Enhancing Architecture, Data Management and Security Through a New Type of Collaboration
NITECH ››› PARTNERSHIPS AND COLLABORATION
We speak to the NCI Agency’s CTO Chief Architecting & Engineering Detlef Janezic and his team to see how a new way of collaborating can enhance data management and security
Q What are the key steps that have to be taken when collaborating on a new data management project?
A Data management is not a new discipline. Data-related phrases such as big data, data centricity, data lakes and data exploitation underline the importance of data across all business domains. Within NATO, it is absolutely crucial to aggregate data into information in order to achieve information superiority as the foundation for timely and precise decision-making. It is also key that both structured and unstructured data is considered to be of relevance.
The identification of authoritative data repositories as the single source of truth (SoT) and the assignment of data owners ensuring data quality and validity is absolutely vital. What makes a big difference in our world, as it spins ever faster, is the need for even timelier processing and analysis of data. Data science technologies such as machine learning and artificial intelligence provide such capabilities and help to generate data models by using modern DataOps approaches. However, data-model development requires a more iterative, agile and collaborative data engineering approach.
To enable this, our data science team collaborating in the NATO Software Factory (NSF) has implemented a new DataOps toolchain. The NSF provides one common engineering space that helps in establishing the foundations for DataOps collaboration with industry, academia, NATO Nations and NATO entities. Since the NSF environment is public and cloud service-based, it has the advantage of providing access to both commercial and open data sources, and consequently enriches our data foundation for NATO decision-making. By following this approach, the use of industry standards for master data can be applied as can standards like UNLOCODE for geographical locations or UNSPSC for IT product categories. This too enables us to standardize and streamline our master data repositories.
Q Which important elements should be considered to ensure success?
A People matter and are indeed key to success. But, they need to communicate, interact and collaborate within existing organizational structures or cross-organizational/functional teams.
Effective collaboration, focused on the products and benefits, enriches the value chain and is always key to success. Nevertheless, effective collaboration only works when all aspects are being correctly addressed. That is why the NSF’s collaborative environment, which involves the right people with the right skills sets, is delivering results.
Project management is also important. In any governmental organization we are often confronted with layers of governance. These are necessary, but they should not slow down the decision cycle. Neither should micro-management prevent sufficient space for teams to generate value. This is indeed a delicate balance and requires true leadership at senior executive level.
Q How early in a project should the key aspects of a project be scoped out?
A In terms of the correct timing for certain aspects of a project, it is essential to shift important life cycle activities earlier to the left by applying, for example, a security-by-design approach. This prevents ripple effects, caused by cyber security vulnerabilities, being experienced at the later stages of a product life cycle. Another good example is the need to shift integration or penetration testing activities to the earlier stages of a project in a more iterative and automated way, enabling the identification of deficiencies earlier and consequently allowing adjustments to be made as early as possible.
Last but not least, it is vital to recognize that the introduction of new technologies and approaches can cause change resistance and can even result in culture shocks. These types of innovations require clear communication and close collaboration with all stakeholders.
Q Why should cyber vulnerabilities be addressed early?
A An important lesson we learned was that security-related requirements are often not taken into account early enough in a process or project, only to be discovered later in the product development life cycle. Usually, our cyber security team is able to discover security weaknesses during penetration testing activities. In cases where security-related vulnerabilities are in fact detected, it usually means that the team has to re-architect and re-design the product. Obviously, bringing a product back to earlier stages of the life cycle is very resource intensive and causes delays to the project. Sometimes, vulnerabilities can be ‘showstoppers’ resulting in project failure.
In order to prevent such a situation, it is absolutely vital that security-related requirements and any other non-functional requirements are included as early as possible during the requirements phase. By following a security-by-design approach, such security requirements are included in the early design phase. It is also key that cyber security subject matter experts are part of the product team from day one, especially when following ‘Agile’ development methodology.
Our recent implementations of the NCI Academy training network, offering online training to NATO and the Nations, have shown that security requirements cannot be an afterthought – or a bolt-on feature. It is essential to understand how security will contribute and add true business value to our ICT. Automated secure templates, pre-screened container registries, continuous cyber monitoring and patching are all essential in today’s world. Public cloud and internet-exposed systems are extremely vulnerable to tardy patching and the lack of cyber monitoring. Therefore, within the NCI Agency and across NATO as a whole, security has become a core element of every ICT system, service and project.
Close collaboration with our cyber security team, the creation of data-lakes for security and the logging of event information build the essential foundation for Security Information and Event Management (SIEM) Systems. The same goes for Service Management and Control (SMC). SIEM is indeed the nexus where security-by-design and SMC-by-design meet in order to support the architecting and design of secure, well-managed and closely-monitored services for NATO.
Q How did the DCIS Cube Architecture development process exhibit these collaborative attributes?
A The DCIS Cube Architecting Initiative was launched at NITEC 2017 in Ottawa, Canada as a collaboration effort with industry to explore how industry could help NATO improve its exploitation of modern COTS (commercial-off-the-shelf) technology for deployed CIS (Communications and Information Systems). This effort was successful beyond all our expectations and delivered a modern industry-standard architecture based on commercial best practice that industry was comfortable supporting.
The DCIS Cube Architecture concept has been recognized internationally, including with an IEEE paper, and has been re-used by NATO nations who are building their own national DCIS capabilities. Aspects such as security-by-design and service-management-by-design were included from the start by making sure a broad mix of expertise was involved. For example, we had generalists, experts on hardware, virtualization, security and orchestration, including representatives from public cloud providers.
Q What lessons did you learn during the DCIS Cube development project?
A The DCIS Cube project has delivered many valuable lessons in terms of collaboration between industry and NATO. For example, it is really important that the right people with the right skills sets are gathered in a room, away from their normal day-to-day work. The collaborative architecting approach is essentially based on the collaboration of experts interacting in person during these workshops to achieve common use cases and their requirements. These workshop sessions need to be moderated by the NCI Agency to ensure the specific military domain knowledge is included and that the architecture remains vendor agnostic whilst also being industry standard and building-block based. It is also important to use existing industry-standard architecture building blocks and readily available solutions supported by commercial best practices, processes and standards.
A fundamental principle of the DCIS Cube Architecture initiative was that all deliverables are to be shared openly with other companies when requested by them even if they were not involved in the initiative. Monolithic and stove-piped approaches are no longer working due to the fast evolution and the high complexity of today’s IT landscape. We have to move away from a contractor–customer relationship to a true partnering ecosystem that embraces industry knowledge and commercial best practice and at the same time adapt to the latest IT developments as needed.
Q How does the Workshop process work?
A Each workshop must address a portion of the big picture, while the NCI Agency architects continuously remind the group of the overall picture. It is key that an Agency architect translates the results of each workshop into architecture products. Moreover, these architecture products should always be shared with the whole group so they can offer comments on them during the next workshop in order to improve them.
To deliver a truly tangible architecture product for any given area requires about six to ten focused workshops. Regular intervals of no more than two months are needed between each one. In addition, regular reviews and decision points for final approval by all contributors are critical to success.
Q What is the NCI Agency’s role in this new collaborative process?
A The NCI Agency is a key stakeholder in this new way of collaborating while bringing military domain knowledge such as for C4ISR (command, control, communications, computers, intelligence, surveillance and reconnaissance), cyber security, service management and other NATO-specific expertise to the table. The NCI Agency role is also essential for ensuring technical cohesion, alignment to Enterprise Architecture and design, and enabling the successful integration into the portfolio of NATO ICT services.