."
We're finding that one of the number one issues that we are having is around malware, as every other agency is having. A good forensics person will be able to tell you how the malware works, how to break it down, and then what are the things you need to do to secure your systems. And, it also will tell you things around the network, as well, better things we can do around the networks that contain issues, and things of that nature. Forensics professionals are in high demand right now. We contract that work out today. We have some folks on staff that have a pretty good forensics background, but largely, it's such a high demand, and we just don't have the professionals that are coming in with that skill set that are civil service. We have to go out and buy that talent.
CHABROW: You would rather have them in-house than to contract out?
DAVIS: Personally, it doesn't matter one way or the other. I would take them either way I can get them. But, it would be nice to have a handful of people in-house. That would be a great skill set.