Every week, between 250 and 400 terabytes of data traverses the network backbone operated by the Department of Veterans Affairs.
The data is stored and travels between 380,000 desktops, 40,000 laptops, 18,000 mobile devices, 21,000 servers and about 15,000 network devices VA employees use for work. On top of that, VA analysts have to maintain and manage massive data sets.
All of that presents enormous information assurance and security challenges for Jerry Davis, VA Deputy Assistant Secretary, Information Security, Office of Information and Technology.
“Everything we do is driven by risk and our tolerance for risk,” Davis said, summing up how his staff confronts that and other challenges at VA, during a recent Federal Executive Forum on Emerging Technologies.
“More than anything at VA today we are looking at the big topics around mobile devices, mobile device security, application security and continuous monitoring of infrastructure and devices on a near real-time basis,” Davis explained.
To manage risk, Davis said VA is investing in visualization technologies for continuous monitoring that allow him to see everything that’s on the network – including mobile devices — and be able to manage it in a near real-time environment.
“That’s a lot of information, so how do I move that data from a security perspective and turn it into usable information? I have to be able to collect it and distill it down to something in near real-time,” he noted.
“So our challenge right now and what we are really starting to dive into on the security side of the house, is how we are dealing with Big Data analytics.”
Embracing Mobility, Managing Risk
While analysts are worried about “big data,” Davis must also provide services for mobile phone and computing technologies and platforms now allowed to operate in the VA tech environment. The key, of course, is securing these devices.
“The big fear is losing data. So we took an approach that we don’t allow data to ever reside on the devices themselves,” Davis explained.
“Using virtualization technologies, the data is never resident or persistent on a device.” Therefore, if an iPad is lost, losing the device is the only loss, because there is never information resident on the device anyway.
“For me it’s all about risk management. So I make governance decisions — whether it’s technology purchases, policy implementation or policy changes — based on the amount of risk that I can buy down, transfer, avoid, or whatever,” explained Davis.
“And the risk management theme doesn’t always mean that we have to buy something new; it may just mean that we have to change the processes.”
Davis acknowledges that from the beginning that security has been viewed as the arch enemy of good business process.
“You want your computer to be fast, accessible and ready to go at the moment you push that button. But computer security has a tendency to slow you down. Security technology needs to get to a point where the security is adding value.”
Davis appreciates both the complexity of the today’s threat environment and what it takes to run large day-to-day operations.
Prior to joining VA, Mr. Davis was the deputy CIO and chief information security officer for NASA) where he oversaw the development and implementation of enterprise-wide IT security engineering, architecture, governance and operations. Before that, he served as deputy CIO at the Department of Education; helped design and implement the District of Columbia’s first city-wide IT security program; and worked for Central Intelligence Agency. A combat vertarn of the United States Marine Corps, Davis conducted research for the Strategic Defense Initiative Organization in the late 1980s on the evolving nature of “The electronic battlefield.”
Davis says he now spends a significant amount of his time at VA patching systems because of poor software development. That has to change, he said, because with 50 billion or so IP-enabled devices in the world, there is no way anyone can patch fast enough.
“Going forward we are going to have to start seeing security embedded in devices. It is going to have to be embedded below the operating system, down at the chip level, where security is inherent, providing those security functions for you.”