Defense Cloud Computing-Security-DISA-Part 3 Nov. 2013
From Kevin Jackson
David Bennett: Take that is absolutely on target. The identity piece of this is going to be key as we move forward as we put enterprise email into place. We created an identity synchronization service which basically identifies all 4.5 million users that DNDC has within their database. So we have the entire work force identified from an identity perspective and we tie that in with their PKI EDIPI. So we know actually who the individuals are, which is a key piece in getting that initial access to capabilities. So that identity and access management, the attribute based access control, are the key elements to do that. In addition to that, one of the key things is though moving the security boundaries to the cloud and providing a standard common approach to providing that front insecurity that every application and user has to come through is a central part of how we need to do business going forward. Today it is inconsistently applied across the enterprise and as we move more and more into the cloud as GIE takes hold and we bring single security architecture in place and the regional securities, those become key components to providing that infrastructure that boundary protection that needs to be there to protect the assets that we have. And I agree totally with Frank in terms of focusing totally on the data. Data and the security of the data is central. We are now looking to data from 2 perspectives really what is the public facing side of security, as well as those sets of data that we really do not believe should be out in the public arena because of security reasons or PII type of data.
Jim Flyzik: Sure.
David Bennett: Things like this. So we are starting to categorize the data in terms of what its use and how to associate security with those use patterns so that we apply appropriate amount of security for the right type of data. By doing that it sort of drives us to go to a commercial cloud offerings, or do we do a private cloud offerings.
Jim Flyzik: Very good.
David Bennett: It just triggered a thought, we also have to raise the bar in terms of what is acceptable from an I perspective at the application level. We have had this thing in the department called plan of objectives and model stones relative to I posture and so we have too many applications and providers, who are systematically using poems as they refer to as a vital way to reduce risk. Poems are a piece of paper. They are not a physical act that changes the infrastructure. One of the things we are doing, and we implemented that within our own internal network in the agency and we got the zero poems.
Jim Flyzik: Okay.
David Bennett: So just by doing that alone you either fix the problem or you take the system off the network. And we have to almost get to that level of visibility and focus if we are really going to make a meaningful impact as we do all these other things.