Archive for February, 2012
In December 2002 the US Congress passed the Federal Information Security Management Act (FISMA). FISMA requires each government agency to implement policies, procedures, and documentation for information security. This includes internal and external government-run systems, and systems provided by third-party providers.
A flourishing information security practices industry has developed in FISMA’s wake to help guide the government and vendors through the numerous, byzantine certification activities.
The FISMA mission statement is to:
Protect the Nation’s Critical Information Infrastructure
FISMA has three assessment levels and risk profiles.
- Low – Procedures to manage public-facing government websites, such as data.gov
- Moderate – Best practices for managing sensitive data and personally identifiable information such as credit card numbers, social security numbers, etc.
- High – Strict policies for managing military, intelligence and classified information.
The majority of internal applications require FISMA Moderate. The moderate certification process is the focus of this series.
The moderate risk profile means addressing over three hundred controls, ranging from information handling and physical media management to threat assessment. The hundreds of controls are categorized into the following “control families”:
- Access Control
- Awareness and Training
- Audit and Accountability
- Security Assessment and Authorization
- Configuration Management
- Contingency Planning
- Identification & Authentication
- Incident Response
- Personnel Security
- Risk Assessment
- System and Communication Protection
- System and Information Integrity
Many start-ups address the above in various levels of completeness, but may not necessarily have all the supporting documentation to prove compliance. For SaaS systems operating in a cloud environment, the challenge is to describe the control boundaries between the cloud provider and the application layer. For example, FISMA requires a policy for physical media disposal. The app layer (i.e. the cloud customer) doesn’t have access to physical media in a cloud environment, so that control is the responsibility of the cloud provider and the app layer inherits the control. Conversely, the cloud infrastructure has no control over the app layer, so the FISMA requirement to support two-factor web-app authentication is the responsibility of the app layer, not the cloud provider.
FISMA wasn’t designed for a world with cloud computing. Its heritage dates back to 2002, a world of hardware-centric design principles and best practices. Sonian and others are pioneering FISMA Moderate certification in a cloud environment.
Topics I will cover in upcoming issues of the FISMA Chronicles:
- The impact cloud computing has on FISMA
- How “agile” start-ups manage ongoing FISMA compliance requirements
- FedRAMP as the next step toward consistent FISMA-like accreditation
Image Credit: fismacenter.com
Increasingly, cloud-based start-up intellectual property is a mixture of proprietary technology and “IP” created by tuning open source modules to work on various cloud environments. This includes configuration settings, tuning parameters, architectural designs, automated deployment scripts and a best practices “run book.” The combination creates trade-secrets in the form of code and operational best practices for Amazon Web Services, IBM SmartCloud, Openstack and other clouds.
A fusion of recent meetings with investor audiences:
- Investor: “What’s the secret sauce here?”
- Cloud Start-Up CTO: “It’s a combination of open source and home built technology.” [Projects pretty diagram of all the platform components and their function.]
- Investor: “What’s the protectable IP?”
- Entrepreneur: “It’s not a single patentable idea. It’s a collection of best practices, proprietary code, and of course, open source.”
- Investor: “What keeps a competitor from copying you?”
- Lean Start-Up CTO: “Hard to say. We have five years accumulated experience that you can only get by living through five years of growing up with the modern public cloud.”
- Investor: “How long would it take for someone else in their garage to build the same thing?”
- Curious CTO: “Probably three years. A hypothetical team on the same mission will have about two years less learning experience compared to our journey. Do you have any other cloud-themed investments?”
- Investor: “What’s the secret sauce here?”
- Exasperated CTO: “I think we already covered this?”
- Investor: “I’m still not getting it. What’s the proprietary IP?”
- Frustrated CTO: “Let me try to explain. There is no off-the-shelf ‘playbook’ or Cliff Notes for what we are doing in the cloud. Best practices are learned in real time, just in time. Each cloud has its own unique operating characteristics. Think of each cloud having its own laws of physics. There are some similarities, but also many important differences. And understanding these differences determines success or failure.”
- Investor: “I want to be part of this project. But I don’t quite get what’s special here, and what can keep competitors from catching up. Help me get to… yes.”
- Enlightened CTO: “In the cloud, differentiated IP is created with the combination of proprietary code, open source, and tuning the entire system to work simultaneously on many cloud environments, using one reference architecture. It’s our trade secrets expressed as a system run-book and operational best practices for Amazon Web Services, IBM SmartCloud, Openstack and the other clouds.”
New pontification: What do GitHUB and GrabCAD Have in Common? http://t.co/f8leZ7fw
During our last board meeting one of our directors mentioned a start-up he thought was interesting: GrabCAD. A while ago I had read about this company on Techcrunch, but since the company was in the CAD/CAM space I filed a note in a brain cell memory register: “interesting company, but not something I need to follow closely.”
But a different thought took hold. Hmmm… GrabCAD is to the CAD/CAM professional what GitHUB is to the software professional. We’re witnessing the rise of start-ups that cater to “niche” audiences who create a certain kind of content as their prime means of professional affiliation. Don’t take offense at the term niche audience applied to software or CAD professionals. It’s just a way to say “not a mass audience” that is served by a general purpose content creation site like Tumblr, WordPress.com, etc.
GrabCAD targets the CAD/CAM professional with a CAD-specific sharing space augmented with a thin “social network layer.” Create a drawing, upload to GrabCAD, post a link “hey look what I created” and share, trade, and sell your work product. It’s not a place to generate generalized content (like Google Docs, ZoHo, or Office 365), but rather a sharing space for affiliated professionals that want to showcase “their wares.”
GitHUB is a content sharing system that targets the software professional. In this case, “content equals source code.” It’s really “social source code management” with a bunch of other goodies like wikis and pasties mixed in. Source code management has been around forever, but GitHUB makes it really easy to share and integrate code from various projects. Developers don’t actually write their code in GitHUB, they do that in their own developer environments, just like CAD professionals don’t use GrabCAD to create drawings.
In the software world, it is now common for developers to tout their GitHUB account URL as a living resume. You can imagine the CAD/CAM professional one day sharing links to their GrabCAD creativity just like software developers share their GitHUB awesomeness.
Catering to a large niche audience with a custom experience is a successful end-run around mass appeal social networks like Facebook. The core required features, such as file upload, link sharing, and comment curation exist in many platforms, from WordPress to Drupal, to Facebook. But a generic user experience will not suffice. GrabCAD speaks the language of the CAD industry. GitHUB does the same for the software industry.
There are other examples of this trend, although none as focused as GrabCAD or GitHUB:
- Prezi and Slideshare for presentations, although not targeted at a specific profession.
- Scribd for documents. But not targeted to a specific industry.
- Disqus for comments? Would it be a stretch to cite Disqus for the professional commenter? Probably, but an interesting idea.
- Basecamp for project managers.
- Sortfolio for web designers.
I can imagine other industries ripe for this niche audience approach: legal (specialized documents), chemical (formulas), teachers (lesson plans), music (lyrics). Easy and clear content owner attribution will need to be resolved for some of these ideas to be successful.
I’m excited to see the next GrabCAD come to life. If you know any vertically aligned professions where content creation is the core work-product, scratch your entrepreneurial itch and create a niche audience user experience now.