Defining the problem – System Operations
The Department of Defense (DoD) protects its 15,000 networks by defining, implementing,
and auditing “best practices” for installation and maintenance of its information
technology resources. The Defense Information Systems Agency (DISA) develops and
publishes policy, in the form of the Security Technical Information Guides (STIGs), which
are used when hardening secure systems used in the DoD.
While significant advances have been made in the areas of threat definition and vulnerability monitoring, little progress has
been made in automating the arduous tasks of implementing and maintaining STIG policy
on the hundreds of thousands of systems operated by the DoD.
The problem, therefore, is not creating and maintaining secure, compliant environments.
The problem is creating and maintaining secure, compliant environments where software
applications will actually run reliably.
To define an enterprise solution, one needs to first define an enterprise. For example, in the
DoD, an enterprise might represent an individual program, a component, or merely a single
base, network, or domain. Or, does “enterprise” refer to the entirety of the DoD? Assuming
that the definition stands as the entirety of the DoD creates issues with typical enterprise
solutions. Commercial enterprise solutions were developed around the corporate model of
computing, including a single or a few domains, data centers, or networks. In contrast, the
DoD’s infrastructure is significantly more fractured, decentralized, and complex—including
This is the key to the leverage a simple signature that can be easily developed once and then used
securely across enterprises, in all networks and domains, with little training and no changes
to security, networks, or infrastructure.