Making Information Technology (IT) Boring Again – Priorities, Progress, and Pandemics # 114, August 11, 2021
Defense Health Agency
Speakers:
Pat Flanders, SES, Defense Health Agency (DHA) Chief Information Officer (CIO)/Deputy Assistant Director, Information Operations (DAD IO)/J-6
Tom Hines, CISSP, HQE, Director, Engineering & Technology Transformation, Senior Advisor
DISCLAIMER: The views and opinions expressed in this presentation are solely those of the author/presenter and do not necessarily represent any policy or position of HIMSS.
#HIMSS21
Welcome
Tom Hines, HQE, Director, Engineering & Technology Transformation
Pat Flanders, SES, DHA CIO/DAD IO/J-6
Conflict of Interest
Pat Flanders, SES
Has no real or apparent conflicts of interest to report.
Tom Hines, HQE
Has no real or apparent conflicts of interest to report.
Agenda
• Learning objectives
• Our organization
• Starting point
• Priorities and major initiatives
• Response to COVID
• Summary
Learning Objectives
• Discuss IT integration and standardization requirements related to the
consolidation mandates of Section 702 of National Defense Authorization
Act (NDAA) 2017 which required the military treatment facilities (MTF) to
be transitioned to the authority, direction and control of the DHA
• Review challenges and successes of maintaining and improving network
capabilities and cybersecurity in response to the COVID-19 pandemic
• Outline top IT priorities for the DHA’s CIO
What Does Information Technology (IT) Involve?
Continuum of Care (figure): First Responder, MEDEVAC, In-theater Hospital, En route Care, Stateside
• First Responder: Medic/Corpsman
• Deployed and afloat capabilities: Medical Capabilities Afloat, Aid Stations, Forward Surgical Teams, Combat Support Hospitals, Hospital Ships, Expeditionary Medical Facilities, Patient Staging Facilities
• En route Care ("Care in the Air"): Critical Care Air Transport Teams
• Stateside: Department of Defense (DoD) MTFs, Private Sector, Department of Veterans Affairs (VA)
Military Health System (MHS) IT at a Glance
• 240,000 Windows endpoints
• 3.1 petabytes of global operational data
• $13M of medical supply and Rx items processed daily
• 60+ enterprise systems
• 400+ support agreements
• 38 service offerings in the Catalog of Services
• 785 accreditations enrolled in the Risk Management Framework (RMF)
• IT liaison with federal partners (e.g., VA, Coast Guard, Health & Human Services [HHS])
Our Medical Network: Med-COI
Figure: the Med-COI sits inside the Department of Defense Information Network (DODIN) area of operations on the Non-classified Internet Protocol Router Network (NIPRNet). The DHA Network, Army Network, Navy Network and Air Force Network each connect to the Med-COI through a gateway; DISA and 4ENO also appear on the diagram.
Legend: Gateway = allows access in or out of the network.
Starting Point: Hyper Variance
Major Business & Technical Initiatives
Five focus areas: Actionable Data, IT Best Practices, Cyber Security, Enterprise Solutions, IT Innovations.
Initiatives:
• Ektropy II
• Monthly Review & Analysis (R&A) IT measures
• Standard cyber assessment processes and monitoring tools
• Desktop to Datacenter (D2D)
• Formal "single PM" management of Platform IT (PIT) systems
• Rationalization efforts
• Enterprise IT Services (EITS)
• Sunset of legacy systems
• Use of DMLSS for property accountability
• Lifecycle management
• Contract Parade
• Financial auditability (e.g., system management)
ERB-ARB Purpose/Mission & Structure
Purpose/Mission
• Review and approve all Med-COI network infrastructure design and architectural changes and the associated infrastructure procurements
• Changes are triggered by engineering requests (ERs) associated with new requirements submitted by the user community or internal DHA engineering groups
Structure
• Engineering Review Board (ERB): performs the initial review of all ERs and acts on those that are valid and actionable; forwards proposed ER designs that require changes to the approved architectures and/or allocation of funds for review and approval
• Architecture Review Board (ARB): reviews and acts (approve/disapprove) on ERs involving architectural changes or new spending
ERB-ARB Process Flow Diagram
ERB-ARB Process
ERB-ARB Pipeline
Engineering Review Board (ERB) / Architecture Review Board (ARB)
Comply-to-Connect (C2C)
DHA Medical Enclave Security Automation Solution
DHA Medical Enclave Security Automation Solution; Major Component Integration
Palo Alto Networks Proprietary and Confidential
The Armis Collector (one per site) observes data as it passes through the network at key traffic points. It also uses SNMP and SSH to communicate with access-layer devices such as wireless LAN controllers and network switches. Metadata from these flows is shared with the Analytics Engine for deeper analysis.

The Armis Analytics Engine and Knowledge Database (AEKDB) uses data from the Collectors to perform device identification, profiling, baselining, persistent behavioral anomaly detection and threat detection. The AEKDB may be cloud-based or implemented as a stand-alone server. It uses proprietary algorithms and machine learning to refine its ability to identify devices and assess their behavior. The DHA will use AWS GovCloud for its enterprise instance of the AEKDB.

Cisco Identity Services Engine (ISE) is the DHA's selected Network Access Control (NAC) and AAA solution. It provides the baseline network visibility and policy-driven access management for devices and users throughout the enterprise, and the dynamic controls needed to ensure that only the right people and trusted devices get the appropriate level of access, regardless of where or how they attempt to connect.

pxGrid is an optional capability built into Cisco ISE. It operates as an information exchange hub where multiple security platforms can read and submit contextual data. This sharing of security intelligence among security technologies and vendors lets an ecosystem of dissimilar, IETF standards-compliant technologies work in tandem through a single open API.

The Palo Alto Networks Next-Generation Firewall (NGFW) supports Dynamic Address Groups (DAGs; the slide calls them "Dynamic Access Groups", but the PAN-OS feature is Dynamic Address Groups). DAGs allow on-the-fly creation of policy for specific endpoints: a DAG uses tags to determine its members, and the tags come from the ISE policy SGT assignment that is published to pxGrid. Panorama subscribes to that feed, dynamically updates the device IP and its associated tags, updates the membership of the affected DAG(s), and the appropriate policy is applied as a result.
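How tag-driven membership turns a pxGrid update into a firewall decision is easiest to see with the Panorama side written out. The following is an added illustration, not DHA, Cisco or Palo Alto Networks code: it keeps an IP-to-tag registry as a pxGrid subscriber would, evaluates PAN-OS-style match expressions (quoted tags joined with and/or/not) with a small recursive-descent parser, and resolves a rule by first-match order. All tag names, IPs, DAG names and rule actions are hypothetical.

```python
"""Dynamic Address Group (DAG) membership resolved from tags pushed over pxGrid.
Added illustration; not Panorama code.  Tag names, IPs and DAGs are invented."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed registry of IP -> tags.  Cisco ISE publishes the SGT name over
# pxGrid; Panorama stores it as just another tag on the IP.
ip_tags: Dict[str, Set[str]] = {}


def register(ip: str, tags: List[str]) -> None:
    """Add tags for an IP (a pxGrid session-topic update)."""
    ip_tags.setdefault(ip, set()).update(tags)


def unregister(ip: str, tags: Optional[List[str]] = None) -> None:
    """Remove the given tags for an IP, or all tags when tags is None."""
    if tags is None:
        ip_tags.pop(ip, None)
    elif ip in ip_tags:
        ip_tags[ip].difference_update(tags)
        if not ip_tags[ip]:
            del ip_tags[ip]


def _tokenize(expr: str) -> List[Tuple[str, str]]:
    """Split "'a' and ('b' or not 'c')" into (kind, text) tokens."""
    tokens: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(expr):
        ch = expr[pos]
        if ch.isspace():
            pos += 1
        elif ch == "'":
            end = expr.index("'", pos + 1)
            tokens.append(("TAG", expr[pos + 1:end]))
            pos = end + 1
        elif ch in "()":
            tokens.append((ch, ch))
            pos += 1
        else:
            m = re.match(r"and|or|not", expr[pos:])
            if not m:
                raise ValueError(f"bad token at {pos}: {expr[pos:]!r}")
            tokens.append((m.group(0).upper(), m.group(0)))
            pos += m.end()
    return tokens


class _Parser:
    """Recursive descent: expr := term ('or' term)*, term := factor ('and' factor)*."""

    def __init__(self, tokens: List[Tuple[str, str]], tags: Set[str]) -> None:
        self.toks, self.i, self.tags = tokens, 0, tags

    def peek(self) -> Optional[str]:
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self) -> Tuple[str, str]:
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def expr(self) -> bool:
        val = self.term()
        while self.peek() == "OR":
            self.take()
            rhs = self.term()          # always parse the right side; no short circuit
            val = val or rhs
        return val

    def term(self) -> bool:
        val = self.factor()
        while self.peek() == "AND":
            self.take()
            rhs = self.factor()
            val = val and rhs
        return val

    def factor(self) -> bool:
        kind, text = self.take()
        if kind == "NOT":
            return not self.factor()
        if kind == "(":
            val = self.expr()
            if self.take()[0] != ")":
                raise ValueError("expected ')'")
            return val
        if kind == "TAG":
            return text in self.tags
        raise ValueError(f"unexpected {text!r}")


def matches(match_expr: str, tags: Set[str]) -> bool:
    """True when the tag set satisfies the DAG match expression."""
    parser = _Parser(_tokenize(match_expr), tags)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in match expression")
    return result


def dag_members(match_expr: str) -> Set[str]:
    """Current members of a DAG, recomputed from the live tag registry."""
    return {ip for ip, tags in ip_tags.items() if matches(match_expr, tags)}


# Hypothetical DAGs and the rule each one feeds, in rule order (first match wins).
RULES: List[Tuple[str, str, str]] = [
    ("DAG-Quarantine", "'SGT_Quarantine' or ('Noncompliant' and not 'Exempt')", "deny-and-log"),
    ("DAG-Compliant-Medical", "'SGT_Medical_Device' and 'Compliant'", "allow-clinical-apps"),
]


def policy_for(ip: str) -> str:
    """Action the firewall applies to traffic from ip under the rules above."""
    for _name, match_expr, action in RULES:
        if ip in dag_members(match_expr):
            return action
    return "default-deny"


if __name__ == "__main__":
    register("10.1.1.10", ["SGT_Medical_Device", "Compliant"])
    print(policy_for("10.1.1.10"))                 # allow-clinical-apps
    register("10.1.1.10", ["SGT_Quarantine"])      # ISE re-tags the endpoint
    print(policy_for("10.1.1.10"))                 # deny-and-log
```

Two details matter operationally: membership is recomputed from the registry on every lookup, so a tag change from ISE takes effect without editing any rule, and the quarantine DAG is listed first so a quarantined endpoint that still carries its compliant tags is denied.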
DHA Medical Enclave Security Automation Solution; Component Integration (continued)
• Host-Based Security System (HBSS) ePolicy Orchestrator (the DoD implementation of McAfee endpoint tools)
• Assured Compliance Assessment Solution (ACAS), the DoD implementation of Tenable Nessus
• Tanium console and agents (detection and remediation)
• CSSP agent software (Splunk and others)
• DHA PKI/CA infrastructure (device registration and authentication)
• Active Directory (LDAP and person identification/authorization)
DHA Medical Enclave Security Automation Solution: 'Operation by the Numbers'
Figure: endpoints and users connect through access devices (WLC, LAN switch, VPN) to Med-COI / NIPR / Internet. A traffic TAP feeds the cloud-hosted Armis Analytics Engine (analytics feed), which also covers off-network devices (Bluetooth / ZigBee / Z-Wave / rogue wireless). Identity services (SAML IdP, AD/LDAP, PKI) back Cisco ISE, which performs user and device PKI authentication over EAP / RADIUS / 802.1X / MAB / CoA and exchanges context over pxGrid. Enterprise services on the diagram: CSSP / SIEM situational awareness dashboard, TC-NAC, WMI, ACAS, SCCM. The numbered steps (1 to 6, with 4a, 4b and 4c) are described below.
1. The device connects to the network. Switch ports, WLCs and VPN concentrators are configured to process 802.1X.
2. The network equipment first tries 802.1X; if no supplicant is detected, MAC Authentication Bypass (MAB) is used. MAB devices are checked against ISE's local identity store; devices with supplicants or agent software use the external identity stores (Enterprise Identity Services). Additional AD/PKI authentication is performed for device and/or user credentials.
3. After the device is authenticated, ISE performs posture and compliance checks.
4. ISE queries pxGrid for updated profiling and compliance information from McAfee, Tanium and Armis.
4a. ISE queries SCCM for the device's management status and compliance, retrieving the status and the number of days since the last check-in.
4b. Through the TC-NAC service, ISE queries ACAS for vulnerability information and the time since the last scan. If the scan is non-compliant or out of date, ISE can have ACAS run an uncredentialed scan, or a credentialed scan through the local agent.
5. If the device is compliant (as enforced by ISE policy), ISE sends Access-Accept with the assigned VLAN to the access device. If it is not compliant, ISE tells the access device to place the endpoint in the remediation VLAN or shut down the port. If the device is not authorized, ISE sends a RADIUS Access-Reject and the access device places the port in the "Restricted" VLAN or applies a restricted ACL on the interface/WLC.
6. ISE updates the endpoint information in pxGrid for the Palo Alto DAG. Panorama pushes the updates to the firewalls to allow or restrict the endpoint's access.
Security Automation Solution: 'Threat Detection and Remediation'
Figure (same components as above: access devices, traffic TAP, identity services, pxGrid, Cisco ISE, cloud-hosted Armis Analytics Engine, SIEM situational awareness dashboard, ACAS and SCCM enterprise services, off-network devices, WAN).
Threat detected:
1. The analytics feed flags a threat on the endpoint.
2. Endpoint attributes and the device profile are updated.
3. ISE issues an instruction to re-authenticate.
4. The re-authentication results trigger quarantine; the port is placed in the Quarantine VLAN.
5. ISE publishes the new SGT to pxGrid.
6. Panorama retrieves the SGT information.
7. The endpoint is added to the quarantine DAG.
Reassess and remediate:
1. Forced re-authentication; AnyConnect posture assessment is initiated.
2. The agent queries ISE for updates, triggers an AV scan based on the new data, and reports the results to ISE.
3. ISE initiates an ACAS scan; results are reported to ISE.
4. ISE issues an instruction to re-authenticate.
5. ISE updates the endpoint status in pxGrid.
6. Panorama retrieves the updated SGT.
7. The endpoint is added to the remediated DAG.
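The two sequences above (authorization by the numbers, and threat detection followed by reassessment) are the same decision run at different moments. Below is an added model of that decision, not DHA or Cisco code: 802.1X with MAB fallback, posture inputs from pxGrid, SCCM check-in age and ACAS scan age, the resulting RADIUS outcome with VLAN and SGT, and the CoA re-authentication that moves an endpoint into quarantine and back. The thresholds, VLAN and SGT names, the rule that SCCM status only applies to agent-managed hosts, and every endpoint record are hypothetical and constructed for the example.

```python
"""Comply-to-Connect authorization and CoA re-authentication, modelled on the
ISE / pxGrid / SCCM / ACAS sequence on the slides.  Added example; not DHA or
Cisco code.  Thresholds, VLAN/SGT names and endpoint data are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_SCCM_CHECKIN_DAYS = 7   # assumed policy: SCCM client checked in within a week
MAX_ACAS_SCAN_DAYS = 30     # assumed policy: ACAS scan no older than 30 days


@dataclass
class Endpoint:
    mac: str
    has_supplicant: bool                 # 802.1X-capable host, or MAB-only device
    cert_valid: bool = False             # device certificate chains to the DHA CA
    in_local_mab_store: bool = False     # MAC known to ISE's local identity store
    has_agent: bool = False              # AnyConnect/HBSS/Tanium agent present
    pxgrid: Dict[str, str] = field(default_factory=dict)  # McAfee/Tanium/Armis attributes
    sccm_days_since_checkin: Optional[int] = None
    acas_days_since_scan: Optional[int] = None
    acas_critical_findings: int = 0


@dataclass
class Decision:
    radius: str                          # "Access-Accept" or "Access-Reject"
    vlan: str
    sgt: str                             # what ISE publishes to pxGrid for the DAG
    actions: List[str] = field(default_factory=list)


def authenticate(ep: Endpoint) -> Optional[str]:
    """Step 2: 802.1X first; MAB only when no supplicant answers.  Returns the store used."""
    if ep.has_supplicant:
        return "external-pki" if ep.cert_valid else None
    return "local-mab" if ep.in_local_mab_store else None


def posture(ep: Endpoint) -> Tuple[bool, List[str]]:
    """Steps 3 to 4b: pxGrid attributes, SCCM check-in age, ACAS scan age and findings."""
    actions: List[str] = []
    if ep.pxgrid.get("threat") == "detected":
        return False, ["quarantine: threat flagged by analytics"]
    for source in ("hbss", "tanium", "armis"):
        if ep.pxgrid.get(source) == "noncompliant":
            return False, [f"remediate: {source} reports noncompliant"]
    if ep.has_agent:  # assumption: SCCM status is only meaningful for managed hosts
        age = ep.sccm_days_since_checkin
        if age is None or age > MAX_SCCM_CHECKIN_DAYS:
            actions.append("remediate: SCCM check-in missing or stale")
    scan_age = ep.acas_days_since_scan
    if scan_age is None or scan_age > MAX_ACAS_SCAN_DAYS:
        kind = "credentialed" if ep.has_agent else "uncredentialed"
        actions.append(f"trigger {kind} ACAS scan via TC-NAC")
    if ep.acas_critical_findings > 0:
        actions.append(f"remediate: {ep.acas_critical_findings} critical ACAS findings")
    return not actions, actions


def authorize(ep: Endpoint) -> Decision:
    """Steps 5 and 6: RADIUS result, VLAN, and the SGT published to pxGrid."""
    if authenticate(ep) is None:
        return Decision("Access-Reject", "Restricted", "SGT_Restricted",
                        ["apply restricted ACL on access port"])
    ok, actions = posture(ep)
    if ok:
        return Decision("Access-Accept", "Clinical", "SGT_Compliant")
    if any(a.startswith("quarantine") for a in actions):
        return Decision("Access-Accept", "Quarantine", "SGT_Quarantine", actions)
    return Decision("Access-Accept", "Remediation", "SGT_Remediation", actions)


def on_threat(ep: Endpoint, source: str) -> Decision:
    """Threat flow: analytics updates the endpoint attributes, ISE forces a CoA re-auth."""
    ep.pxgrid["threat"] = "detected"
    ep.pxgrid["threat_source"] = source
    return authorize(ep)                 # result of the forced re-authentication


def remediated(ep: Endpoint, acas_days_since_scan: int = 0, findings: int = 0) -> Decision:
    """Reassess flow: AV scan and fresh ACAS results reported, then CoA re-auth."""
    ep.pxgrid.pop("threat", None)
    ep.pxgrid.pop("threat_source", None)
    ep.acas_days_since_scan = acas_days_since_scan
    ep.acas_critical_findings = findings
    return authorize(ep)


if __name__ == "__main__":
    # Constructed endpoints: a managed clinician laptop and an unmanaged infusion pump.
    laptop = Endpoint("00:11:22:33:44:55", has_supplicant=True, cert_valid=True, has_agent=True,
                      pxgrid={"hbss": "compliant", "tanium": "compliant", "armis": "compliant"},
                      sccm_days_since_checkin=2, acas_days_since_scan=10)
    pump = Endpoint("aa:bb:cc:dd:ee:ff", has_supplicant=False, in_local_mab_store=True,
                    pxgrid={"armis": "compliant"}, acas_days_since_scan=45)
    for step in (authorize(laptop), on_threat(laptop, "armis"), remediated(laptop), authorize(pump)):
        print(step.radius, step.vlan, step.sgt, step.actions)
```

The pump case shows why the fallback matters for medical enclaves: a MAB-only device cannot take a credentialed scan, so the stale ACAS result produces an uncredentialed scan request and a remediation VLAN rather than a reject, which would take a clinical device off the network entirely.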
Engineering Review Board (ERB) / Architecture Review Board (ARB)
DHA DevSecOps Community Cloud (DSOCC)
DevSecOps Operational View (OV-1)
Figure: the DHA DevSecOps Community Cloud, shown as an evolving integration and orchestration pipeline inside the Med-COI boundary. Elements on the diagram:
• External connectivity: NIPRNet, DoD Enterprise Services, VA OneNet, ISP/Internet, VA TIC GW, DISA IAP, DISA NFG, Med-COI Enterprise Gateway, .com, DHA CAP
• Med-COI multi-vendor cloud environments (IL5), on-premise hosting (MAAG/LCI), Military Treatment Facilities, clinics and other lines of business behind a local access gateway
• Repositories: DHA approved repositories, DoD-managed repositories (e.g., Platform One), commercial repositories
• Platform: Identity & Access Management, technology stacks, governance stacks, Continuous Integration and Continuous Deployment (CI/CD), community and POR-specific container infrastructure, Kubernetes, SDN, Dev / Test / Prod environments, code / content / lexicon
• Enablers: culture, process, technology adoption, policy, acquisition, modified contracting language, measures of efficiency, funding, stakeholders
• Security: cyber security TTPs, tailored threat indicators, orchestration inheritance and certification process, continuous monitoring
"DevSecOps is an organizational software engineering culture and practice that aims at unifying software development (Dev), security (Sec) and operations (Ops). The main characteristic of DevSecOps is to improve customer outcomes and mission value by automating, monitoring, and applying security at all phases of the software lifecycle: plan, develop, build, test, release, deliver, deploy, operate, and monitor." – DoD Enterprise DevSecOps Reference Design
Goal: development of an affordable, innovative, robust and secure Health Information Technology environment.
DSOCC Roadmap
Figure: pipeline columns Project Mgmt, Source Control, Build, Configure, Test, Deploy, Monitor / Log; tooling shown includes AWS CloudTrail and AWS CloudWatch. Timeline: Current (FY21 Q4), Free Climb (FY22 Q1), Top Rope (FY22 Q2). Legend: in Development; Backlog; Host and/or Platform; under Cyber Review; under Evaluation.
DSOCC Software Factory – Process Flow
Dev Test environment: scan evidence and failed scans from the other environments feed back here; a build is promoted once its scans pass.
Pre-Prod: receives builds promoted from Dev Test; scans are sent to documentation; a failed scan restarts the process; passing builds become promotable to Prod.
Production: promotable builds are presented for a risk decision; failed builds reset the process; continuous-monitoring scans are sent back to documentation.
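The three environments above form one promotion gate: each stage checks scan results against its own bar, attaches the evidence to the build, sends a failure back to Dev Test, and holds a Prod candidate until someone records the risk decision. The following is an added example of that gate, not DSOCC code; the stage names, required scanner set, severity thresholds and sample scan results are hypothetical and constructed.

```python
"""Stage-promotion gate for a software factory: dev-test -> pre-prod -> prod.
Added example; not DSOCC code.  Stages, scanners, thresholds and the sample
scan results are hypothetical and constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

STAGES = ["dev-test", "pre-prod", "prod"]
# Assumed per-stage limits on findings by severity (absent severity = unlimited).
GATES: Dict[str, Dict[str, int]] = {
    "dev-test": {"critical": 0},              # no criticals may leave dev-test
    "pre-prod": {"critical": 0, "high": 0},   # no highs may become prod-promotable
}
REQUIRED_SCANS = {"sast", "sca", "container"}  # assumed scanner set for every gate


@dataclass
class Scan:
    tool: str                     # "sast", "sca" or "container"
    findings: Dict[str, int]      # severity -> count


@dataclass
class Build:
    build_id: str
    stage: str = "dev-test"
    status: str = "in-progress"
    evidence: List[dict] = field(default_factory=list)   # scan record kept per gate


def evaluate(stage: str, scans: List[Scan]) -> List[str]:
    """Reasons the gate for `stage` fails; an empty list means it passed."""
    reasons: List[str] = []
    present = {s.tool for s in scans}
    for missing in sorted(REQUIRED_SCANS - present):
        reasons.append(f"missing {missing} scan")
    for s in scans:
        for severity, limit in GATES.get(stage, {}).items():
            count = s.findings.get(severity, 0)
            if count > limit:
                reasons.append(f"{s.tool}: {count} {severity} (limit {limit})")
    return reasons


def promote(build: Build, scans: List[Scan], risk_accepted: bool = False) -> str:
    """Run the current stage's gate and return the stage the build ends up in.

    Evidence is recorded whether the gate passes or fails.  A failure sends the
    build back to dev-test; a pass moves it one stage forward, except that the
    step into prod also needs an explicit risk decision.
    """
    if build.stage == "prod":
        return build.stage
    reasons = evaluate(build.stage, scans)
    build.evidence.append({
        "gate": build.stage,
        "scans": {s.tool: dict(s.findings) for s in scans},
        "result": "fail" if reasons else "pass",
        "reasons": reasons,
    })
    if reasons:
        build.stage = "dev-test"
        build.status = "failed: " + "; ".join(reasons)
        return build.stage
    next_stage = STAGES[STAGES.index(build.stage) + 1]
    if next_stage == "prod" and not risk_accepted:
        build.status = "promotable: awaiting risk decision"
        return build.stage
    build.stage = next_stage
    build.status = "promoted"
    return build.stage


if __name__ == "__main__":
    clean = [Scan("sast", {}), Scan("sca", {"medium": 2}), Scan("container", {"low": 5})]
    b = Build("app-1234")
    print(promote(b, clean))                        # pre-prod
    print(promote(b, clean))                        # pre-prod (awaiting risk decision)
    print(promote(b, clean, risk_accepted=True))    # prod
```

The evidence list is what the "send scans to documentation" arrows on the slides amount to in practice: every gate appends its record, so a build that reached prod carries the scan results that justified each promotion and the risk decision that let it through.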
Cloud Broker Service (CBS) 7/29/2021 Snapshot
Current phase of hosting projects (116 total; 17 of them are DSOCC/container elements):
Cust. Engage: 3 (2%)
Requirements & Costing: 59 (51%)
Pre Production: 31 (27%)
Production: 23 (20%)
Bar chart "Past 12 Months – Began Hosting Process": counts shown 13, 4, 37, 7, 11, 5, 3, 4, 5, 3, 2 (the bar labels are not recoverable from the extraction).
CIO Checklist Automating Discovery of Military Treatment Facility (MTF) Health; Pre-Populating Metrics Directly from Enterprise Systems for CIO Certifications