Presentation: 9 ways to live better, longer, happier
From here:
Dan Buettner: How to live to be 100+
I'm not crazy about the typical PowerPoint template used in a few of the slides, but most of the time the screen was filled with full-screen images (Left) or video clips (Right) that were a good complement to the talk.
In Sum
What are the common denominators running through the different cultures they studied? If you do not have time to watch the video, I summarized them below in my own words. You can go to the Blue Zones website to get all the details.
(1) You don't need a formal, rigorous exercise plan. We're talking here about a change in lifestyle that is fundamentally active. We're designed to move. We're not meant to drive 100 meters in a car to pick up chips at the local store. Walk, do yard work, whatever. Do exercises/activities that you enjoy.
Have the Right Outlook
(2) Slow down. When you're constantly in a hurry and stressed out, this has a negative impact on your health. Limiting negative stress is one of the healthiest things you can do for yourself.
(3) Have a clear purpose. The Japanese call it "ikigai" 生き甲斐 (lit: life + value, worthwhile). You must have a passion, a calling, a purpose. There's got to be a reason to get out of bed every day.
Eat Wisely
(4) Drink a little (wine) every day.
(5) Eat mainly plant-based foods. Small amounts of meat and fish are OK.
(6) Hara Hachi Bu: Eat until 80% full. Do not eat until you're stuffed. (I've talked about this many times before in the context of presentation.)
Be Connected with Others
(7) Put family, loved ones first.
(8) Belong to a community. Many in his study belonged to faith-based communities.
(9) Belong to the right tribe. That is, hang out with people with healthy habits, physical and emotional ones.
How to live a long, healthy life in one slide
Even nine recommendations can be hard to remember, so I simplified the advice down to five in this Keynote slide, which captures the essence of the tips from Dan Buettner's good TEDx talk.

My Personal Security Guiding Principles
From here:
-------------------------------
Fall of 2009 marks the 20th anniversary of the start of my professional security career. That was the first day someone stuck a yellow shirt on my back and sent me into a crowd of drunk college football fans at the University of Colorado (later famous for its student riots). I'm pretty sure someone screwed up, since it was my first day on the job and I was assigned a rover position -- which normally goes to someone who knows what the f&%$ they are doing, not some 18 year old, 135-lb kid right out of high school. And yes, I was breaking up fights on my first day (the stadium wasn't dry until a few years later).
If you asked me then, I never would have guessed I'd spend the next couple decades working through the security ranks, eventually letting my teenage geek/hacker side take over. Over that time I've come to rely on the following guiding principles in everything from designing my personal security to giving advice to clients:
- Don't expect human behavior to change. Ever.
- You cannot survive with defense alone.
- Not all threats are equal, and all checklists are wrong.
- You cannot eliminate all vulnerabilities.
- You will be breached.
There's a positive side to each of these negative principles:
- Design security controls that account for human behavior. Study cognitive science and practical psychology to support your decisions. This is also critical for gaining support for security initiatives, not just design of individual controls.
- Engage in intelligence and counter-threat operations to the best of your ability. Once an attack has started, your first line of security has already failed.
- Use checklists to remember the simple stuff, but any real security must be designed using a risk-based approach. As a corollary, you can't implement risk-based security if you don't really understand the risks; and most people don't understand the risks. Be the expert.
- Adopt anti-exploitation wherever possible. Vulnerability-driven security is always behind the threat.
- React faster and better. Incident response is more important than any other single security control.
With one final piece of advice -- keep it simple and pragmatic.
And after 20 years, that's all I've got...
—Rich
Flying high
Very interesting post from Slate magazine:
Why are we so bad at detecting the guilty and so good at collective punishment of the innocent?
It's getting to the point where the twin news stories more or less write themselves. No sooner is the fanatical and homicidal Muslim arrested than it turns out that he (it won't be long until it is also she) has been known to the authorities for a long time. But somehow the watch list, the tipoff, the many worried reports from colleagues and relatives, the placing of the name on a "central repository of information" don't prevent the suspect from boarding a plane, changing planes, or bringing whatever he cares to bring onto a plane. This is now a tradition that stretches back to several of the murderers who boarded civilian aircraft on Sept. 11, 2001, having called attention to themselves by either a) being on watch lists already or b) weird behavior at heartland American flight schools. They didn't even bother to change their names.
In my boyhood, there were signs on English buses that declared, in bold letters, "No Spitting." At a tender age, I was able to work out that most people don't need to be told this, while those who do feel a desire to expectorate on public transport will require more discouragement than a mere sign. But I'd be wasting my time pointing this out to our majestic and sleepless protectors, who now boldly propose to prevent airline passengers from getting out of their seats for the last hour of any flight. Abdulmutallab made his bid in the last hour of his flight, after all. Yes, that ought to do it. It's also incredibly, nay, almost diabolically clever of our guardians to let it be known what the precise time limit will be. Oh, and by the way, any passenger courageous or resourceful enough to stand up and fight back will also have broken the brave new law.
For some years after 9/11, passengers were forbidden to get up and use the lavatory on the Washington-New York shuttle. Zero tolerance! I suppose it must eventually have occurred to somebody that this ban would not deter a person who was willing to die, so the rule was scrapped. But now the principle has been revisited for international flights. For many years after the explosion of the TWA plane over Long Island (a disaster that was later found to have nothing at all to do with international religious nihilism), you could not board an aircraft without being asked whether you had packed your own bags and had them under your control at all times. These two questions are the very ones to which a would-be hijacker or bomber would honestly and logically have to answer "yes." But answering "yes" to both was a condition of being allowed on the plane! Eventually, that heroic piece of stupidity was dropped as well. But now fresh idiocies are in store. Nothing in your lap during final approach. Do you feel safer? If you were a suicide-killer, would you feel thwarted or deterred?
Why do we fail to detect or defeat the guilty, and why do we do so well at collective punishment of the innocent? The answer to the first question is: Because we can't—or won't. The answer to the second question is: Because we can. The fault here is not just with our endlessly incompetent security services, who give the benefit of the doubt to people who should have been arrested long ago or at least had their visas and travel rights revoked. It is also with a public opinion that sheepishly bleats to be made to "feel safe." The demand to satisfy that sad illusion can be met with relative ease if you pay enough people to stand around and stare significantly at the citizens' toothpaste. My impression as a frequent traveler is that intelligent Americans fail to protest at this inanity in case it is they who attract attention and end up on a no-fly list instead. Perfect.
It was reported over the weekend that in the aftermath of the Detroit fiasco, no official decision was made about whether to raise the designated "threat level" from orange. Orange! Could this possibly be because it would be panicky and ridiculous to change it to red and really, really absurd to lower it to yellow? But isn't it just as preposterous (and revealing), immediately after a known Muslim extremist has waltzed through every flimsy barrier, to leave it just where it was the day before?
What nobody in authority thinks us grown-up enough to be told is this: We had better get used to being the civilians who are under a relentless and planned assault from the pledged supporters of a wicked theocratic ideology. These people will kill themselves to attack hotels, weddings, buses, subways, cinemas, and trains. They consider Jews, Christians, Hindus, women, homosexuals, and dissident Muslims (to give only the main instances) to be divinely mandated slaughter victims. Our civil aviation is only the most psychologically frightening symbol of a plethora of potential targets. The future murderers will generally not be from refugee camps or slums (though they are being indoctrinated every day in our prisons); they will frequently be from educated backgrounds, and they will often not be from overseas at all. They are already in our suburbs and even in our military. We can expect to take casualties. The battle will go on for the rest of our lives. Those who plan our destruction know what they want, and they are prepared to kill and die for it. Those who don't get the point prefer to whine about "endless war," accidentally speaking the truth about something of which the attempted Christmas bombing over Michigan was only a foretaste. While we fumble with bureaucracy and euphemism, they are flying high.
Helicopter parenting: The Growing Backlash Against Overparenting
I just read something VERY interesting, something I've noticed myself even though I'm only a new parent.
--------------------------
From here with some deleted links (just advertising for other Time.com articles):
The insanity crept up on us slowly; we just wanted what was best for our kids. We bought macrobiotic cupcakes and hypoallergenic socks, hired tutors to correct a 5-year-old's "pencil-holding deficiency," hooked up broadband connections in the treehouse but took down the swing set after the second skinned knee. We hovered over every school, playground and practice field — "helicopter parents," teachers christened us, a phenomenon that spread to parents of all ages, races and regions. Stores began marketing stove-knob covers and "Kinderkords" (also known as leashes; they allow "three full feet of freedom for both you and your child") and Baby Kneepads (as if babies don't come prepadded). The mayor of a Connecticut town agreed to chop down three hickory trees on one block after a woman worried that a stray nut might drop into her new swimming pool, where her nut-allergic grandson occasionally swam. A Texas school required parents wanting to help with the second-grade holiday party to have a background check first. Schools auctioned off the right to cut the carpool line and drop a child directly in front of the building — a spot that in other settings is known as handicapped parking.
We were so obsessed with our kids' success that parenting turned into a form of product development. Parents demanded that nursery schools offer Mandarin, since it's never too soon to prepare for the competition of a global economy. High school teachers received irate text messages from parents protesting an exam grade before class was even over; college deans described freshmen as "crispies," who arrived at college already burned out, and "teacups," who seemed ready to break at the tiniest stress.
This is what parenting had come to look like at the dawn of the 21st century — just one more extravagance, the Bubble Wrap waiting to burst.
All great rebellions are born of private acts of civil disobedience that inspire rebel bands to plot together. And so there is now a new revolution under way, one aimed at rolling back the almost comical overprotectiveness and overinvestment of moms and dads. The insurgency goes by many names — slow parenting, simplicity parenting, free-range parenting — but the message is the same: Less is more; hovering is dangerous; failure is fruitful. You really want your children to succeed? Learn when to leave them alone. When you lighten up, they'll fly higher. We're often the ones who hold them down.
A backlash against overparenting had been building for years, but now it reflects a new reality. Since the onset of the Great Recession, according to a CBS News poll, a third of parents have cut their kids' extracurricular activities. They downsized, downshifted and simplified because they had to — and often found, much to their surprise, that they liked it. When a TIME poll last spring asked how the recession had affected people's relationships with their kids, nearly four times as many people said relationships had gotten better as said they'd gotten worse. "This is one of those moments when everything is on the table, up for grabs," says Carl Honoré, whose book Under Pressure: Rescuing Our Children from the Culture of Hyper-Parenting is a gospel of the slow-parenting movement. He likens the sudden awareness to the feeling you get when you wake up after a long night carousing, the lights go on, and you realize you're a mess. "That horrible moment of self-recognition is where we are culturally. I wanted parents to realize they are not alone in thinking this is insanity, and show there's another way."
How We Got Here
Overparenting had been around long before Douglas MacArthur's mom Pinky moved with him to West Point in 1899 and took an apartment near the campus, supposedly so she could watch him with a telescope to be sure he was studying. But in the 1990s something dramatic happened, and the needle went way past the red line. From peace and prosperity, there arose fear and anxiety; crime went down, yet parents stopped letting kids out of their sight; the percentage of kids walking or biking to school dropped from 41% in 1969 to 13% in 2001. Death by injury has dropped more than 50% since 1980, yet parents lobbied to take the jungle gyms out of playgrounds, and strollers suddenly needed the warning label "Remove Child Before Folding." Among 6-to-8-year-olds, free playtime dropped 25% from 1981 to '97, and homework more than doubled. Bookstores offered Brain Foods for Kids: Over 100 Recipes to Boost Your Child's Intelligence. The state of Georgia sent every newborn home with the CD Build Your Baby's Brain Through the Power of Music, after researchers claimed to have discovered that listening to Mozart could temporarily help raise IQ scores by as many as 9 points. By the time the frenzy had reached its peak, colleges were installing "Hi, Mom!" webcams in common areas, and employers like Ernst & Young were creating "parent packs" for recruits to give Mom and Dad, since they were involved in negotiating salary and benefits.
Once obsessing about kids' safety and success became the norm, a kind of orthodoxy took hold, and heaven help the heretics — the ones who were brave enough to let their kids venture outside without Secret Service protection. Just ask Lenore Skenazy, who to this day, when you Google "America's Worst Mom," fills the first few pages of results — all because one day last year she let her 9-year-old son ride the New York City subway alone. A newspaper column she wrote about it somehow ignited a global firestorm over what constitutes reasonable risk. She had reporters calling from China, Israel, Australia, Malta. ("Malta! An island!" she marvels. "Who's stalking the kids there? Pirates?") Skenazy decided to fight back, arguing that we have lost our ability to assess risk. By worrying about the wrong things, we do actual damage to our children, raising them to be anxious and unadventurous or, as she puts it, "hothouse, mama-tied, danger-hallucinating joy extinguishers."
Skenazy, a Yale-educated mom who with her husband is raising two boys in New York City, had ingested all the same messages as the rest of us. Her sons' school once held a pre-field-trip assembly explaining exactly how close to a hospital the children would be at all times. She confesses to being "at least part Sikorsky," hiring a football coach for a son's birthday and handing out mouth guards as party favors. But when the Today show had her on the air to discuss her subway decision, interviewer Ann Curry turned to the camera and asked, "Is she an enlightened mom or a really bad one?"
From that day and the food fight that followed, she launched her Free Range Kids blog, which eventually turned into her own Dangerous Book for Parents: Free-Range Kids: Giving Our Children the Freedom We Had Without Going Nuts with Worry. There is no rational reason, she argues, that a generation of parents who grew up walking alone to school, riding mass transit, trick-or-treating, teeter-tottering and selling Girl Scout cookies door to door should be forbidding their kids to do the same. But somehow, she says, "10 is the new 2. We're infantilizing our kids into incompetence." She celebrates seat belts and car seats and bike helmets and all the rational advances in child safety. It's the irrational responses that make her crazy, like when Dear Abby endorses the idea, as she did in August, that each morning before their kids leave the house, parents take a picture of them. That way, if they are kidnapped, the police will have a fresh photo showing what clothes they were wearing. Once the kids make it home safe and sound, you can delete the picture and take a new one the next morning.
That advice may seem perfectly sensible to parents bombarded by heartbreaking news stories about missing little girls and the predator next door. But too many parents, says Skenazy, have the math all wrong. Refusing to vaccinate your children, as millions now threaten to do in the case of the swine flu, is statistically reckless; on the other hand, there are no reports of a child ever being poisoned by a stranger handing out tainted Halloween candy, and the odds of being kidnapped and killed by a stranger are about 1 in 1.5 million. When parents confront you with "How can you let him go to the store alone?," she suggests countering with "How can you let him visit your relatives?" (Some 80% of kids who are molested are victims of friends or relatives.) Or ride in the car with you? (More than 430,000 kids were injured in motor vehicles last year.) "I'm not saying that there is no danger in the world or that we shouldn't be prepared," she says. "But there is good and bad luck and fate and things beyond our ability to change. The way kids learn to be resourceful is by having to use their resources." Besides, she says with a smile, "a 100%-safe world is not only impossible. It's nowhere you'd want to be."
Dispatches from the Front Lines
Eleven parents are sitting in a circle in an airy, glass-walled living room in south Austin, Texas, eating organic, gluten-free, nondairy coconut ice cream. This is a Slow Family Living class, taught by perinatal psychologist Carrie Contey and Bernadette Noll. "Our whole culture," says Contey, 38, "is geared around 'Is your kid making the benchmarks?' There's this fear of 'Is my kid's head the right size?' People think there's some mythical Good Mother out there that they aren't living up to and that it's hurting their child. I just want to pull the plug on that."
The parents seem relieved to hear it. Matt, a textbook editor, reports that he and his wife quit a book club because it caused too much stress on book-club nights, and stopped fussing about how the house looks, which brings nods all around the room: let go of perfectionism in all its tyranny. Margaret, a publishing executive, tells her own near-miss story of how she stepped back from the brink of insanity. On her son's fourth birthday, she says, "I'm like 'Oh, my God, he's eligible for Suzuki!' I literally got on the phone and called 12 Suzuki teachers," she says, before realizing the nightmare she was creating for herself and her child. Shutting down your inner helicopter isn't easy. "This is not a shift in perspective that occurs overnight," Matt admits after class. "And it's not every day that I consciously sit down and ask myself hard questions about how I want family life to be slower or better."
Fear is a kind of parenting fungus: invisible, insidious, perfectly designed to decompose your peace of mind. Fear of physical danger is at least subject to rational argument; fear of failure is harder to hose down. What could be more natural than worrying that your child might be trampled by the great, scary, globally competitive world into which she will one day be launched? It is this fear that inspires parents to demand homework in preschool, produce the snazzy bilingual campaign video for the third-grader's race for class rep, continue to provide the morning wake-up call long after he's headed off to college.
Some of the hovering is driven by memory and demography. This generation of parents, born after 1964, waited longer to marry and had fewer children. Families are among the smallest in history, which means our genetic eggs are in fewer baskets and we guard them all the more zealously. Helicopter parents can be found across all income levels, all races and ethnicities, says Patricia Somers of the University of Texas at Austin, who spent more than a year studying the species at the college level. "There are even helicopter grandparents," she notes, who turn up with their elementary-school grandchildren for college-information sessions aimed at juniors and seniors.
Nor is this phenomenon limited to ZIP codes where every Volvo wagon just has to have a University of Chicago sticker on it. "I'm having exactly the same conversations with coaches, teachers, parents, counselors, whether I'm in Wichita or northern Canada or South America," says Honoré. His own revelation came while listening to the feedback about his son in kindergarten. It was fine, but nothing stellar — until he got to the art room and the teacher began raving about how creative his son was, pointing out his sketches that she'd displayed as models for other students. Then, Honoré recalls, "she dropped the G-bomb: 'He's a gifted artist,' she told us, and it was one of those moments when you don't hear anything else. I just saw the word gifted in neon with my son's name ..." So he hurried home and Googled the names of art tutors and eagerly told his son all about the special person who would help him draw even better. "He looks at me like I'm from outer space," Honoré says. "'I just wanna draw,' he tells me. 'Why do grownups have to take over everything?' "
"That was a searing epiphany," Honoré concludes. "I didn't like what I saw." He now writes and lectures about the many fruits of slowing down, citing research that suggests the brain in its relaxed state is more creative, makes more nuanced connections and is ripe for eureka moments. "With children," he argues, "they need that space not to be entertained or distracted. What boredom does is take away the noise ... and leave them with space to think deeply, invent their own game, create their own distraction. It's a useful trampoline for children to learn how to get by."
Other studies reinforce the importance of play as an essential protein in a child's emotional diet; were it not, argue some scientists, it would not have persisted across species and millenniums, perhaps as a way to practice for adulthood, to build leadership, sociability, flexibility, resilience — even as a means of literally shaping the brain and its pathways. Dr. Stuart Brown, a psychiatrist and the founder of the National Institute for Play — who has a treehouse above his office — recalls in a recent book how managers at Caltech's Jet Propulsion Laboratory (JPL) noticed the younger engineers lacked problem-solving skills, though they had top grades and test scores. Realizing the older engineers had more play experience as kids — they'd taken apart clocks, built stereos, made models — JPL eventually incorporated questions about job applicants' play backgrounds into interviews. "If you look at what produces learning and memory and well-being" in life, Brown has argued, "play is as fundamental as any other aspect.'' The American Academy of Pediatrics warns that the decrease in free playtime could carry health risks: "For some children, this hurried lifestyle is a source of stress and anxiety and may even contribute to depression." Not to mention the epidemic of childhood obesity in a generation of kids who never just go out and play.
Remember, Mistakes Are Good
Many educators have been searching for ways to tell parents when to back off. It's a tricky line to walk, since studies link parents' engagement in a child's education to better grades, higher test scores, less substance abuse and better college outcomes. Given a choice, teachers say, overinvolved parents are preferable to invisible ones. The challenge is helping parents know when they are crossing a line.
Every teacher can tell the story of a student who needed to fail in order to be reassured that the world wouldn't come to an end. Yet teachers now face a climate in which parents ghostwrite students' homework, airbrush their lab reports — then lobby like a K Street hired gun for their child to be assigned to certain classes. Principal Karen Faucher instituted a "no rescue" policy at Belinder Elementary in Prairie Village, Kans., when she noticed the front-office table covered each day with forgotten lunch boxes and notebooks, all brought in by parents. The tipping point was the day a mom rushed in with a necklace meant to complete her daughter's coordinated outfit. "I'm lucky — I deal with intelligent parents here," Faucher says. "But you saw very intelligent parents doing very stupid things. It was almost like a virus. The parents knew that was not what they intended to do, but they couldn't help themselves." A guidance counselor at a Washington prep school urges parents to find a mentor of a certain disposition. "Make friends with parents," she advises, "who don't think their kids are perfect." Or with parents who are willing to exert some peer pressure of their own: when schools debate whether to drop recess to free up more test-prep time, parents need to let a school know if they think that's a trade-off worth making.
A certain amount of hovering is understandable when it comes to young children, but many educators are concerned when it persists through middle school and high school. Some teachers talk of "Stealth Fighter Parents," who no longer hover constantly but can be counted on for a surgical strike just when the high school musical is being cast or the starting lineup chosen. And senior year is the witching hour: "I think for a lot of parents, college admissions is like their grade report on how they did as a parent," observes Madeleine Rhyneer, dean of students at Willamette University in Oregon. Many colleges have had to invent a "director of parent programs" to run regional groups so moms and dads can meet fellow college parents or attend special classes where they can learn all the school cheers. The Ithaca College website offers a checklist of advice: "Visit (but not too often)"; "Communicate (but not too often)"; "Don't worry (too much)"; "Expect change"; "Trust them."
Teresa Meyer, a former PTA president at Hickman High in Columbia, Mo., has just sent the youngest of her three daughters to college. "They made it very clear: You are not invited to the registration part where they're requesting classes. That's their job." She's come to appreciate the please-back-off vibe she's encountered. "I hope that we're getting away from the helicopter parenting," Meyer says. "Our philosophy is 'Give 'em the morals, give 'em the right start, but you've got to let them go.' They deserve to live their own lives."
What You Can Do
Among the most powerful weapons in the war against the helicopter brigade is the explosion of websites where parents can confide, confess and affirm their sense that lowering expectations is not the same as letting your children down. So you gave up trying to keep your 2-year-old from eating the dog's food? You banged your son's head on the doorway while giving him a piggyback ride? Your daughter hates school and is so scared of failure she won't even try to ride a bike? "I just want to throw in the towel and give up on her," one mom posts on Truuconfessions.com. "This is NOT what I thought I was signing up for." Honestbaby.com sells baby T-shirts that say "I'll walk when I'm good and ready." Given how many books and websites drove a generation of parents mad with anxiety, a certain balance is restored to the universe when it becomes conventional for people to brag about what bad parents they are.
The revolutionary leaders are careful about offering too much advice. Parents have gotten plenty of that, and one of the goals of this new movement is to give parents permission to disagree or at least follow different roads. "People feel there's somehow a secret formula for parenting, and if we just read enough books and spend enough money and drive ourselves hard enough, we'll find it, and all will be O.K.," Honoré observes. "Can you think of anything more sinister, since every child is so different, every family is different? Parents need to block out the sound and fury from the media and other parents, find that formula that fits your family best."
Kim John Payne, author of Simplicity Parenting, teaches seminars on how to peel back the layers of cultural pressure that weigh down families. He and his coaches will even go into your home, weed out your kids' stuff, sort out their schedule, turn off the screens and help your family find space you didn't know you had, like a master closet reorganizer for the soul. But any parent can do it just as well. "We need to quit bombarding them with choices way before their ability to handle them," Payne says. The average child has 150 toys. "When you cut the toys and clothes back ... the kids really like it." He aims for a cut of roughly 75%: he tosses out the broken toys and gives away the outgrown ones and the busy, noisy, blinking ones that do the playing for you. Pare down to the classics that leave the most to the child's imagination and create a kind of toy library kids can visit and swap from. Then build breaks of calm into their schedule so they can actually enjoy the toys.
Finally, there is the gift of humility, which parents need to offer one another. We can fuss and fret and shuttle and shelter, but in the end, what we do may not matter as much as we think. Freakonomics authors Stephen Dubner and Steven Levitt analyzed a Department of Education study tracking the progress of kids through fifth grade and found that things like how much parents read to their kids, how much TV kids watch and whether Mom works make little difference. "Frequent museum visits would seem to be no more productive than trips to the grocery store," they argued in USA Today. "By the time most parents pick up a book on parenting technique, it's too late. Many of the things that matter most were decided long ago — what kind of education a parent got, what kind of spouse he wound up with and how long they waited to have children."
If you embrace this rather humbling reality, it will be easier to follow the advice D.H. Lawrence offered back in 1918: "How to begin to educate a child. First rule: leave him alone. Second rule: leave him alone. Third rule: leave him alone. That is the whole beginning."
Of course, that was easy for him to say. He had no kids.
— With reporting by Karen Ball / Kansas City, Mo.; Alexandra Silver / New York City; and Elizabeth Dias and Sophia Yan / Washington
5 steps to secure your data center
From here:
In the age of virtualization and cloud computing, administrators need a holistic approach
With the advent of cloud computing, rich Internet applications, service-oriented architectures and virtualization, data center operations are becoming more dynamic, with fluid boundaries.
The shift toward a new computing environment adds layers of complexity that have broad implications for how information technology managers secure the components of a data center to protect data from malicious attack or compromise.
Organizations should bake security into the design of the data center, said Henry Sienkiewicz, technical program director of the Defense Information Systems Agency's Computing Services Directorate.
"The data center is an entire ecosphere, which has to be looked at as individual components but also holistically," Sienkiewicz said. "If we don't do that we will miss something."
IT managers are increasingly looking to ensure completely secure transactions, which means securing everything from the desktop and network to applications and storage, said Jim Smid, data center practice manager for Apptis Technology Solutions. Traditionally, the network support team secured the networks, and the application team would handle data encryption. But the present and emerging environments call for new methods, Smid said.
Organizations need to monitor that all data center operations interact correctly and that each element of the data center is secure, he said.
In addition, federal agencies must manage the policies, people and technologies needed to secure dynamic, fluid data centers. Every security layer is important, so it is hard to say if one is more important than another, data center security managers and industry experts say.
Organizations such as the Cloud Security Alliance, a coalition of industry leaders, global associations and security experts, have published guidance to promote best practices and provide education on the use of cloud computing. The consortium has released guidelines that cover 15 security domains, ranging from computing architecture to virtualization, that organizations can apply to data center security.
However, based on conversations with several data center security managers and industry experts, GCN has formed a list of five things to consider when securing a data center.
Agencies' first step is to consider whether they want to continue to maintain their own data centers or outsource the task, Smid said. Many agencies are carefully evaluating that option, trying to identify an application that might be suitable for outsourcing to test the waters.
During the past six months, transparency has emerged as a major factor that will influence agencies' data center decisions, Smid said. For government agencies to feel comfortable with outsourcing, whether to another agency or an outside company, they will want to know the security level of their data.
1. Get physical: control physical access to the data center
Some data center managers might start with harder tasks, such as controlling access to each system or the network layer. But Corbin Miller, IT security group manager at NASA's Jet Propulsion Laboratory, prefers to start by locking down physical security to the data center.
"A lot of people will forget the physical because there is so much on the network side," Miller said.
At a Federal Aviation Administration data center in Oklahoma, layered security is increasingly popular, said Mike Myers, former enterprise services center IT director at FAA, during a recent Federal Computer Week e-seminar on data center security. At that center, physical security includes a fenced-off campus; badge access to the main building and data center; a guard who escorts visitors; key card admittance to rooms; video surveillance of the data center; and locked cages for servers, depending on the sensitivity of the data that they contain.
Miller also is working to establish layers of physical security at JPL's data center to partition testing, development and production areas.
The center's manager wants to set up a development laboratory in the data center, but Miller wants to keep it separated from the production area that is home to systems that keep JPL's operations running.
"I want to keep the production zone at the highest security level," only allowing authorized systems administrators into the area.
"So I envision three zones within that one data center," he said. One zone would be for researchers to test and stage equipment, one would provide more control over which development work on applications and systems is performed before putting them into production, and a production zone, which only core systems administrators could access.
For the inner layers, you don't necessarily need badge access, but you should have some type of access control, such as locks on server racks, for production systems, Miller said. "I just don't want the accidental lab guy that is working on his equipment to say, 'I need power. Let me plug it in here,' and he overloads the power circuit for production," he said.
2. Establish secure zones in the network
After you have physical security processes in place, the hard work begins: securing the network, Miller said.
"I would concentrate on zoning into the network layer," he said. At JPL, "the first zone is a little bit looser environment because it is a development area. The next one is a test subnet, which is isolated from the random traffic of the development area but looser than the production area," Miller said.
The third zone, the production or mission support subnetwork, is where systems administrators spend a lot of time and effort. That zone has only approved production equipment, so administrators must deploy new systems to the production network in a controlled manner, Miller said.
At JPL, administrators can physically or virtually deploy systems to subnetworks attached to virtual local-area networks, and they can set strict rules about incoming or outgoing traffic. For example, administrators could deploy mail servers to Internet Port 25 or Port 80, which should not affect approved traffic in that zone.
Data center managers need to consider the types of business that various subnetworks will handle, Miller said. Applications such as e-mail and some database-monitoring activities would use ports that link to the outside world. However, those production machines shouldn't be going to CNN.com, ESPN.com or Yahoo News. After administrators set those rules, they can better detect anomalous activity, Miller said.
By the time a machine moves onto a production network, you should know what it is running, who has access to the operating system layer and what other systems it is communicating with across the network, Miller said.
"Now you can better understand where to put your security monitors or data leakage prevention monitors," he said. "If I know only three machines are going to be talking on the Web, it is easy for me to watch traffic and look for specific things."
Although wireless networks are popular, Miller said wireless access points are not necessary in a data center. They're difficult to control even with RADIUS and two-factor authentication, Miller said.
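The zoning approach Miller describes, as an added example that is not code from the article, JPL or any vendor: production hosts are registered with the role they run and the ports they are approved to use, and any production flow that falls outside that registry is flagged. The subnets, registry entries and flow records are all constructed for the example.

```python
# Added example (not the GCN article's or JPL's code): a zone-aware egress
# check modelled on the zoning above. Subnets, registry and flows are constructed.
from ipaddress import ip_address, ip_network

# Constructed zone table: dev is loose, test is isolated, production is controlled.
ZONES = {
    ip_network("10.1.0.0/24"): "development",
    ip_network("10.2.0.0/24"): "test",
    ip_network("10.3.0.0/24"): "production",
}

# Constructed registry of approved production systems: what each runs and
# which destination ports it is approved to use (mail relay on 25, etc.).
PRODUCTION_REGISTRY = {
    "10.3.0.10": {"role": "mail relay", "allowed_ports": {25}},
    "10.3.0.20": {"role": "db monitor", "allowed_ports": {443}},
}

def zone_of(ip):
    addr = ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def check_flow(src, dst, dport):
    """Return a finding string for a policy violation, else None.
    Only the production zone is policed; dev and test stay looser."""
    if zone_of(src) != "production":
        return None
    entry = PRODUCTION_REGISTRY.get(src)
    if entry is None:
        return f"unregistered host {src} on production subnet"
    if dport not in entry["allowed_ports"]:
        return (f"{src} ({entry['role']}) reached {dst}:{dport}, "
                f"outside approved ports {sorted(entry['allowed_ports'])}")
    return None

def audit(flows):
    """flows: iterable of (src, dst, dport) tuples; returns findings."""
    return [f for f in (check_flow(*fl) for fl in flows) if f]

# Constructed sample flows (src, dst, dport)
SAMPLE_FLOWS = [
    ("10.3.0.10", "203.0.113.5", 25),    # mail relay sending mail: allowed
    ("10.3.0.20", "203.0.113.9", 443),   # db monitor on 443: allowed
    ("10.3.0.10", "198.51.100.7", 80),   # mail relay fetching a web page: flagged
    ("10.3.0.99", "203.0.113.5", 22),    # host never registered: flagged
    ("10.1.0.5", "198.51.100.7", 80),    # dev zone: not policed
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```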
DISA takes a three-pronged approach to data center security, Sienkiewicz said.
The first part is NetOps, the operational framework that ensures that the Defense Department's Global Information Grid has availability, protection and integrity. The second is technical protection, and the final piece is accreditation and certification of applications, he said.
NetOps consists of the GIG Enterprise Management, GIG Network Assurance and GIG Content Management. DISA has devoted specific people, policies, processes and business support functions to operate NetOps, Sienkiewicz said.
On the technical side, the DOD demilitarized zone is a focal point. All of the Defense Enterprise Computing Centers' traffic funnels through DOD and DISA demilitarized zones.
As a result, Internet connections to DOD Web servers are inspected and managed from the Internet access point all the way to the host machine. There also is physical separation between Internet-accessible Web infrastructure and other DECC infrastructures and logical separation between users and server types.
With that setup, DISA can limit access points, manage command and control, and provide centralized security and load balancing across the environment.
Additionally, "we run an out-of-band network, so production traffic does not cascade into the way we manage the infrastructure," Sienkiewicz said. Through virtual private network connections, users can manage their own environments. The VPN connections provide paths for production hosts to send and receive enterprise systems management traffic.
3. Lock down servers and hosts
At the FAA facility in Oklahoma, all servers are registered in a database that contains contact information and details about whether the servers contain privacy information. Most of the database is manually maintained, but the process could be improved by automation, Myers said. Problem areas have been change and configuration management: some of those processes are automated, and some are manual. FAA is working with Remedy software to improve automation.
Server security is standardized and subjected to Statement on Auditing Standard 70 (SAS 70) and annual inspector general audits. FAA also has standardized on National Institute of Standards and Technology security checklists that are available on the agency's Web site. In addition, FAA is implementing patching programs and tracking vulnerabilities on servers by scanning them at least monthly.
FAA handles data security separately from server security. FAA is doing more appliance encryption than software encryption, which is too restrictive and poses system compatibility problems. The agency set up firewalls to separate private data from government data. FAA also uses scanning technology to monitor data in motion for potential privacy leaks. The scanning technology seeks to ensure that data goes to the right recipients and is properly encrypted, Myers said.
At DISA, data center managers are working to address security concerns caused by server virtualization. "When we look at virtualization, that notion of how do we increase server virtualization has brought on new security issues," Sienkiewicz said.
A couple of questions that DISA security managers must answer are "how do we ensure that the hypervisors are locked down? How do we make sure that additions, deletions and moves are properly protected? VMware has been a good partner helping DISA to work through security attributes of virtualization," he said.
"One of the big things we have used for virtualization is separation and isolation," Sienkiewicz said. "We do try to separate applications, Web services, application services, database services into physical separate racks, so that there is no possibility of data linkage or spillage or something else happening in the environment."
"We are also hardening other parts of the environment," he said.
As with FAA, DISA requires hosts to be registered on a white list. The agency also has installed host-based security systems, which monitor and detect malicious activity.
"Are we completely there yet? No. Do we have an aggressive plan? Yes," Sienkiewicz said. DISA's broad perspective strives to protect each individual host.
Lastly, DISA is using the public-key infrastructure initiative it runs for DOD to manage physical security. Users must log on to systems with a Common Access Card, which provides two-factor authentication.
"That is giving us digital data signing, the ability to encrypt e-mail traffic, and it is a real-time certification program," Sienkiewicz said.
4. Scan for application vulnerabilities
Application-scanning and code-scanning tools are important, NASA's Miller said.
At JPL, if someone wants to deploy an application, it must undergo a scan before administrators release it in the production environment. Miller uses IBM Rational AppScan to look at Web applications. AppScan tests for vulnerabilities that hackers can easily exploit and provides remediation capabilities, security metrics and dashboards, and key compliance reporting.
On the other hand, developers who write their own code must run it through a code scanner, which could be a Perl script that looks for specific functions or a fortified product that scans source code for buffer overflows or other vulnerabilities that crept into the code, Miller said.
5. Coordinate communication between security devices for visibility into data flows
With cloud computing, agencies need to change their whole approach to securing the data center, said Tim LeMaster, director of systems engineering at Juniper Networks.
"In cloud computing, it is about securing the data flows between data centers, client systems and data center, and between virtual machines within the data center," LeMaster said. Therefore, application visibility becomes important.
"You have to have visibility into these flows to validate that the traffic is legitimate and is not malware [because] a lot of malicious traffic tries to mask itself as something else." A lot of that traffic uses Port 88 or tunnels with Secure Sockets Layer encryption. Network administrators must have the knowledge and application identification to understand what that traffic is, he said.
Juniper has developed application identification technology that looks beyond port protocols to the context of the data and tries to apply signatures that help determine if an application is really a shareware program or peer-to-peer program.
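The idea of identifying an application from the content of a flow rather than its port, as an added example that is not Juniper's code: the first client-sent bytes are matched against a few well-known protocol signatures (TLS ClientHello, SSH banner, HTTP request line, SMTP greeting, BitTorrent peer handshake), and the result is compared with what the destination port implies. The port policy and sample payloads are constructed for the example.

```python
# Added example (not Juniper's code): identify the application from the first
# client bytes of a flow rather than from the port, then flag mismatches.
# Signatures follow the public protocol formats; sample payloads are constructed.

# Constructed policy: application expected on each well-known port.
PORT_EXPECTATION = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")

def identify(payload):
    """Classify the first client-sent bytes of a flow by content, not port."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"   # peer-wire handshake: length byte 19 + protocol string
    if payload.startswith(b"SSH-"):
        return "ssh"          # SSH identification string
    if (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01):
        return "tls"          # TLS handshake record carrying a ClientHello
    if payload.split(b" ", 1)[0] in HTTP_METHODS and b" HTTP/" in payload:
        return "http"
    if payload.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    return "unknown"

def check(dport, payload):
    """Return (app, finding); finding is None when content matches the port."""
    app = identify(payload)
    expected = PORT_EXPECTATION.get(dport)
    if expected is None:
        return app, f"no expectation for port {dport}; content looks like {app}"
    if app == expected:
        return app, None
    return app, f"port {dport} expected {expected} but content looks like {app}"

# Constructed sample first-packet payloads as (dport, payload)
SAMPLES = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    (443, b"\x13BitTorrent protocol" + b"\x00" * 8),   # p2p hiding on the TLS port
    (80, b"SSH-2.0-OpenSSH_8.9\r\n"),                   # ssh on the web port
]

if __name__ == "__main__":
    for dport, payload in SAMPLES:
        app, finding = check(dport, payload)
        print(dport, app, finding or "ok")
```

Real application identification engines look deeper than the first packet and maintain far larger signature sets; this shows only the principle of trusting content over port numbers.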
Juniper's technology also focuses on application denial-of-service attacks. Denial-of-service attacks are not new, but the traditional way to counter the attack was to "black hole" the traffic. But that approach helps the denial-of-service attack accomplish what it intended to do, deny services, because a network administrator must remove all traffic from the server that is under attack.
Application denial-of-service prevention software provides a profiling capability for administrators to determine if traffic is legitimate or not. With such tools, administrators can look at other data flows, such as client-to-server traffic, and compare them to flows that exist in other data centers or between servers, or between virtual machines within the virtualized data center.
?You can have traffic between the virtual machines that can escape the normal security appliances or services you offer,? LeMaster said. Juniper has partnered with a company to offer an intervirtual machine firewall capability, he said.
"I would like my intrusion prevention to see that malicious worm [and] not just drop it but to talk with the SSL device and eliminate only that bad session," he said.
The concept of coordinating networking devices, firewalls, SSL devices, and intrusion prevention solutions becomes useful in a cloud computing infrastructure. Juniper is working with the Trusted Network Connect Work Group, a consortium of users and service providers that published standards that will allow security components made by different companies to share information about a device, LeMaster said.
