Homeland Security Department tackles enterprise architecture

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,79963,00.html

By DAN VERTON 
APRIL 02, 2003
Computerworld 

WASHINGTON -- The U.S. Department of Homeland Security (DHS) plans to
complete an initial inventory of its entire IT infrastructure by June
-- a critical step toward the ultimate creation of a nationwide
architecture for homeland security, said Steve Cooper, the
department's CIO.

The new department has already identified more than 2,500
"mission-critical applications or automated solution sets" and more
than 50,000 "items" that make up its IT infrastructure, said Cooper,
speaking yesterday at the Secure E-Business Executive Summit in
Arlington, Va. However, the process of taking an initial inventory is
only 40% to 50% complete, he said.

The DHS includes 22 formerly independent federal agencies, and the
Office of Management and Budget began working on the Federal
Enterprise Architecture Framework in February 2002. The goal is to
leverage IT to simplify processes and unify work across agencies and
throughout federal business processes.

The challenge for homeland security, however, is to devise an
architecture that is secure and aids rapid information-sharing and
collaboration at all levels of government and the private sector.

"The national enterprise architecture is not just federal," said
Cooper. "We've reached out to state and local environments, and we are
reaching out [to the private sector]. But we haven't figured out the
optimal way to reach out to the private sector."

The department has started an aggressive outreach effort that's being
led by a series of independent task forces hoping to identify business
processes common to the department's five directorates. Meanwhile, two
separate task forces have been studying infrastructure and application
security. And a third task force is studying security from a physical
and business-process standpoint, he said.

The challenge of creating a robust enterprise architecture that is
both open and secure has been one of the key topics during the many
town hall meetings held during the past year by the President's
Critical Infrastructure Protection Board. The two goals "seem to be in
conflict with each other, but I would submit that they are not," said
Howard Schmidt, chairman-elect of the board.

"We have to rethink the way we [create architectures]," said Schmidt.  
"We used to look at what we can do with it, as opposed to what [an
adversary] can do against it." In addition, he said, the introduction
of new technologies is forcing officials to "redefine what it means to
have a secure architecture.

"Now, the end point, the handheld, the wireless phone are part of your
architecture," said Schmidt. "And that architecture and the thought
process has to change. When we start adopting IPv6 [Internet Protocol
Version 6], and everything is connected and everything has an IP
address, that's going to be a different architecture."

"We'll never get away from needing multiple layers of defense," said
Dan Mehan, CIO at the Federal Aviation Administration. The FAA has
taken a first step toward making security a core component of its
enterprise architecture by integrating its information systems
security with the overall National Airspace System (NAS) architecture,
said Mehan.

"We're now looking at the administrative and mission-support areas and
harmonizing those," said Mehan. The FAA has discovered, somewhat to
its surprise, that by putting its IS security architecture on top of
the NAS architecture -- and integrating the two -- it added
constraints on the IS security architecture that would not have been
there if the IS security architecture had been developed separately.

"We're using the enterprise architecture work we're doing now to step
back a little bit and see if perhaps we constrained the information
systems security architecture inadvertently," he said.

Van Hitch, CIO at the U.S. Department of Justice, questioned the
appropriateness of "lumping" all business processes under one
enterprise architecture umbrella. "What we're really dealing with is a
whole classified element of critical infrastructure that has one set
of risks" and various other open and public processes, he said.

For now, however, the challenge for the DHS is to set up something
that can help officials make critical decisions at a time of war, said
Cooper. As a result, people should be prepared for the architecture to
change over time.

"At the same time that we have true operational capability that we
have to sustain, we have to make sure that it works right now," he
said. "We're fighting a war in Iraq and a war on terrorism, and there
are absolutely real things that we have to do right now that we
honestly don't have the luxury of fully architecting before we put
solutions in place. We fully recognize that some of that will have to
be reshaped or replaced somewhat down the road. We accept that."

Cooper warned that the department wouldn't get it perfect the first
time. "There's a huge difference between perfection and good enough,"  
he said. "We have to be good enough to make decisions and move
forward."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.