Hardening ICANN’s IT and Digital Services
During ICANN52, many community members inquired after the state of ICANN's digital-services. In addition, in response to one of my blog posts, some of you met with Chris Gift, VP of Digital Services, and me to gain a deeper understanding of status and plans. And in a recent announcement, ICANN stated that we would share more about our multi-year "digital-services hardening" efforts. I am writing this blog to start this process of keeping you – our community – informed and engaged on our many current and planned IT activities.
The Five "Pods" of IT Enablement
To help set a good baseline, I am repeating part of a message from a prior blog/vlog. Broadly speaking, ICANN offers five pods of IT-enabled assets in the form of "Digital Services":
- Community-facing web services
- Contracted-party services
- Technical services to the community
- IANA services
- Staff-facing operations services
As you can imagine, we treat these very differently from one another, especially from an IT security perspective. In total, we have over 80 such digital services that benefit the community, Board and ICANN staff. I have spoken and written about the data that these services collect, collate and curate characterized this information as the valuables that ICANN safeguards. To use and extend a banking metaphor, ICANN as a whole is the "data depository desk" and we – in IT – are the physical custodians of this data. This is a public trust that we take very seriously.
Annual Third-Party Audits in Place
To ensure we are safeguarding these valuables properly, in June-July of 2014, we invited a leading, globally recognized 3rd party to audit all of our IT assets from stem-to-stern. The methodology we chose to adopt and use to assess our systems is the 20 Critical Security Controls Framework (formerly SANS Institute). We will adhere to this framework for the next several years, so ICANN can review its IT assets in a world-class "mirror" and see how our efforts are changing its "image" over a period of time. I am also pleased to say that this same third party has been retained for regular annual audits, and is currently reviewing our progress over the past 12 months, and we'll soon know these results.
The results of the assessment in 2014 showed that we did well in some areas and we have room to improve in others. More valuable than this general assessment was a clear list of specific areas where we could immediately focus our attention and quickly implement improvements.
We took the individual recommendations and sorted them in many ways. We classified them on an importance / urgency matrix; we tagged each recommendation with a level of effort (LoE); and with anticipated hard dollar-costs. We then prioritized the sequence in which they could be addressed.
This resulted in a 16-project roadmap for FY15 and part of the way into FY16. We are addressing these as a top-priority, and nine critical projects have now been completed, including: advanced intrusion detection on Windows servers, fully implemented Intrusion-detection solutions (IDS) and Intrusion-prevention solutions (IPS), a perimeter IDS solution, centralized oversight for patch management, Regularly-scheduled and monitored server software management, and monitoring privileged accounts, just to name a few. These projects are substantial and have started to successfully address some of ICANN's most pressing needs. Many other projects are currently in progress.
On a concurrent but separate track, ICANN engaged the services of an expert-knowledge firm to review our Salesforce.com implementation – the database, the code-base and the configuration. The review highlighted several areas where we could harden our platform. We have since released multiple software patches to address several potential vulnerabilities that were identified. We expect to complete all work no later than the end of calendar 2015. We will work with users of these platforms to ensure that we minimize disruption to service delivery, while improving security.
Most recently, the ICANN Board approved funds to engage similar expert-knowledge firms to review the code-base used in all of ICANN's digital services delivery platforms. Quickly thereafter, ICANN retained the services of two such firms. These firms will review one or two platforms (inclusive of all services hosted on them) from stem-to-stern and work with us to address any issues that are uncovered. Once this is completed, we will address the next two platforms. And so on….until we are done.
Preparing for CyberSecurity Threats
On a third parallel track, ICANN staff has undertaken mandatory training in Cyber security awareness. Training has been "chased" with assessment tests, tracked and reviewed regularly. As a result, ICANN staff is now measurably more alert and aware of threat-vectors. To further cement learnings, ICANN retained the services of an expert-firm specializing in Social Engineering. That firm's efforts are further highlighting specific areas where additional remedial actions are required (and are being taken).
ICANN – like any other high-profile organization – is vulnerable to attack, particularly given the global and increasing IT threats landscape. We cannot control who attacks us or when they launch an attack. BUT....we can choose the armor we put on to defend ourselves when attacked.
To this end, ICANN's Computer Incident Response Team (CIRT) enlisted a subject-matter expert firm to lead certain staff members through a series of table-top exercises to help fine-tune our response-rhythms and better prepare us to react to future incidents.
We are also leveraging scenario-planning techniques to develop, refine and exercise disaster-recovery plans. Much like securing a home against an intruder, this is not a one-and-done exercise. Instead, it is a thoughtful exercise, with plans and programs being implemented to systematically shore-up our defenses. As with any good plan, we will periodically reassess our plan and reset baselines as required.
We now have a focused IT roadmap – backed by a supporting budget and appropriate staff resources – for FY16 and FY17. We stand ready to execute. You can see our plans in the FY16 Operating Plan and Budget.
We are also regularly briefing the Board Risk Committee (BRC) – and IT update is now a standing item on their agenda. Their involvement has been invaluable in gaining guidance, the needed resources and the focused-traction that is required to execute on our sweeping IT Security program now has at ICANN.
Every so often, I plan to share additional perspectives on our progress and future plans. If you have suggestions or thoughts, please share them with me at email@example.com. Better yet, if you plan to attend ICANN53 in Buenos Aires, perhaps we can meet and talk?