Securing While Innovating – Not Easy, But Totally Possible!

This interview is an excerpt from our recent guide, 30 Government Innovations That Mattered in 2015, which examines 30 government case studies that explore innovation at all levels of government. These innovations spanned the government job spectrum, from human resources to cybersecurity and back again.

The ease of online services and digital resources is a perk that citizens often associate with their favorite retailers, not government agencies.

Government innovation has truly taken off in the past few years. Everywhere you look, it seems like a new technology is popping up, from improvements in cloud computing, to drones, to cognitive governance, to the Internet of Things. There’s a lot that’s changing, to put it mildly.

But despite the myriad innovations that are happening and all the change that is taking place in government, one thing has remained a constant: the need for better security.

To understand how government can continue to innovate while staying secure, GovLoop sat down with David Egts, Chief Technologist, North America Public Sector, Red Hat.

“Red Hat sees security as incredibly important because you can’t innovate properly without knowing that what you’re doing is secure,” he said.

Egts explained that security will never be a problem that can fully be solved or go away – but it is something that, when addressed properly, can have its risk minimized. One way to do this? Automated security.

As Egts explained, in the past, security was a very manual and labor-intensive process, where people would secure their systems by hand – something that worked relatively well at the time when government data centers consisted of a relatively small number of large systems.

“But nowadays you have a large number of very small systems, where you have blade computers, virtual machines, cloud virtual machines, and containers that are all over the place, that may not even be in your physical datacenter,” Egts said. “How are you able to secure that?”

That’s where automation of security comes in. In the past few years, Egts noted, there have been many innovations in the industry in terms of increasing the automation of security. NIST has come up with SCAP, the Security Content Automation Protocol, a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation.

“Industry has stepped up,” Egts said. “Red Hat is coming up with SCAP content to be able to lock down systems, and to be able to do that at scale. And that’s really important, when you have a large number of very small workloads that are ephemeral and that need to be in production much faster.”

While Egts stressed that Red Hat is not a security company, “We’re all about building secure software by design, and providing government customers tools to get the certification and accreditation done as quickly as possible, and get those workloads securely into production as fast as possible. And that’s why security automation is going to be big. It’s going to go away from the manual checklists, to be much more automated.”

Automation also enhances another innovation the government is starting to adopt: the hybrid cloud.

“People used to think, ‘Oh, I put something in the cloud, it’s out of my control and it’s not secure,’” Egts mused. “But if I have a hybrid cloud management tool, I can manage everything from a single console, and add additional cloud providers. One would think that adding more cloud providers would increase complexity, but the level of effort actually lessens using hybrid cloud management tools. Instead of having to swivel from one vendor’s cloud management console to another, I can use hybrid cloud management tools to define processes once and repeatably automate them.”

Security around the hybrid cloud is important because its use in government will only grow, Egts said.

“Having a hybrid management tool is going to help with your security posture, because you can define it once and apply it everywhere,” he explained. “That’s whether it’s physical, or it’s in your datacenter or in a public cloud. Additionally, having more and more cloud providers, knowing whether they’re going through the FedRAMP certification is important. And it’s more than just having the government certifications, but also the software vendor certifications, too.”

Overall, Egts emphasized that a community approach towards security in government is what will create the best environment for innovation.

“One of the things that we’re proud to be a part of is the SCAP Security Guide community, where Red Hat and other vendors, as well as NIST, NSA, DISA, and other agencies are working together to do security policy in the open, using open source tools and the processes,” he said. “So instead of people being very secretive and proprietary, doing security policy in the open makes everybody much more secure.”
