Furlani: A lot of what needs to be clear is a good definition of what we're talking about before we can start saying how you might protect it. Then, looking at the trade-offs between security and privacy, usability, how you can scale identity management; there are many research-related issues here. How do you measure a truly secure system, and against what risk levels are you trying to measure?
InformationWeek: In an area like cloud computing, which is amorphous and widely defined and still in a developmental phase, how does that play out? How do you pick and choose your battles of what to define as standards now versus what to do later?
Furlani: It can and will be an enormous savings if we can figure out how to do it correctly, and I think that's what we're all struggling with, both Vivek Kundra, GSA, and the CIOs in general. I co-chair a subcommittee of the CIO Council that helps identify some of these ongoing technology infrastructure constraints; it's the subcommittee under the Architecture and Information Committee, the Technology Infrastructure Committee. We actually have the change control responsibilities for the Federal Desktop Core Configuration and IPv6, so I'm in the thick of thinking about what the government should do about cloud computing, both with NIST and with the CIO architectural control community. Actually defining what cloud computing is is number one, and number two is figuring out where there should be standards.
InformationWeek: While the government has been pushing IPv6 for some time, standardization has begun to take final shape, and there are requirements that soon everything new has to be IPv6. How do you get the testing program ramped up?
Furlani: We put out the government profile of what the government should expect from IPv6 and what should be measured. With the labs, we're setting up accreditation programs so that we can do the same kinds of work, with the University of New Hampshire doing the bulk of the work. We'll work with OMB to make sure of exactly what a requirement clause would say that makes these requirements imperative in the acquisition process.
InformationWeek: What's going to be your role in taking what was developed in the 60-day federal cybersecurity review and implementing it? I wanted to drill down into one area where there's a lot of work to be done in standardization, which is identity management.
Furlani: In the big picture, portions of the Comprehensive National Cybersecurity Initiative were focused on the research direction. Another piece we bring in is the whole understanding of standards and their development and the recognition internationally. IT is global, so if you're talking about DNSSEC or Internet connectivity or use, building the standards internationally, understanding those standards, and bringing that back into the community is important.
In identity management, it's not just the context of IT management. I need to understand you are you, but I also need to understand if the computer is yours or it's somebody else's. Being 'you' may mean something entirely different in your work life and your private life. Bridging these trust models, some kind of federated credentialing, understanding scalability issues. Role-based access comes into play. There's a lot of research there, and there's also a lot of moving the standards forward.