
Real world successes in security standardization: Federal desktop core configuration

By Shelly Bird

Published April 22nd, 2008


The Office of Management and Budget (OMB) last year sent ripples through the government IT security world by mandating a move to a standard for federal desktop configurations. The Federal Desktop Core Configuration (FDCC) provides specific security settings which have long been recommended by the National Security Agency (NSA), the National Institute of Standards and Technology (NIST) and the Defense Information Systems Agency (DISA).

It is worth examining why FDCC represents a compelling and reasonable approach to managing desktop security within the federal government and what promise that could hold for other government entities.

FDCC’s settings have been drawn from real world experience within organizations such as the U.S. Air Force, and consequently take into account the complexity of computing security in the federal environment. They are comprehensive, comprising over 580 settings that address both the Windows XP and Windows Vista operating systems. This is an ambitious and absolutely unprecedented approach to tightening security across the enterprise.

Historically, many major agency security initiatives, such as HSPD-12, telework and Continuity of Operations (COOP), have been slowed or seriously hampered by the fact that the very foundation upon which these technologies have been built was often unstable. Desktop and laptop configurations could not be safely predicted, making enterprise planning and implementation excessively difficult. Moreover, even in today’s systems where security policies are applied, the access rights users hold on their own machines can negate or harmfully alter those important configurations.

FDCC takes on this challenge of unmanaged desktops not only through standardization but by requiring that the rights of typical enterprise users be restricted. Thus, daily tasks are performed under the User security context, not the Local Administrator security context. Those who work regularly with security see FDCC as a critical step towards regaining control of the vast federal enterprise.
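As an added illustration of the User-versus-Local-Administrator distinction the column draws (this script is not part of the article and is not FDCC or Microsoft tooling), the following PowerShell function reports which security context the current desktop session is actually running in. It relies only on the standard .NET WindowsIdentity and WindowsPrincipal classes and the well-known SID of the BUILTIN\Administrators group; the function name Test-FdccUserContext is an assumption chosen for this example.

```powershell
# Added example (not from the article): report whether the current session runs in the
# standard User context that FDCC expects, or with Local Administrator rights.
function Test-FdccUserContext {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # On Vista with UAC, an administrator's everyday token is filtered, so IsInRole
    # returns $false unless the process was elevated. Inspecting the token's group SIDs
    # for BUILTIN\Administrators (S-1-5-32-544, a well-known SID) tells the cases apart:
    # a true standard user has neither, an unelevated admin has the group but not the role.
    $isElevated       = $principal.IsInRole($adminRole)
    $isMemberOfAdmins = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

    New-Object PSObject -Property @{
        User            = $identity.Name
        RunningElevated = $isElevated
        MemberOfAdmins  = $isMemberOfAdmins
        FdccUserContext = (-not $isElevated) -and (-not $isMemberOfAdmins)
    }
}

Test-FdccUserContext | Format-List
```

Run it from an ordinary, non-elevated user session on a workstation that has the FDCC rights restrictions applied and FdccUserContext should report True; a False with MemberOfAdmins set to True points to an account that still holds local administrator membership, which is the condition the column says FDCC is meant to remove from daily use.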

Identifying successes and areas for improvements

Because FDCC is also a work-in-progress, whose success largely depends on agency feedback and customization, it is important for agencies to know what has made this effort more successful than previous security approaches.

First of all, agencies have recognized that FDCC is implementation-oriented and must remain a "living standard." Clearly, cyber security is a moving target. Thus, FDCC has been planned from the beginning to evolve as needed not only to respond to threats, but to adjust appropriately to the productivity needs of FDCC users, without unnecessarily exposing the enterprise.

Second, because FDCC is not just a paper policy, but provides actual Group Policy Objects to load in Windows Active Directory environments, human error in translating the policy is kept to a minimum. With the help of FDCC Virtual PCs, developers can test their configurations and customizations in a safe environment. The pre-loaded FDCC settings on Virtual PCs allow developers to rapidly determine whether their software has any issues with FDCC.

In addition, thanks to NIST, agencies now also have a measurable and accountable way to centralize and standardize security checks and a reliable way to showcase compliance. It is called the Security Content Automation Protocol (SCAP).

Standardization uptake is encouraging. Yet, there remain areas for improvement. For instance, report streamlining and formalization would help to incorporate agency feedback into the process more quickly. The Federal CIO Council and other groups that have management and operations controls inside the agencies must have an established and transparent channel of formal feedback communication with NIST.

Additionally, the sharing of information about applications that span the federal government will greatly speed the distribution of any required fixes and will limit the duplication of effort.

Finally, should some agencies (such as those in the intelligence community) need additional and more restrictive settings and configuration decisions that go above and beyond FDCC, it makes sense for these to be made and maintained by suitably cleared personnel.

Ultimately, using the Federal CIO Council for FDCC configuration management may be the best avenue to bring all of these practices together. This decision is currently under consideration by OMB.

As agencies continue to take the next necessary steps toward formalizing their FDCC engagement, they are receiving more and more examples of successful deployments. Not least of these is the one that began it all -- the U.S. Air Force and its vanguard effort to successfully deploy to more than 500,000 desktops.

Microsoft has observed that customers who have established similar standards reap large benefits: serious cost savings, greatly improved security, far more agile response to new attacks and the ability to deploy new security technologies more rapidly. Consequently, we applaud OMB and NIST in their admirable attempt to close the gaps in federal desktop security. FDCC is cross-agency collaboration at its finest.



Shelly Bird is a senior technical leader in Microsoft’s Federal Services division. She can be reached at: .

