The Open Source Revolution in Government

Open source technology accounts for a significant portion of most modern applications, with some estimates going as high as 90%, and it is the foundation of many mainstream technologies. Its strength lies in the fact that a vibrant ecosystem of developers contribute to and continually improve the underlying code, which keeps the software dynamic and responsive to changing needs. Enterprise open source software further augments these community-driven projects by providing enterprise-grade support and scalability, while retaining the innovation and flexibility driven by the open source development model. By providing the best of both worlds, such solutions represent a powerful arsenal of tools for addressing government’s most pressing challenges. In a recent pulse survey of FCW readers, 93% of respondents said they were using open source technology. And more than half of respondents to FCW’s survey see open source as an integral resource for strengthening cybersecurity. That number reflects a positive trend toward a better understanding of open source software’s intrinsic approach to security. The power of enterprise open source technologies lies in a combination of collaboration, transparency and industry expertise. As agencies expand their use of such technologies, they maximize their ability to achieve mission success in the most secure, agile and innovative way possible. Learn how the combined power of community-driven innovation and industry-leading technical support is expanding the government’s capacity for transformation in Carahsoft’s Innovation in Government® report.

 

Why Open Source is a Mission-Critical Foundation  

“Open source transforms the way agencies manage hybrid and multi-cloud environments. The most critical technology in the cloud, across all providers, is Linux. Everything is built on top of that foundation — both the infrastructure of the cloud and cloud offerings. Given the right partner, the promise of Linux is that it provides a consistent technology layer for agencies across all footprints, including multiple cloud providers, on-premises data centers and edge environments. From that foundation, agencies and their partners can build portable architectures that leverage other open source technologies. Portability gives organizations the ability to use the same architectures, underlying technologies, monitoring and security solutions, and human skills to manage mission-critical capabilities across all footprints.”

Read more insights from Christopher Smith, Vice President and General Manager of the North America Public Sector at Red Hat.

 

How Open Source is Expanding its Mission Reach

“The real power of open source technologies was revealed when they cracked the code on being highly powered, mission-specific, distributed systems. That’s how we are able to get insights out of data by being able to hold it and query it. Today, open source innovation is being accelerated by the cloud, and the conversation is still changing, with people now demanding that their open source companies be cloud-first platforms. Along the way, the open source technologies that start in the community and then receive a boost of commercial innovation have matured. The most powerful ones are expanding their ability to address more of the government’s mission needs. They are staying interoperable and keeping the data interchange non-proprietary, which is important for government agencies.”

Read more insights from David Erickson, Senior Director of Solutions Architecture at Elastic.

 

The Open Source Community’s Commitment to Security  

“A central tenet of software development is visibility and traceability from start to finish so that a developer can follow the code through development, testing, building and security compliance, and then into the final production environment. Along the way, there are some key activities that boost collaboration and positive outcomes, starting with early code previews, where developers can spin up an application for stakeholders to review. Other activities include documented code reviews by peers to ensure the code is well written and efficient. In addition, DevOps components such as open source, infrastructure as code, Kubernetes as a deployment mechanism, automated testing, and better platforms and capabilities have helped developers move away from building ecosystems and instead focus on innovation.”

Read more insights from Joel Krooswyk, Federal CTO at GitLab.

 

The Limitless Potential of an Open Source Database

“One of the most important elements of any database migration is ensuring that proper planning and due diligence have been performed to ensure a smooth and successful deployment. In addition, there are some key considerations agencies should keep in mind when moving to open source databases. It is essential to start with a clear understanding of the business case and objectives for adopting an open source approach. Agencies also need to decide how the database should function and what it should do to support their digital transformation. Then they must choose the optimal method to deploy the database.”

Read more insights from Jeremy A. Wilson, CTO of the North America Public Sector at EDB.

 

Modernizing Digital Services with Open Source

“A composable, open source digital experience platform (DXP) enables agencies to overcome those challenges. Open source technology is continuously contributed to by a community of developers to reflect a wide array of needs across organizations in varying industries and of varying sizes. A composable approach allows agencies to assemble a number of solutions for a fast, efficient system that is tailored to their needs. When agencies combine a composable DXP with open source technology, they have access to best-of-breed software and the ability to customize the assembly to suit their requirements. An enterprise DXP will enable agencies to achieve a 360-degree view of how constituents are engaging with their digital services and gain valuable data to understand how to enhance their experience. Finally, a composable, open source DXP provides a proactive approach to protecting against security and compliance vulnerabilities.”

Read more insights from Tami Pearlstein, Senior Product Marketing Manager at Acquia.

 

Creating Secure Open Source Repositories

“Protecting the software supply chain requires looking at every single thing that might come into an agency’s environment. To understand that level of visibility, I like to use the analogy of a refrigerator. All the ingredients necessary to make a cake or pie are in the refrigerator. We know they are of good quality, and other teams can use them instead of having to find their own. At Sonatype, our software equivalent of a refrigerator is the Nexus Repository Manager. A second aspect of our offering, called Lifecycle, allows us to evaluate the open source components in repositories at every stage of the software development life cycle. One piece of software can download a thousand other components. How do we know if one of those components is malicious?”

Read more insights from Maury Cupitt, Regional Vice President of Sales Engineering at Sonatype.

 

Better Data Flows for a Better Customer Experience

“A more responsive and personalized customer experience isn’t much different from the initial problem set that gave birth to Apache Kafka. When people interact with agencies, they want those agencies to know who they are and how they’ve interacted in the past. They don’t want to be asked for their Social Security number three times on the same phone call. They also expect that the information or service they receive will be the same whether they are accessing it over the phone, via a mobile app or on a website. To elevate the quality of their service, agencies must be able to stream information in a low-friction way so different systems are consistent with one another and up-to-date at all times, regardless of the communication channel an individual uses. President Joe Biden’s executive order about transforming the federal customer experience is based on this capability. The most successful companies across industries have figured out how to do it, and for the most part, they’ve done it with open source software.”

Read more insights from Jason Schick, General Manager of Confluent US Public Sector.

 

An Open Source Approach to Data Analytics

“For the past 40 years, agencies have used data warehouses to collect and analyze their data. Although those warehouses worked well, they were limited in what they could do. For instance, they could only handle structured data, but by some estimates, 90% of agencies’ data is unstructured and in the form of text, images, audio, video and the like. Furthermore, proprietary data warehouses can show agencies what has happened in the past but can’t predict what might happen in the future. To achieve the government’s goal of evidence-based decision-making, agencies need to be able to tap into all their data and predict what might come next.”

Read more insights from Howard Levenson, Regional Vice President at Databricks.

 

Download the full Innovation in Government® report for more insights from these open source thought leaders and additional industry research from FCW.

EDUCAUSE 2022: Uniting IT and Education

The education landscape has continued to thrive following the aftermath of the COVID-19 pandemic. While stay-at-home orders have been lifted, education has maintained a digital component through online classes and remote-learning technology. Although online education has many benefits, it brings the concern of security breaches. To continue keeping student information secure, education leaders must adapt alongside the changes in technology. EDUCAUSE is a nonprofit association that provides a community for technology, academic, industry and campus leaders to collaborate and build together. The annual EDUCAUSE conference hosted several sessions that showcased ways to keep students engaged and secure in the new age of education.

Educational Institutions as a Hot Target for Cybercriminals

Cybersecurity deserves consistent attention within the education sector. While schools may be compliant with security standards, they can still be vulnerable. Higher education institutions are top targets as they connect thousands of staff, students and faculty members under one system.

There are several strategies IT professionals recommend that can help education systems defend against breaches:

  • Keep operating systems and software up to date
  • Employ multi-factor authentication
  • Maintain robust user training
  • Implement encryption
  • Create cloud back-ups for information
  • Maintain efficient detection and monitoring systems
  • Implement a quick incident response plan
  • Utilize external and cloud data storage

By following these steps, institutions can take the initiative toward deploying security measures for staff and students alike.

Robust Cybersecurity on a Budget

Since many academic institutions still face budget constraints due to COVID-19, their cyber posture may not be their first IT priority. To enhance cybersecurity, even on a budget, institutions should:

Know their external footprint: By using third-party services that scan the internet for exposed web services and protocols, agencies can see how much of their information is publicly reachable.

Identify external login flaws: Since attackers can circumvent simple controls such as automatic lockout policies, agencies should inventory all login portals and check that their major input fields have controls against automated attempts.

Identify cloud security flaws: Agencies should move to a multi-platform, open source cloud, since it enables security posture assessments and detection of security risks.

Implement phishing education and exercises: Phishing is one of the most common ways organizations are compromised. Institutions should ensure that all employees are educated on anti-phishing policies.

Clean up network share permissions and information: Credentialed scans of network shares reveal where sensitive information resides so that access can be restricted to the proper personnel. Implementing a zero trust framework ensures that each user gains access only to the information they are authorized to see.

Limit the success of Kerberoasting: Kerberoasting abuses service principal names: any authenticated user can request a service ticket that is encrypted with the service account’s password hash, and that ticket can then be taken offline and cracked. While it is impossible to completely prevent Kerberoasting, agencies that implement detection capabilities limit its exposure and effectiveness.
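
One way to implement the detection capability described above, as an added example that is not from the original post or from any vendor named on the page: a small Python detector run over constructed Windows Security Event 4769 records (“A Kerberos service ticket was requested”). It flags successful RC4-encrypted (type 0x17) service tickets issued for non-machine service accounts, and raises a higher-confidence alert when a single requester collects tickets for many distinct services within a short window, which is the bulk-request pattern rather than normal application use. The field names, the sample events, and the burst threshold (five services within two minutes) are assumptions made for this demonstration.

```python
"""Kerberoasting detection over Windows Security Event 4769 records.

Added example, not part of the original blog post. The records below are
constructed to resemble the fields a SIEM extracts from Event ID 4769; the
field names and the burst threshold are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType values as logged in 4769.
RC4_HMAC = "0x17"            # legacy RC4: the ticket is crackable offline
AES_TYPES = {"0x11", "0x12"}  # AES128 / AES256: what healthy environments should show

# Constructed sample events (not real logs). One dict per 4769 record.
SAMPLE_EVENTS = [
    {"time": "2023-03-01T09:00:01", "requester": "jsmith", "service": "MSSQLSvc",
     "enc": "0x12", "status": "0x0", "src_ip": "10.1.4.20"},
    {"time": "2023-03-01T09:00:02", "requester": "LAB-PC01$", "service": "LAB-DC01$",
     "enc": "0x12", "status": "0x0", "src_ip": "10.1.4.21"},
    {"time": "2023-03-01T09:01:05", "requester": "jdoe", "service": "svc_sql",
     "enc": "0x17", "status": "0x0", "src_ip": "10.1.7.33"},
    {"time": "2023-03-01T09:01:06", "requester": "jdoe", "service": "svc_http",
     "enc": "0x17", "status": "0x0", "src_ip": "10.1.7.33"},
    {"time": "2023-03-01T09:01:07", "requester": "jdoe", "service": "svc_backup",
     "enc": "0x17", "status": "0x0", "src_ip": "10.1.7.33"},
    {"time": "2023-03-01T09:01:08", "requester": "jdoe", "service": "svc_sccm",
     "enc": "0x17", "status": "0x0", "src_ip": "10.1.7.33"},
    {"time": "2023-03-01T09:01:09", "requester": "jdoe", "service": "svc_print",
     "enc": "0x17", "status": "0x0", "src_ip": "10.1.7.33"},
    {"time": "2023-03-01T09:30:00", "requester": "legacyapp", "service": "svc_old",
     "enc": "0x17", "status": "0x0", "src_ip": "10.1.9.9"},
    {"time": "2023-03-01T09:31:00", "requester": "jsmith", "service": "krbtgt",
     "enc": "0x17", "status": "0x0", "src_ip": "10.1.4.20"},
]


def is_suspicious_ticket(ev):
    """True when a 4769 record matches the Kerberoasting pattern:
    a successful RC4 service ticket for a user (non-machine) service account,
    requested by a user account. Machine accounts end in '$' and krbtgt is
    excluded because neither is a meaningful offline-cracking target here."""
    if ev["status"] != "0x0" or ev["enc"] != RC4_HMAC:
        return False
    service = ev["service"]
    if service.endswith("$") or service.lower() == "krbtgt":
        return False
    return not ev["requester"].endswith("$")


def detect_kerberoasting(events, burst_threshold=5, window=timedelta(minutes=2)):
    """Return low-fidelity hits (every suspicious RC4 ticket) and high-fidelity
    burst alerts (one requester, >= burst_threshold distinct services inside
    one sliding window). Threshold and window are assumed demo values."""
    rc4_hits = [ev for ev in events if is_suspicious_ticket(ev)]
    by_requester = defaultdict(list)
    for ev in rc4_hits:
        by_requester[ev["requester"]].append(ev)

    bursts = []
    for requester, evs in by_requester.items():
        evs.sort(key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        start, best = 0, set()
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            services = {e["service"] for e in evs[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= burst_threshold:
            bursts.append({"requester": requester, "src_ip": evs[0]["src_ip"],
                           "distinct_services": len(best), "services": sorted(best)})

    return {"rc4_tickets": [(e["requester"], e["service"]) for e in rc4_hits],
            "bursts": bursts}


if __name__ == "__main__":
    result = detect_kerberoasting(SAMPLE_EVENTS)
    print("RC4 service tickets:", result["rc4_tickets"])
    for alert in result["bursts"]:
        print("BURST ALERT:", alert)
```

RC4 tickets on their own are noisy wherever legacy applications still run (the constructed `legacyapp` record is exactly that case), so the burst rule is the signal an analyst would act on. On the Active Directory side, the durable mitigation is to move service accounts to AES-only encryption and to long, randomly generated passwords (for example, managed service accounts), so that a captured ticket is not practically crackable even when a request slips past detection.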

Prevent relay attacks: Software should avoid authentication systems that can be relayed or cracked. Responder tools can be used to analyze traffic and point out vulnerabilities.

Identify Active Directory misconfigurations: As Active Directory environments mature, accumulated misconfigurations can grant excessive access privileges. To prevent bad actors from misusing them, institutions should implement tools that check for vulnerable certificates.

Strengthen password security: Agencies should ban easy-to-guess passwords, enable multi-factor authentication and disable old accounts.

Avoid flat networks and lack of network segmentation: Access should be limited to those that need to know; student and faculty accounts should reside on different domains.

Fostering a Sense of Belonging for Online Students

By meeting students where they are comfortable, educational institutions can readily share information. For example, since students are familiar with their phones, when universities utilize phone apps it can help provide a unified, digital experience for higher education students to reduce complexity, fuel career readiness and stoke student success. When creating an app for an institution, some helpful features to include are:

  • Tailored experiences with custom events depending on the user
  • Information unique to students, such as a marketplace to buy and sell goods like dormitory furniture or textbooks
  • IT toolkits
  • Self-assessment tools for COVID-19 or the flu
  • Campus features such as desk or study center reservations, transit routes, dining schedule or university maps
  • In-app messaging that can be directed to groups, such as students or faculty or personal messages
  • Feedback surveys to inspire improvement

Higher Education’s Top IT Issues for 2023

As students have become accustomed to hybrid and virtual learning, their expectations for new and elevated digital experiences have increased. There are many ways to achieve this modernization, but it requires intentional effort and technology updates from education administrators. Challenges to consider when implementing technology into learning are to:

  • Ensure IT has a “seat at the table” so they can weigh in on decisions
  • Ensure privacy and cybersecurity by training students and faculty to avoid scams, shift to data minimization, address cloud migration risks and leverage contracts with cybersecurity experts and investments
  • Adapt to students’ interests and products familiar to them
  • Create a seamless and enriching student experience
  • Utilize student data to update technology to better empower students
  • Pursue next-generation IT support to expand and reimagine digital campus abilities

Promoting Independence Through IT

A school’s duty is to prepare students for their futures in the workforce. Many careers require extensive knowledge of an array of technologies. Students should show proficiency in these areas to take advantage of more opportunities in various fields. By implementing technology into everyday use, educational institutions can promote confidence in technology, problem-solving skills, time management skills and collaboration between peers.

Diversity, equity and inclusion are also vital to university standards from both a legal and moral lens. IT intersects with diversity to make enrollment and education accessible to all by analyzing existing data to revamp hiring rubrics or utilizing cross-team conferences to create inclusive policies. With these inclusions, schools can emphasize transparency and accountability.

The pandemic revealed the importance of campus communication systems expanding beyond traditional parameters. Education departments had to shift to a remote work environment that a traditional phone system could not easily support. Universities should leverage communications software to reduce costs, provide additional flexible phone capabilities and accommodate all students regardless of where they live.

Through the inclusion of technology, educational institutions can reach new heights in their accessibility and connection with students. By enhancing security and offered digital features, educators can prepare students for an ever-changing workforce.

 

To learn more about utilizing IT for education initiatives, visit Carahsoft’s EDUCAUSE resource hub to schedule a meeting and speak to a representative today.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at EDUCAUSE 2022.*

3 Ways to Address Developers’ Productivity Concerns

From modernizing software development to creating Zero Trust cybersecurity architectures, the federal government has ambitious plans for 2023. But those plans will only reach fruition by removing the barriers that get in the way of developer productivity.

Government agencies have made great strides to bring IT teams, including developers, closer together over the past few years. For example, they’ve made significant investments in software development factories that are rooted in DevOps cultures. And the Department of Defense clearly recognizes the benefits of collaboration between cybersecurity and development teams, making it a core facet of the agency’s software modernization strategy.

But as a recent Mattermost survey discovered, more must be done to break down communication and collaboration barriers that inhibit developer productivity.

For Unblocking Workflows: The 2023 Guide to Developer Productivity, 300 software developers were surveyed to find out what’s keeping them from being as productive as possible, and what can be done to accelerate productivity. Their responses showed that although organizations have tried to build more collaborative development cultures, there’s still some work to be done in certain areas.

Let’s dig into some of the challenges—and what you, as a government IT professional, can do to address them.

“Poor communication across teams” is a big productivity challenge

Poor communication practices are the biggest obstacles to productivity and collaboration, with 29% of survey respondents citing “poor communication across teams” as an inhibitor. Their biggest issues are around “lack of process and documentation” (27%) and “lack of clarity around project prioritization” (25%).

General-purpose collaboration platforms that other teams use aren’t helping. Thirty-seven percent of respondents said there are “too many distractions from non-developers” using those tools while 25% said they “don’t fit their workflows well.”

“Information spread across too many tools” (46%) and “lack of integration with other tools” (45%) are making it tough to collaborate and find information

Having to work with different tools is also making it difficult for developers to collaborate. Indeed, the developers surveyed said that information silos were among their biggest concerns.

These silos are making it frustrating for developers to find what they need when they need it. Thirty-two percent of respondents said they spend 3 to 5 hours per week hunting down information while 18% spent 6 to 8 hours.

Remote work “somewhat improves collaboration” but continues to be a source of tension among some developers

Remote work might be the norm, but developers aren’t entirely taken with it. Forty-three percent of respondents stated that remote work “somewhat improves collaboration” while 33% believe it makes collaboration worse.

That number is down from our 2021 survey, where more than half of respondents said that remote work was a net gain. The fact that the number has fallen is likely a reflection of the deterioration of communications practices and lack of integration, both of which contribute to poor project clarity.

What government agencies can do to improve developer productivity

Our survey respondents sent a clear message: Give us tools and processes that allow us to collaborate more effectively, break up information silos, and share knowledge easily. There are three things you can do to satisfy these needs.

  1. Invest in software built for developer workflows.

Since open source is easily customizable, it’s simple to integrate different development tools. This will make it easier for developers to share code and resources, manage workflows, and communicate with each other without interference from other teams.

  2. Create a central repository for knowledge sharing.

Having a “single source of truth” that developers can refer to when looking for information can save enormous time. Invest in a repository that pulls information from different teams and tools. Provide developers with greater visibility and access to the information they need to do their jobs more efficiently.

  3. Automate information sharing and workflow management.

Automatically input new information into the repository once it’s received so developers don’t have to look for it. Automate workflow processes, too, by using a system that automatically checks off tasks when they’re done, alerts developers when it’s their time to work on a project, and more. Help your developers spend less time focusing on these tasks and more time building applications.

The success of accelerated investments in software factories and modernization initiatives in 2023 will depend in large part on developers’ abilities to be productive. Right now, there are obstacles getting in the way of that productivity. But you can eliminate those obstacles by improving collaboration and information sharing.

 

Want to learn more about developers’ productivity concerns and what you can do to address them? Check out Unblocking Workflows: The 2023 Guide to Developer Productivity.

Ransomware on the Rise

News story after news story, cyberattack after cyberattack has demonstrated the rampant presence of ransomware in today’s society, taking down companies of all shapes and sizes in both the public and private sectors. By 2026, Gartner predicts that unstructured data storage, which is very susceptible to ransomware, will triple in size, and with that comes an inevitable increase in the attack surface. Currently 80% of enterprises’ data is made even more vulnerable by the number of daily users, its distributed nature across devices and servers and an overall lack of secure protection.[1]

Experts have arrived at this bottom-line conclusion—everyone is vulnerable to a ransomware attack and cybersecurity measures have become an absolute necessity, not an option.

RANSOMWARE DEFINITION

Ransomware is a form of extortion through malware exploiting cyber vulnerabilities to infiltrate systems and capture vital operating or private data. The cybercriminals require payment, often in the form of cryptocurrency, for the release, restoration or decryption of the files or the assurance of not blackmailing individuals with the information accessed. Only 2% of organizations within healthcare get their full data back even after paying the ransom, with the majority of organizations receiving about 65% of their information back.[2] Currently, the situation has escalated to the point where bad actors are demanding multiple ransoms, one to restore the data and others to not publish the information on the black market.

The primary four ways ransomware infects a system are through:

  1. Phishing emails and malicious links
  2. Insecure network ports, devices and services
  3. Backdoors left by other malware
  4. Network vulnerabilities such as poor password hygiene with little user authentication, too many legacy systems, missing software patches and updates etc.[3]

The rise of ransomware as a service (RaaS) has increased the ease of carrying out a cyberattack with practically no technical knowledge necessary for a criminal to execute the attack.[4] One group creates the malware program code and then sells it for other groups to initiate the attack on specific victims.[5] X-Force head Charles Henderson said these crime affiliations have created a condition in which “criminals are more collaborative than the cybersecurity industry.”[6]

All the shifts and advancements in ransomware require a frank review of the past few years and the statistics to understand the situation, properly form the best course of action and minimize the repercussions on American citizens through critical infrastructure.

RANSOMWARE LANDSCAPE

Ransomware has existed since 1989; however, the past two years have seen a dramatic spike in quantity and impact of cyberattacks. All areas of government, business and healthcare are susceptible regardless of their size and relative importance.[7] In recent years, the landscape has changed from individual domestic hackers exploiting opportunities to organized groups of professional criminals based in and often funded by adversarial nations to strategically disrupt critical functions and achieve financial and political goals.[6]

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified 16 major critical sectors whose capabilities directly impact the national public health, safety, security and economy of America, most of which (14 out of 16) have fallen under heavy ransomware attack in the past two years.[8] By targeting these essential infrastructures across financial, industrial, transportation and healthcare institutions, bad actors can disrupt nation-wide and global supply chains. CISA executives stress the importance of universal action to improve cybersecurity and combat the widespread ransomware threat. Because of the interconnectivity of U.S. infrastructure, they warn that if one organization is compromised, cybercriminals could gain access and infiltrate other larger vital service providers and ultimately spread out of control.[9]

Government agencies and critical businesses are not the only groups seeking to improve through tech modernization. The ransomware landscape has changed drastically due to advances in cybercriminal activity as well.

[Infographic: Carahsoft Ransomware Cybersecurity Blog Series, 2023; sources are listed under Infographic Resources below]

The timeline of these attacks has also accelerated. In 2019, the average time between the initial system infiltration to malware deployment was over two months but in 2021 it dropped 94% to an average of less than four days.[12] Every 10 seconds, a new victim is attacked by ransomware. Not only are attacks and ransom demands increasing and their deployments faster, the majority (60%) of companies do not feel prepared if their company were to be faced with a similar threat in the next 12 months.[13] This problem is expected to continue to grow over the next decade, with ransomware cost predictions of more than $265 billion in total damage by 2031.[14] Agencies and organizations must evaluate their cybersecurity standing and make improvements to ensure that they can withstand these escalating attacks.

RANSOMWARE — ACTION REQUIRED

Contrary to public opinion, most cybercriminals do not primarily target organizations based on the perceived importance of their data, but rather the ease of access to infiltrate the system and the probability that the company will pay the ransom. Critical infrastructure in particular has an obligation to strengthen and reinforce their cybersecurity to prevent disruption and protect these vital functions for the American people. With the increasing trends, officials point to the new harsh reality that ransomware is not a question of if a company will be attacked through malware, but when. Based on the current landscape, organizations must act or risk being swept away by the growing tide of ransomware.

 

Carahsoft and its partners offer cybersecurity solutions to defend against ransomware and mitigate the risks. Reach out to discover how Carahsoft can make an impact for your organization. Dive deeper into how ransomware is affecting U.S. critical infrastructures such as healthcare and utilities in our Ransomware in Healthcare and Utilities Blog. Find our full Ransomware Series here.

 

Resources:

[1] “Protect, Detect & Recover: The Three Prongs of a Ransomware Defense Strategy for Your Enterprise Files,” Nasuni, https://media.erepublic.com/document/Whitepaper-_A_Three_Prong_Ransomware_Strategy_-_Nasuni.pdf

[2] “The State of Ransomware in Healthcare 2022,” Sophos, https://news.sophos.com/en-us/2022/06/01/the-state-of-ransomware-in-healthcare-2022/

[3] “Security Primer – Ransomware,” Center for Internet Security, https://www.cisecurity.org/insights/white-papers/security-primer-ransomware

[4] “Ransomware: In the Healthcare Sector,” Center for Internet Security, https://www.cisecurity.org/insights/blog/ransomware-in-the-healthcare-sector

[5] “Health Care Ransomware Strains Have Hospitals in the Crosshairs,” Security Intelligence, https://securityintelligence.com/articles/health-care-ransomware-strains-hospitals-in-crosshairs/

[6] “Ransomware Attacks on Hospitals Have Changed,” AHA Center for Health Innovation, https://www.aha.org/center/cybersecurity-and-risk-advisory-services/ransomware-attacks-hospitals-have-changed

[8] “Critical Infrastructure Sectors,” Cybersecurity & Infrastructure Security Agency, https://www.cisa.gov/critical-infrastructure-sectors

[9] “Ransomware Hackers Will Still Target Smaller Critical Infrastructure, CISA Director Warns,” Nextgov, https://www.nextgov.com/cybersecurity/2022/07/ransomware-hackers-will-still-target-smaller-critical-infrastructure-cisa-director-warns/374953/

[12] “Ransomware in 2022: Evolving threats, slow progress,” TechTarget, https://www.techtarget.com/searchsecurity/news/252522369/Ransomware-Evolving-threats-slow-progress

[13] “Global Data Protection Index 2021,” Dell Technologies, https://www.dell.com/en-us/dt/data-protection/gdpi/index.htm#pdf-overlay=//www.delltechnologies.com/asset/en-us/products/data-protection/industry-market/global-data-protection-index-key-findings.pdf

[14] “Ransomware in the Utilities Sector,” ThirdPartyTrust and BitSight, https://info.thirdpartytrust.com/hubfs/03%20Guides%20and%20Ebooks/ransomware-utilities-bitsight-thirdpartytrust.pdf

Infographic Resources:

[7] “Ransomware Threat March 2022: Special Report” Nextgov, https://www.nextgov.com/assets/ransomware-threat-ngq122/portal/

[10] “Looking Back at the Colonial Pipeline Ransomware Incident,” Government Technology, https://www.govtech.com/blogs/lohrmann-on-cybersecurity/looking-back-at-the-colonial-pipeline-ransomware-incident

[11] “Much to Do About Ransomware: Report Highlights a Path Forward,” Government Technology, https://www.govtech.com/security/much-to-do-about-ransomware-report-highlights-a-path-forward