How secure is your COOP?

In the past, continuity-of-operations planners had a primary objective: Re-establish government operations as quickly as possible after a natural or man-made disaster. But now as COOP planners become more aware of information security vulnerabilities that can open up when primary information systems go down, some of them are taking a more cautious approach to recovery. “Today there’s more emphasis on ‘How do I get up and running securely?’ ” said William Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination (OCSCIC). Pelgrin said agency managers must evaluate the circumstances before deciding whether to recover quickly or recover as securely as possible. “If there is an immediate threat to life, safety or health, then you do whatever you have to do to make sure that you can address that situation,” he said. Some emergency situations might dictate physically transporting a hard drive with unencrypted data if getting the information to first responders will reduce casualties. “But absent that, you need to ask ‘How do I make sure that I’m moving forward with the recovery effort while also making sure that I don’t add to the disaster?’ ” by inadvertently allowing an information security breach to occur, he said. COOP experts say the answer lies in combining policies and information technologies that maintain security continuity throughout a period in which a government office is closed and workers regroup at secondary sites, telework centers and home offices. Coming up with that combination requires that security considerations be part of continuity planning from the start. “When security gets bolted on at the end [of COOP development], that’s the worst scenario,” said Jim Kennedy, business continuity/disaster recovery practice lead at telecommunications vendor Alcatel-Lucent. “That means there hasn’t been the necessary continuum of thought required to make sure that you’ve considered all the little nuances that go along with security, whether it’s physical, administrative, or technical security.” Balancing security and fast recovery means enabling employees to access the data and applications they need to do their work while keeping unauthorized people from connecting to internal data networks or physically entering affected data centers. Even if an employee working remotely presents proper network-access authorizations, agencies must guarantee that the user’s computer can’t plant malware behind a firewall and that a hacker cannot intercept sensitive communications between COOP locations. The right mix isn’t purely technical. With the right selection of hardware and software, agencies can ensure that established security policies remain in effect during an emergency. “Technology can automatically enforce security policies so people won’t have a choice” to do otherwise, said Casey Coleman, chief information officer at the General Services Administration. “People will have to follow the security policies and procedures in order to get access to internal systems.” For example, GSA and New York’s OCSCIC are looking for technical methods to enforce internal mandates that remote workers only use protected, government-issued hardware when connecting to their respective networks. OCSCIC will rely on more than simply voluntary compliance to ensure that policy rules are observed.  “In my agency, I require that only state-issued thumb drives can be used,” Pelgrin said. “People are prohibited to even have no n-state thumb drives on the premises.”The office is evaluating commercial software designed to detect and prohibit unauthorized devices from successfully making a network connection. The software allows IT managers to remotely disable individual computer communications ports, such as ones for USB- and FireWire-compatible peripherals. The use of such software reduces the risk of virus infections or unauthorized access to data. “We’re only allowing connections where there is a business case that’s been balanced against the risk,” Pelgrin said.Similarly, Coleman said she is concerned about the number of outside machines run by contractors and teleworkers that are connecting to GSA’s network. “We are trying to move to a point where only the most trusted government-furnished equipment is given full access to the network,” Coleman said. “We are working on some network partitioning that gives more limited access to those less-trusted devices.”A class of technology known as network access controllers (NACs), which come in either software or appliance versions, offers additional ways of vetting remote machines. The NACs perform virus scans and check that a remote device is running the latest security updates before users can log in, said David Graziano, manager of federal security solutions at Cisco Systems. To defend against zero-day malware attacks, whose newness allows them to pass undetected by virus scanners, agencies can install intrusion-prevention systems. Those systems look for anomalies in the behavior of remote hardware that might indicate the presence of malicious code, Graziano said. In addition to authorizing individual devices for network access, agencies also must validate the individual users of the equipment. Several organizations, including GSA, are implementing two-factor user authentication by equipping laptop PCs with common access card readers that comply with standards developed to implement Homeland Security Presidential Directive 12. That directive requires federal employees and contractors to carry smart cards that verify their identities.   COOP experts recommend that two-factor authentication be applied to contractors who need access to networks during an emergency. In COOP mode, government employees will likely interact with a number of unfamiliar consultants, making it especially important to use more than just a password to identify who is gaining entrance to the network, Kennedy said. Meanwhile, agencies are deploying data encryption technologies to protect information, thereby increasing their COOP readiness. For example, the Navy Marine Corps Intranet (NMCI) is using a commercial encryption package, Guardian Edge, to protect data stored on its laptops, said Robert Pearson, vice president of NMCI leveraged delivery at EDS, which holds the NMCI contract. New York’s OCSCIC requires encryption capabilities on network-connecting laptops, personal digital assistants and thumb drives, a policy that all state agencies will be adopting this year, Pelgrin said. However, data stored or exchanged via laptops isn’t the only information that requires data encryption, COOP experts say. “Any file transfers made to synchronize with a mirrored site has to be encrypted,” Kennedy said. “Anybody that is sending data in the clear today is probably making a big mistake,” he added. Virtual private networks can create secure communications tunnels for mobile devices by using client software to scramble and unscramble data moving to and from remote locations. Perhaps the best way to keep data safe at remote locations is to make certain it is never stored outside primary or failover data centers, some CIOs say. Thin-client technologies from Citrix, Hewlett-Packard, Microsoft and thers allow emote users to see and manipulate applications and data housed at central locations. At the same time, they eliminate the danger of unauthorized users accessing those applications and data on a laptop’s hard drive. “We encourage folks not to store data on the local devices [of home PCs or mobile devices] to the maximum extent possible,” said Michael Duffy, deputy assistant secretary for information systems and CIO at the Treasury Department, a thin-client user. “We want people to access the data through the network.”Some agencies are also looking to technology to help them locate staff members during an emergency. In the past, GSA managers relied on phone and e-mail lists to track down all their employees and then forward that status information to the human resources department. Now the agency is using a mass notification system from 3n Global, which provides a central console for sending notifications to affected employees in multiple buildings and geographical regions. Alerts can be sent to phones, PDAs, cell phones and land lines. Employees respond using whichever channel is operational. “If someone on the e-mail team or someone on the storage team doesn’t report back, we might need to call in some extra contractors,” Coleman said. “That’s not IT security in the sense of a vulnerability to a foreign threat. It’s security in the sense of being able to carry out your essential functions in a time of crisis.”   Spurred by homeland security regulations, many federal agencies can justify COOP security technologies as a cost of doing business, Coleman said. “You can’t afford not to utilize these mechanisms. They’re mandatory nowadays.” Some state and local COOP directors are tapping federal funds available through the Homeland Security Department’s Urban Area Security Initiative to help cities pay for their security efforts. “There’s a big push for continuity of operations and for facility hardening, so we’ve been able to access some [federal] grant funding as well as our state homeland security grant program,” said Jeffrey Goldberg, logistics officer for Florida’s Palm Beach County Division of Emergency Management. Before joining county government, Goldberg spent several years in emergency management as a consultant and staff member of the Library of Congress and the Capitol Hill Task Force on Emergency Management. During that time, he saw COOP policies that didn’t fully consider security. In some cases, those policies were overly influenced by IT department leaders whose primary focus was not on physically securing an evacuated facility or temporary headquarters established in an emergency. Officials also must not overlook personnel issues during COOP planning. “It’s not so much about being able to flip the switch to turn on the hot site, but you have to consider, ‘How are you going to get Sally from her office into her relocation site?’ ” Goldberg said. “There are transportation issues, logistical issues, personnel security issues. You need to have convergence among emergency management, physical security and IT to have the best possible continuity of operations.”  New York’s Pelgrin said employee considerations are critical for successful COOP planning. “Continuity of operations is about how you set up the essential staff that is needed to maintain the minimum level of operations for your constituents and then move [the recovery plan] forward,” he said. “The group that developed our COOP plan came from every discipline within the agency. I had lawyers there, I had cybersecurity people there, I had [geographic information system] people there. I had every level represented on that committee to ensure there was a holistic approach, which I think is essential.” Making plans for getti g the recov ry staff members to their proper locations is critical, Alcatel-Lucent’s Kennedy added. “The staffing that will manage and maintain the technology has to move into that new location to make sure that the technology is being implemented, that it’s operating correctly, that it continues to be maintained and managed,” he said. “The recovery world is very dynamic, and one does not always know, even though there is a plan in a place, exactly what’s going to happening at that [backup] site.”