Government's ROI from DNS Security
Insights on How Agencies Can Budget for and Boost Security
But government agencies in particular need to be concerned about DNS security to protect their e-government initiatives.
In an exclusive interview on DNS security, Mark Beckett of Secure64 and John Thomas Flynn, former CIO of the states of California and Massachusetts, discuss:
- What is most at risk at government organizations;
- How agencies have successfully deployed DNSSEC;
- How these initiatives can be funded.
Mark Beckett develops and executes product strategy and customer-facing marketing programs at Secure64. He has more than 23 years of experience in product marketing, business development and software engineering. Beckett holds B.S. and M.S. degrees in Mechanical Engineering from Stanford University.
John Thomas Flynn is a co-founder and partner with Flynn, Kossick & Associates, a business consulting, research and training organization dedicated to serving both business and government with a focus on information technology investment, management, procurement and oversight in the public sector. For almost two decades, he has been at the center of the renaissance to upgrade the public sector's management and utilization of its information technology assets.
DNS Security Defined
TOM FIELD: Mark, when we're talking about domain name system security extensions, what exactly are we talking about, and why is this area of security so important to public sector CISOs?
MARK BECKETT: Well, I think before we talk about DNSSEC, or domain name system security extensions, we probably need to talk about DNS itself, which is the domain name system. So the DNS is really the -- it's usually described as the phone book of the internet, the thing that we use, all computer systems use, to look up the names of servers we might want to communicate with, and the DNS returns the IP address of that server. So whenever we visit a website or send an email to somebody, we're using the DNS behind the scenes to translate a server name, like www.mysite.com, into an IP address that our computers can understand.
So DNSSEC is adding critically needed security to the DNS protocols themselves. The DNS was designed quite a while ago, and back in those days, we just weren't worrying about security too much. And we didn't worry about it for quite a long time until about 2008, when we discovered a major flaw in the security protocols of the DNS. And DNSSEC are the extensions to those original DNS protocols that add the security that we need to make sure that when we go to a website or when we send an email, we're sending it to the server we intend to be talking to and not some imposter.
Public Sector Risks
FIELD: Mark, what do you find to be most at risk for public sector organizations?
BECKETT: Well, like any organization, public sector organizations have -- they use the internet, they use websites, use email to communicate with the citizens of their state or locality. So, if the DNS is vulnerable, if it can be compromised, then if I'm a citizen of my state and I'm going to, for example, submit my state tax return online or otherwise communicate with my state government online, and if an attacker could essentially hijack the web server of the state that I think I'm talking to when I try to submit my tax return so that I'm actually sending it to a place I don't intend to, that's really bad news. And so this is not unique to public sector organizations, but any organization that is using the internet to try to improve communication or, you know, lower costs of running e-government, essentially, has got to worry about the security of those communications. And so DNSSEC is important for them, just as it is for other organizations as well.
CISO Considerations
FIELD: Well, let's put ourselves in the CISO's perspective. What does the CISO need to be considering when thinking about deploying DNSSEC?
BECKETT: Well, if a CISO would look at this and say, "Look, I need to add security to the DNS. It's critically important to secure this basic protocol," they would basically have several different options on how they could deploy it. Those options range from using free open source tools to deploy DNSSEC to outsourcing it to a third party or using commercial products to deploy DNSSEC. But regardless of the approach that they might consider taking, they really need to be thinking about a few critical things.
DNSSEC, first of all, is fairly complicated, and so you have to ask the question, "Do I have the knowledge or skills on my staff, or can I get that quickly, in order to understand what this thing is and how to deploy it?" A second consideration is: "Do I really have the staff to actually implement it?" So it's one thing to understand it, but it's yet another thing to actually implement DNSSEC. It can be complex, and it can be time consuming, and so you really need to look at your staffing and say, "Do I have the resources that it's going to take to deploy it and keep it deployed?" Because it is not a do it once and then forget about it kind of a solution. It requires constant care and feeding. So those are a couple of important considerations for any CISO looking at deploying DNSSEC to consider up front.
Government Experiences
FIELD: I know you've got experience with government in federal, state, and local. What have some of these sectors experienced when they have implemented DNSSEC?
BECKETT: Well, as you mentioned, Tom, we have been fortunate to work with a number of federal and state and local governments, and we've seen a few common themes running through them. One is the realization, especially as these organizations start investigating DNSSEC and what's involved in deploying it, that this is not a simple thing. They look at the resources that it takes to actually deploy it, even traditional open source tools that are available to everybody. And another thing they realize is that it takes quite a bit of time to do the initial deployment and then to maintain it. And then the last thing is that they realize, sometimes a little bit the hard way, that if they make a mistake in their deployment, the consequences are fairly severe. They can take all their websites and all their email servers effectively offline if they make a mistake.
So, for example, we've been working with the Commonwealth of Virginia, which started off doing some good due diligence on DNSSEC. They investigated deploying it using commonly available open source tools. After that, they realized that it was going to take them quite a bit of time to deploy it, and it was going to take quite a bit of staff to keep it running. And they also realized that if they made a mistake, it could be fairly catastrophic for them. So they looked around and eventually they chose Secure64's product to automate the deployment. And so they were able to do it in a very short period of time. They were able to avoid having to add that one to one-and-a-half full-time people to keep DNSSEC running, and they also, because it's now automated, don't have any risk of making a mistake that could be fairly catastrophic for them.
Investment Drivers
FIELD: Now, John, from a state's perspective, what's driving new investments in DNSSEC?
JOHN THOMAS FLYNN: Well, I think the serious implications to the issue are probably: 1) the idea of having a breach, losing data, having password interception -- the things that Mark was just elaborating on -- systems crashes, etc. These are the CIO "career is over" kinds of implications for these types of events. So that's one thing. But certainly, I think there is the formal interest of the federal government, the Federal Information Security Management Act, FISMA, requires DNS security compliance and required it several years ago now. The federal government agencies are somewhat slow in implementing it, but there certainly is a watch and a scorecard on their compliance. And states take that seriously. In fact, many states -- Virginia is a good example -- felt that the way that the federal government FISMA requirements were written and the fact that state governments are such large grantees of federal funds, that sooner or later, just like with the year 2000, the implications are that federal programs that are being operated and administered by state governments are going to make the dot govs of the state and local governments in play, and, consequently, that's why they're looking at compliance. So you have states like Virginia, you have states like Idaho, states like Vermont and California seriously looking at implementing it, and several have done so, and I'm sure we're going to see more in the future as we talk to some of my former colleagues at state CIO and CISO levels.
Challenges to Overcome
FIELD: John, what do you find to be the key barriers that these organizations have to overcome?
FLYNN: Well, I think it's just about like any kind of IT investment, at least in this day and age. There's certainly a constraint on state and local budgets. It's very difficult for IT leadership to go in and ask for more money, so they've got to get a little more creative, and certainly they have to be able to make the powers that be realize -- not only with their CIO, but with the folks in the budget office -- that there are serious implications. It used to be it really wasn't that critical, for example, if online services went down for the state because there were so few of them. But now you have states that are receiving tens of millions of dollars a day in revenues and payments through their information technology systems, and this would put a huge burden on them if there was a disruption. So they've got to learn to be able to overcome those barriers by talking to the right people, prioritizing their investments, and understanding the implications of what would happen if there was a serious breach.
How to Fund DNSSEC
FIELD: John, you mentioned budget. That's a huge hurdle. What are some of the ways that DNSSEC initiatives can be funded? What have you seen work?
FLYNN: Well, there's the normal way. It's just every year there are a certain amount of projects that end, and new ones then will begin. And consequently, again, you have to prioritize these new information technology initiatives and make sure the ones related to security are front and foremost when you start prioritization.
Secondly, you've got to look at other options. Most of these data centers that have become the centerpiece, if you will, for DNS security implementation, most of them operate in a charge-back environment where they charge different agencies for each bite of the pie in terms of hosting their applications. Well, it's a lot easier for a shared service to be funded in that respect than coming up with brand new money, which would not be spread about, but would be concentrated within the data center budget.
And then, of course, you've got some very interesting implications for states that have taken a look at grant funding. For example, the State of California was very successful and got over $1,000,000 last year in a federal grant, Homeland Security grant, under the State Homeland Security Program, SHHP, which funds their implementation, which is in the process of being -- the procurement is about to occur here in Sacramento. So there are different ways to do it, but like anything else, unless you can make a business pay for it, it's going to be difficult to do so, and this falls directly on the CISO and, in many respects, to their bosses, which is usually the CIO.
NASCIO Role
FIELD: One thing I didn't mention up front, John, is you're the former president of NASCIO, the National Association of State CIOs. Could you explain for us, please, NASCIO's role in championing DNS security?
FLYNN: NASCIO has become a very sophisticated organization over the last 10 or 15 years. I remember when I was CIO in Massachusetts back in the mid '90s, there wasn't a CIO, and arguably I became one of the first CIOs in the country when I was in Massachusetts. But now you find 40 to 45 states have a CIO, and most of them are cabinet level. And consequently, the NASCIO has taken on a much greater role, not only with the states but vis-à-vis their relationship with the federal government. And there is a standing subcommittee on security that has been in effect going back to when Connecticut CIO Rock Reagan was in charge. And their membership is made up not only of the state CIOs, but they have a subcommittee on privacy and security, of which many of the state CISOs around the country are actual members, and they're attending the NASCIO events and very active in their monthly calls.
So in speaking with the representatives from the subcommittee recently, DNS security is right on their radar, and it has been elevated, I think, because of their close relationship with the federal government and, again, through the implications of the FISMA and how it affects the federal government and how it will affect anybody that's receiving federal grant funding. So NASCIO will play a major role in this, a great source of information, a great source of collaboration, and we expect to see more and more of that at the NASCIO conference next week in Washington, D.C., as a matter of fact.
Closing Thoughts
FIELD: Let's bring this down to some closing thoughts now. John, why don't you start first? If you could boil it down to some advice, where would you say is the best starting point to tackle this topic of DNSSEC?
FLYNN: Well, I think we first realized that this is -- more than likely, this is in the purview and the portfolio of the Chief Information Security Officer. And in most cases, in the states, they report to the CIO. So it's very important that the CISO form a strong partnership in relation with their boss and use that to educate. Because just like the year 2000, it wasn't just the IT folks they needed to educate; it was the program people and the budget people. To realize the implications of a DNS security breach, we could have lost data and password interceptions and even a systems crash, and what that means to the state in this high tech age.
And, finally, I think you have to be able to push this issue to the top in terms of your priorities. That's the way we're going to get funding. Grants are nice, but they take a while. Charge-backs, the same old. If it's important, if the education is done properly, people are going to realize this has to be funded. And certainly the way to do this would be identifying the problem, coming up with a solution for it, and, having the funding made available, you're going to get this problem solved.
FIELD: That's well said. Mark, let me turn this back to you, your closing thoughts. Where would you advise is the best starting point?
BECKETT: Well, I agree with what John said, and I think education is critically important. In many cases, there's sort of a general awareness that DNSSEC is out there, but not very much more detailed knowledge about it. And I think if you're going to prioritize DNSSEC against all of the other things that are contending for limited resources, you only need to understand what it is and what problems it's solving and what the risks of those vulnerabilities in the DNS are for your organization if you're going to do that prioritization that John was talking about. So there's a wealth of resources out on the internet. One particular set of things I know of that Secure64 has done, we've put some short YouTube videos out on the internet. If you go to YouTube and just search on Secure64, you'll find a number of short videos that just explain what the vulnerabilities are and what DNSSEC is and how it works, and that's certainly a good starting point. There is a wealth of other resources, I think, out there as well, if you just search on DNSSEC.