OGS PROCUREMENT SERVICES GROUP

CONTRACTING STRATEGY FOR BUSINESS CONTINUITY AND SECURITY

 

August 13, 2002

 

 

BACKGROUND:

 

The OGS Procurement Services Group (PSG) provides centralized statewide contracts for commodities, services and technologies for use by all state agencies, political sub-divisions (such as municipalities, towns, villages, etc.), and others authorized by law to use state contracts. 

 

Those vendors designated by a * are on state contract.

 

BUSINESS CONTINUITY:

 

Peregrine*: Peregrine offers asset management and crisis response tools, the latter being for emergency command center type operations.  Asset management allows an agency to accurately track assets, including networks, so replacement of assets can be properly planned for.

Veritas*:  Veritas Software provides comprehensive storage software solutions to protect and manage information and provide for disaster recovery.  They have 13 data centers around the world, with application and storage interoperability with multiple software and hardware platforms.

 

SunGard (contract under development):  Precovery planning solutions that help plan:

 

Needs Assessment

Business Recovery Plan

Technology Profile

Incident Command Services

Business Profile

Recovery Fast Track

Business Impact Analysis

Quick Start

IT Computer Center Recovery Plan

Plan Maintenance

Recovery Plan Audit

 

 

Gain a clear picture of your current business recovery capabilities to enhance your ability to make sound business decisions regarding your continuity/recovery program.  OGS is in contract negotiations for the software.

 

 

SECURITY VENDOR LANDSCAPE:

 

NOTE:  This landscape was developed by OGS for contracting strategy purposes and is not intended to be a complete overview nor a recommendation for any vendor or product. 

 

Security Service Vendors:

 

·          Managed Security Services: AT&T*, Sprint, Oracle*

·          Internet service providers (ISPs): AT&T*, MCI WorldCom, Genuity, Concentric

·          Legacy Outsourcers: IBM* and EDS

·          Large Equipment Providers: HP*, Avaya*, Unisys*

 

Security Software Developers:

 

Authentication:  Many organizations are actively prototyping or in the discussion stages of installing some PKI product in support of new application development or Web deployment of business applications (frequently by re-engineering current systems). 

 

Leading vendors include:

 

Entrust Technologies (PKI)

Baltimore Technologies (UniCERT)

VeriSign (OnSite)

Microsoft* (Enterprise PKI – part of Windows 2000 operating system)

Sun/Netscape Alliance (iPlanet)*

Tivoli* (SecureWay PKI – formerly IBM*, now Peregrine*)

CA (certificate management)*

RSA Security* (Keon – encryption under other OGS contract below)

 

In addition, many IT organizations have already installed proprietary solutions for remote access authentication, such as Security Dynamics' SecurID and ACE/Server.  Support components such as certificate authorities and directories are dealt with under "Administration."

 

Access Control Enforcement.  For competitive, privacy, fiduciary, and legal reasons, organizations have an imperative to protect their information assets (e.g., financial data, customer/personal data, trade secrets, competitive strategies) from unauthorized third-party access (e.g., competitors, external/internal attacks, administrative accidents).  This "wall building" must be done while simultaneously permitting proper access to resources by authorized users (increasingly including third parties) without creating administrative and policy nightmares.  To address these issues, and to extend and augment relatively weak access control (AC) features found in distributed operating systems, various vendors offer products for controlling access to computing resources (e.g., servers, files).

 

Leading vendors are:

 

Axent’s “Privilege Manager” for Unix, Symark’s PowerBroker, Tivoli’s* TACF (Tivoli Security Management), and CA’s* Platinum Memco-developed SeSOS under the Unicenter product.

 

The above utilize "soft hooks," which intercept all security-related system calls.  After a call is intercepted, the software performs a lookup in its "runtime database."  If access is permitted, the software passes the call back to the OS, which then executes the command.  If access is not permitted according to the database, an error code is returned to the process that requested permission.
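The intercept-lookup-pass-or-deny flow described above, as an added illustration (not code from any of the products named): a hypothetical Python wrapper around open(2) that consults an in-memory "runtime database" (constructed sample entries), passes permitted calls through to the real OS, and returns a kernel-style error code on denial while recording the denial for audit.

```python
import errno
import os
import tempfile

# Error code the hook hands back on denial, kernel-style (negative errno).
DENIED = -errno.EACCES

def lookup(runtime_db, subject, resource, operation):
    """Consult the runtime database; anything not listed is denied (default deny)."""
    return runtime_db.get((subject, resource, operation), False)

def hooked_open(runtime_db, subject, path, flags, denials):
    """Soft hook around open(2): intercept the call, look it up in the runtime
    database, then either pass it through to the OS or return an error code.
    Hypothetical wrapper: real products hook the OS system-call layer itself."""
    operation = "write" if flags & (os.O_WRONLY | os.O_RDWR) else "read"
    if not lookup(runtime_db, subject, path, operation):
        denials.append((subject, path, operation))   # record for audit review
        return DENIED                                # caller never reaches the OS
    return os.open(path, flags)                      # permitted: real OS call

def demo():
    """Exercise the hook against a real file in a scratch directory."""
    denials = []
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        conf = os.path.join(scratch, "app.conf")
        with open(conf, "w") as f:
            f.write("setting=1\n")
        # Constructed sample runtime database: alice may read, only root may write.
        runtime_db = {("alice", conf, "read"): True, ("root", conf, "write"): True}
        fd = hooked_open(runtime_db, "alice", conf, os.O_RDONLY, denials)
        results["alice_read_ok"] = fd >= 0
        if fd >= 0:
            os.close(fd)
        results["alice_write"] = hooked_open(runtime_db, "alice", conf, os.O_WRONLY, denials)
        results["bob_read"] = hooked_open(runtime_db, "bob", conf, os.O_RDONLY, denials)
        fd = hooked_open(runtime_db, "root", conf, os.O_WRONLY, denials)
        results["root_write_ok"] = fd >= 0
        if fd >= 0:
            os.close(fd)
    results["denials"] = len(denials)
    return results

if __name__ == "__main__":
    print(demo())
```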

 

Perimeter Access Control.  The “firewall market” has entered the oligopoly stage (few viable vendors, little price competition).

 

The problem can be divided into four areas.  The first is the use of the Internet as a component of the network infrastructure.  The Internet has become a communications medium, and organizations must deal with network infrastructure across the Internet in the short term.  The second area is information publishing, the "toe in the water."  The third area is the transaction environment: doing business transactions over Internet- or intranet-based technologies, and the security implications of that.  The fourth area is the "miscellaneous" category, which includes things such as implementing groupware, doing research, and using third-generation client/server.  All of these leading-edge ways of looking at things are inherently messy and require a security approach to dealing with the inherently messy areas of business.

 

Leading vendors in each perimeter access control area are listed below:

 

Network Infrastructure: Check Point*, Cisco*, and Axent (which acquired Raptor and is building a converged system and network console to service security configuration and operations needs across traditional organizational boundaries).

 

Information Publishing: Little control needed for this aspect.

 

Transaction Environment: See list under authentication.

 

 

Administration.  The increasing need for common administration of heterogeneous systems will provide a significant need for vendors specializing in connecting legacy and leading-edge technologies.  Tools include:

 

Schumann's SAM and Tivoli's* TME 10 Security Manager.

 

Audit.  Various classes of audit tools (static/policy, network scanning, incursion testing) are overlapping heavily, and vendors in this space are rapidly becoming full-function audit tool companies.  This is expected to settle into an oligopoly situation soon.  The current large vendors are:

 

Axent and Internet Security Systems.

 

These have competition from:  WheelGroup, Intrusion Detection and BindView.  It is believed the larger players will ultimately acquire these.

 

 

SECURITY PRODUCTS AND SERVICES AVAILABLE FROM OTHER OGS CONTRACTS

 

Security Services:

 

Under the IT Services (Computer Consulting, Systems Integration, and Training)

 

For those agencies seeking sources for business continuity and security, please note that the backdrop contracts for IT Services do provide a vehicle to purchase consultant services which include, but may not be limited to:

 

Hardware Security Support

Software/application Security Support

Disaster Recovery including at a minimum:

1.       business impact analysis

2.       continuity of operations

3.       contingency planning

4.       risk assessment

5.       simulation and testing

6.       intrusion detection

7.       penetration testing

8.       disaster recovery

 

Additional Security Services

For customers of IBM, Unisys and Compaq, the above services 1) through 8) and Training for Network Security Personnel can be found under the Comprehensive Services Agreements (CSAs).

 

Hardware & Software Products:

 

Security badges, readers, software

ADI

Contract Number: PT00494  

Simplex

Contract Number: PT00523 

Kronos

Contract Number: PT00523

 

·          Access Control - Identicard's IDentiPASS Access Control System, door access, central monitoring, photo recall and AV alarms

 

·          Digital imaging - Identicard's IVIS Plus 2000 - employee photos, manage personnel data, design & print custom badges, verify employee ID images electronically

 

Software:

 

ASAP

SecureNet 3.0 Firewall software (intrusion detection)

Netegrity authentication

Norton Anti-virus products

 

IBM - Tivoli Software

Access Management - Tivoli: Policy Director, Policy Director for MQSeries, Privacy Manager, Global Sign-On

Risk Management - Tivoli: Risk Manager, Intrusion Manager

Identity Management - Tivoli: Identity Director, User Administrator, Security Manager

Additional IBM Products - Tivoli: PKI, SecureWay Server for OS/390; IBM: SecureWay Directory, SecureWay Firewall, Embedded Security Chips in NetVista & ThinkPads

 

SUN

Trusted Solaris, Crypto Accelerator, Solaris Data Encryption, SunScreen and Java Security Products

 

UNISYS & COMPAQ Systems contracts have RSA Data Security, Inc. products.

 

HP

Security software products on Contract P008541 include:

 

Product #    Description

B5411EA      HP VV Security 4.5 Server Media

B5413EA      HP VV Security 4.5 Manuals

B7969EA      HP VV Security 4.5 Demo/Dev LTU

B8748EA      HP VV Security 4.5 Tier 1 First CPU LT

 

PIONEER-STANDARD

NetForensics is an Internet/intranet software intrusion detection system.

The Nokia products include Internet Firewalls.

 

PCs: Most OGS PC vendors have associated security products.